
Monitoring for suspicious logins and account compromise

With a huge surge in remote logins, user accounts are more vulnerable to attacks than before. The bad guys are looking for any weakness in the authentication process that they can exploit. This includes weak passwords, weak multi-factor authentication or weak detection of brute force attacks.

Monitoring for phishing and fake alert email campaigns

The COVID-19 pandemic has made people hungry for as much knowledge on the situation as possible. The bad guys obviously are looking to cash in with fake email alerts and impersonation campaigns. We have seen organisations getting an average of 350 emails daily to this end. A SIEM use case should be able to detect and alert on malicious phishing campaigns. A SIEM that uses machine learning algorithms to analyse email data (senders, email domains, subjects, attachment names, etc.) to detect phishing attacks has the benefit of being able to recognise these commonly used attacker techniques:

- Spear phishing targeting a specific peer group of users.
- Emails from malicious domains (integrating threat intelligence).

Insider threat monitoring – Data exfiltration

With a remote workforce and data exposure through new channels, the risk of data compromise has increased significantly; this could be either intentional or accidental compromise. Organisations require their SIEM to detect and alert on data exfiltration attempts. With built-in UEBA, behaviour profiling and rarity algorithms can help to build a normal baseline and alert on a rare or sudden increase in access to sensitive data.

In the remote work environment, it is very likely that certain users may not have the permissions they had before. In this scenario, users may resort to sharing credentials, which in turn may lead to security challenges with unauthorised access, SOD violations, etc. SIEM monitoring should have use cases catered to monitoring credential sharing. With a variety of machine learning and identity context-based checks to detect potential credential sharing attempts, security teams can check for:

- Land speed analysis (aka "superman" use cases) – a user logging in from two distinct locations at the same time, when it is humanly impossible for him/her to be physically present at both locations.
- Physical and logical geo-location correlation – with identity context, a good SIEM can identify the home office location of the user; if they are logging in from another country or state, that could be a red flag (especially at this time, when there are strict travel restrictions across the globe).
- Rare logins – user logins from a location that is rare for his/her profile, but happens to be a normal baseline location for a peer within the organisation.
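The land speed ("superman") and rare login checks described above, as an added example that is not code from the original post: it runs both checks over a constructed set of login events. The speed ceiling, the minimum-distance filter, the coordinates and the per-user baselines are all assumptions.

```python
# Added example, not the post's code: impossible-travel ("superman") and
# rare-location checks over constructed login events. Thresholds are assumptions.
from math import radians, sin, cos, asin, sqrt
MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner speed
MIN_DISTANCE_KM = 50.0  # assumed: ignore jitter between nearby geo-IP fixes

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """events: (user, epoch_seconds, city, (lat, lon)). Returns one alert per pair of
    consecutive logins by a user whose implied speed no traveller could reach."""
    alerts, last = [], {}
    for user, ts, city, pos in sorted(events, key=lambda e: (e[0], e[1])):
        if user in last:
            p_ts, p_city, p_pos = last[user]
            dist = haversine_km(p_pos, pos)
            hours = (ts - p_ts) / 3600
            # simultaneous logins from distinct places are impossible at any speed
            if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > max_speed_kmh):
                alerts.append((user, p_city, city, round(dist)))
        last[user] = (ts, city, pos)
    return alerts

def detect_rare_logins(events, baseline):
    """baseline: user -> set of normal cities. Flags logins from a city outside the
    user's own baseline and names the peers for whom that city is normal."""
    alerts = []
    for user, _ts, city, _pos in events:
        if city not in baseline.get(user, set()):
            peers = sorted(u for u, cities in baseline.items() if u != user and city in cities)
            alerts.append((user, city, peers))
    return alerts

# Constructed sample data (approximate coordinates, UTC epoch seconds).
LONDON, NEW_YORK, MANCHESTER = (51.51, -0.13), (40.71, -74.01), (53.48, -2.24)
EVENTS = [
    ("alice", 1_600_000_000, "London", LONDON),
    ("alice", 1_600_003_600, "New York", NEW_YORK),  # one hour later, ~5570 km away
    ("bob", 1_600_000_000, "Manchester", MANCHESTER),
    ("bob", 1_600_007_200, "London", LONDON),        # two hours later, ~260 km: plausible
]
BASELINE = {"alice": {"London"}, "bob": {"Manchester", "New York"}}
if __name__ == "__main__":
    print(detect_impossible_travel(EVENTS))
    print(detect_rare_logins(EVENTS, BASELINE))
```

In production the city and coordinates would come from the SIEM's geo-IP enrichment and the baseline from its UEBA profiling; the rare-login alert here mirrors the post's point that a peer's normal location can still be rare for this user.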