Fortscale User and Entity Behavior Analytics (UEBA) identifies and scores anomalous activity to uncover risky actions and insider threats. Fortscale’s proprietary UEBA engine combines predictive, big data analytics and advanced machine learning to accurately spot outlier activity that represents a risk to the organization. The real-time risk profile of all entities – users, devices, applications, entitlements, etc. – can be used by security analysts or integrated into security infrastructure devices to improve decision-making and support dynamic policy enforcement that effectively neutralizes the threats facing an organization.
There are two ways the Fortscale UEBA engine can be deployed – as a stand-alone solution or as an embedded engine within security infrastructure solutions. As a stand-alone solution, Fortscale UEBA for SOC is designed to add real-time, risk-based behavioral analytics to an organization’s security operations center (SOC) to improve its ability to investigate threats and manage risk. As an embedded engine, Fortscale Presidio is designed to be easy for security vendors to integrate into their security solutions, adding behavioral analytics that enhance their detection and remediation capabilities.
Fortscale is specifically optimized for analyzing user behavior, and unlike SIEM solutions or other machine analytics platforms, Fortscale doesn’t use rules and thresholds to define behavior. Abnormal behaviors that indicate a compromised user account or insider threat cannot effectively be determined by rule-based solutions without generating a very high rate of false positives. Fortscale learns the “normal” behavioral patterns of users, and constantly compares those patterns to behaviors obtained from a variety of sources.
There are a number of things that set Fortscale apart from other solutions. Here are a few:
The answer for both of these infamous cases is a resounding “Yes”. From what we have managed to learn about the nature of these incidents, both of them would have been discovered if the organizations had implemented a solution such as Fortscale. In both cases, our machine learning algorithms would have detected anomalies in the nature of the logins, since the accounts used by the attackers were not previously used to log into the systems in question.
Fortscale can identify and quantify the risk-level of the activities of different users and entities to uncover:
One of Fortscale’s greatest strengths is its user-centric analytics approach, which takes into account user activity across multiple devices and platforms, including mobile devices. Any device activity that is logged by a centralized core enterprise access application, such as Kerberos authentication, VPN access, etc., can be tracked by Fortscale, and the device identified will be associated with the user activity.
Here are just a few examples:
Yes – Fortscale can tag a ‘first time’ action. For example – the system can tag a first time connection from a certain source machine to a specific target machine.
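As an added illustration of the ‘first time’ tagging described here (and of the “account never previously used to log into that system” anomaly mentioned above), the following Python is example code written for this page, not Fortscale’s own engine; the log lines, field layout, tag names and weights are constructed assumptions.

```python
# Added example (not Fortscale code): a first-seen login detector. Per account
# it learns the (source, target) pairs seen in a baseline period, then tags and
# scores later logins that use an account, target or pair never seen before.
from collections import defaultdict
# Constructed auth log lines: timestamp,user,source_host,target_host,result
BASELINE_LOG = """\
2017-03-01T08:02:11,alice,ws-alice,fileserver01,success
2017-03-01T08:05:40,alice,ws-alice,mail01,success
2017-03-01T08:10:02,bob,ws-bob,fileserver01,success
2017-03-02T09:01:13,alice,ws-alice,fileserver01,success
2017-03-02T09:30:55,bob,ws-bob,git01,failure
"""
NEW_LOG = """\
2017-03-15T02:14:09,alice,ws-alice,fileserver01,success
2017-03-15T02:16:41,alice,vpn-pool-17,db01,success
2017-03-15T02:20:03,svc_backup,ws-bob,fileserver01,success
"""
WEIGHTS = {"first_time_account": 3, "first_time_target": 2,
           "first_time_src_dst_pair": 1}   # assumed risk weights per tag

def parse(log):
    """Yield one dict per CSV line; skips blank lines."""
    for line in log.splitlines():
        if line.strip():
            ts, user, src, dst, result = line.split(",")
            yield {"ts": ts, "user": user, "src": src, "dst": dst, "result": result}

def learn_baseline(log):
    """Build a per-account profile from successful baseline logins only."""
    profile = defaultdict(lambda: {"pairs": set(), "targets": set()})
    for ev in parse(log):
        if ev["result"] == "success":
            profile[ev["user"]]["pairs"].add((ev["src"], ev["dst"]))
            profile[ev["user"]]["targets"].add(ev["dst"])
    return dict(profile)

def tag_events(profile, log):
    """Return [(event, tags, score)]; score is the sum of the tag weights."""
    results = []
    for ev in parse(log):
        tags = []
        p = profile.get(ev["user"])
        if p is None:                      # account never seen logging in
            tags.append("first_time_account")
        else:
            if ev["dst"] not in p["targets"]:   # account new to this system
                tags.append("first_time_target")
            if (ev["src"], ev["dst"]) not in p["pairs"]:
                tags.append("first_time_src_dst_pair")
        results.append((ev, tags, sum(WEIGHTS[t] for t in tags)))
    return results
```

In a real deployment the baseline would be re-learned continuously so that a tagged pair, once reviewed, becomes part of the account’s normal profile rather than firing again.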
Yes, accounts associated with services can be tagged as “service accounts” and specifically monitored for risky behavior.
Yes, this is easily done if the organization is using the AD title attribute in their user accounts. If an organization is not using the AD title attribute, this information can usually be obtained from the company’s HR system.
Yes, Fortscale contains a built-in set of reports for instant user behavior analytics. This includes a standard set of canned analytics that enable analysts to quickly reach accurate conclusions when no specific investigation lead is in hand.
Fortscale also offers several packages, each with a set of standard reports and investigation tools that enable analysts to answer specific questions regarding user accounts. For example – we offer a package where analysts can see users who pulled large amounts of data through a VPN connection, which may indicate an exfiltration attempt. The tools and reports highlight the different anomalies and help analysts determine the behavior’s context and whether there is a high probability of compromise.
Using powerful event-aggregation and data visualization capabilities, Fortscale investigation surfaces provide analysts with the information they need to rapidly reduce resolution time. With this comprehensive understanding of user behavior in all contexts, analysts have the insight and agility they need to dramatically streamline investigations and neutralize intruders.
Fortscale’s architecture enables it to connect to any log repositories that support common and standard interface technologies (e.g. syslog, common API, etc.).
Fortscale easily integrates with most common SIEM and Log Management solutions in the market today. We have extensive integration experience with major vendors including Splunk, IBM QRadar, LogRhythm, HP Arcsight, RSA Envision, RSA Security Analytics, and McAfee ESM.
Fortscale administrators and operators are typically security analysts or SOC operators with at least basic experience using standard security tools, looking into SIEM events, and validating security incidents. Our customer success team will provide the necessary user behavior analytics training.
Customers feed log data – more specifically, user access log data – into Fortscale. Most of our customers use Fortscale with the following core set of data sources:
Additionally, Fortscale is an “application-agnostic” solution, and can work with any system that can provide logged transactions with the following attributes:
Yes, Fortscale can model user behavior across multiple applications.
Fortscale Presidio is designed to easily integrate with any security infrastructure solution, natively improving its contextual awareness and risk-based decision-making with user and entity behavioral analytics. Fortscale provides customizable and unique data models, behavioral capabilities and application programming interfaces (APIs) for different use cases, such as:
To improve the context that security analysts have to make decisions, Fortscale UEBA for SOC can integrate with most common SIEM and Log Management solutions in the market today. We have extensive integration experience with major vendors including Splunk, IBM QRadar, LogRhythm, HP Arcsight, RSA Envision, RSA Security Analytics, and McAfee ESM.