LogicHub is the leading Intelligent Security Automation Platform that marries a powerful Decision Engine to a flexible Workflow Engine. Proven to deliver 10x the performance of traditional Security Orchestration Automation and Response (SOAR) solutions, it is the only platform of its kind to deliver analysis and decision-making automation to exponentially improve alert triage, incident response, and threat hunting.
One of the many use cases that LogicHub customers have implemented and benefited from is that of automating the monitoring of users writing files to external USB drives.
User File Copy Monitoring Challenges:
- Constant flow of IOCs
- High volume of log entries per day to analyze
- Tedious and repetitive process for analysts that is time consuming
- No easy and consistent way for analysts to manually determine what is unusual activity
- Limited analyst resources to process every log entry and/or alert
The goal is to automate the analysis of logs related to external file copies and the escalation of alerts for suspicious activity. This gives the SOC consistent monitoring of the logs, potentially helping with both DLP needs and audit requirements.
Collect the Data and Combine
Logs for files written to external drives can generally be found in a couple of places depending on the environment, including antivirus (AV), endpoint detection and response (EDR), or data loss prevention (DLP) products. A SIEM connection can be used to get the raw logs into LogicHub. Once there, they can be parsed, analyzed, and trimmed down to a subset for either human analysis or escalation. For this flow, Symantec SEP logs were used.
Figure 1: Sample Symantec SEP Logs - Raw
The raw logs are ingested into LogicHub and parsed for processing by the flow.
Figure 2: Sample USB Write Logs - Parsed
Once parsed, it becomes easier to apply whitelisting to the logs to remove anything that does not need to be escalated. These whitelist definitions will be unique to your own environment. Items to whitelist on include:
- File type
After both parsing and whitelisting have been applied, the remaining logs are ready for either human analysis or escalation.
Determining Anomalous Activity
In addition, we want to track USB file writes per user per day and look for outliers that could indicate a possible change in behavior. This type of monitoring can be performed with a feature built into LogicHub itself, called “baselining”. A baseline allows you to compare current (most recent) behavior with past behavior to determine whether the current behavior is consistent with it. This is helpful in determining deviations in users’ or systems’ behaviors.
We can use the existing playbook to gather the data for the baseline, and from there define how much data to capture and use as a historical barometer for comparing a user’s actions against their past actions.
The baseline playbook has the captured data at the top. From there it takes 1 day of activity as input on the left side and a 14-day history of activity on the right side, and both are processed by the baseline scoring node.
Figure 3: Sample Baseline Flow
The baseline scoring node assigns both an “lhub_score” and an “lhub_confidence_score” to each unique row from the left input node. The lhub_score can be read as a severity, and the lhub_confidence_score is, as the name implies, the confidence in the assigned lhub_score.
From this point the thresholds for both lhub_score and lhub_confidence_score can be decided upon. A takeaway from the sample score logs below is that each Domain_User and IP_Address pair is scored against its own baseline history. For one user, 31 files written to a USB in a day warrants a high score, while for another it takes 200 files to be considered an anomaly.
Figure 4: Sample Baseline Scoring Output
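To make the per-user baseline concrete, here is an added example (not LogicHub's own scoring node or code) that takes a constructed 14-day history of daily USB write counts per Domain_User and IP_Address pair, scores one day of current activity against that pair's own history, and applies assumed thresholds. The z-score-based severity, the confidence formula, the threshold values and the sample users are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of parsed USB write logs, already aggregated to one row per
# (Domain_User, IP_Address, day, files_written). Days 0-13 form the 14-day history;
# day 14 is the current day. These are made-up values, not real SEP logs.
HISTORY = [("corp\\alice", "10.0.0.5", d, 2 + d % 3) for d in range(14)]          # ~2-4 files/day
HISTORY += [("corp\\bob", "10.0.0.9", d, 100 + 10 * (d % 3)) for d in range(14)]  # ~100-120 files/day
CURRENT = [("corp\\alice", "10.0.0.5", 14, 31), ("corp\\bob", "10.0.0.9", 14, 200)]


def daily_counts(rows):
    """Group rows into {(user, ip): {day: files_written}}, summing duplicate days."""
    out = defaultdict(lambda: defaultdict(int))
    for user, ip, day, n in rows:
        out[(user, ip)][day] += n
    return out


def score(current_rows, history_rows, history_days=14):
    """Assumed scoring, not LogicHub's algorithm: lhub_score is a 0-10 severity from
    how many standard deviations today's count sits above the pair's own history;
    lhub_confidence_score (0-10) grows with how much of the history window the pair
    actually has data for."""
    hist = daily_counts(history_rows)
    results = {}
    for user, ip, _day, n in current_rows:
        past = list(hist.get((user, ip), {}).values())
        if not past:  # no baseline yet: nothing to compare against, so zero confidence
            results[(user, ip)] = {"lhub_score": 0, "lhub_confidence_score": 0}
            continue
        mu = mean(past)
        # Floor the spread so a flat history does not turn small changes into huge z-scores.
        sigma = max(pstdev(past), 0.1 * mu, 1.0)
        z = (n - mu) / sigma
        results[(user, ip)] = {
            "lhub_score": max(0, min(10, round(z))),
            "lhub_confidence_score": min(10, round(10 * len(past) / history_days)),
        }
    return results


def escalate(results, min_score=7, min_confidence=5):
    """Apply thresholds (assumed values) to select the pairs worth escalating."""
    return sorted(pair for pair, s in results.items()
                  if s["lhub_score"] >= min_score and s["lhub_confidence_score"] >= min_confidence)


if __name__ == "__main__":
    for pair, s in score(CURRENT, HISTORY).items():
        print(pair, s)
```

With this data, 31 files is a top-severity outlier for the low-volume user while the same 31 files would score 0 for the high-volume user, whose own anomaly only appears near 200.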
LogicHub’s intelligent automation goes beyond orchestration and data enrichment to automatically perform baseline analysis of normal behavior, in this case for copying files to external drives. The same baseline function can be easily applied to any other data source for more accurate and effective alert triage and prioritization. In this use case, the security team not only automated a job but also gained a new anomaly detection method.
For more security automation use cases, visit www.logichub.com.