CounterBreach combines machine learning with granular insight into how users access data to spotlight risky or dangerous insider behavior. The product has been in early access with a number of Imperva customers and has brought to light many incidents in which user actions put enterprise data at risk.
Read below to learn about incidents that we’ve uncovered so far, and click here to register for our beta program and to get further CounterBreach updates.
Data Mishandling Incident. A user directly connects to a database and modifies an abnormally high number of records within PCI tables.
With granular visibility into database access, CounterBreach learns the difference between the access patterns of interactive users and applications. It understands that the PCI tables are typically accessed by applications, and therefore it’s unusual to see an interactive user querying sensitive application data rather than administrative data. Additionally, CounterBreach learns how users normally access data on a day-to-day basis and sees that the modifications to these records were out of the ordinary; not only was this exceptional for the user, but also when compared to data access by interactive users across the organization. This behavior is risky because a connection of this nature bypasses the application’s permission model as well as its audit trail.
A similar example is an IT administrator querying database tables that contain credit card information, but by using a highly privileged service account, rather than the admin’s personal database account. This not only masks the user, but gives them full permissions to the database.
Database Account Abuse Incident. A user fails to log in to a database eight times in under four minutes, trying multiple personal database accounts. Upon succeeding with a service account, this user failed to perform any operations because he or she did not have the appropriate permissions.
CounterBreach learns which database accounts are typically used by interactive users and detects multiple failed logins that originate from the same user. Because the solution knows which databases a user commonly accesses, it points out when a user tries to log on to a database they have never used before. Multiple failed database login attempts indicate suspicious activity, especially when the user did not have authorized access in the first place.
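The two checks described in this incident, as an added example that is not CounterBreach code and does not reproduce its models: a sliding-window count of failed logins per client user (across whichever database accounts were tried), and a first-time-access check against the databases each user successfully reached during a learning period. The audit records, field names (client user, database account, database, success flag) and thresholds are all constructed for the example.

```python
"""Added example (not CounterBreach code): burst-of-failures and
never-seen-database checks over a constructed database login audit trail.

Assumptions (ours): each record carries the client user that initiated the
connection, the database account it authenticated as, the target database,
a timestamp and a success flag. Thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # failures inside one window that raise an alert
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# Constructed records mirroring the incident: eight failures in under four
# minutes over three personal accounts, then a success with a service account
# on a database this user never reached before.
AUDIT_LOG = [
    # (timestamp, client_user, db_account, database, success)
    ("2016-03-01 09:00:00", "jdoe",   "jdoe",        "hrdb",  True),
    ("2016-03-01 09:15:00", "jdoe",   "jdoe",        "hrdb",  True),
    ("2016-03-02 10:02:00", "jdoe",   "jdoe",        "hrdb",  True),
    ("2016-03-02 11:30:00", "asmith", "asmith",      "findb", True),
    ("2016-03-03 14:00:10", "jdoe",   "jdoe",        "findb", False),
    ("2016-03-03 14:00:40", "jdoe",   "jdoe_adm",    "findb", False),
    ("2016-03-03 14:01:05", "jdoe",   "jdoe",        "findb", False),
    ("2016-03-03 14:01:30", "jdoe",   "jdoe_adm",    "findb", False),
    ("2016-03-03 14:02:00", "jdoe",   "jdoe_old",    "findb", False),
    ("2016-03-03 14:02:35", "jdoe",   "jdoe",        "findb", False),
    ("2016-03-03 14:03:10", "jdoe",   "jdoe_old",    "findb", False),
    ("2016-03-03 14:03:50", "jdoe",   "jdoe_adm",    "findb", False),
    ("2016-03-03 14:04:20", "jdoe",   "svc_billing", "findb", True),
    ("2016-03-03 15:00:00", "asmith", "asmith",      "findb", False),  # a lone typo, no alert
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def parse(records):
    """Turn the string timestamps into datetimes and sort chronologically."""
    return sorted(((_parse_ts(ts), u, a, d, ok) for ts, u, a, d, ok in records),
                  key=lambda r: r[0])


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD,
                        window=FAILED_LOGIN_WINDOW):
    """For each client user, find the densest window of failed logins; report it
    when the failure count reaches `threshold`, along with the accounts tried."""
    failures = defaultdict(list)
    for ts, user, acct, db, ok in records:
        if not ok:
            failures[user].append((ts, acct, db))
    findings = []
    for user, fails in failures.items():
        best = (0, 0, 0)                   # (count, start_index, end_index)
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1                 # slide the window forward
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            burst = fails[s:e + 1]
            findings.append({
                "user": user,
                "failures": count,
                "accounts": sorted({a for _, a, _ in burst}),
                "databases": sorted({d for _, _, d in burst}),
                "start": burst[0][0],
                "end": burst[-1][0],
            })
    return findings


def first_time_database_access(records, learn_until):
    """Learn which databases each client user successfully reached before
    `learn_until`; flag later successful logins to any other database and
    note whether a non-personal (service) account was used."""
    cutoff = _parse_ts(learn_until)
    known = defaultdict(set)
    findings = []
    for ts, user, acct, db, ok in records:
        if not ok:
            continue
        if ts < cutoff:
            known[user].add(db)
        elif db not in known[user]:
            findings.append({"user": user, "database": db, "account": acct,
                             "time": ts, "personal_account": acct == user})
            known[user].add(db)            # report each new database once
    return findings


def run_example():
    recs = parse(AUDIT_LOG)
    return failed_login_bursts(recs), first_time_database_access(recs, "2016-03-03 00:00:00")


if __name__ == "__main__":
    bursts, new_dbs = run_example()
    for b in bursts:
        print(f"{b['user']}: {b['failures']} failed logins between {b['start']} and "
              f"{b['end']} using accounts {b['accounts']}")
    for f in new_dbs:
        print(f"{f['user']}: first successful login to {f['database']} via {f['account']}"
              f" (personal account: {f['personal_account']})")
```

Keying the burst on the client user rather than the database account is what makes account hopping visible: eight failures spread over three accounts would look like three small events if counted per account. The second check keys on the user as well, so a success through a service account still counts against the user's own history.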
Unstructured Data Theft Incident. A user copies around 2,000 documents from a department file share very slowly over the course of six hours.
CounterBreach has a granular view into how users access network file shares. It learns what typical file access rates look like compared to the user's peer group, as well as across the entire organization, and detects activity performed on a large number of files. CounterBreach also learns which IP addresses employees use, as well as the file shares they most often access. This slow rate of file exfiltration is often the work of malware, or of a user copying files remotely over VPN from an outside location.
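A low-and-slow copy is invisible to a per-minute rate threshold, so the useful comparison is a long window against a peer baseline. The following is an added example, not CounterBreach code: it learns each user's daily distinct-file count and usual source IPs from a quiet period, takes the peer group's median as the baseline, then slides a six-hour window over later file-share events and flags a user whose distinct-file count in one window is far above that baseline, noting whether the traffic came from an address the user had never used. The events, the peer-group mapping, the share paths and the thresholds are constructed for the example.

```python
"""Added example (not CounterBreach code): sliding-window file-share access
rate compared with a peer-group baseline, plus a new-source-IP check.

Assumptions (ours): file-share audit events carry a timestamp, the user, the
client IP and the file path; peer groups are known from a directory."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=6)
RATE_FACTOR = 5        # alert when a window holds > 5x the peer group's daily median...
MIN_FILES = 200        # ...and at least this many distinct files

PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "eng"}


def build_sample_events():
    """Constructed events: three quiet days, then one user copying 2,000 files
    between 02:00 and 08:00 from a VPN address (one file roughly every 11 s)."""
    events = []
    day0 = datetime(2016, 3, 7)
    usual = (("alice", "10.1.1.5", 20), ("bob", "10.1.1.6", 25),
             ("carol", "10.1.1.7", 15), ("dave", "10.1.2.9", 30))
    for d in range(3):
        for user, ip, n in usual:
            for i in range(n):
                ts = day0 + timedelta(days=d, hours=9, minutes=15 * i)
                events.append((ts, user, ip, f"//fs01/{PEER_GROUP[user]}/doc{i}.docx"))
    start = day0 + timedelta(days=3, hours=2)
    for i in range(2000):
        ts = start + timedelta(seconds=i * 10.8)          # 2000 files over 6 hours
        events.append((ts, "bob", "192.0.2.44", f"//fs01/finance/archive/file{i}.pdf"))
    return events


def slow_copy_alerts(events, learn_until, window=WINDOW,
                     rate_factor=RATE_FACTOR, min_files=MIN_FILES):
    cutoff = datetime.strptime(learn_until, "%Y-%m-%d %H:%M:%S")
    events = sorted(events, key=lambda e: e[0])

    # Learning phase: distinct files per user per day, and each user's source IPs.
    daily = defaultdict(lambda: defaultdict(set))
    known_ips = defaultdict(set)
    for ts, user, ip, path in events:
        if ts < cutoff:
            daily[user][ts.date()].add(path)
            known_ips[user].add(ip)
    peer_daily = defaultdict(list)
    for user, days in daily.items():
        peer_daily[PEER_GROUP[user]].extend(len(files) for files in days.values())

    # Detection phase: per user, count distinct files in a sliding window.
    per_user = defaultdict(list)
    for ev in events:
        if ev[0] >= cutoff:
            per_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in per_user.items():
        peers = peer_daily.get(PEER_GROUP[user], [])
        baseline = median(peers) if peers else 0
        threshold = max(min_files, rate_factor * baseline)
        in_window = deque()
        files = Counter()
        ips = Counter()
        for ts, _, ip, path in evs:
            in_window.append((ts, ip, path))
            files[path] += 1
            ips[ip] += 1
            while ts - in_window[0][0] > window:             # expire old events
                _, old_ip, old_path = in_window.popleft()
                files[old_path] -= 1
                ips[old_ip] -= 1
                if files[old_path] == 0:
                    del files[old_path]
                if ips[old_ip] == 0:
                    del ips[old_ip]
            count = len(files)
            if count >= threshold and (user not in alerts or count > alerts[user]["files"]):
                alerts[user] = {
                    "user": user,
                    "files": count,
                    "window_start": in_window[0][0],
                    "window_end": ts,
                    "peer_daily_baseline": baseline,
                    "source_ips": sorted(ips),
                    "new_source_ip": any(i not in known_ips[user] for i in ips),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for a in slow_copy_alerts(build_sample_events(), "2016-03-10 00:00:00"):
        print(f"{a['user']}: {a['files']} distinct files between {a['window_start']} and "
              f"{a['window_end']} (peer daily median {a['peer_daily_baseline']}), "
              f"from {a['source_ips']}, new source IP: {a['new_source_ip']}")
```

The window length is the knob that decides what "slow" means: with a six-hour window the 2,000-file copy in the sample shows up as a single event, whereas a one-hour window would see about 330 files at a time and the baseline comparison would have to be correspondingly tighter.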
Risky Event of Interest. A user accesses data late at night on four different occasions, performing queries on sensitive financial database tables. This is the only user in the organization who works between midnight and 6:00 a.m.
By distinguishing whether database access is performed by an interactive user or by an application, CounterBreach can detect when a human user is querying sensitive information designed specifically for use by an application. The solution also learns how users normally interface with data, and can point out access outside of standard working hours.
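The data-mishandling incident and this late-night event rest on the same two learned facts: which tables are normally touched only by applications, and at which hours each user (and the organization as a whole) normally works. The following is an added example, not CounterBreach code: it derives both from a learning period of database audit records and then flags interactive queries that break either pattern. It assumes each record carries the account, the client tool, the table and a timestamp, and it treats a session as interactive when the client tool is a known interactive client; CounterBreach infers interactive versus application access from behaviour, which this example does not reproduce. The audit trail and table names are constructed.

```python
"""Added example (not CounterBreach code): learn application-only tables and
working hours from a baseline, then flag interactive queries that break them.

Assumptions (ours): audit records are (timestamp, account, client_tool,
table); a known interactive client tool marks the session as interactive."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_TOOLS = {"sqlplus", "toad", "ssms", "dbeaver"}
APP_TABLE_MAX_INTERACTIVE_SHARE = 0.05   # at most 5% interactive access => application table
MIN_BASELINE_QUERIES = 20                # too little data: leave the table unclassified


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_sample_log():
    """Constructed audit trail: a billing application reading cc_transactions
    around the clock, two admins on admin tables during office hours, one
    daytime admin query to cc_transactions, then one admin querying
    cc_transactions at 02:30 on four consecutive nights."""
    log = []
    day0 = datetime(2016, 3, 7)
    for d in range(5):                                   # five days of learning data
        for h in range(24):
            for m in (0, 20, 40):
                log.append((day0 + timedelta(days=d, hours=h, minutes=m),
                            "billing_app", "app-server", "cc_transactions"))
        for h in range(9, 18):
            log.append((day0 + timedelta(days=d, hours=h, minutes=5), "alice", "sqlplus", "audit_log"))
            log.append((day0 + timedelta(days=d, hours=h, minutes=35), "bob", "toad", "user_sessions"))
    log.append((day0 + timedelta(days=1, hours=11), "alice", "sqlplus", "cc_transactions"))
    for d in range(5, 9):                                # detection period
        log.append((day0 + timedelta(days=d, hours=2, minutes=30), "bob", "toad", "cc_transactions"))
    return log


def learn_baseline(log, learn_until):
    """Classify tables by the share of interactive access and record the hours
    at which each interactive user was seen, before `learn_until`."""
    cutoff = _parse_ts(learn_until)
    per_table = defaultdict(lambda: [0, 0])              # table -> [total, interactive]
    user_hours = defaultdict(set)
    for ts, account, tool, table in log:
        if ts >= cutoff:
            continue
        interactive = tool in INTERACTIVE_TOOLS
        per_table[table][0] += 1
        per_table[table][1] += int(interactive)
        if interactive:
            user_hours[account].add(ts.hour)
    app_tables = {t for t, (n, i) in per_table.items()
                  if n >= MIN_BASELINE_QUERIES and i / n <= APP_TABLE_MAX_INTERACTIVE_SHARE}
    org_hours = set().union(*user_hours.values()) if user_hours else set()
    return {"app_tables": app_tables, "user_hours": dict(user_hours), "org_hours": org_hours}


def detect(log, baseline, learn_until):
    """Flag interactive queries after `learn_until` that hit an application-only
    table, fall outside the user's learned hours, or fall outside every
    interactive user's hours (the 'only person awake at 2 a.m.' case)."""
    cutoff = _parse_ts(learn_until)
    alerts = []
    for ts, account, tool, table in sorted(log, key=lambda r: r[0]):
        if ts < cutoff or tool not in INTERACTIVE_TOOLS:
            continue
        reasons = []
        if table in baseline["app_tables"]:
            reasons.append("interactive user querying an application-only table")
        if ts.hour not in baseline["user_hours"].get(account, set()):
            reasons.append("outside this user's usual working hours")
        if ts.hour not in baseline["org_hours"]:
            reasons.append("no interactive user in the organization works at this hour")
        if reasons:
            alerts.append({"time": ts, "account": account, "tool": tool,
                           "table": table, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    sample = build_sample_log()
    base = learn_baseline(sample, "2016-03-12 00:00:00")
    print("application-only tables:", sorted(base["app_tables"]))
    for a in detect(sample, base, "2016-03-12 00:00:00"):
        print(f"{a['time']} {a['account']} via {a['tool']} on {a['table']}: {'; '.join(a['reasons'])}")
```

Each alert carries every reason that applied, which is how a reviewer tells an admin doing legitimate night maintenance on admin tables (one reason) from the incident above, where an interactive user hits an application table at an hour when nobody else in the organization is working (all three).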
Interested to see what’s happening in your environment? Click here to learn more about our beta program.