Fortscale FAQ

There are two ways the Fortscale UEBA engine can be deployed – as a stand-alone solution and an embedded engine within security infrastructure solutions. As a stand-alone solution, Fortscale UEBA for SOC, is designed to add real-time, risk-based behavioral analytics to an organization’s security operations center (SOC) to improve ability to investigate threats and manage risk. As an embedded engine, Fortscale Presidio is designed to be easy for security vendors to integrate into their security solutions to add behavioral analytics to enhance their detection and remediation capabilities.

Fortscale User and Entity Behavior Analytics (UEBA) identifies and scores anomalous activity to uncover risky actions and insider threats. Fortscale’s proprietary UEBA engine combines predictive, big data analytics and advanced machine learning to accurately spot outlier activity that represents a risk to the organization. The real-time risk profile of all entities – users, devices, applications, entitlements, etc. – can be used by security analysts or integrated into security infrastructure devices to improve decision-making and support dynamic policy enforcement that effectively neutralizes the threats facing an organization.

Fortscale is specifically optimized for analyzing user behavior, and unlike SIEM solutions or other machine analytics platforms, Fortscale doesn’t use rules and thresholds to define behavior. Abnormal behaviors that indicate a compromised user account or insider threat cannot effectively be determined by rule-based solutions without generating a very high rate of false-positives. Fortscale learns “normal” behavioral patterns of users, and constantly compares those patterns to behaviors obtained from a variety of sources.

There are a number of things that set Fortscale apart from other solutions. Here are a few:

Fortscale™ SMART Alerts: Our proprietary machine learning algorithms were created specifically to establish the correct context behind user behavior, thus providing accurate and highly relevant results to help analysts quickly identify user motives.
Scalable architecture: Fortscale works right out of the box no matter what the scale is. Our Hadoop-based infrastructure (unlike some major competitors) is fully self contained and enables us to horizontally scale our solution.
Fortscale is application agnostic, allowing it to quickly adapt its learning & detection capabilities to any user access event being logged.
Automatic continuous tuning: Unlike the majority of security analytics products – Fortscale is not rule-based or signature-based. Fortscale requires no customization. As soon as deployment is over, analysts can start getting highly relevant and accurate insights from day 1.

Fortscale can identify and quantify the risk-level of the activities of different users and entities to uncover:

  • Compromised user credentials
  • Abuse of privileged users
  • Third-party access compromise
  • A snooping user
  • Service account compromise
  • Exfiltration attempts
  • A suspicious geolocation sequence
  • Shared credentials
  • Network misconfiguration
  • Departing employee
  • Credentials compromised on the Darknet
  • Remote lateral movement

The answer for both of these infamous cases is a resounding “Yes”. From what we have managed to learn about the nature of these incidents, both of them would have been discovered if the organizations had implemented a solution such as Fortscale. In both cases, our machine learning algorithms would have detected anomalies in the nature of the logins, since the accounts used by the attackers were not previously used to log into the systems in question.

One of Fortscale’s greatest strengths is the ability to have a user-centric analytics approach, which takes into account the user activity across multiple devices and platforms, including mobile devices. Any device activity which is being logged by a centralized core enterprise access application such as Kerberos authentication, VPN access, etc., can be tracked by Fortscale and the device identified will be associated with the user activity.

Here are just a few examples:

  • Stolen User Credentials: Our customers frequently detect imposters that are using stolen but valid user credentials.
  • Malicious Insiders – Fortscale frequently pinpoints employees accessing highly sensitive account information when they should not be.
  • Policy Violations – Fortscale helps identify account sharing by detecting multiple accounts in use at the same time, or from different geolocations. Often, such policy violations reveal privileged account holders sharing their credentials with outsiders or less-privileged employees.
  • Risky Accounts – Fortscale has helped many of our customers identify users engaged in risky behavior such as snooping through sensitive data that was unrelated to their job.
  • Automated Information Gathering Activity – By identifying unusual rates of access activity Fortscale customers frequently detect compromised user accounts used to scour for sensitive resources on the pray.

Yes – Fortscale can tag a ‘first time’ action. For example – the system can tag a first time connection from a certain source machine to a specific target machine.

