Why Monitoring Geolocation Information Matters for Security

February 05, 2014

In today’s Whiteboard Wednesday, Jason Weiss, a member of the engineering team for InsightIDR at Rapid7, will discuss the topic, “Why Monitoring Geolocation Information Matters for Security”.

Do you think it would be useful to be able to monitor geolocation traffic across your network, the cloud services that your employees use, or even in mobile environments? What if you saw an employee of yours walk by your office, but you saw that he accessed your network in Russia? In this video, Jason explains the importance of geolocation monitoring in order to find anomalies in user activity.

If this sounds interesting to you, check out InsightIDR. In one platform you gain the visibility into user activity and threats across your network, cloud and mobile environments.

Video Transcript

Hi, I'm Jason Weiss with the User-Insight Engineering team here at Rapid7. Today we want to talk on this Whiteboard Wednesday about why geolocations matter for security.


Let's say you've got Acme Corporation sitting here in Boston, Massachusetts and in Boston, they have a zip code of 02115. What's interesting about zip codes is that zip codes can help us identify a city for where that particular number is located, in this case Boston.

IP addresses have a very similar characteristic. There are lots of services out there that let me take an IP address and geo-rectify that IP address into a city as well. For example, let's say that 192.168.1.1 was geo-rectified to Hartford, Connecticut. That would help me plot that IP address on the map.

Now, when we talk about security, and we think about log files, there's lots of information in log files that we might want to visualize. For example, we can see the ingress activity at the various office locations for the company. We can take that volume of ingress activity and adjust the size of the blot on the map, where the fatter blot represents more ingress activity.

We can also look at other characteristics in the log files like success or failure, and color-code that information. In the end, we're able to just quickly glance at that picture and determine what was success and what was failure.

Now, let's say for example we see these ingress activities coming from Hartford, Connecticut and you think, that's weird, because I'm standing here in Boston, Massachusetts. Well, think about a PO Box with a zip code. I can get a PO Box in Lexington, Massachusetts but still be in Boston. A PO Box is just another way for me to get information that happens to have a different zip code assigned to it.

IP addresses, when they're handed out to ISPs, they also have different locations. So even though I'm physically in Boston, the IP address might be in Hartford, Connecticut. But in the end, that doesn't really matter because over time, I can track those ingress activities and create what we call a baseline, and that baseline represents the normal volume of ingress activity from different locations.

So for instance, here on my map I can see that I have ingress in Boston and Hartford and even New York City. Well, as I click on those and I look at them it gets kind of interesting because here I see User-7 in Boston and maybe just moments later I see User-7 authenticated in New York City.

Well, what's going on with that? Did someone take a speed train down to New York? Well, not exactly. In this case, we were able to determine that a contractor was assigned a shared log-in to a restricted set of assets on the network. So, no harm no foul. It's all good.

But let's say one morning you wake up and you come to your trusty map and you look and you see ingress from Flopistan. And in fact, it's the worst-case scenario. You see multiple user IDs failing to ingress and then success. Oh no, it scares me just thinking about that.

But, rest assured. In this case, the company actually sent some folks over to a trade show in Flopistan and they just forgot their password and it was no harm no foul. But, we had to investigate that and the map helped us see where we had success, where we had failure and we were able to see a deviation from that baseline and take appropriate actions.

So, in an ideal situation, wouldn't it be great if that software would automatically inform us of what's transpiring and tell us that hey, we have an alert, we have multiple failed ingress attempts from a location that's not on our normal baseline? That's the kind of stuff we're working on here at Rapid7. If that's interesting to you, reach out to us. Let's talk.
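The detection logic sketched in the talk, as an added example that is not Rapid7's or InsightIDR's code: geo-rectify each login's source IP to a city, build a baseline of where successful ingress normally comes from, then raise the two kinds of alert described above, a run of failures followed by a success from a location that is not on the baseline (the Flopistan case) and a single user authenticating from two cities too close together in time to have travelled between them (the User-7 case). The IP-to-city table, the coordinates and the log lines are all constructed for this example; in practice the table would be replaced by a geo-IP service lookup.

```python
# Added example: baseline-and-anomaly logic for geolocated login events.
# The geo table, coordinates and log lines are constructed for illustration;
# a real deployment would query a geo-IP service instead of GEO_TABLE.
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a geo-IP lookup service: ip -> (city, lat, lon).
GEO_TABLE = {
    "10.0.0.5": ("Boston", 42.36, -71.06),
    "192.168.1.1": ("Hartford", 41.76, -72.67),
    "10.0.0.9": ("New York City", 40.71, -74.01),
    "203.0.113.7": ("Flopistan", 0.0, 60.0),  # fictional location, made-up coordinates
}

def geo_rectify(ip):
    """Map an IP address to (city, lat, lon); unknown IPs resolve to None."""
    return GEO_TABLE.get(ip)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_event(line):
    """Parse one constructed log line: '<iso-time> <user> <ip> <SUCCESS|FAILURE>'."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "success": result == "SUCCESS", "geo": geo_rectify(ip)}

def build_baseline(events):
    """Count successful ingress per city: the normal volume from each location."""
    return Counter(e["geo"][0] for e in events if e["success"] and e["geo"])

def off_baseline_failures_then_success(events, baseline, min_failures=2):
    """Flag cities absent from the baseline where >= min_failures failures precede a success."""
    by_city = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["geo"]:
            by_city[e["geo"][0]].append(e)
    alerts = []
    for city, evs in by_city.items():
        if city in baseline:
            continue
        failures = 0
        for e in evs:
            if e["success"]:
                if failures >= min_failures:
                    alerts.append((city, failures, e["user"]))
                failures = 0
            else:
                failures += 1
    return alerts

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins by one user that imply travel faster than max_kmh."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["success"] and e["geo"]:
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["geo"][1:], cur["geo"][1:])
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, prev["geo"][0], cur["geo"][0]))
    return alerts

# Constructed history used to learn the baseline (yesterday's ingress).
HISTORY = [parse_event(l) for l in """
2014-02-04T08:55:00 user-1 10.0.0.5 SUCCESS
2014-02-04T09:10:00 user-2 10.0.0.5 SUCCESS
2014-02-04T09:20:00 user-4 192.168.1.1 SUCCESS
2014-02-04T10:00:00 user-5 10.0.0.9 SUCCESS
2014-02-04T10:30:00 user-6 203.0.113.7 FAILURE
""".split("\n") if l.strip()]

# Constructed events for the day under review.
TODAY = [parse_event(l) for l in """
2014-02-05T02:00:00 user-3 203.0.113.7 FAILURE
2014-02-05T02:01:00 user-3 203.0.113.7 FAILURE
2014-02-05T02:02:00 user-3 203.0.113.7 SUCCESS
2014-02-05T09:00:00 user-7 10.0.0.5 SUCCESS
2014-02-05T09:05:00 user-7 10.0.0.9 SUCCESS
2014-02-05T09:30:00 user-1 192.168.1.1 SUCCESS
""".split("\n") if l.strip()]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print("baseline:", dict(baseline))
    print("off-baseline failures then success:",
          off_baseline_failures_then_success(TODAY, baseline))
    print("impossible travel:", impossible_travel(TODAY))
```

Only successful logins feed the baseline, so yesterday's single failure from Flopistan does not make that location "normal"; the User-7 Boston-to-New-York hop is flagged because 300-odd km in five minutes far exceeds the 900 km/h threshold, which is where the shared-contractor-login explanation from the talk would come in during triage.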
