User Entity Behavior Analytics UEBA

                  User Entity Behavior Analytics (UEBA)

  • SIEM Implementation: – Working with leading Israel based bank for 4 Fraud Analytics projects of behavior analytics which includes banking fraud analytics and insider threats, monitoring threat assessment using risk threat intelligence platform. Work directly with customers, understand business and technical requirements. Design and implement security solution successfully completed. 6 implementation of User Entity Behavior Analytics SIEM for 4 projects in multiple phases of Banking Security.
    1. Fraud Intelligence: – Implementation of fraud intelligence based USE cases in UEBA SIEM with help of behavior analytics platform. Fraud transaction analytics & providing predictive intelligence with help of real-time use cases. Providing 24/7/365 support for feature enhancement and act as mediator for development team & bank.
    2. UEBA Operations Center: – Creating custom policies on SIEM, monitoring threat activities, incident handling and ticketing system. Monitoring behaviors of high risk users, ATM, Credit Cards. Creating incident cases and monitoring threat link analysis on UEBA SIEM platform. Worked with threat intelligence monitoring team for providing / implementing / blocking the threat from the infected network environment and perform further analysis based on patterns and attack vectors. This includes server builds and database configuration, storage systems within the UEBA environment.
  • Perform proof of concepts (POC): User Entity Behavior Analytics & demonstration to prospects clients, continuous improvement and suggestion to development them on behalf of client side use cases. Completed successful POC for BFSI segment.
  • Architecture & Operations: – Working with architecture and operations department for creating standard, scalable, secure architecture for all customers of UEBA. Maintaining checklist for operation activities for SIEM, health checkup of physical environment, daily / monthly activity checklist for allocated customers. Enhanced Solution Architect Teams’ pricing tool, SOWs, PSRs for entire portfolio of products working closely with the engineering team.
  • Infrastructure: – Working on threat lab for finding new threat to organization by correlating logs & forensics analysis for the same. Implementation, configuration & managing VMWARE ESXI 6.0 platform with 6 servers each of 256 GB RAM & 6 TB storage. Inside threat lab my job is to work in 2 areas first is build insider threat analytics use cases second area is activity behavior analytics.
  • Threat Hunting
    • Perform all types of hunting which includes proactive, stealthy, methodical and involves all level of cyber threat hunt and cyber kill chain cycles. Depends on customer requirement and situational awareness one of the hunting methodologies will be adopted which primarily includes Data-Driven Hunting, Intel-Driven Hunting, Entity-Driven Hunting, TTP-Driven Hunting, Hybrid hunting. Actively hunt for Industry and region-specific Indicators of Compromises (IOCs) and Threat actors. In-depth Link Analysis, finding magnitude of an Attack and performing Root-Cause Analysis. Collect and Provide actionable intelligence inputs from various internal & external sources. Providing a context of the threat and determine the relevant and prioritized response. Develop and update Indicators of Compromises (IOCs) library to ensure threat hunting activities are aligned with best practices, minimize gaps in response and provide comprehensive mitigation of threats
    • Cyber Threat Hunting :- Designing Threat Model for complex indicators of compromises of different sophisticated attacks like DNS Shadowing, Fast Flux DNS, Beaconing, Phishing, APT, Lateral Movement, Browser Compromised, DNS Amplification, DNS Tunneling, Skeleton key Malware, Advance Persistent Threats, Low and Slow attacks, Composite Threat Detection, Attacks Related to Airplanes, DNS Reconnaissance, Domain Generation Algorithm, Robotic Pattern Detection, DoS, Intrusion Detection, Cookie visibility and theft, User login Session hijacking, Broken Trust, Session fixation, Data Snooping / Data aggregation, Cross Channel Data Egress, Reverse Shell, log4jExploit, RDP Tunnel, Reflective DLL Loading Attack, Kerberoast, Juicy Potato, Golden and Silver Tickets, Cobalt Strike.
    • Banking fraud detection. Developed threat models, cross correlate security policies by writing Spotter, SQL, HQL complex queries using machine learning concepts.
    • Analysis of packets and perform cross correlation of transacted entity (logs) to transaction entity (packets). Find abnormal communication and find beaconing, covert channel by leveraging BPP, PPS, BPS
    • Passive Threat Hunting: – Threat hunting though Linux which includes Linux commands, AWK, SED. Normalizing raw event before ingesting for analytics and hunt for anomalies based on result threat model enrichment and identify highly sophisticated adversaries.
    • IOC Hunting: – Creating and maintaining IOC repository and sharing with global team. IOC hunting using strings, redline, network miner, mandiant_ioc_editor.
    • RED/PURPLE Team Detection: – In POV phase detected almost all RED teaming activities by using hybrid hunting model. Proficient on usage of VECTR purple teaming solution. Maintaining attack artifacts and reference set of all detected attacks and adversaries.
    • Fraud / Insider Threat: – Configuration of fraud analytics use cases Data Snooping, Financial fraud detection, Data Enumeration, Multi-dimensional regional banking transaction use cases, SWIFT Use Cases.
  • Data Source Configured: – Direct integration or ingestion of events form different log sources. Primarily categorization of logs based on functionalities like DNS, Proxy, Firewall, Endpoint, DLP, DHCP, IAM, System, Email. Mostly logs configured for all different functionalities like Web Proxy, Data Loss Prevention / Endpoint DLP, Next Generation Firewall, Email / Email Security, Firewall, Authentication / VPN, Antivirus / Malware / EDR, Data Loss Prevention / Network DLP, Microsoft Windows, Content Management System, Endpoint Management Systems, DNS / DHCP, Network Security, Authentication / SSO / Single Sign-On, Application / Enterprise / SaaS, Cloud Services / Applications, Identity Access Management, Unix / Linux / AIX. Bank ATM, Banking Internal System logs, SWIFT Logs.
  • UEBA Professional Services: –
Ø  UEBA Deployment and Custom ConfigurationØ  Log RetentionØ  Use Cases fine tuning
Ø  Architecture level changes, Design & PlanningØ  Emergency solutions for app issuesØ  UEBA Performance Acceleration & Optimization
Ø  Different security module ImplementationØ  UEBA Upgrade and MigrationØ  Use cases Testing and POCs – Demo Lab
  •  Fraud based anomaly detection system. In context of contribution I have designed architectures of each component. Testing use cases of each feature and validating all results.