Yes, accounts associated with services can be tagged as “service accounts” and specifically monitored for risky behavior.

Yes, this is easily done if the organization is using the AD title attribute in their user accounts. If an organization is not using the AD title attribute, this information can usually can be obtained from the company’s HR system.

Yes, Fortscale contains a built-in set of reports for instant user behavior analytics. This includes a standard set of canned-analytics to enable analysts to quickly reach accurate conclusions when no specific investigation lead is in hand.

Fortscale also offers several packages, each with a set of standard reports and investigation tools that enable analysts to answer specific questions regarding user accounts. For example – we offer a package where analysts can see users who pulled large amounts of data through a VPN connection, which may indicate an exfiltration attempt. The tools and reports highlight the different anomalies and help analysts determine the behavior’s context, and if there’s a high probability of compromise.

Using powerful event-aggregation and data visualization capabilities, Fortscale investigation surfaces provide analysts with the information they need to rapidly reduce resolution time. With this comprehensive understanding of user behavior in all contexts, analysts have the insight and agility they need to dramatically streamline investigations and neutralize intruders.

Fortscale’s architecture enables it to connect to any log repositories that support common and standard interface technologies (e.g. syslog, common API, etc.).

Fortscale easily integrates with most common SIEM and Log Management solutions in the market today. We have extensive integration experience with major vendors including Splunk, IBM QRadar, LogRhythm, HP Arcsight, RSA Envision, RSA Security Analytics, and McAfee ESM.

Fortscale administrators and operators are typically security analysts or SOC operators with at least basic experience using standard security tools, looking into SIEM events, and validating security incidents. Our customer success team will provide the necessary user behavior analytics training.

Customers input log data into Fortscale, and more specifically – user access log data. Most of our customers use Fortscale with the following core set of data sources:

  • Active Directory
  • Crown Jewels Applications
  • Salesforce Logs
  • VPN Logs
  • Windows Account Management Events
  • Printing Logs
  • NTLM logs
  • Kerberos Authentication
  • Windows Group Management Events
  • Oracle DB Logs
  • SSH Logs
  • Intel Security McAfee Web Gateway Logs
  • Forcepoint DLP Logs
  • Network DLP
  • Secure Web Gateway
  • Cisco ACS

Additionally, Fortscale is an “application-agnostic” solution, and can work with any system that can provide logged transactions with the following attributes:

  • User account name
  • Action performed (login, logout, request for resource, etc.)
  • User location and destination addresses
  • When the action took place (timestamp)

Yes, Fortscale can model user behavior across multiple applications.

Fortscale Presidio is designed to easily integrate with any security infrastructure solution to natively improve their contextual awareness and risk-based decision-making with user and entity behavioral analytics. Fortscale provides customizable and unique data models, behavioral capabilities and application program interfaces (APIs) for different use cases, such as:

  • Security Incident and Event Management (SIEM) systems – providing new investigative capabilities that help uncover insider threats. Presidio enriches the data with embedded behavioral analytics and real-time risk scores on users and entities that replace rule-based correlation engines to improve detection accuracy and expedite investigations.
  • Endpoint Detection and Response (EDR) & Endpoint Protection Platform (EPP) solutions – expanding their visibility into the malicious behaviors of users, by leveraging best-of-breed machine learning to identify risky activity and insider threats.
  • Data Loss Prevention (DLP) solutions – enhancing their ability to identify internal threats, by adding machine learning and advanced investigation capabilities that dramatically improve the accuracy and relevancy of their alerts.
  • Identity and Access Management (IAM) solutions – helping them adjust entitlements and enforcement, based on real-time user/entity risk assessments and intelligence, to minimize the attack surface and make risk-based policy adjustments.
  • Cloud Access Security Broker (CASB) gateways – adding visibility into the activity of users within the enterprise and providing behavioral analytics that enable them to better understand and prioritize events, threats and risks.

To improve the context that security analysts have to make decisions, Fortscale UEBA for SOC can integrate with most common SIEM and Log Management solutions in the market today. We have extensive integration experience with major vendors including Splunk, IBM QRadar, LogRhythm, HP Arcsight, RSA Envision, RSA Security Analytics, and McAfee ESM.


Schedule a Demo