Online Retailer Enhances Visibility into User-Based Threats

Major US Online Retailer Enhances Visibility into User-based Threats with CyberEdge’s c-AssurPeople User Behavior Analytics


Background

A $1 billion online retail company in the US was looking for a way to strengthen its defenses against risky users and the hijacking of legitimate user credentials. The company was already among the first to use Splunk both as its SIEM and as a Big Data platform for security, collecting and running analytics on data from its many IT systems. From a threat mitigation perspective, however, the company realized that it was still struggling to discover suspicious and malicious user-based threats. It required a security analytics solution that would complement its Splunk log repository and platform, provide user behavior analytics, and help mitigate user-related threats.


The Need: Better Insight Into User Behavior

In addition to its Splunk Big Data platform, the retailer was also using several traditional security tools. While these tools were effective for data aggregation and for detecting many types of external threats, they were prone to false positives and were unable to discover rogue or compromised users and other types of suspicious user behavior. For this reason, the customer sought a solution that would do a better job of discovering user-based threats and complement the capabilities of Splunk.


The Challenge: Transform Big Data Into User Intelligence

Like most large enterprises, this retailer had huge volumes of log and event data. It also had a highly skilled team of experienced security analysts adept at using Splunk tools to collect this data and produce general security event information. What the team lacked was a way to efficiently mine and analyze this log data to find suspicious or malicious user behaviors that could indicate a serious security breach.

The customer needed user behavior analytics with an advanced machine learning engine, layered on top of its Splunk platform, to transform massive amounts of event and log data into timely user intelligence that could be used by security analysts to discover, investigate and remediate user-based threats before they became serious security incidents.


The Solution: c-AssurPeople User Behavior Analytics

After an evaluation process, this online retailer chose to use CyberEdge’s user behavior analytics solution to augment the existing Splunk capabilities and internal processes used by their security team. The c-AssurPeople solution seamlessly connects to the customer’s Splunk environment, retrieves the log data associated with user login activities, and generates insights into abnormal and suspicious user behaviors for immediate investigation by analysts.

In addition, CyberEdge’s solution allows the retailer to quickly identify false positives generated by other security tools. In one instance, the retailer’s existing database security tool generated a high severity warning about a suspicious query to a sensitive database. Within a matter of minutes, the analyst performed the following investigation:

  • Identified the person who owns the DB account and his other accounts (Windows, VPN, etc).
  • Explored the VPN activity of that person, identifying a suspicious connection made from Europe.
  • Discovered that during the VPN session the person used his SSH account to access a Jumpbox machine from which he initiated another SSH session to access the DB server. Once on the DB server, the user logged into the DB and initiated the query that triggered the high severity alert.
  • Completed the investigation by validating that the person was indeed on a vacation in Europe and thus confirmed the false positive.

With just a few clicks, CyberEdge provided the analyst with all the relevant information. The solution's risk scoring, combined with its rich querying capabilities, allowed the analyst to reach a definitive conclusion within minutes. Before using CyberEdge c-AssurPeople, similar investigations took hours. These time savings represent a clear and easy-to-measure ROI.
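The four investigation steps above amount to a correlation across identity, VPN and SSH data keyed on one person. The script below is an added illustration of that correlation and is not CyberEdge or Splunk code: it maps a DB account to a person and their other accounts, finds the VPN session open at the alert time, reconstructs the SSH hop chain from the VPN into the jumpbox and on to the DB host, and surfaces the geo anomaly for a human to confirm. All log entries, account names, hosts, the `vpn-pool` source label and timestamps are constructed for the example; it also handles the case the text does not show, an alert with no covering VPN session.

```python
"""Correlate a database alert back to a person across identity, VPN and SSH logs.

Added example of the investigation sequence above; not CyberEdge or Splunk code.
Every record, account name, host and timestamp below is constructed.
"""
from datetime import datetime, timezone

# Assumed label the VPN gateway stamps as the SSH source for VPN clients.
VPN_SRC = "vpn-pool"

# Constructed identity mapping: one person's accounts across systems (step 1).
IDENTITY_MAP = [
    {"person": "jdoe", "home_country": "US",
     "accounts": {"db": "app_reports", "windows": "CORP\\jdoe",
                  "vpn": "jdoe", "ssh": "jdoe"}},
]

# Constructed logs; in practice these come back from SIEM queries.
DB_ALERTS = [
    {"ts": "2023-06-14T09:42:10Z", "db_account": "app_reports", "host": "db01",
     "severity": "high", "detail": "SELECT * FROM customers_pii"},
    {"ts": "2023-06-14T23:10:00Z", "db_account": "app_reports", "host": "db01",
     "severity": "high", "detail": "SELECT * FROM customers_pii"},
]
VPN_SESSIONS = [
    {"user": "jdoe", "src_country": "DE",
     "start": "2023-06-14T09:30:02Z", "end": "2023-06-14T10:05:44Z"},
]
SSH_LOGINS = [
    {"ts": "2023-06-14T09:35:20Z", "user": "jdoe", "src": VPN_SRC, "dst": "jump01"},
    {"ts": "2023-06-14T09:40:05Z", "user": "jdoe", "src": "jump01", "dst": "db01"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_person(db_account):
    """Step 1: map the DB account to the person and their other accounts."""
    for entry in IDENTITY_MAP:
        if entry["accounts"].get("db") == db_account:
            return entry
    return None


def vpn_session_at(vpn_user, when):
    """Step 2: find the VPN session that was open at the alert time."""
    for s in VPN_SESSIONS:
        if s["user"] == vpn_user and parse_ts(s["start"]) <= when <= parse_ts(s["end"]):
            return s
    return None


def ssh_path(ssh_user, start, end, db_host):
    """Step 3: rebuild the SSH hop chain inside the window that ends on db_host,
    walking backwards from the hop that landed on the DB server."""
    hops = sorted((h for h in SSH_LOGINS
                   if h["user"] == ssh_user and start <= parse_ts(h["ts"]) <= end),
                  key=lambda h: h["ts"])
    chain, current = [], db_host
    for h in reversed(hops):
        if h["dst"] == current:
            chain.insert(0, h)
            current = h["src"]
    return chain


def investigate(alert):
    """Assemble the timeline an analyst needs to decide on the alert."""
    when = parse_ts(alert["ts"])
    person = resolve_person(alert["db_account"])
    if person is None:
        return {"person": None, "verdict": "unmapped account"}
    session = vpn_session_at(person["accounts"]["vpn"], when)
    chain = []
    if session:
        chain = ssh_path(person["accounts"]["ssh"], parse_ts(session["start"]),
                         when, alert["host"])
    findings = []
    if session is None:
        findings.append("no VPN session covers the alert time")
    else:
        if session["src_country"] != person["home_country"]:
            findings.append(f"VPN from {session['src_country']}, home is {person['home_country']}")
        if not chain or chain[0]["src"] != VPN_SRC:
            findings.append("no SSH path from VPN to the DB host")
    return {
        "person": person["person"],
        "accounts": person["accounts"],
        "vpn_session": session,
        "ssh_chain": [(h["src"], h["dst"]) for h in chain],
        "findings": findings,
        # Step 4 is a human check (e.g. confirm travel with the person);
        # the script only flags that the geo anomaly needs it.
        "needs_human_confirmation": any(f.startswith("VPN from") for f in findings),
    }


if __name__ == "__main__":
    for alert in DB_ALERTS:
        print(alert["ts"], investigate(alert))
```

The first alert resolves to a complete chain (VPN from DE, SSH to the jumpbox, SSH on to db01) and is left for the analyst to confirm against the person's travel; the second has no covering VPN session, so the script cannot build the path and reports that gap instead of clearing the alert.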


The Results: Better Visibility, Reduced Risk, Improved ROI

CyberEdge’s user behavior analytics, together with Splunk’s high-powered big data analysis capabilities, enabled this retailer to achieve excellent results:

  • Better visibility and insight into suspicious and malicious user behavior
  • Reduced risk from malicious insiders and other user-based threats
  • Enhanced value from the log and event data aggregated in Splunk
  • Maximum ROI from existing security tools and Big Data systems

Learn more about user behavior analytics and the other tools and services available to protect your company. Visit www.cyberedge.com