Pinpointing all suspicious user accounts, based on its sophisticated Anomaly Analyzer self-learning mechanism, without the use of predefined rules or heuristics.
Connections can be genuine or bogus. Suspicious behavior may include connection attempts to closed ports, blocked internal connections, connections made to bad destinations etc., detected using data from firewalls, network devices or flow records. External sources can be further enriched with the domain name, country and geographical details.
Abnormal Administrative Behavior
Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc., using data from Active Directory (AD) account management events.
Intrusion Detection and Infections
This can be done by using data from IDS/IPS, antivirus, anti-malware applications, firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc.
Statistical analysis can be used to study the nature of the data. Functions like average, median, quartile etc. serve this purpose. Numerical data from all kinds of sources can be used to monitor relationships such as the ratio of inbound to outbound bandwidth usage, data usage per application, response time comparisons etc.
System Change Activities
Using collected data to quickly identify configuration changes, audit configuration changes, policy changes, policy violations and the like.
Malicious Insider Identification
Edward Snowden is the most famous example of a legitimate contractor who accessed, collected and made use of highly sensitive data from the NSA, the agency he was serving. This proves that no organization is immune to insider threats of this kind.
Smart Investigator is able to identify users and contractors with high-risk activity or access to sensitive data, by investigating their behavior history log by log, second by second.
Data exfiltration attempts, information leakage through email etc., using data from mail servers, file sharing applications etc.
Malicious Intruders Identification
Consider a person within the company who was monitored, investigated and identified as responsible for leaking or stealing security information. The company’s security team would like to be alerted as soon as he sets foot in the building.
The native integration with the NEC NeoFace® physical security module allows Smart Investigator to alert security admins immediately when a blacklisted/whitelisted person passes in front of a registered camera within the CCTV network. The application automatically sends an email/message alert in real time.
Abnormal authentication attempts, off-hour authentication attempts etc., using data from Windows, UNIX and any other business application that requires authentication.
Sensitive Data Access Investigation
The access of enterprise users to databases, file share systems and applications may have hidden, high-risk patterns. While some actions may be considered more suspicious than others, access becomes riskier when it’s in the hands of certain high-risk users.
Smart Investigator uses its dedicated set of innovative modules to analyze users’ access to databases, file share systems, and applications, and to automatically pinpoint suspicious access activities.
Multiple sources (internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc.
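As an added example (not part of the original page or the Smart Investigator product), the following Python flags a user account whose logins within a sliding time window come from several distinct sources, run over constructed Windows/Unix-style login records; the record layout, the 10-minute window and the threshold of three sources are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real logs): timestamp, account, source, platform.
SAMPLE_EVENTS = """\
2024-03-01T08:00:12 jdoe 10.0.1.15 windows
2024-03-01T08:01:40 jdoe 10.0.1.15 windows
2024-03-01T08:02:05 jdoe 203.0.113.7 unix
2024-03-01T08:03:30 jdoe 198.51.100.9 windows
2024-03-01T08:05:00 asmith 10.0.2.20 windows
2024-03-01T09:10:00 asmith 10.0.2.20 unix
2024-03-01T12:00:00 jdoe 10.0.1.15 windows
"""


def parse_events(text):
    """Parse whitespace-separated login records into (time, account, source, platform)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, platform = line.split()
        events.append((datetime.fromisoformat(ts), account, source, platform))
    return events


def find_multi_source_sessions(events, window=timedelta(minutes=10), min_sources=3):
    """Return {account: set(sources)} for every account whose logins inside some
    span no longer than `window` came from at least `min_sources` distinct sources."""
    by_account = defaultdict(list)
    for ts, account, source, _platform in events:
        by_account[account].append((ts, source))
    flagged = {}
    for account, logins in by_account.items():
        logins.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(logins)):
            # Advance `start` until logins[start..end] all fall inside the window.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            sources = {src for _, src in logins[start:end + 1]}
            if len(sources) >= min_sources:
                flagged.setdefault(account, set()).update(sources)
    return flagged


if __name__ == "__main__":
    for account, sources in find_multi_source_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: logins from {len(sources)} distinct sources: {sorted(sources)}")
```

Tuning the window and threshold to the organization's normal login patterns (VPN plus workstation, for instance) keeps the alert volume manageable.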
Security Events Verification
Information security teams need a second level of event prioritization for monitoring, achieved by enriching SIEM/FW/IDS/DLP systems with big-data, machine-learning-based analytics on users. SIEM systems manage rule-based events that are correlated and prioritized in real time. Smart Investigator ensures better prioritization of events, based on non-rule-based big data and historical data analysis.