User-Based Risk Monitoring: Answering the
Question, "Who Dunit?!" On Your Network and
Across Cloud Services
In today's Whiteboard Wednesday, Jason Weiss from the UserInsight Engineering Team, will tell you exactly how you can answer the question, "Who Dunit?!" on your network and across cloud services.
Finding out exactly who is posing security risks to your organization is tough to figure out if you do not have a user activity monitoring tool. This is especially difficult if you are looking to gain visibility into risky behavior across the cloud services your employees are using or even across mobile environments.
Watch this video to learn how you can better monitor risky behavior across your network, cloud, and mobile environments with Rapid7 UserInsight.
Read Video Transcript
Hi, I'm Jason Weiss with the User Insight Engineering Team. Today's Whiteboard Wednesday. We're going to talk about Whodunit, focusing on user network attribution. Answering the question of whodunit can be a particularly challenging problem when you start looking beyond the traditional IT security perimeter. When you think about things like cloud services, figuring out the whodunit can be very challenging.
Let's take a look at this car, for example. We have a license plate on the car, and when it goes through the toll booth, we actually are able to correlate the license plate on that car with a specific user and the VIN number of that car, knowing that everything aligns pretty well.
Unfortunately, when we talk about computers and VPNs and DHCP, things aren't quite as easily attributed. At 3:14 pm, for example, here, when this laptop logs in we're able to actually determine that this user and this asset received this IP address at 3:14, which is great.
The problem with that is that unlike license plates that are largely static and used for years at a time, as soon as the user logs off from the VPN connection, within a few seconds, because there's a finite number of IP addresses, that IP address could be reassigned from say P. Jones to S. Willard on the network. That poses a particular challenge when you have cloud services being accessed, and let's say somebody's using a forbidden cloud service, and you know it came from the IP address of 192.168.1.5.
Well, how do you find just the facts? How do you figure out whodunit if this is a continuous timeline of users being assigned IP addresses? What we can do with the User Insight product is actually correlate all of this data that we aggregate and answer the whodunit question by looking at user attribution on the network. So we take all of the log files, and we actually can attribute a specific user at a specific time very quickly, so you don't have to crawl through a bunch of sim logs to make that determination when you're looking to figure out whodunit.
So if you're looking to identify restricted cloud services or a rogue bot doing command and control on your network, that network attribution is very critical, and that's what we can provide you here at Rapid7. Thank you.