Data aggregation: – Working on User Entity Behavior Analytics platform for log management by aggregating data from multiple sources, including network, security, servers, databases and applications. Providing the ability to consolidate monitored data to help avoid missing crucial events.

Alerting: Filter SIEM platform provided alerts & automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

Retention: Working on long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.

Packet Analytics: – Network data analytics using packet inspection. Doing research by implementation of MOLOCH & Elasticsearch in threat lab & integrating analytical output with SIEM. With MOLOCH packet analytics I am working on following use cases. High Usage Of Bandwidth, Dos Attack, URL Usages, Malware Analysis, Port Traffic Usage, Access Intelligence, Geolocation Mapping, Connection Holding Patters, Session Profile Filters.

  • Comprehensive knowledge on implementation of user behavior analytics SIEM & building smart connectors, report template development and custom rule configuration.
  • Real time monitoring and investigation analysis escalating incidents on different levels. Worked with threat intelligence monitoring team for providing/implementing/blocking the threat from the infected network environment and perform further analysis based on patterns and attack vectors.
  • Worked as a part of incident analysis team to identify analyze third party intelligence feed which includes domains/ips/malwares behaviors and report to respective team for further actions.

Worked on SIEM use case deployment configuration validations and fine tuning the content and creating knowledge base for other team members. Validated and worked in preparation of internal workflow process with technical procedures and generate security operation document for processes, use case run book, acceptances criteria and associated risk tasks.

  1. Establish global network security analytics risk policies, threat analysis practices, procedures, Monitor user identity, access and activity information across heterogeneous systems/applications and devices
  2. Approve, implement and maintain the security and access control points in the infrastructure utilizing Security Analytics
  3. Prepare weekly and monthly security analytics reports highlighting to Sr. Management the company’s Risk. Increased awareness to Sr. Management the vital role of the information security department.
  4. Implement continuous stan
  5. Identify and mark unprincipled access privileges using advanced Peer Group analysis technique & mine typical behavior for end nodes, peer groups and resources
  6. dardized controls across the IT environment including separation of duty checks
  7. On demand compliance reporting, including user access and end node account activity reports
  8. Monitoring High Risk Access to reduce the pressure of stamping during access certifications.
  9. Build contextual policies using identity, access and activity data & Quantify Risk Score for the Anomalous Activities
  10. On behalf of behavoir pattern intelligence detect  unprincipled, fraudulent User Activities
  11. Integration of multiple SIEM technologies for actionable intelligence. SIEM technologies includes Splunk, ArcSight.
  12. Data Exfiltration Intelligence, Privileged Account Detection and Security Profiling on behalf of Real-time threat and risk monitoring, Behavior Anomaly Detection
  13. Monitoring with Real-Time Entity Correlation and Behavior-based Anomaly Detection
  14. Personalized and Prioritized Threat and Risk Dashboards and Data Driven Link Analysis & Investigation
  15. Investigate using visualization workbench with advanced link analysis, case management and workflow

Insider Threat Analytics

· Data Theft Detection And Prevention

· Fraud Detection And Prevention

· VIP Fraud Analysis

· Sabotage Analysis And deterrence

· Peer and User Behavior Analytics

· Malware Beaconing Detection

Fraud intelligence

· Enterprise Fraud Detection

· Web Fraud Detection

· Customer Service Rep Fraud Detection

· Peak / Hit Analysis

· User Access Review

· Intellectual Property Prevention

Cyber Threat Analytics

· Targeted Attack Detection

· APT Detection

· Advanced Malware Detection

· Cyber Investigation & Response

· Behavior Pattern Analysis

· Anomaly Detection using Behavior Analytics

SOC Monitoring & Forensics

Context-Aware Cyber Threat Analytics

· Link Analysis and Forensics Response

· High Privileged Account Activity Monitoring

· Enterprise Application Security Monitoring

· Incidence Response And Case Management

· User & Organizational Risk Score Analytics

· Insider Threat Security Operation Management