Log Files Tell a Partial Story
Most User and Entity Behavior Analytics (UEBA) solutions rely solely on interpreting log files. This approach can miss user activity on the endpoint, such as renaming files and other obfuscation techniques, and is blind to user activity off the corporate network.
In fact, many malicious actions look like legitimate business activities. Users constantly download files, copy and paste data, use screenshots, compress files, and share sensitive information. Security and compliance teams need to understand when an action is a precursor to a malicious action. UEBA solutions don’t provide this all-important context or visibility.
Visibility to User Intent with DTEX InTERCEPT
DTEX InTERCEPT provides visibility into all user activity by integrating into the endpoint where the activity takes place, on or off the corporate network. With hundreds of known-bad behavior patterns “built in”, DTEX InTERCEPT can identify malicious intent and known threats without the 3 to 4 months of tuning required by UEBA solutions.
Unlike UEBA and log-based solutions that rely on intensive collection of Windows Event logs, firewall logs, proxy logs, and AV logs, DTEX InTERCEPT collects only 3-5 MB of endpoint-based metadata per user per day. This means full user behavior visibility even when users are off corporate networks, and no negative impact on endpoint or network performance.
Only DTEX InTERCEPT can discern between legitimate and malicious activities without hundreds of custom rules or months of observation. Its dedicated signal sees the important activity that network-based tools and event logs miss to provide analysts the full context needed to dismiss or act on suspicious user activity quickly.
User Behavioral Awareness to Stop Data Loss
The Insider Threat Kill Chain describes the steps a malicious insider takes to identify and steal sensitive data. Traditional UEBA solutions relying on log data can see only bits and pieces of the actions in the kill chain, leaving organizations vulnerable to malicious and accidental loss of information. The table below illustrates the advantages of DTEX InTERCEPT versus log-based UEBA solutions.
|Kill Chain Activity|DTEX|Log-Based UEBA|
|---|---|---|
|Detects launching of PowerShell|||
|Detects downloading or launching of common hacking tools|||
|Unusual rates of opening files|||
|Unusual access to new file locations|||
|Mounting USB drives or accessing cloud storage|||
|Detect TOR browser|||
|Detect “incognito” mode|||
|Non-corporate private messaging tools|||
|Compressing files||If on network|
|Changing file extensions|||
|Unusual rates of file renaming|||
|Use of steganography applications|||
|Clearing cookies and event viewer logs||If on network|
|Copy and paste data into an email or document|||
|Use a screen capture and save the data as an image file|||
|Copy data to removable media|||
|Upload sensitive data to a cloud service|||
|Send data to a personal email account|||
|Use AirDrop to transfer data to another device|||
DTEX InTERCEPT – A Smarter Approach to User & Entity Behavior Analytics
DTEX InTERCEPT is the first and only Workforce Cyber Intelligence platform to deliver holistic, real-time awareness about the workforce’s activities without invading personal privacy. Born in the cloud and scalable to millions of devices in hours, DTEX empowers enterprises to easily see, understand and act on contextual intelligence using ‘out of the box’ customer-tested and community-based scoring frameworks proven to stop insider threats, prevent data loss, maximize software investments, and protect the workforce, wherever they may be.