Back to Home

Analysis of user behavior (User Behavior Analytics). How can Varonis help here? / Varonis Systems Blog

Varonis · information security · big data · data leak

Analysis of user behavior (User Behavior Analytics). How can Varonis help here?

    In the modern world, a serious threat to information security is data leakage that occurs as a result of accidental or deliberate actions of users of information systems themselves. Most leaks are so-called “unstructured data,” that is, data that is created and used by users themselves and stored on file servers or in user mailboxes. Thus, it would be reasonable to start an analysis of the state of information security from the inside, assuming that the potential or already existing intruder is already inside the local network. And in order to understand where a potential leak is possible, it is necessary to identify the presence of confidential data on the file server and understand who has access to them and who uses them most often. In addition, you should also identify users


    It should be noted that the User Behavior Analytics component has always been part of Varonis DatAdvantage that collects information about all user actions on the file server and shows the access rights of both the individual user to the folder or file, and users who have access to the file or folder. From here you can easily understand who has access to the file and uses it, and who should not have this access due to the lack of activity when working with information, or in accordance with security policies defined by the company. You can also build a specific user profile - what it does, which folders or mailboxes it has access to, how often it is accessed, etc.

    Varonis also allows you to analyze some abnormal activity on the part of users. Collecting DatAdvantage statistics in an automatic mode can reveal an excess of user activity compared to his previous activity on a file server. That is, if a user, for example, exceeded his average daily activity (by the number of actions with files on a file server), then this can be detected automatically with all statistics of user actions and logs. Thus, after the fact it is possible to identify abnormal user activity, which can help in the investigation of various information security incidents.
    You can also receive real-time alerts about abnormal user activity. Bulk file deletion or bulk copy may indicate a certain malicious activity. The range of different types of notifications is very wide. If you want to monitor the deletion or copying of certain files (for example, containing confidential information), then this can be easily configured. It should be noted that users will no longer be able to use confidential information, and information security administrators will not be aware of this.

    Another important aspect of user behavior may be attempts to access files or folders unsuccessfully. If the same user tries to open files or folders to which he does not have access, you may need to pay attention to this activity. If, for a short time, some account tries to open many files or folders without access to them, it may be some kind of virus activity, which is also an information security incident.
    An important aspect of analyzing user behavior may be the audit of administrative accounts. To prevent data leakage, it is always useful to know which accounts have administrative rights and what activities they perform on the file server. You can also track the elevation process for a specific account. Whether this change was agreed with an IS employee and does it contradict the security policy adopted by the company. Perhaps you should also monitor for administrative access to files containing confidential information. If it was implemented, then for what purpose and how often does this happen.

    Working with mail is also an important aspect of analyzing user behavior. It is always useful to know who has access to a particular mailbox, who enters this mailbox and how to use the data that is in it. It often happens that users do not even suspect that someone else can read their mail. And if someone sends messages on behalf of another user, then such cases are often difficult to track without a product that collects such statistics. Having information about access to the mailbox also allows you to reduce redundant access or take away access from users who do not need such access at all.

    Analysis of user actions also involves analysis of the actions of non-user accounts. If actions do not have to take place under the service account, then perhaps you should pay attention to them. It is also easy to instantly detect the operation of a crypto-locker program that encrypts data, including on a file server. The operation of the crypto-locker can be tracked both by multiple file modifications in a short time, and by changing the file extension.

    User behavior analysis is used in many information security solutions (in particular, SIEM). Varonis DatAdvantage does not try to repeat the functionality of other solutions, but uses its own approach, collecting information about working with files and data both on a file server and in mailboxes. In addition, it should be noted that notifications of any changes on the file server can be sent directly to the SIEM solution. In this regard, Varonis and SIEM can complement each other, increasing the effectiveness of information security.

    Read Next