Behavior Analysis
One of the challenges users face with SIEM technology today is that although a robust SIEM solution can answer almost any question about what is going on in the enterprise network, the end-user must know what question to ask. SIEM solutions are, in effect, only as good as the people using them. Even rule-based correlation suffers from this challenge: once a rule has been written, the condition is detected dependably, but the rule's author must already understand the exact pattern to look for.
Many of the biggest security problems facing security personnel today are the new, the unknown and the previously undetected, for which no rule has yet been written. Good security personnel recognize they also have to simply poke around in the logs looking for unusual behaviors that might indicate something is not quite right. This approach is valuable, but it is time-consuming, tedious and unsystematic.
Analyzing Logon Failure Activity
With EventTracker’s Behavior Analysis, Prism uses automatic statistical analysis to monitor the event stream for any new, different or unusual occurrences. EventTracker learns the normal activity of the network, systems, applications and users, then detects and alerts on any previously unseen behavior or any deviation from that learned norm. If a user normally logs in 50 times a day and suddenly logs in 200 times in a day, this pattern is detected. Is this a problem? Perhaps not, but it is certainly unusual and worth investigating. Similarly, anything new (a new user, application or process) is recorded and can be easily reviewed. This automatic monitoring augments and improves the manual review of logs, resulting in quicker detection and less analyst time spent.
Conditions detected include:
- Abnormally high or low administrator and user activity
- Abnormally high or low system, process or IP activity
- First seen for IP addresses, admins, users, processes etc.
- Sudden changes in event volumes
Every monitoring class can be configured, augmented and easily tuned over time by the end-user, including what to monitor, the learning period and the threshold at which a change becomes interesting. Because every deviation is measured against what was learned, the learning period should cover a representative, known-good window of activity; a baseline learned during an incident or an unusually quiet period will treat the wrong behavior as normal.
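The following is an added example of the kind of statistical analysis described above (learning a per-entity baseline, then flagging first-seen users and IP addresses, abnormally high or low per-user and per-IP activity, and sudden changes in total event volume). It is not EventTracker or Prism code; the event format, the entity names, the five-day learning period, the sigma-based threshold and the sample log events are all assumptions constructed for illustration.

```python
"""Behavior analysis over a logon event stream: learn a per-entity baseline
during a learning period, then flag first-seen entities and abnormal daily
volumes against a tunable threshold.

Added example, not EventTracker or Prism code. The event format, entity
names, learning period and thresholds are assumptions made for illustration.
"""
from collections import defaultdict, namedtuple
from math import sqrt
from statistics import mean, pstdev

Finding = namedtuple("Finding", "kind entity observed expected")


def make_events():
    """Constructed sample stream of successful logons: (day, user, source_ip)."""
    events = []
    for day in range(1, 6):                               # learning period
        events += [(day, "alice", "10.0.0.5")] * 50       # alice: 50/day
        events += [(day, "bob", "10.0.0.7")] * 10         # bob: 10/day
    events += [(6, "alice", "10.0.0.5")] * 200            # alice: 4x her norm
    events += [(6, "bob", "10.0.0.7")] * 10               # bob: unchanged
    events += [(6, "mallory", "203.0.113.9")] * 3         # never-seen user and IP
    return events


def daily_counts(events, days):
    """entity -> day -> count, for the days of interest. Entities are
    (class, name) pairs so users, IPs and total volume share one code path."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, ip in events:
        if day in days:
            for entity in (("user", user), ("ip", ip), ("volume", "all")):
                counts[entity][day] += 1
    return counts


def learn_baseline(events, learning_days):
    """Per-entity (mean, stdev) of daily counts over the learning period.
    Days with no activity count as zero so intermittent entities get a
    realistic spread rather than an inflated mean."""
    counts = daily_counts(events, set(learning_days))
    baseline = {}
    for entity, per_day in counts.items():
        series = [per_day.get(d, 0) for d in learning_days]
        baseline[entity] = (mean(series), pstdev(series))
    return baseline


def detect(events, baseline, day, z_threshold=3.0):
    """Compare one day against the baseline. Returns first-seen entities and
    entities whose daily count is z_threshold sigmas above or below normal."""
    counts = daily_counts(events, {day})
    findings = []
    for entity, per_day in counts.items():
        if entity not in baseline:
            findings.append(Finding("first_seen", entity, per_day[day], 0))
    for entity, (mu, sd) in baseline.items():
        observed = counts[entity][day] if entity in counts else 0
        # A perfectly regular baseline has sd == 0, which would make any
        # change infinitely significant; floor sigma at the Poisson noise
        # level sqrt(mu) (and at 1) so the threshold stays meaningful.
        sigma = max(sd, sqrt(mu), 1.0)
        z = (observed - mu) / sigma
        if z >= z_threshold:
            findings.append(Finding("abnormally_high", entity, observed, mu))
        elif z <= -z_threshold:
            findings.append(Finding("abnormally_low", entity, observed, mu))
    return findings


if __name__ == "__main__":
    events = make_events()
    baseline = learn_baseline(events, learning_days=range(1, 6))
    for f in detect(events, baseline, day=6):
        print(f"{f.kind:16} {f.entity[0]}={f.entity[1]:<12} "
              f"observed={f.observed:<4} expected~{f.expected:.0f}")
```

Running it against the constructed day 6 surfaces mallory and 203.0.113.9 as first seen, alice and her source IP as abnormally high (200 against a norm of 50), and total volume as abnormally high, while bob, whose activity is unchanged, produces nothing. A day with no events at all is reported as abnormally low for every learned entity, which is the same machinery catching a silent host or a logging outage. The learning period and `z_threshold` are the two knobs the text describes as user-tunable.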