Account Insight

Overview

Account behavioral analysis is a critical component of dynamic, predictive, and adaptive cybersecurity. It involves monitoring and analyzing the activities associated with digital accounts to identify anomalous behavior or patterns that may indicate a potential security threat. This approach is dynamic as it continuously adapts to the changing behavior of accounts and the evolving threat landscape. It’s predictive because it can forecast potential threats based on observed patterns. And it’s adaptive because it can adjust its response based on the severity of the threat.

By understanding the normal behavior of accounts, security systems can detect deviations that might signify an attack, such as unusual login times, multiple failed login attempts, or abnormal data access patterns. This allows for quicker detection of threats, reducing the potential damage caused by security breaches.

Compromised or stolen accounts are often the first vectors of attack used within a corporate network to launch attacks on business assets.

Access managers, which manage user identities and access rights within a network, are prime targets for attackers. If compromised, they can provide attackers with extensive access to sensitive resources. Therefore, monitoring and analyzing the behavior of these accounts is essential for detecting and preventing security breaches.

Dashboard Insights

Effective account monitoring is a frontline defense against cyber threats because it continuously tracks and analyzes user activities. This proactive approach allows for the early detection of suspicious behavior, such as unauthorized access attempts, unusual login patterns, or abnormal data transfers. Organizations can promptly identify and respond to these warning signs to mitigate potential threats before they escalate into full-blown security incidents. This importance is immediately evident in the main dashboard, which presents the first account insights, in particular:

  • Population: the entire company population analyzed and protected;
  • List of workloads: the entire population of company accounts, divided by workload;
  • Inactive IAM Matched: accounts correctly registered in the IAM systems but inactive (not used);
  • Inactive known account: inactive accounts not registered in an IAM system but registered in an Access Manager (AM);
  • Active Ghost: accounts that are completely unknown, not registered even in an Access Manager, yet active and present in the analyzed audit logs.

By clicking on the individual sections, you directly access the list of accounts from which you can investigate their behavior and the level of their involvement in anomalies and ongoing threats.
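The dashboard categories above amount to a join between the IAM directory, the Access Manager registry and the audit logs. The following is an added illustration of that logic, not the product's own code; the account names, events, the 30-day inactivity threshold and the reference date are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the product): IAM directory, Access Manager
# registry, and audit events as (account, ISO timestamp, workload).
IAM_USERS = {"alice", "bob", "carol"}
AM_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}
AUDIT_EVENTS = [
    ("alice", "2024-05-01T08:12:00", "vpn"),
    ("alice", "2024-05-02T09:01:00", "mail"),
    ("svc_backup", "2024-05-01T02:00:00", "fileserver"),
    ("ghost01", "2024-05-03T23:45:00", "fileserver"),
    ("bob", "2024-02-10T10:00:00", "mail"),   # last seen months ago
]
NOW = datetime(2024, 5, 4)          # assumed reference date for the "active" check
INACTIVITY = timedelta(days=30)     # assumed threshold; not a documented value


def last_seen(events):
    """Latest audit timestamp per account."""
    seen = {}
    for account, ts, _workload in events:
        t = datetime.fromisoformat(ts)
        if account not in seen or t > seen[account]:
            seen[account] = t
    return seen


def classify(iam, am, events, now=NOW, inactivity=INACTIVITY):
    """Map every account in the population to a dashboard category."""
    seen = last_seen(events)
    population = iam | am | set(seen)      # the "Population" figure
    result = {}
    for acct in population:
        active = acct in seen and now - seen[acct] <= inactivity
        if acct in iam:
            result[acct] = "active_iam_matched" if active else "inactive_iam_matched"
        elif acct in am:
            result[acct] = "active_known" if active else "inactive_known"
        else:
            # Unknown to both IAM and AM yet present in the logs: a ghost.
            # "inactive_unknown" is an assumed label, not a dashboard category.
            result[acct] = "active_ghost" if active else "inactive_unknown"
    return result


def by_workload(events):
    """Population split by workload, as the dashboard's workload list does."""
    workloads = {}
    for account, _ts, workload in events:
        workloads.setdefault(workload, set()).add(account)
    return workloads
```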

The Account Insights view shows all the information security operators need to analyze, contextualize, and investigate account behavior across the entire company population.

The list of accounts to be analyzed is initially filtered to anomalous active accounts. It is still possible to remove these filters to obtain a list of all accounts, including inactive ones and accounts the system has not found to be anomalous. Another essential filter is the subject drop-down menu, which selects the subject and, therefore, the accounts to view.

The card with the account detail presents an overview of the anomalous status of the account in question, highlighting the number of anomalies present and the number of active tactics and threats in which it is involved. Clicking on the account name opens the account detail for a more thorough investigation.

The Account Insights view shows all the information security practitioners need to analyze, contextualize, and investigate account behavior across the enterprise population. In the first part of the view, we find the account details; in particular, we can see the following:

- IAM user: the user owner of the account as registered in the IAM systems;

- AM Account: the account as registered in the Access Manager;

- Risk Insight: the number of IoBs (Indicators of Behavior), tactics, and threats in which the account is involved;

- Email: email linked to the account;

- Details: various attributes from IAM systems;

- Related accounts: other accounts related to the account in question.

Next, you can find a section detailing users' activities on their business accounts. The principal views are:

- Account Activity

- Account Indicators

- Related Accounts

- Account Active Threats

In Account Activity, the account's daily activity is divided hour by hour. By clicking on the individual time slots, we can view the details of the activity.

In the Account Indicators view, we can find all the Behavior Indicators that analyze the account in question from multiple points of view. The information reported relates to the configuration of the Behavior Indicator and, in particular:

- Name: name of the indicator;

- Tactics/Threats: tactics and threats in which the indicator is involved;

- Object: the entity under analysis, the subject of the analysis;

- Object field: the point of view from which the subject of the analysis is analyzed;

- Algorithms: the type of algorithm used and, therefore, the type of analysis being performed;

- Processing: the start date of the survey phase;

- Learning: the time window used by algorithms to create behavioral baselines;

- Description: description of the algorithm.
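To make the Learning field and the hour-by-hour Account Activity view concrete, here is an added, deliberately simplified model of how a learning window turns into an hourly baseline and a per-day risk score. It is not the product's algorithm; the account, the events, the three-day learning window and the scoring rule are all assumptions.

```python
from datetime import datetime, date

# Constructed audit events (account, ISO timestamp) for one account.
# The learning window (assumed) is 1-3 May; 6 May is the day under analysis.
LEARNING_DAYS = {date(2024, 5, 1), date(2024, 5, 2), date(2024, 5, 3)}
EVENTS = [
    ("alice", "2024-05-01T08:10:00"), ("alice", "2024-05-01T09:30:00"),
    ("alice", "2024-05-01T17:05:00"), ("alice", "2024-05-02T08:45:00"),
    ("alice", "2024-05-02T10:00:00"), ("alice", "2024-05-02T16:20:00"),
    ("alice", "2024-05-03T09:05:00"), ("alice", "2024-05-03T11:40:00"),
    # Day under analysis: two events at 03:00, a slot never seen while learning.
    ("alice", "2024-05-06T03:02:00"), ("alice", "2024-05-06T03:40:00"),
    ("alice", "2024-05-06T09:15:00"),
]


def hourly_counts(events, account, day):
    """Events per hour-of-day for one account on one day (24 slots)."""
    counts = [0] * 24
    for acct, ts in events:
        t = datetime.fromisoformat(ts)
        if acct == account and t.date() == day:
            counts[t.hour] += 1
    return counts


def learn_baseline(events, account, learning_days):
    """Average events per hour-of-day across the learning window."""
    total = [0.0] * 24
    for day in learning_days:
        for h, c in enumerate(hourly_counts(events, account, day)):
            total[h] += c
    return [t / len(learning_days) for t in total]


def risk_score(events, account, day, baseline):
    """Percent of the day's events falling in slots with a zero baseline.
    A 0% result is what the Timeline hides unless 'show 0% anomalies' is on."""
    counts = hourly_counts(events, account, day)
    total = sum(counts)
    if total == 0:
        return 0.0
    anomalous = sum(c for h, c in enumerate(counts) if baseline[h] == 0)
    return round(100.0 * anomalous / total, 1)
```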

In the Related Accounts view, we can find all the accounts related to the account in question across the various workloads analyzed, that is, all the accounts belonging to the same identity. We can change the view and see the details by clicking on the individual accounts.

In the Account Active Threats view, we can find the list of active threats in which the account is involved. By clicking on an individual threat, you can go into its details for a deeper investigation.

In the Timeline, we find all the behavioral indicators active in the account analysis. Initially, the Timeline only shows the Behavior Indicators with a risk score other than zero. Still, by acting on the "show 0% anomalies" toggle, you can see all the indicators, even those that did not lead to any anomalies. For each indicator, the Timeline reports:

- The identifier of the Behavior Indicator with the relevant MITRE technique to which it refers;

- Information regarding the algorithm used for the analysis of that specific behavior;

- The subject of the analysis.

Use the Download icon to download the raw data file, filtered by timestamp and application, to accelerate the final level of analysis on the original logs.

By expanding the card of the Indicator of Behavior, we access the detail where we find a graphic representation of the anomaly detected. Below the chart, the system offers us the Risk Score associated with the anomaly and a description of the incident for greater contextualization.