Knowledge-driven organizations run on data. As a result, modern enterprises have a fluid organizational structure in which most employees have access to most data to do their jobs. With relatively open access to sensitive structured and unstructured data, it’s tough for security teams to discern what data access behavior is okay and what’s not. Imperva CounterBreach features unique machine learning capabilities that specifically focus on users and how they interact with enterprise data in order to identify insider threats.
User and Data Profiling
CounterBreach detects compromised, careless and malicious insiders by independently profiling both users and data, rather than just user activity. By analyzing from both perspectives, CounterBreach is able to detect the truly worrisome incidents that warrant the attention of the security team.
Dynamic Peer Group Analysis
To understand risky user behavior, it’s important to identify the true peer groups across the enterprise rather than relying on the traditional organizational peer groups. Using Dynamic Peer Group Analysis technology, CounterBreach automatically learns how users across the organization access enterprise files and places them into “virtual” working groups. Once peer groups are identified, CounterBreach flags risky file access from unrelated individuals. Machine learning is also used to associate network files with the most relevant Active Directory group, providing security teams with more context about the nature of the files pertaining to an incident.
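The following is an added illustration of the peer-group idea described above, not Imperva's own code or algorithm: users are clustered into "virtual" groups by the overlap in the files they touch (Jaccard similarity with an assumed threshold), and a file access is flagged when every prior accessor of that file sits outside the accessing user's learned group. The access log, the threshold and the function names are constructed assumptions.

```python
from itertools import combinations

# Constructed sample file-access log (user, file path); not real data.
ACCESS_LOG = [
    ("alice", "/finance/q1.xlsx"), ("alice", "/finance/budget.xlsx"),
    ("bob", "/finance/q1.xlsx"), ("bob", "/finance/budget.xlsx"),
    ("carol", "/finance/budget.xlsx"), ("carol", "/finance/payroll.csv"),
    ("dave", "/eng/design.md"), ("dave", "/eng/build.yaml"),
    ("erin", "/eng/design.md"), ("erin", "/eng/build.yaml"),
]

def files_by_user(log):
    """Collapse the raw log into the set of files each user has touched."""
    profile = {}
    for user, path in log:
        profile.setdefault(user, set()).add(path)
    return profile

def jaccard(a, b):
    """Overlap between two users' file sets (0.0 = nothing in common)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def virtual_peer_groups(profile, threshold=0.3):
    """Link users whose pairwise similarity meets the (assumed) threshold;
    each connected component is one learned 'virtual' peer group."""
    parent = {u: u for u in profile}
    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path halving
            u = parent[u]
        return u
    for u, v in combinations(profile, 2):
        if jaccard(profile[u], profile[v]) >= threshold:
            parent[find(u)] = find(v)
    groups = {}
    for u in profile:
        groups.setdefault(find(u), set()).add(u)
    return list(groups.values())

def is_risky_access(user, path, profile, groups):
    """Flag an access by an unrelated individual: the file has a usage
    baseline, and none of its prior accessors share the user's peer group."""
    prior = {u for u, files in profile.items() if path in files and u != user}
    if not prior:
        return False  # never-seen file: no baseline, nothing to compare against
    user_group = next(g for g in groups if user in g)
    return prior.isdisjoint(user_group)
```

A never-seen file yields no alert here because there is no baseline to compare against; a production system would fall back to data-centric signals (sensitivity, location) for that case.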
Data Access Domain Expertise
CounterBreach machine learning technology accurately identifies insider threats by leveraging algorithms that are tailored to specifically identify abusive data access. The solution establishes a behavioral baseline by analyzing granular user-centric details (such as user identity, user department, client IP, and client app) and data-centric details (such as table name, SQL operation, data sensitivity and number of rows). Using all of these elements, CounterBreach automatically learns about the actors and data in the environment to help security teams understand:
- Did an application or interactive user touch the data?
- Was a highly privileged service account used or an individual’s personal account?
- Is the information touched considered metadata or business critical data?
To accurately identify breaches, every data access needs to be captured and analyzed. Given that even a few moderate-sized databases generate terabytes of raw log data per day, multiplying this by tens or hundreds of databases over the course of a year drives up the cost of both capturing and storing this information. Imperva is able to monitor every transaction with minimal impact on production databases, and uses dimensionality reduction techniques to process billions of events per day on a single CounterBreach server.