User Behavior Analytics - UEBA Forum

Jay Thompson
Chief Operational Officer at Merchant Light LLC
Dec 31 2020

If you host your website on your own server, it will be open to the public. Is there a way to monitor/protect the rest of your network from hackers who have open access to your site? We have a single LAN and public site on the domain server of that LAN. Windows IIS is running our site on our Windows 2019 Server and most business data has been pulled off the server to a client machine.

We don't have a huge (okay, hardly any) budget to work with.

Industry: IT Tech Support; application development; application interface development; retail sales of hardware and software, monthly PAAS support services including monitoring, patching, anti-malware, network maintenance and 24x7 support.

Requirements: monitor only those nodes and forests that need to be protected. If monitoring tells you who is visiting your website, great, but we already have that. We want to know who is trying to hack our site or network using procedure calls or other means that are not predefined and approved by the security team.

Steffen Hornung

Hi, your question tangles on various subjects. Firstly, IIS is a great choice for hosting internal sites. But the Windows under this IIS has many issues to keep up with, so most public sites are just hosted on Linux. I don't want to push you to an OS you are not comfortable with, so I suggest you keep prying eyes/code/hackers from your public site by singling out the ports open to the public by using a firewall on your perimeter and only letting through port 443 for HTTPS traffic. To further harden your approach you could put a reverse proxy between the firewall and webserver (or the firewall appliance does that feature too) to let only URLs pass that align with your website structure. This way you have no exposure to hackers besides what should have been put out there. On Linux you have something like fail2ban, which monitors accessed pages and blocks stubborn users if they subsequently try to gather vulnerable site paths. Something similar to this would be convenient on Windows too, so you have a vector to look out for. I don't know if there is anything like this. Hope this helps, let me know.

Steve

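A fail2ban-style check for IIS, as an added example (not code from this thread): it reads IIS W3C log lines (a constructed sample, not real traffic), counts 404 responses per client IP inside a sliding time window, and reports clients that cross a threshold, which is the path-probing pattern Steve describes; the threshold and window values are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-12-31 10:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 200
2020-12-31 10:00:02 10.0.0.5 GET /products.html - 443 198.51.100.7 200
2020-12-31 10:00:03 10.0.0.5 GET /admin/ - 443 203.0.113.9 404
2020-12-31 10:00:03 10.0.0.5 GET /backup.zip - 443 203.0.113.9 404
2020-12-31 10:00:04 10.0.0.5 GET /config.bak - 443 203.0.113.9 404
2020-12-31 10:00:04 10.0.0.5 GET /login.php - 443 203.0.113.9 404
2020-12-31 10:00:05 10.0.0.5 GET /old-page.html - 443 198.51.100.7 404
2020-12-31 10:05:30 10.0.0.5 GET /setup/ - 443 203.0.113.9 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def find_probing_clients(text, threshold=4, window=timedelta(seconds=60)):
    """Return {client_ip: time_first_flagged} for clients whose 404 count
    within any `window` reaches `threshold` (threshold/window are assumed values)."""
    recent = defaultdict(deque)   # c-ip -> timestamps of its recent 404s
    flagged = {}
    for row in parse_w3c(text):
        if row.get("sc-status") != "404":
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # drop 404s older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip} crossed the 404 threshold at {when}; candidate for a firewall block")
```

The flagged address list is what you would hand to a perimeter firewall rule or a Windows Firewall block entry; the single 404 from 198.51.100.7 (a stale link) stays below the threshold and is not reported.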
Karin Krings
User at University of Phoenix
Dec 30 2020

I'm looking for recommendations for software to detect insider threats. Where can I find a Pros/Cons template, customized to organization, to source insider threat detection support?

Xavier Suriol

I would suggest statistical methods (including machine learning): First, outlier detection. Then, approaches like “Association rules” (=not statistics to explain all the variance in a dataset but to find out tiny observations): for instance, they are useful for DNA prediction of diseases (one or two SNPs among millions of them), a forensic task. When fraudsters know a tool (a template, a program), the solution is no longer valid. Research is the answer (research software rather than “production” software like in accountability). I mean, research as a step beyond production (only useful in the short term).

reviewer1324719

This is an inside-out --- outside-in --- inside-in question, as an insider can be an outsider as well. There is no short answer other than a blend of a PAM tool with Behavioral Analytics and Endpoint Management, to protect credentials, govern activities, and detect abnormal activities. I have about 40 questions I would ask before spitting out a single solution. Without knowing more about your environment I would be slow to start throwing possible solutions, as this will take you days to sort out the differing capabilities and features. You can start by looking at the Gartner Quadrants for PAM tools like BeyondTrust, CyberArk, Centrify, Thycotic, MicroFocus and others. If you spear your specific requirements you may miss bigger threats in your circumference, so use a net, and remedy the surrounding threats in this process.

Ken Shaurette

You'd need to break out better what you consider to be the types of insider threats. There is fraud; very different in an application system than insider activity that may be simply malicious or results in data loss. You need to identify a baseline of normal activity for each user across files, network, user behavior and the endpoint; correlate abnormal behaviour and learn false positives; that is what your software and/or the CyOps team supporting you must do. Doing that begins to give you some use cases that you can then test to determine if they are important to you and can be supported by your choice(s) of solutions. There may not be one, there may be layers needed, but depending on your choice you may be able to get more in one than with other options. Feel free to contact me off list (LinkedIn) if you'd like a matrix that could be used in a product comparison.