
User Behavior Analysis Across Productivity Tools

User Behavior Analysis Solution

Monitoring user behavior is one of the many tools in a security team’s toolset to detect risky and anomalous behavior, usually indicative of a potential insider threat or data breach. Fletch’s User Behavior Analysis solution enables organizations to continually monitor and examine high-risk activity across various cloud applications, with our first offering focused on productivity integrations, including Google Workspace (formerly known as G Suite), Microsoft 365, Microsoft Azure Active Directory, and Okta. 

As companies migrate to the cloud or become more cloud-native, the various IT applications previously managed on-prem (on-premises) are now managed by third parties, posing a challenge for security teams to monitor usage correctly and detect high-risk activity. 

Fletch makes it possible for security teams to focus on high-risk behavior identified among users of an organization’s productivity applications without having to do the manual data plumbing, triangulation, or threat hunting generally required by equivalent security tools. Fletch is at the forefront of building easy-to-use analysis that helps organizations instantly detect insider threats and potential data breaches: it requires only 15 minutes to set up, needs no data plumbing or heavy lifting, and delivers actionable insights into your productivity environment within 24 hours.

Fletch’s User Behavior Analysis solution includes five boards that help security teams monitor and discover risky and anomalous behavior. The short videos below explain the importance of each User Behavior Analysis board with further clarification of the specific behavior types being monitored.

Abnormal Behavior Overview

The Abnormal Behavior Overview board is a 10,000-foot view of all the users that Fletch has identified as high-risk. The summary board pulls from four other boards, each built on a different behavior methodology, that together cover behaviors such as:

  • Users sharing more content than normal
  • Users accessing productivity applications from new or unforeseen locations, including proxies
  • Users gaining new administrative access to productivity applications
  • Users generating successful or failed activity outside of their usual working hours
  • Users excessively downloading data at much higher volumes than previously seen in prior days, weeks, or months. 

This summary board combines the signals across these four behavior methods to provide an overview of which users appear to be the highest risk. High-risk users and true insider threats often exhibit several of these behaviors at once when trying to reach sensitive data within productivity tools, which is why Fletch analyzes users from these different angles. Security teams can monitor the methodologies together, quickly determine whether there is in fact an insider threat, and dive deeper as risky behavior is detected.

Methodology 1: Usage Frequency

The Usage Frequency Board helps security teams identify high-risk activity once a user has successfully authenticated or successfully accessed a cloud productivity application. Examples of the behaviors monitored within this board include:

  • Users generating more frequent logins than usual
  • Users generating activity across more objects than normal
  • Users sharing more content than normal
  • Users changing more content than normal
  • Users performing new commands
  • Users touching new objects

By monitoring these types of activities, security teams can better recognize the signs that an attacker has taken over a legitimate user or employee account and is searching for high-value data within the organization to exfiltrate.
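The following is an added example, not Fletch’s code, of how the Usage Frequency behaviors above can be scored: each user gets a per-action baseline (mean and standard deviation of daily counts) from a training window, and detection-period days are flagged when a count exceeds the baseline by a z-score threshold, or when an action type never seen in the baseline appears (“users performing new commands”). The daily activity rows, the `2024-03-08` baseline cutoff, and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily activity rows (not real data): (user, day, action, count).
# Days before BASELINE_END form the user's normal profile; later days are scored.
DAILY = [
    ("alice", "2024-03-01", "login", 2), ("alice", "2024-03-01", "share", 1),
    ("alice", "2024-03-04", "login", 3), ("alice", "2024-03-04", "share", 2),
    ("alice", "2024-03-05", "login", 2), ("alice", "2024-03-05", "share", 1),
    ("alice", "2024-03-06", "login", 3), ("alice", "2024-03-06", "share", 2),
    ("alice", "2024-03-07", "login", 2), ("alice", "2024-03-07", "share", 1),
    # detection period: a sharing spike plus a command never used before
    ("alice", "2024-03-11", "login", 3), ("alice", "2024-03-11", "share", 14),
    ("alice", "2024-03-11", "export_all", 1),
    ("alice", "2024-03-12", "login", 2), ("alice", "2024-03-12", "share", 2),
]
BASELINE_END = "2024-03-08"   # assumed cutoff (ISO dates compare as strings)
Z_THRESHOLD = 3.0             # how many standard deviations above the mean to flag
MIN_ABS = 5                   # ignore tiny absolute deviations on very quiet baselines


def build_profiles(rows, baseline_end=BASELINE_END):
    """Per user and action, (mean, population stdev) of daily counts in the baseline."""
    counts = defaultdict(lambda: defaultdict(list))
    for user, day, action, n in rows:
        if day < baseline_end:
            counts[user][action].append(n)
    return {
        user: {action: (mean(v), pstdev(v)) for action, v in by_action.items()}
        for user, by_action in counts.items()
    }


def detect_frequency_anomalies(rows, baseline_end=BASELINE_END,
                               z_threshold=Z_THRESHOLD, min_abs=MIN_ABS):
    """Return (user, day, kind, action, count) findings for the detection period."""
    profiles = build_profiles(rows, baseline_end)
    findings = []
    for user, day, action, n in rows:
        if day < baseline_end:
            continue
        profile = profiles.get(user, {})
        if action not in profile:
            # "users performing new commands": no baseline for this action at all
            findings.append((user, day, "new_command", action, n))
            continue
        mu, sigma = profile[action]
        excess = n - mu
        if excess < min_abs:
            continue
        # a zero-variance baseline means any excess is unprecedented
        z = excess / sigma if sigma > 0 else float("inf")
        if z >= z_threshold:
            findings.append((user, day, "high_frequency", action, n))
    return findings


if __name__ == "__main__":
    for finding in detect_frequency_anomalies(DAILY):
        print(finding)
```

The `MIN_ABS` floor matters in practice: a user whose baseline is one share per day has a standard deviation near zero, so a single extra share would otherwise produce an enormous z-score and a noisy alert.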

Methodology 2: Usage Location

The Usage Location Board is designed to identify and track users accessing cloud productivity applications from abnormal locations. Even as most of the workforce has shifted to remote locations, most users typically operate from a set home office location or a small number of known locations. 

This board is important because an attacker who has stolen a user’s credentials may not know where the employee normally works and may access cloud productivity applications from new locations, new countries, or a third-party proxy server. By flagging logins from new or unknown locations, the board surfaces early indicators of account compromise.

Other example behaviors that this board monitors include:

  • Users with concurrent logins from multiple countries
  • User logins from new IP addresses
  • User logins from new locations
  • Successful user logins from 3 or more distinct source countries within a 5-minute window

Methodology 3: Role or Policy Usage

The Role or Policy Usage Board is designed to monitor users with elevated administrative privileges within productivity applications. There are legitimate business reasons why some users can create sub-accounts or disposable credentials for normal business operations. Unfortunately, this exact mechanism can be abused by an attacker when trying to hide their nefarious activity. 

For example, if an attacker is trying to steal a large amount of data, they may not want that activity to be traceable to a specific user. The attacker may create a disposable account using the master credentials they subverted, perform the action to exfiltrate data, and discard the sub-account to hide their activity.

Other behaviors that this board monitors include:

  • Third-party productivity users who have gained administrative access
  • Users that have modified productivity policies
  • Users that have modified productivity user roles
  • Users that have touched new objects
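To make the Role or Policy Usage behaviors concrete, here is an added example (not Fletch’s code) that runs over a small constructed audit trail of administrative actions. It flags administrative access granted to anyone outside a known admin set, any policy or role modification, and the disposable-account pattern described above: an account created and deleted by the same actor within a short lifetime, reported together with whatever that account did in between. The event records, action names, the `KNOWN_ADMINS` set and the 24-hour lifetime threshold are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real data): an actor performs an action on a target.
EVENTS = [
    {"ts": "2024-03-04T09:00:00", "actor": "admin-carol", "action": "create_user",   "target": "svc-temp1"},
    {"ts": "2024-03-04T09:05:00", "actor": "admin-carol", "action": "grant_admin",   "target": "svc-temp1"},
    {"ts": "2024-03-04T09:20:00", "actor": "svc-temp1",   "action": "download",      "target": "Finance/Q4-forecast.xlsx"},
    {"ts": "2024-03-04T09:40:00", "actor": "admin-carol", "action": "delete_user",   "target": "svc-temp1"},
    {"ts": "2024-03-05T11:00:00", "actor": "admin-carol", "action": "create_user",   "target": "dave"},
    {"ts": "2024-03-05T11:10:00", "actor": "admin-carol", "action": "modify_policy", "target": "sharing-policy"},
    {"ts": "2024-03-12T11:10:00", "actor": "dave",        "action": "download",      "target": "Handbook.pdf"},
]
KNOWN_ADMINS = {"admin-carol"}       # assumed inventory of expected administrators
SHORT_LIVED = timedelta(hours=24)    # accounts deleted within this window are suspicious


def detect_role_policy_anomalies(events, known_admins=KNOWN_ADMINS, short_lived=SHORT_LIVED):
    """Return findings as tuples whose first element names the behavior detected."""
    admins = set(known_admins)        # copy: never mutate the caller's inventory
    created = {}                      # target account -> (creation time, creator)
    actions_by = defaultdict(list)    # actor -> actions it performed, in order
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "grant_admin" and e["target"] not in admins:
            findings.append(("new_admin", e["target"], e["actor"]))
            admins.add(e["target"])
        if e["action"] in ("modify_policy", "modify_role"):
            findings.append(("policy_change", e["actor"], e["target"]))
        if e["action"] == "create_user":
            created[e["target"]] = (ts, e["actor"])
        if e["action"] == "delete_user" and e["target"] in created:
            born, creator = created[e["target"]]
            if ts - born <= short_lived:
                # the disposable sub-account pattern, with what it did while alive
                history = [a["action"] for a in actions_by[e["target"]]]
                findings.append(("short_lived_account", e["target"], creator, history))
        actions_by[e["actor"]].append(e)
    return findings


if __name__ == "__main__":
    for finding in detect_role_policy_anomalies(EVENTS):
        print(finding)
```

Reporting the deleted account’s own actions alongside the creator is the useful part: the download performed by `svc-temp1` would otherwise be attributed to an account that no longer exists, which is exactly the traceability gap the attacker is trying to create.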

Methodology 4: Time-of-Day Usage

The Time-of-Day Usage Board is designed to identify and track user activity across cloud productivity applications relative to each user’s normal working hours. As a general rule of thumb, regardless of the time zone a user resides in, each user has a set of core working hours during which they usually access cloud applications. This board helps surface outlier activity that could indicate an attacker has subverted a legitimate employee or user account and is now performing activities outside of normal working hours.

An attacker may not know when a user’s normal working hours are and could therefore perform suspicious activity entirely outside of the user’s typical working hours, which is an indicator that the account has been taken over.

Other types of behavior this board monitors include:

  • Users generating failing activity outside of usual working hours 
  • Users generating successful activity outside of usual working hours
  • Users logging in outside of usual working hours
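The following added example (not Fletch’s code) implements the Time-of-Day checks above: it converts each event from UTC into the user’s own time zone, learns a per-user set of core working hours from the share of baseline activity falling in each hour, and then labels detection-period events as a login, a successful action, or a failed action outside those hours. The event records, the per-user time-zone map (fixed offsets used so the example needs no tz database), the `2024-03-08` cutoff and the 5% hour-share threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed per-user time zones; fixed offsets keep the example self-contained.
USER_TZ = {
    "alice": timezone(timedelta(hours=-5)),   # US East
    "bob": timezone(timedelta(hours=1)),      # Central Europe
}
BASELINE_END = datetime(2024, 3, 8, tzinfo=timezone.utc)   # assumed cutoff
MIN_SHARE = 0.05   # an hour is "core" if it holds at least 5% of baseline activity

# Constructed events (not real data) with UTC timestamps.
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T14:00:00+00:00", "action": "login",    "success": True},
    {"user": "alice", "ts": "2024-03-04T15:30:00+00:00", "action": "share",    "success": True},
    {"user": "alice", "ts": "2024-03-05T16:00:00+00:00", "action": "download", "success": True},
    {"user": "alice", "ts": "2024-03-05T18:00:00+00:00", "action": "share",    "success": True},
    {"user": "alice", "ts": "2024-03-06T19:00:00+00:00", "action": "download", "success": True},
    {"user": "alice", "ts": "2024-03-06T20:00:00+00:00", "action": "share",    "success": True},
    {"user": "alice", "ts": "2024-03-07T21:45:00+00:00", "action": "download", "success": True},
    {"user": "bob",   "ts": "2024-03-04T08:00:00+00:00", "action": "login",    "success": True},
    {"user": "bob",   "ts": "2024-03-05T12:00:00+00:00", "action": "download", "success": True},
    # detection period: a burst at 02:00 local for alice, a late-night download for bob
    {"user": "alice", "ts": "2024-03-09T07:10:00+00:00", "action": "login",    "success": True},
    {"user": "alice", "ts": "2024-03-09T07:30:00+00:00", "action": "download", "success": True},
    {"user": "alice", "ts": "2024-03-09T07:45:00+00:00", "action": "share",    "success": False},
    {"user": "alice", "ts": "2024-03-11T15:00:00+00:00", "action": "download", "success": True},
    {"user": "bob",   "ts": "2024-03-09T08:30:00+00:00", "action": "download", "success": True},
    {"user": "bob",   "ts": "2024-03-09T22:00:00+00:00", "action": "download", "success": True},
]


def local_hour(event):
    """Hour of day in the user's own time zone (timestamps carry an explicit UTC offset)."""
    ts = datetime.fromisoformat(event["ts"])
    return ts.astimezone(USER_TZ[event["user"]]).hour


def build_working_hours(events, baseline_end=BASELINE_END, min_share=MIN_SHARE):
    """Per user, the set of local hours holding at least min_share of successful baseline activity."""
    hist = defaultdict(Counter)
    for e in events:
        if e["success"] and datetime.fromisoformat(e["ts"]) < baseline_end:
            hist[e["user"]][local_hour(e)] += 1
    hours = {}
    for user, counts in hist.items():
        total = sum(counts.values())
        hours[user] = {h for h, n in counts.items() if n / total >= min_share}
    return hours


def detect_off_hours(events, baseline_end=BASELINE_END):
    """Return (user, kind, action, local_hour) for detection-period activity outside core hours."""
    working = build_working_hours(events, baseline_end)
    findings = []
    for e in events:
        if datetime.fromisoformat(e["ts"]) < baseline_end:
            continue
        hour = local_hour(e)
        if hour in working.get(e["user"], set()):
            continue
        if not e["success"]:
            kind = "failed_outside_hours"
        elif e["action"] == "login":
            kind = "login_outside_hours"
        else:
            kind = "success_outside_hours"
        findings.append((e["user"], kind, e["action"], hour))
    return findings


if __name__ == "__main__":
    for finding in detect_off_hours(EVENTS):
        print(finding)
```

Converting to the user’s local time before building the histogram is what makes the same rule work for a distributed workforce; a single global “after 18:00 UTC” cutoff would flag every European morning or American afternoon as anomalous.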

Unlike other solutions, Fletch is extremely easy to set up and takes only 15 minutes to connect your data. Within 24 hours, know where you stand when it comes to abnormal user behavior across your cloud productivity applications and understand which of your highest-risk employees you should be paying attention to. Reach out today to request a demo.