The UEBA market is dead, long live UEBA


Today we give an overview of the User and Entity Behavior Analytics (UEBA) market based on recent Gartner research. According to the Gartner Hype Cycle for Threat-Facing Technologies, the UEBA market sits at the bottom of the "trough of disillusionment", which indicates that the technology is maturing. The paradox of this situation is that overall investment in UEBA technology keeps growing while the market for standalone UEBA solutions is disappearing. Gartner predicts that UEBA will become part of the functionality of adjacent information-security solutions. The term "UEBA" will likely fall out of use and be replaced by another acronym, either focused on a narrower application area (for example, "user behavior analytics"), on a similar application area (for example, "data analytics"), or simply by some new buzzword (for example, the term "Artificial Intelligence" [AI] looks attractive, although it makes no sense for today's UEBA vendors).

The key findings of Gartner's study can be summarized as follows:

  • The maturity of the market for user and entity behavior analytics is confirmed by the fact that the technology is used by mid-sized and large enterprises to solve a number of business problems;
  • UEBA analytics capabilities are built into a wide range of adjacent information-security technologies, such as cloud access security brokers (CASBs), identity governance and administration (IGA) systems and SIEM systems;
  • The hype around UEBA vendors and the misuse of the term "artificial intelligence" make it hard for customers to understand the real difference between vendors' technologies and the functionality of their solutions without running a pilot project;
  • Customers note that the implementation time and day-to-day use of UEBA solutions can be much harder and more time-consuming than the vendor promises, even when only the basic threat detection models are considered. Adding custom or edge use cases can be extremely difficult and requires expertise in data science and analytics.

Strategic forecast for the development of the market:

  • By 2021, the market for user and entity behavior analytics (UEBA) systems will cease to exist as a separate segment and will shift towards other solutions with UEBA functionality;
  • By 2020, 95% of all UEBA deployments will be part of a broader security platform.

Definition of UEBA solutions

UEBA solutions use built-in analytics to evaluate the activity of users and other entities (such as hosts, applications, network traffic and data stores).
They detect threats and potential incidents that show up as anomalous activity when compared with the standard profile and behavior of users and entities in similar groups over a period of time.
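The comparison against a user's own profile and against the profile of peers in a similar group can be made concrete. The following Python is an added example and is not code from the article or from any vendor Gartner covers; the per-day activity counts, the department used as peer group, the 7-day minimum baseline and the 3-sigma threshold are all constructed assumptions for illustration.

```python
"""Added example, not from the article or any vendor product: a minimal
UEBA-style check that scores one day's activity for a user against the
user's own historical baseline and against the baseline of the user's
peer group, as the definition above describes. All data is constructed."""
from statistics import mean, pstdev

# Constructed sample data: per user, the peer group (here: department) and a
# list of daily counts of some activity (e.g. files downloaded) during the
# baseline window. Values are invented for this example.
HISTORY = {
    "alice": ("finance", [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]),
    "bob":   ("finance", [10, 9, 12, 11, 10, 13, 9, 11, 10, 12]),
    "carol": ("finance", [14, 13, 15, 12, 14, 16, 13, 15, 14, 13]),
    "dave":  ("eng",     [40, 45, 38, 42, 44, 41, 39, 43, 42, 40]),
    "erin":  ("eng",     [35, 37, 36, 34, 38, 36, 35, 37, 36, 34]),
    "frank": ("eng",     [30, 33, 31]),   # too little history yet
}

# Minimum number of baseline days before an entity is scored at all. Real
# deployments wait 30-90 days; this example uses a small window (assumption)
# so that the constructed data is sufficient.
MIN_BASELINE_DAYS = 7
Z_THRESHOLD = 3.0  # standard deviations above the mean that count as anomalous


def zscore(value, samples):
    """Standard score of `value` against the sample distribution."""
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean(samples) else float("inf")
    return (value - mean(samples)) / sd


def peer_samples(history, user):
    """Baseline observations of every other member of the user's peer group."""
    group = history[user][0]
    samples = []
    for other, (other_group, counts) in history.items():
        if other != user and other_group == group:
            samples.extend(counts)
    return samples


def score_user(history, user, todays_count,
               min_days=MIN_BASELINE_DAYS, threshold=Z_THRESHOLD):
    """Return a verdict dict for one user's activity count today.

    Verdicts (one-sided: only spikes above the baseline are flagged):
      learning          - not enough history to judge, nothing is alerted
      normal            - within the user's own baseline
      unusual_for_user  - outside the user's baseline but ordinary for peers
                          (e.g. a new responsibility); low priority
      anomalous         - outside both the user's and the peers' baselines
    """
    group, own = history[user]
    if len(own) < min_days:
        return {"user": user, "group": group, "verdict": "learning",
                "self_z": None, "peer_z": None}
    self_z = zscore(todays_count, own)
    peers = peer_samples(history, user)
    peer_z = zscore(todays_count, peers) if peers else None

    if self_z <= threshold:
        verdict = "normal"
    elif peer_z is None or peer_z > threshold:
        verdict = "anomalous"
    else:
        verdict = "unusual_for_user"
    return {"user": user, "group": group, "verdict": verdict,
            "self_z": round(self_z, 2),
            "peer_z": None if peer_z is None else round(peer_z, 2)}


if __name__ == "__main__":
    for user, count in [("alice", 14), ("bob", 17), ("bob", 30), ("frank", 100)]:
        print(score_user(HISTORY, user, count))
```

The peer-group comparison is what separates "this is new for Bob" from "this is new for everyone in finance": Bob downloading 17 files is far outside his own baseline but ordinary for his department, so it is reported as unusual_for_user rather than anomalous, while 30 files is anomalous on both measures.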

The most common use cases in the enterprise segment are threat detection and response, and insider threat detection and response (mostly compromised insiders; sometimes internal attackers).

UEBA exists both as a standalone solution and as a function built into a particular tool:

  • Solutions from vendors of "pure" UEBA platforms, including vendors that also sell SIEM solutions separately. These focus on a wide range of business problems in behavior analytics of both users and entities.
  • Built-in: vendors or product divisions that integrate UEBA functions and technologies into their own solutions. These usually focus on a narrower set of business problems. In this case UEBA is used to analyze the behavior of users and/or entities.

Gartner views UEBA along three axes: the problems it solves, its analytics, and its data sources (see figure).

[Figure: the three axes along which Gartner views UEBA: problems solved, analytics, data sources]

"Pure" UEBA platforms versus built-in UEBA

Gartner considers "pure" UEBA platforms to be solutions that:

  • solve several specific problems, such as monitoring privileged users or exfiltration of data outside the organization, rather than merely "monitoring anomalous user activity";
  • involve the use of complex analytics based on fundamental analytical approaches;
  • offer several ways of collecting data, including both built-in data source connectors and log management tools, data lakes and/or SIEM systems, without a mandatory requirement to deploy separate agents in the infrastructure;
  • can be purchased and deployed as standalone solutions rather than being included in the composition of other products.

The table below compares these two approaches.

Table 1. "Pure" UEBA solutions versus solutions with built-in UEBA

Problem to be solved
  "Pure" UEBA platforms: Behavior analysis of both users and entities.
  Solutions with built-in UEBA: Lack of data can limit the UEBA to analyzing the behavior of users only or of entities only.

Problem to be solved
  "Pure" UEBA platforms: Help solve a wide range of problems.
  Solutions with built-in UEBA: Specialize in a limited set of functions.

Analytics
  "Pure" UEBA platforms: Anomaly detection using various analytical methods, mainly statistical models and machine learning, together with rules and signatures. Comes with built-in analytics to build profiles and compare the activity of users and entities with their own profiles and those of their peers.
  Solutions with built-in UEBA: Same as "pure" UEBA, but the analysis may be limited to users only and/or entities only.

Analytics
  "Pure" UEBA platforms: Advanced analytical capabilities that are not limited to rules; for example, clustering algorithms with dynamic grouping of entities.
  Solutions with built-in UEBA: Same as "pure" UEBA, but in some built-in threat models the grouping of entities can only be changed manually.

Analytics
  "Pure" UEBA platforms: Correlation of the activity and behavior of users and other entities (for example, using Bayesian networks) and aggregation of individual risky behaviors to identify anomalous activity.
  Solutions with built-in UEBA: Same as "pure" UEBA, but the analysis may be limited to users only and/or entities only.

Data sources
  "Pure" UEBA platforms: Receive events on users and entities directly from data sources via built-in mechanisms, or from existing data stores such as a SIEM or a data lake.
  Solutions with built-in UEBA: Data ingestion mechanisms are usually direct and cover only users and/or other entities; they do not use log management tools, a SIEM or a data lake.

Data sources
  "Pure" UEBA platforms: The solution should not rely solely on network traffic as its main data source, nor solely on its own agents to collect telemetry.
  Solutions with built-in UEBA: The solution may focus solely on network traffic (for example, NTA, network traffic analysis) and/or use its own agents on end devices (for example, employee monitoring tools).

Data sources
  "Pure" UEBA platforms: Enrich user/entity data with context. Support collection of structured events in real time, as well as aggregated structured/unstructured data from IT directories such as Active Directory (AD) or other machine-readable information sources (for example, HR databases).
  Solutions with built-in UEBA: Same as "pure" UEBA, but the scope of contextual data may vary from case to case. AD and LDAP are the most common contextual data stores used by solutions with built-in UEBA.

Availability
  "Pure" UEBA platforms: Provide the listed features as a standalone product.
  Solutions with built-in UEBA: The built-in UEBA functionality cannot be bought without buying the external solution into which it is built.

Source: Gartner (May 2019)

Thus, to solve specific problems, built-in UEBA may use basic UEBA analytics (for example, simple unsupervised machine learning), yet thanks to direct access to the data it needs it can be more effective than a "pure" UEBA solution. At the same time, "pure" UEBA platforms, as expected, offer more complex analytics as their core know-how compared with a built-in UEBA tool. These findings are summarized in Table 2.

Table 2. Consequences of the differences between "pure" UEBA and built-in UEBA

Analytics
  "Pure" UEBA platforms: Applicability to a variety of business problems implies a universal set of UEBA functions with an emphasis on complex analytics and machine learning models.
  Solutions with built-in UEBA: Focusing on a smaller set of business problems implies specialized features that concentrate on application-specific models and simpler logic.

Analytics
  "Pure" UEBA platforms: The analytical model has to be customized for each application scenario.
  Solutions with built-in UEBA: Analytical models are preconfigured for the tool the UEBA is built into. A tool with built-in UEBA generally produces results faster for the specific business problems it targets.

Data sources
  "Pure" UEBA platforms: Access to data sources from every corner of the enterprise infrastructure.
  Solutions with built-in UEBA: Fewer data sources, usually limited by the presence of the vendor's own agents or by the tool itself that carries the UEBA functions.

Data sources
  "Pure" UEBA platforms: The information contained in each log may be limited by the data source and may not contain all the data the centralized UEBA tool needs.
  Solutions with built-in UEBA: The volume and detail of the raw data collected by the agent and passed to the UEBA can be configured specifically.

Architecture
  "Pure" UEBA platforms: A complete UEBA product for the organization. Integration is easier using the capabilities of the SIEM system or data lake.
  Solutions with built-in UEBA: A separate set of UEBA features is required for each solution with built-in UEBA. Solutions with built-in UEBA often require installing agents and managing data.

Integration
  "Pure" UEBA platforms: Manual integration of the UEBA solution with other tools in each case. Allows the organization to build its technology stack on a "best of breed" basis.
  Solutions with built-in UEBA: The main bundles of UEBA functions are already included in the tool by its vendor. The UEBA module is built in and cannot be removed, so customers cannot replace it with one of their own.

Source: Gartner (May 2019)

UEBA as a function

UEBA is becoming a feature of end-to-end cybersecurity solutions that can benefit from additional analytics. UEBA underpins these solutions by providing a powerful layer of advanced analytics based on user and/or entity behavior patterns.

At present, built-in UEBA functionality is implemented in the following solutions on the market, grouped by technology area:

  • Data-centric audit and protection (DCAP): vendors focused on improving the security of structured and unstructured data stores.

    In this vendor category Gartner notes, among others, the Varonis cybersecurity platform, which offers user behavior analytics to monitor changes in permissions on unstructured data, as well as access to and use of that data across various information stores.

  • CASB systems, which protect against various threats to cloud-based SaaS applications by blocking access to cloud services from unwanted devices, users and application versions by means of adaptive access control.

    All market-leading CASB solutions include UEBA capabilities.

  • DLP solutions, which focus on detecting the transfer of critical data outside the organization or its misuse.

    Advances in DLP are largely based on understanding content, with less emphasis on understanding context such as the user, application, location, time, event velocity and other external factors. To be effective, DLP products must recognize both content and context. That is why many vendors are starting to integrate UEBA functionality into their solutions.

  • Employee monitoring: the ability to record and replay employees' actions, usually in a data format suitable for legal proceedings (if necessary).

    Constant monitoring of users tends to generate a huge amount of data that requires manual filtering and human analysis. UEBA is therefore used inside monitoring systems to improve their effectiveness and surface only high-risk incidents.

  • Endpoint security: endpoint detection and response (EDR) and endpoint protection platforms (EPP) provide powerful instrumentation and operating-system telemetry on end devices.

    Such user-related telemetry can be analyzed to provide built-in UEBA functionality.

  • Online fraud: online fraud detection solutions detect deviant activity indicating that a customer's account has been compromised through spoofing, malware, or exploitation of insecure connections / interception of browser traffic.

    Most fraud solutions use the essence of UEBA, transaction analysis and device evaluation, with more advanced systems complementing these by matching relationships in the identity database.

  • IAM and access control: Gartner notes a convergence trend among access control vendors, who are integrating with pure UEBA vendors and building UEBA functionality into their own products.
  • IAM and Identity Governance and Administration (IGA) systems use UEBA to cover behavior and identity analytics scenarios such as anomaly detection, dynamic peer-group analysis of similar entities, login analysis and access policy analysis.
  • IAM and Privileged Access Management (PAM): because of their role in monitoring the use of administrative accounts, PAM solutions hold telemetry showing how, why, when and where administrative accounts were used. This data can be analyzed with built-in UEBA functionality for anomalous administrator behavior or malicious intent.
  • NTA (Network Traffic Analysis) vendors use a combination of machine learning, advanced analytics and rule-based detection to identify suspicious activity on the corporate network.

    NTA tools continuously analyze source traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior, mainly focusing on entity behavior analysis.

  • SIEM: many SIEM vendors now offer advanced data analytics functionality, either built into the SIEM or as a separate UEBA module. Throughout 2018 and so far in 2019 the boundary between SIEM and UEBA functionality has been blurring continuously, as discussed in the article "Technology Insight for the Modern SIEM". SIEM systems have become better at working with analytics and offer more complex application scenarios.

UEBA application scenarios

UEBA solutions can solve a wide range of problems. However, Gartner customers agree that the main use case is detecting various categories of threats, achieved by surfacing and analyzing the usual correlations between the behavior of users and other entities:

  • unauthorized access and movement of data;
  • suspicious behavior of specific users, malicious or unauthorized actions of employees;
  • non-standard access to and use of cloud resources;
  • and others.

There are also a number of non-cybersecurity use cases, such as fraud or employee monitoring, for which UEBA can be justified. However, these often require data sources outside IT and information security, or specific analytical models with a deep understanding of the domain. The five main scenarios and applications that both UEBA vendors and their customers agree on are described below.

"Malicious insider"

UEBA solution providers that cover this scenario monitor only employees and trusted contractors for unusual, "bad" or malicious behavior. Vendors in this area do not monitor or analyze the behavior of service accounts or other non-human entities. Largely because of this, they do not focus on detecting advanced threats in which attackers take over existing accounts. Instead, they aim to identify employees involved in harmful activity.

Essentially, the "malicious insider" concept stems from trusted users with malicious intent who look for ways to harm their employer. Because malicious intent is hard to measure, the best vendors in this category analyze contextual behavioral data that is not readily available in audit logs.

Solution providers in this area also, where appropriate, add and analyze unstructured data, such as email content, productivity reports or social media information, to provide behavioral context.

Insider and intrusive threats

The challenge is to quickly detect and analyze "bad" behavior after an attacker has gained access to the organization and started moving within the IT infrastructure.
Advanced persistent threats (APTs), like unknown or not yet fully understood threats, are very hard to detect and often hide behind legitimate user activity or service accounts. Such threats usually have a complex operating model (see, for example, the article "Addressing the Cyber Kill Chain"), or their behavior has not yet been assessed as harmful. This makes them hard to detect with simple analytics (such as pattern matching, thresholds or correlation rules).

However, many of these intrusive threats lead to non-standard behavior, often involving unsuspecting users or entities (so-called compromised insiders). UEBA techniques offer several interesting opportunities to detect such threats, improve the signal-to-noise ratio, consolidate and reduce the volume of notifications, prioritize the remaining alerts, and facilitate effective incident response and investigation.

UEBA vendors targeting this problem area often have bidirectional integration with the organization's SIEM systems.

Data exfiltration

The task in this scenario is to detect that data is being transferred outside the organization.
Vendors focused on this challenge usually extend DLP or DAG capabilities with anomaly detection and advanced analytics, thereby improving the signal-to-noise ratio, consolidating the volume of notifications and prioritizing the remaining triggers. For additional context, vendors usually rely heavily on network traffic (such as web proxies) and endpoint data, since analysis of these data sources can help in investigating data exfiltration.

Data exfiltration detection is used to catch both insiders and external attackers who threaten the organization.

Identifying and managing privileged access

Vendors of standalone UEBA solutions in this area monitor and analyze user behavior against the backdrop of the already established system of privileges in order to identify excessive privileges or anomalous access. This applies to all types of users and accounts, including privileged and service accounts. Organizations also use UEBA to remove dormant accounts and user privileges that are higher than necessary.
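As an added example (not from the article or any product it mentions), the following Python reviews a constructed access log against a constructed entitlement inventory to surface exactly the three things described above: entitlements that were never exercised in the review window, dormant accounts, and access that happened without a matching entitlement. The log format, the 90-day dormancy window, the review date and all account and resource names are assumptions made for the example.

```python
"""Added example, not from the article or any vendor product: comparing
granted entitlements with observed access to find unused entitlements,
dormant accounts and access without a matching entitlement.
All data is constructed for this example."""
from datetime import datetime, timedelta, timezone

# Constructed entitlement inventory: account -> set of resources it may use.
ENTITLEMENTS = {
    "alice":      {"db-finance", "fileshare-hr", "admin-console"},
    "bob":        {"fileshare-hr"},
    "carol":      {"admin-console", "db-finance"},
    "svc-backup": {"backup-vault"},
}

# Constructed access log, one event per line:
# "<ISO 8601 timestamp> <account> <resource> <action>"
ACCESS_LOG = """\
2024-05-01T08:02:11Z alice db-finance READ
2024-05-01T08:05:40Z alice db-finance WRITE
2024-05-03T17:44:09Z bob fileshare-hr READ
2024-05-20T09:12:55Z alice fileshare-hr READ
2024-03-02T10:00:00Z svc-backup backup-vault WRITE
2024-05-22T23:58:01Z bob db-finance READ
"""

# Assumptions for the review: the date it runs and the dormancy window.
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)


def parse_log(text):
    """Yield (timestamp, account, resource, action) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               account, resource, action)


def review_access(entitlements, log_text, now, dormant_after=DORMANT_AFTER):
    """Compare what each account is allowed to do with what it actually did.

    Returns {account: {"dormant": bool, "last_seen": datetime|None,
                       "unused_entitlements": [...], "unentitled_access": [...]}}
    """
    last_seen = {}
    used = {account: set() for account in entitlements}
    unentitled = {account: set() for account in entitlements}

    for ts, account, resource, _action in parse_log(log_text):
        last_seen[account] = max(ts, last_seen.get(account, ts))
        if account not in entitlements:
            # Activity from an account missing from the inventory: every
            # resource it touched is unentitled by definition.
            used.setdefault(account, set())
            unentitled.setdefault(account, set()).add(resource)
        elif resource in entitlements[account]:
            used[account].add(resource)
        else:
            unentitled[account].add(resource)

    report = {}
    for account in set(entitlements) | set(last_seen):
        seen = last_seen.get(account)
        report[account] = {
            "dormant": seen is None or (now - seen) >= dormant_after,
            "last_seen": seen,
            "unused_entitlements": sorted(
                entitlements.get(account, set()) - used.get(account, set())),
            "unentitled_access": sorted(unentitled.get(account, set())),
        }
    return report


if __name__ == "__main__":
    for account, findings in sorted(review_access(ENTITLEMENTS, ACCESS_LOG,
                                                  REVIEW_DATE).items()):
        print(account, findings)
```

On the constructed data, alice holds an admin-console entitlement she never used, carol has not been seen at all, the svc-backup service account has been silent for over 90 days, and bob read db-finance without an entitlement for it; the first two are candidates for removal, the last is the kind of anomalous access the text says UEBA should surface.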

Incident prioritization

The goal of this task is to prioritize the notifications generated by the solutions in the organization's technology stack, so as to understand which incidents or potential incidents should be dealt with first. UEBA methods and tools help identify the incidents that are particularly anomalous or particularly dangerous for a given organization. In this scenario the UEBA engine uses not only the baseline activity level and threat models, but also enriches the data with information about the company's organizational structure (for example, critical resources, or employees' roles and access levels).
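An added example, not from the article or any product it describes: ranking alerts from a constructed alert feed by combining each detection's own anomaly score with organizational context (criticality of the asset touched, privilege level of the account) and with the number of alerts already involving the same user. The weights, asset and account names, alert feed and correlation bonus are all assumptions made for illustration.

```python
"""Added example, not from the article or any vendor product: prioritizing
alerts with organizational context, as the incident prioritization scenario
describes. Every number and name below is constructed for the example."""
from collections import Counter

# Constructed organizational context: how much each asset matters and which
# accounts are privileged (multiplier; everyone else gets 1.0).
ASSET_CRITICALITY = {"payroll-db": 3.0, "source-repo": 2.0, "wiki": 1.0}
PRIVILEGED_ACCOUNTS = {"alice": 2.0}

# Constructed alerts from the rest of the stack (SIEM rules, DLP, EDR).
# "anomaly" is the detection's own score in [0, 1].
ALERTS = [
    {"id": "A1", "user": "bob",   "asset": "wiki",        "anomaly": 0.9, "source": "siem"},
    {"id": "A2", "user": "alice", "asset": "payroll-db",  "anomaly": 0.4, "source": "dlp"},
    {"id": "A3", "user": "carol", "asset": "source-repo", "anomaly": 0.7, "source": "edr"},
    {"id": "A4", "user": "alice", "asset": "wiki",        "anomaly": 0.2, "source": "siem"},
    {"id": "A5", "user": "alice", "asset": "payroll-db",  "anomaly": 0.5, "source": "edr"},
]

# Extra weight for each additional alert on the same user: several weak
# signals about one entity matter more than one strong signal in isolation.
CORRELATION_BONUS = 0.25


def alert_risk(alert, alerts_per_user, asset_crit, privileged,
               bonus=CORRELATION_BONUS):
    """Context-weighted risk of a single alert."""
    crit = asset_crit.get(alert["asset"], 1.0)
    priv = privileged.get(alert["user"], 1.0)
    others = alerts_per_user[alert["user"]] - 1
    return alert["anomaly"] * crit * priv * (1 + bonus * others)


def prioritize(alerts, asset_crit=ASSET_CRITICALITY,
               privileged=PRIVILEGED_ACCOUNTS):
    """Return the alerts sorted by descending context-weighted risk."""
    per_user = Counter(a["user"] for a in alerts)
    ranked = [{**a, "risk": round(alert_risk(a, per_user, asset_crit,
                                             privileged), 2)}
              for a in alerts]
    ranked.sort(key=lambda a: (-a["risk"], a["id"]))
    return ranked


def entity_risk(ranked):
    """Aggregate risk per user: the view an analyst would triage from."""
    totals = Counter()
    for a in ranked:
        totals[a["user"]] += a["risk"]
    return {user: round(value, 2) for user, value in totals.items()}


if __name__ == "__main__":
    ranked = prioritize(ALERTS)
    for a in ranked:
        print(a["id"], a["user"], a["asset"], a["risk"])
    print(entity_risk(ranked))
```

The alert with the highest raw anomaly score (A1, a low-value wiki touched by an unprivileged user) drops to near the bottom, while two mediocre detections on the payroll database by a privileged account that already has a third alert rise to the top; that reordering is the point of enriching detections with organizational context.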

Problems of implementing UEBA solutions

The pain of the UEBA market is the high price of the solutions and their complex implementation, maintenance and use. While companies already struggle with the number of different internal portals, they get yet another console. The amount of time and resources invested in a new tool depends on the challenges at hand and the kinds of analytics needed to solve them, and most often a significant investment is required.

Contrary to the claims of many vendors, UEBA is not a "set it and forget it" tool that can then run unattended for days on end.
Gartner customers, for example, note that it takes 3 to 6 months from starting a UEBA initiative from scratch to obtaining the first results for the problems the solution was implemented to solve. For more complex tasks, such as identifying insider threats in the organization, the period grows to 18 months.

Factors that influence the difficulty of implementing UEBA and the future effectiveness of the tool:

  • The complexity of the organization's architecture, network topology and data management policies.
  • The availability of the right data at the right level of detail.
  • The complexity of the vendor's analytics algorithms, e.g. the use of statistical models and machine learning as opposed to simple patterns and rules.
  • The amount of pre-configured analytics included, i.e. the vendor's understanding of which data must be collected for each task and which variables and attributes matter most for the analysis.
  • How easily the vendor can integrate automatically with the required data.

    For example:

    • If the UEBA solution uses a SIEM system as its main data source, does the SIEM collect information from the required data sources?
    • Can the required event logs and the organization's contextual details be routed to the UEBA solution?
    • If the SIEM system does not yet collect and manage the data sources the UEBA solution requires, how can they be delivered to it?

  • How important the organization's application scenario is, how many data sources it requires, and how closely this task overlaps with the vendor's area of expertise.
  • What degree of organizational maturity and involvement is required, e.g. creating, developing and refining rules and models; assigning weights to the variables used for assessment; or adjusting the risk assessment threshold.
  • How scalable the vendor's solution and its architecture are relative to the organization's current size and future requirements.
  • The time needed to build the basic models, profiles and key groups. Vendors often require at least 30 days (and sometimes up to 90 days) of analysis before they can define what is "normal". Loading historical data in one batch can speed up model training. Some interesting cases can be identified faster with rules than with machine learning on a very small amount of initial data.
  • The level of effort required to build dynamic groups and account profiles (service/person) can vary greatly between solutions.

Source: www.habr.com
