The UEBA market is dead, long live UEBA


Today we give a brief overview of the User and Entity Behavioral Analytics (UEBA) market based on recent Gartner research. According to the Gartner Hype Cycle for Threat-Facing Technologies, the UEBA market is in the "trough of disillusionment", which indicates the maturity of the technology. The paradox of the situation is that overall investment in UEBA technologies keeps growing while the market for standalone UEBA solutions shrinks. Gartner predicts that UEBA will become a function of related information security solutions. The term "UEBA" is likely to fall out of use and be replaced by another acronym focused on a narrower application area (e.g. "user behavior analytics"), on an adjacent application area (e.g. "data analytics"), or simply by a new buzzword (for example, the term "artificial intelligence" [AI] looks attractive, although it means little in the context of today's UEBA vendors).

The key findings of the Gartner study can be summarized as follows:

  • The maturity of the user and entity behavioral analytics market is confirmed by the fact that the technology is used by the mid-size and large enterprise segment to solve a number of business problems;
  • UEBA analytics capabilities are built into a wide range of related information security technologies, such as cloud access security brokers (CASB), identity governance and administration (IGA) and SIEM systems;
  • The hype around UEBA vendors and the misuse of the term "artificial intelligence" make it difficult for customers to understand the real difference between vendors' technologies and the functionality of their solutions without running a pilot project;
  • Customers note that implementing and operating UEBA solutions day to day can be more labor-intensive and time-consuming than the vendor promises, even when only the basic threat detection models are considered. Adding custom or edge use cases can be extremely difficult and requires expertise in data science and analytics.

Forecast of the strategic market development:

  • By 2021, the user and entity behavioral analytics (UEBA) market will cease to exist as a separate area and will shift to other solutions with UEBA functionality;
  • By 2020, 95% of all UEBA deployments will be part of a broader security platform.

Definition of UEBA solutions

UEBA solutions use built-in analytics to evaluate the activity of users and other entities (such as hosts, applications, network traffic and data stores).
They detect threats and potential incidents, usually represented by anomalous activity compared with the normal profile and behavior of users and entities in similar groups over time.

The most common use cases in the enterprise segment are threat detection and response, as well as insider threat detection and response (mostly compromised insiders; sometimes internal attackers).

UEBA is both a solution in its own right and a function built into a particular tool:

  • Solution - vendors of "pure" UEBA platforms, including vendors that also sell SIEM solutions separately. They focus on a wide range of business problems in analyzing the behavior of both users and entities.
  • Embedded - vendors/divisions that integrate UEBA functions and technologies into their own solutions. They usually focus on a more specific set of business problems. In this case, UEBA is used to analyze the behavior of users and/or entities.

Gartner views UEBA along three axes: the problems to be solved (use cases), analytics, and data sources (see figure).


"Pure" UEBA platforms versus embedded UEBA

Gartner considers "pure" UEBA platforms to be solutions that:

  • solve a number of specific problems, such as monitoring privileged users or data exfiltration from the organization, rather than merely abstract "monitoring of anomalous user activity";
  • involve the use of complex analytics based on fundamental analytical approaches;
  • offer several options for data collection, including both built-in data source mechanisms and log management tools, a data lake and/or SIEM systems, without a mandatory need to deploy separate agents in the infrastructure;
  • can be purchased and deployed as standalone solutions rather than as a component of other products.

The table below compares the two approaches.

Table 1. "Pure" UEBA solutions vs embedded UEBA

| Category | "Pure" UEBA platforms | Other solutions with embedded UEBA |
|---|---|---|
| Problem to solve | Analysis of user and entity behavior. | Lack of data may limit UEBA to analyzing only user behavior or only entity behavior. |
| Problem to solve | Serves to solve many problems. | Specialized in a limited set of functions. |
| Analytics | Anomaly detection using various analytical methods, primarily statistical and machine-learning models together with rules and signatures. Comes with built-in analytics to build user and entity activity profiles and compare activity against the user's own profile and those of peers. | Similar to pure UEBA, but the analysis may be limited to users and/or entities only. |
| Analytics | Advanced analytics capabilities, not limited to rules alone. For example, a clustering algorithm with dynamic grouping of entities. | Similar to "pure" UEBA, but entity grouping in some of the embedded threat models can be changed only manually. |
| Analytics | Correlation of the activity and behavior of users and other entities (for example, using Bayesian networks) and aggregation of individual risky behavior to identify anomalous activity. | Similar to pure UEBA, but the analysis may be limited to users and/or entities only. |
| Data sources | Ingestion of user and entity events from data sources, either directly through built-in mechanisms or from existing data stores such as a SIEM or data lake. | Data collection mechanisms are usually direct only and cover only users and/or other entities. Does not use log management tools / SIEM / data lake. |
| Data sources | The solution should not rely solely on network traffic as the primary data source, nor rely solely on its own agents to collect telemetry. | The solution may focus only on network traffic (for example, NTA - network traffic analysis) and/or use its own agents on end devices (for example, employee monitoring utilities). |
| Data sources | Enrichment of user/entity data with context. Supports real-time collection of structured events, as well as structured/unstructured linked data from IT directories, for example Active Directory (AD), or other machine-readable information resources (for example, HR databases). | Similar to pure UEBA, but the scope of contextual data may differ from case to case. AD and LDAP are the data stores most commonly used by embedded UEBA solutions. |
| Availability | Provides the listed features as a standalone product. | It is not possible to purchase the embedded UEBA functionality without purchasing the external solution it is built into. |

Source: Gartner (May 2019)

Thus, to solve specific problems, embedded UEBA can use basic UEBA analytics (for example, simple unsupervised machine learning), but at the same time, thanks to access to the data it needs, it can be more effective overall than a "pure" UEBA solution. At the same time, "pure" UEBA platforms, as expected, offer more complex analytics as their core know-how compared with a tool with embedded UEBA. These conclusions are summarized in Table 2.

Table 2. Summary of the differences between "pure" and embedded UEBA

| Category | "Pure" UEBA platforms | Other solutions with embedded UEBA |
|---|---|---|
| Analytics | Applicability to diverse business problems implies a more universal set of UEBA functions with an emphasis on complex analytics and machine-learning models. | Focus on a narrower set of business problems implies highly specialized features built around application-specific models with simpler logic. |
| Analytics | The analytical model must be customized for each application scenario. | The analytical models are pre-configured for the tool the UEBA is built into. A tool with embedded UEBA usually achieves results faster for its specific business problems. |
| Data sources | Access to data sources from all corners of the enterprise infrastructure. | Fewer data sources, usually limited to what its own agents or the host tool with UEBA functions can see. |
| Data sources | The information contained in each log may be limited by the data source and may not contain all the data the centralized UEBA tool requires. | The amount and detail of raw data collected by the agent and passed to the UEBA can be configured directly. |
| Architecture | A complete UEBA product for the organization. Integration is easier using the capabilities of a SIEM system or data lake. | Requires a separate set of UEBA features for each solution with embedded UEBA. Embedded UEBA solutions often require installing agents and managing data. |
| Integration | Manual integration of the UEBA solution with other tools in each case. Allows the organization to build its technology stack on a "best among analogues" basis. | The main bundles of UEBA functions are already included in the tool by the vendor. The UEBA module is built in and cannot be removed, so customers cannot replace it with something of their own. |

Source: Gartner (May 2019)

UEBA as a function

UEBA is becoming a feature of end-to-end cybersecurity solutions that can benefit from additional analytics. UEBA underpins these solutions, providing a powerful layer of advanced analytics based on patterns of user and/or entity behavior.

Currently on the market, embedded UEBA functionality is implemented in the following solutions, grouped by technology area:

  • Data-centric audit and protection - vendors focused on improving the security of structured and unstructured data storage (also known as DCAP).

    In this category of vendors, Gartner notes, among others, the Varonis cybersecurity platform, which offers user behavior analytics to monitor changes in permissions, access and use of unstructured data across various information stores.

  • CASB systems, which protect against various threats in cloud-based SaaS applications by blocking access to cloud services from unwanted devices, users and application versions using an adaptive access control system.

    All market-leading CASB solutions include UEBA capabilities.

  • DLP solutions - focused on detecting the transfer of critical data outside the organization or its misuse.

    Advances in DLP are based largely on understanding content, with less focus on understanding context such as user, application, location, time, event velocity and other external factors. To be effective, DLP products must recognize both content and context. This is why many vendors are starting to integrate UEBA functionality into their solutions.

  • Employee monitoring is the ability to record and replay employee actions, usually in a data format suitable for legal proceedings (if necessary).

    Constant monitoring of users typically generates a huge amount of data that requires manual filtering and human analysis. Therefore, UEBA is used inside monitoring systems to improve the performance of these solutions and surface only high-risk incidents.

  • Endpoint security - endpoint detection and response (EDR) solutions and endpoint protection platforms (EPP) provide powerful tooling and operating-system telemetry on end devices.

    Such user-related telemetry can be analyzed to provide embedded UEBA functionality.

  • Online fraud - online fraud detection solutions detect deviant activity that indicates compromise of a customer account through spoofing, malware, or exploitation of insecure connections / interception of browser traffic.

    Most fraud solutions use the essence of UEBA, transaction analysis and device fingerprinting, with the more advanced systems complementing them by correlating relationships in the identity database.

  • IAM and access control - Gartner notes an evolutionary trend among access control vendors to integrate with pure UEBA vendors and build some UEBA functionality into their own products.
  • IAM and identity governance and administration (IGA) systems use UEBA to cover behavioral and identity analytics scenarios such as anomaly detection, dynamic group analysis of similar entities, login analysis and access policy analysis.
  • IAM and privileged access management (PAM) - because of their role in monitoring the use of administrative accounts, PAM solutions have telemetry showing how, why, when and where administrative accounts were used. This data can be analyzed by embedded UEBA functionality for anomalous administrator behavior or malicious intent.
  • NTA vendors (network traffic analysis) - use a combination of machine learning, advanced analytics and rule-based detection to identify suspicious activity on corporate networks.

    NTA tools continuously analyze raw traffic and/or flow records (e.g. NetFlow) to build models that reflect normal network behavior, focusing primarily on entity behavior analysis.

  • SIEM - many SIEM vendors now have advanced data analytics functionality built into the SIEM, or offer it as a separate UEBA module. Throughout 2018 and so far in 2019, the boundaries between SIEM and UEBA functionality have kept blurring, as discussed in the article "Technology Insight for the Modern SIEM". SIEM systems have become much better at working with analytics and offer more complex application scenarios.

UEBA application scenarios

UEBA solutions can solve a wide range of problems. However, Gartner clients agree that the main use case is detecting various categories of threats, achieved by surfacing and analyzing common correlations between the behavior of users and other entities:

  • unauthorized access and data movement;
  • suspicious behavior of privileged users, malicious or unauthorized actions of employees;
  • non-standard access to and use of cloud resources;
  • and others.

There are also a number of unusual non-cybersecurity use cases, such as fraud or employee monitoring, for which UEBA may be justified. However, they usually require data sources outside IT and information security, or specific analytical models with a deep understanding of the domain. The five main scenarios and applications on which UEBA vendors and their customers agree are described below.

"Malicious insider"

UEBA solution providers covering this scenario monitor only employees and trusted contractors for unusual, "bad" or malicious behavior. Vendors in this area of expertise do not monitor or analyze the behavior of service accounts or other non-human entities. Largely because of this, they are not focused on detecting advanced threats in which attackers take over existing accounts. Instead, they aim to identify employees involved in harmful activity.

Essentially, the concept of a "malicious insider" stems from trusted users with malicious intent who look for ways to harm their employer. Because malicious intent is hard to measure, the best vendors in this category analyze contextual behavioral data that is not readily available in audit logs.

Solution providers in this space also add and analyze unstructured data, such as email content, productivity reports or social media information, to provide behavioral context.

Compromised insiders and intrusive threats

The challenge is to quickly detect and analyze "bad" behavior once an attacker has gained access to the organization and begins to move within the IT infrastructure.
Advanced persistent threats (APTs), like unknown or not yet fully understood threats, are very difficult to detect and often hide behind the legitimate activity of users or service accounts. Such threats usually have a complex operating model (see, for example, the article "Addressing the Cyber Kill Chain"), or their behavior has not yet been assessed as harmful. This makes them hard to detect with simple analytics (such as pattern matching, thresholds or correlation rules).

However, many of these intrusive threats result in non-standard behavior, often involving unsuspecting users or entities (compromised insiders). UEBA techniques offer several interesting ways to detect such threats, improve the signal-to-noise ratio, consolidate and reduce the volume of notifications, prioritize the remaining alerts, and facilitate effective incident response and investigation.

UEBA vendors targeting this problem area often have bidirectional integration with the organization's SIEM systems.

Data exfiltration

The task in this case is to detect the fact that data is being transferred outside the organization.
Vendors focused on this challenge typically augment DLP or DAG capabilities with anomaly detection and advanced analytics, thereby improving the signal-to-noise ratio, consolidating the volume of notifications and prioritizing the remaining triggers. For additional context, vendors usually rely more heavily on network traffic (such as web proxies) and endpoint data, since analyzing these data sources can help in data exfiltration investigations.

Data exfiltration detection is used to catch both insiders and external attackers threatening the organization.

Identification and management of privileged access

Vendors of standalone UEBA solutions in this area of expertise monitor and analyze user behavior against the background of an already established system of privileges in order to identify excessive privileges or anomalous access. This applies to all types of users and accounts, including privileged and service accounts. Organizations also use UEBA to remove dormant accounts and user privileges that are higher than required.

Incident prioritization

The goal of this task is to prioritize the notifications generated by the solutions in the organization's technology stack in order to understand which incidents or potential incidents should be addressed first. UEBA methods and tools are useful for identifying incidents that are especially anomalous or especially dangerous for a particular organization. Here the UEBA mechanism not only uses the baseline level of activity and threat models, but also enriches the data with information about the company's organizational structure (for example, critical resources, or the roles and access levels of employees).
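As an added illustration (not code from the article, Gartner or any vendor) of the definition given earlier, a per-user baseline profile plus comparison with a peer group over time, and of the context enrichment described in this section, here is a small Python scoring routine over constructed daily host-access counts. The user names, peer groups, privileged-role flag, alert threshold and the standard-deviation floor are all assumptions.

```python
"""UEBA-style anomaly scoring over constructed data (illustrative only)."""
from statistics import mean, pstdev

# Constructed baseline: distinct hosts each user reached per day over a 10-day
# learning window (the article cites 30-90 days; shortened here to keep the sample small).
BASELINE = {
    "alice": [2, 3, 2, 2, 3, 2, 2, 3, 2, 2],
    "bob":   [3, 2, 3, 3, 2, 3, 2, 3, 3, 2],
    "carol": [1, 1, 2, 1, 1, 1, 2, 1, 1, 1],
    "dave":  [8, 9, 8, 7, 9, 8, 8, 9, 8, 7],   # sysadmin: touching many hosts is normal for him
}
# Assumed organisational context (the kind of data pulled from AD or HR systems):
# peer group membership and which accounts hold privileged roles.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "it-ops"}
PRIVILEGED = {"dave"}

# Constructed observations for the day being scored.
TODAY = {"alice": 3, "bob": 12, "carol": 5, "dave": 9}


def zscore(value, samples, floor=0.5):
    """Standard score of value against samples. The floor on the standard
    deviation keeps very regular users from producing infinite scores."""
    sd = max(pstdev(samples), floor)
    return (value - mean(samples)) / sd


def score_user(user, value):
    """Deviation from the user's own history and from the peer group, weighted by role."""
    own = zscore(value, BASELINE[user])
    # Peer baseline: pooled history of everyone in the same group (the user included).
    peers = [v for u, g in PEER_GROUP.items() if g == PEER_GROUP[user] for v in BASELINE[u]]
    peer = zscore(value, peers)
    anomaly = max(own, peer, 0.0)               # only unusually high activity counts as risk here
    weight = 2.0 if user in PRIVILEGED else 1.0  # context: privileged accounts rank higher
    return {"user": user, "own_z": round(own, 2), "peer_z": round(peer, 2),
            "risk": round(anomaly * weight, 2)}


def prioritise(observations, threshold=3.0):
    """Rank today's observations by risk and keep only those above the alert threshold."""
    scored = (score_user(u, v) for u, v in observations.items())
    alerts = [s for s in scored if s["risk"] >= threshold]
    return sorted(alerts, key=lambda s: s["risk"], reverse=True)


if __name__ == "__main__":
    for alert in prioritise(TODAY):
        print(alert)
```

Dave's nine hosts look extreme next to the finance users but are normal for his own history and his it-ops peer group, so even with the privileged-role weight he stays below the threshold; this is why the article stresses dynamic grouping and organisational context rather than global thresholds.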

Problems of implementing UEBA solutions

The pain point of the UEBA solutions market is their high price and the complexity of implementation, maintenance and use. While companies already struggle with the number of different internal portals, they get yet another console. The amount of time and resources to be invested in a new tool depends on the tasks at hand and the types of analytics needed to solve them, and most often the investment is significant.

Contrary to what many vendors claim, UEBA is not a "set and forget" tool that can then be left running on its own day after day.
Gartner customers, for example, note that it takes 3 to 6 months to get a UEBA initiative from scratch to the first results for the problems the solution was implemented to solve. For more complex tasks, such as identifying insider threats in an organization, the period rises to 18 months.

Factors that affect the difficulty of implementing UEBA and the future effectiveness of the tool:

  • The complexity of the organizational structure, network topology and data management policies.
  • Availability of the right data at the right level of detail.
  • The complexity of the vendor's analytics algorithms, for example the use of statistical models and machine learning versus simple patterns and rules.
  • The amount of pre-configured analytics included, that is, the vendor's understanding of which data should be collected for each task and which variables and attributes matter most for the analysis.
  • How easily the vendor can integrate automatically with the required data.

    For example:

    • If the UEBA solution uses a SIEM system as its primary data source, does the SIEM collect information from the required data sources?
    • Can the required event logs and organizational context data be routed to the UEBA solution?
    • If the SIEM system does not yet collect and manage the data sources the UEBA solution needs, how can they be routed there?

  • How important the application scenario is for the organization, how many data sources it requires, and how much this task overlaps with the vendor's area of expertise.
  • What degree of organizational maturity and involvement is required, for example creating, developing and refining rules and models; assigning weights to variables for scoring; or adjusting the risk assessment threshold.
  • How scalable the vendor's solution and its architecture are relative to the organization's current size and future needs.
  • The time needed to build baseline models, profiles and key groups. Vendors often require at least 30 days (and sometimes up to 90 days) of analysis before they can define what is "normal". A one-time load of historical data can speed up model training. Some of the interesting cases can be identified faster with rules than with machine learning, and with a surprisingly small amount of initial data.
  • The level of effort required for dynamic grouping and account profiling (service/person) can vary greatly between solutions.

Source: www.habr.com
