User Insight

Overview

User behavioral analysis plays a central role in dynamic, predictive, and adaptive cybersecurity. It monitors and analyzes user activity to identify anomalous behavior or patterns that may indicate a security threat. The approach is dynamic because it continuously adapts to changes in user behavior and in the threat landscape, predictive because observed patterns can be used to anticipate likely threats, and adaptive because the response can be tuned to the severity of what is detected.

By learning each user's normal behavior, a security system can detect deviations that may signal an attack, such as logins at unusual hours, repeated failed login attempts, or abnormal data access patterns. Earlier detection shortens the window in which an intrusion can do damage. The quality of the baseline matters: a profile built from too little history, or from a period that already contained malicious activity, produces either false positives or blind spots.
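As an added example (not Sharelock's code; the log format and every log line are constructed for illustration), the following Python implements the baseline-and-deviation logic described above: it learns each user's normal login hours and source addresses from past successful logins, then scores new logins for unseen hours, unknown source addresses, and a burst of failed attempts immediately preceding a success. Users without enough history are deliberately left unscored rather than judged against a thin baseline.

```python
"""Behavioral baselining over authentication logs: learn each user's normal login
hours and source addresses, then score new logins that deviate from that baseline
or follow a burst of failed attempts.  Added example; not Sharelock's code.
All log lines are constructed for the example, not real data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_BASELINE_LOGINS = 10        # do not judge hours on fewer observations than this
FAIL_WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5              # failures inside FAIL_WINDOW before a success


def parse_line(line):
    """Parse 'ISO-timestamp user result src_ip' (the constructed log format)."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "result": result, "ip": ip}


def constructed_baseline_lines():
    """Four weeks of routine weekday logins for two users (constructed data)."""
    lines = []
    start = datetime(2024, 3, 4)  # a Monday
    for d in range(28):
        day = start + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for hour in (8, 9, 13, 17):
            lines.append(f"{day.replace(hour=hour).isoformat()} alice success 10.0.0.5")
        for hour in (9, 14):
            lines.append(f"{day.replace(hour=hour).isoformat()} bob success 10.0.0.7")
    return lines


def build_baseline(lines):
    """Per-user profile: histogram of login hours and set of source IPs (successes only)."""
    profiles = defaultdict(lambda: {"hours": Counter(), "ips": set()})
    for ev in map(parse_line, lines):
        if ev["result"] == "success":
            p = profiles[ev["user"]]
            p["hours"][ev["ts"].hour] += 1
            p["ips"].add(ev["ip"])
    return dict(profiles)


def score_login(ev, profile, recent_failures):
    """Return (score 0-100, reasons) for one successful login."""
    score, reasons = 0, []
    if profile is None or sum(profile["hours"].values()) < MIN_BASELINE_LOGINS:
        return 0, ["insufficient-baseline"]   # never score against a thin baseline
    if profile["hours"][ev["ts"].hour] == 0:
        score += 40
        reasons.append("unseen-hour")
    if ev["ip"] not in profile["ips"]:
        score += 30
        reasons.append("new-source-ip")
    burst = [t for t in recent_failures if ev["ts"] - t <= FAIL_WINDOW]
    if len(burst) >= FAIL_THRESHOLD:
        score += 50
        reasons.append(f"failed-burst:{len(burst)}")
    return min(score, 100), reasons


def detect(new_lines, profiles):
    """Score every successful login in new_lines; failures only feed the burst counter."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(map(parse_line, new_lines), key=lambda e: e["ts"]):
        if ev["result"] == "failure":
            failures[ev["user"]].append(ev["ts"])
            continue
        score, reasons = score_login(ev, profiles.get(ev["user"]), failures[ev["user"]])
        findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                         "score": score, "reasons": reasons})
    return findings


NEW_LINES = [  # constructed events to score
    "2024-04-02T09:00:00 alice success 10.0.0.5",    # routine login
    "2024-04-03T03:12:00 alice success 203.0.113.9", # 03:00 from an unknown address
] + [f"2024-04-03T09:0{i}:00 bob failure 10.0.0.7" for i in range(6)] + [
    "2024-04-03T09:07:00 bob success 10.0.0.7",      # success right after six failures
    "2024-04-03T11:00:00 carol success 10.0.0.9",    # carol has no baseline at all
]

if __name__ == "__main__":
    for finding in detect(NEW_LINES, build_baseline(constructed_baseline_lines())):
        print(finding)
```

The weights and thresholds are illustrative; in practice they are tuned per indicator and the per-user baseline is refreshed on a rolling window so that legitimate changes in working pattern do not remain anomalous forever.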

Identity has become the primary attack vector and the de facto security perimeter for businesses. Services have moved online, mobile devices are ubiquitous, and remote work is common; together these factors have expanded the attack surface available to criminals and made identity security more important than ever.

Identity security means protecting user identities from being compromised and abused. It includes strong authentication methods, multi-factor authentication, and prompt credential rotation when compromise is suspected (current guidance such as NIST SP 800-63B discourages mandatory periodic password changes that are not triggered by an incident).

In an era where traditional perimeters such as firewalls are less effective because IT environments are decentralized, focusing on identity ensures that only authorized individuals can reach sensitive resources. This is the basis of the "zero trust" model, which treats no user or device as trustworthy by default, regardless of location or network, and verifies every access request.

User behavioral analysis and identity security are essential components of a robust cybersecurity strategy. They provide a dynamic, predictive, and adaptive security posture that can effectively respond to the evolving threat landscape.

Dashboard Insights

Sharelock focuses on safeguarding user identities from unauthorized access and compromise. Its ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) modules are designed to detect and mitigate threats involving user credentials and behavior, which directly affects user security within the organization. This focus is visible on the main dashboard, which presents the first insights on users, in particular:

- Population: the entire company population analyzed and protected;

- Inactive: users who have been inactive for more than 90 days;

- Recommendations: de-provisioning recommendations, aimed at Identity Management systems, to remove inactive or risky accesses and reduce the attack surface.
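As an added example (not Sharelock's code; the identity registry and the field names "owner", "privileged" and "last_seen" are constructed assumptions, since the page does not define its schema), the following Python rolls per-account activity up to the owning user, derives the Population and Inactive counters, and produces de-provisioning recommendations. It follows the page's closing point that analyses are attributed to the user rather than the account: a stale account belonging to an otherwise active user and a wholly inactive user are different findings, and an account with no identifiable owner cannot be rolled up at all and is surfaced on its own.

```python
"""Roll account activity up to the owning user identity and derive the dashboard
counters (population, inactive users) plus de-provisioning recommendations.
Added example, not Sharelock's code; the identity records are constructed."""
from collections import defaultdict
from datetime import date

INACTIVITY_DAYS = 90   # the page's threshold for an inactive user

# Constructed registry: one user can own several accounts on different systems.
# "owner", "privileged" and "last_seen" are assumed fields, not the product's schema.
ACCOUNTS = [
    {"account": "alice",      "system": "ad",       "owner": "U001", "privileged": False, "last_seen": date(2024, 5, 30)},
    {"account": "alice-adm",  "system": "ad",       "owner": "U001", "privileged": True,  "last_seen": date(2023, 12, 1)},
    {"account": "alice@corp", "system": "saas-crm", "owner": "U001", "privileged": False, "last_seen": date(2024, 5, 29)},
    {"account": "bob",        "system": "ad",       "owner": "U002", "privileged": False, "last_seen": date(2024, 1, 15)},
    {"account": "bob@corp",   "system": "saas-crm", "owner": "U002", "privileged": False, "last_seen": None},  # never used
    {"account": "svc-backup", "system": "linux",    "owner": None,   "privileged": False, "last_seen": date(2024, 5, 31)},  # orphan
]


def days_idle(account, today):
    """Days since the account was last used, or None if it was never used."""
    if account["last_seen"] is None:
        return None
    return (today - account["last_seen"]).days


def is_stale(account, today, threshold=INACTIVITY_DAYS):
    """An account is stale if it was never used or has been idle longer than the threshold."""
    idle = days_idle(account, today)
    return idle is None or idle > threshold


def recommend(acc, action, reason, priority):
    """Build one recommendation; privileged accounts always get the top priority."""
    return {"account": acc["account"], "system": acc["system"], "action": action,
            "reason": reason, "priority": 1 if acc["privileged"] else priority}


def assess(accounts, today, threshold=INACTIVITY_DAYS):
    """Attribute every account to its owner, then decide per user.

    A user is inactive only when none of their accounts has been used within the
    window; a stale account of an otherwise active user is still recommended for
    removal, because unused access is attack surface regardless of who owns it.
    """
    by_owner = defaultdict(list)
    recs = []
    for acc in accounts:
        if acc["owner"] is None:
            # Cannot be rolled up to an identity: surface it rather than silently dropping it.
            recs.append(recommend(acc, "assign-owner-or-disable", "no owning user", 2))
            continue
        by_owner[acc["owner"]].append(acc)

    inactive_users = []
    for user, owned in sorted(by_owner.items()):
        stale = [a for a in owned if is_stale(a, today, threshold)]
        if len(stale) == len(owned):
            inactive_users.append(user)
            for a in owned:
                recs.append(recommend(a, "deprovision-user-account",
                                      f"user {user} inactive > {threshold} days", 3))
        else:
            for a in stale:
                idle = days_idle(a, today)
                why = "never used" if idle is None else f"idle {idle} days while user is active elsewhere"
                recs.append(recommend(a, "disable-unused-account", why, 2))

    recs.sort(key=lambda r: (r["priority"], r["system"], r["account"]))
    return {"population": len(by_owner), "inactive_users": inactive_users, "recommendations": recs}


if __name__ == "__main__":
    result = assess(ACCOUNTS, date(2024, 6, 1))
    print("population:", result["population"], "inactive:", result["inactive_users"])
    for rec in result["recommendations"]:
        print(rec)
```

With the constructed data and a reference date of 2024-06-01, U001 stays active but her unused admin account is flagged first, U002 is reported as inactive with both accounts recommended for de-provisioning, and the ownerless service account is surfaced for review instead of disappearing from the user-level counters.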

Clicking on any of these sections opens the corresponding list of users, from which you can investigate each user's behavior and their involvement in ongoing threats.

The view lists all active users in the system; inactive users can also be shown by using the filters section. Each user card carries the primary registry information: the user's identifier, user code, manager, department, job title, and a summary of the incidents and threats in which the user is involved.

Clicking on a user opens the detail view for the investigation and analysis phase.

The User Insights view gathers everything a security operator needs to analyze, contextualize, and investigate a user's behavior against the entire company population. The first part of the view repeats the user's details: identifier, user code, manager, department, job title, and the summary of incidents and threats in which the user is involved.

Next is a section detailing the user's activity on their company accounts, organized in three main views:

- Account Usage

- User Activities

- User Active Threats

Account Usage lists the accounts owned and managed by the user, each with a calendar that shows day-by-day use; the color gradient reflects the intensity of use on each day.

Clicking on an individual account opens its details.

User Activities breaks the user's daily activity down hour by hour. Clicking on a time slot shows the detail of that activity: which of the user's accounts were used and what was done with them on the company systems.

User Active Threats lists the active threats in which the user is involved, giving an overview of their behavior and risk status.

Clicking on an individual threat opens its details.

The Timeline shows all the Behavior Indicators active in the user analysis. By default it shows only the indicators with a non-zero risk score; the "show 0% anomalies" toggle reveals all of them, including those that did not produce any anomaly. Each indicator card shows:

- The identifier of the Behavior Indicator and the MITRE ATT&CK technique it maps to;

- Information regarding the algorithm used for the analysis of that specific behavior;

- The subject of the analysis.

Use the download icon to export the raw data, filtered by timestamp and application, and speed up the final stage of analysis on the original logs.

Expanding a Behavior Indicator card opens its detail, with a graphical representation of the detected anomaly. Below the chart, the system shows the Risk Score associated with the anomaly and a description of the incident for context.

Sharelock keeps the concepts of user and account distinct and attributes every analysis to the user identity that owns the accounts, giving a holistic view of the behavior of the company population and supporting a complete identity security posture. This roll-up is only as good as the account-to-owner mapping behind it: accounts with no identified owner cannot be attributed to any user and need to be surfaced separately rather than dropped from the user-level view.