Well, good afternoon, good morning, good evening, ladies and gentlemen, depending on where in the world you are. Welcome to the first KuppingerCole webinar of this year. My name is Alexei Balaganski, analyst at KuppingerCole, and the topic for today's webinar is improving your security operations center efficiency with advanced security analytics. This webinar is supported by Balabit, and today I am joined by Dr. Csaba Krasznay, who is a product manager at Balabit. Before we begin, just a few words about KuppingerCole, in case you are not yet familiar with us.
We are an independent analyst company based in Germany, but with a quite global reach. We are focusing on enterprise IT research, advisory, decision support and networking for IT professionals, specifically in areas like information security, cybersecurity, identity and access management, and so on.
The three pillars of our activities are research services, advisory projects for our customers, and events, ranging from free online webinars like this one to proper large-scale conferences, of which the most well known is probably our European Identity & Cloud Conference, which we hold each year in Munich, Germany in May.
And this May, this will be the 11th occasion, so you are all very welcome to Munich. But before that, we are going to have our first conference in a new series of events focusing on digital finance, which will be held in Frankfurt, Germany at the beginning of March.
So you still have a chance to register, and you will find more information on our website. A few guidelines for the webinar: you are all muted centrally, so you don't have to worry about it, we will control all these features. There will be a recording made of the webinar, to be published on our website by tomorrow at the latest, and we will let every attendee know about it with an email.
We will have a Q&A session at the end, but please don't hesitate to ask your questions at any time by using the questions box in the GoToWebinar control panel on the right of your screen. The agenda for today is typical for our webinars: we'll have three parts. At first, I, as an analyst, will outline the general problem field, in this case the current challenges we are now facing as regards the most recent advanced threats, and outline the emerging technologies which aim to improve the efficiency of current security tools,
and of course of the people who are using those tools. This will be followed by the second part, where Dr. Csaba Krasznay will present Balabit's contextual security intelligence approach, which combines both traditional and next generation security tools in a single security platform. And as I mentioned, at the end we will have a Q&A session.
And I will not break our tradition and start this webinar with our favorite picture, which shows basically the world we are currently living in, where everything is connected. What is now happening with society, many people call the digital transformation here in Germany.
Many people use the term the fourth industrial revolution, Industry 4.0. Basically it's all about the way businesses and consumers, and basically everyone, have to change to adapt to the new way of operating in the post-industrial society: to exchange digital information, to constantly open up and adapt to new channels and new emerging technologies to exchange that information more efficiently, or to enable new business models.
And as we can see, the corporate data, those crown jewels which we, as security specialists, are tasked to protect, can now be anywhere in the world: in the cloud, in some third party data center, or in transit between them. We constantly have to onboard new identity types, whether it be people like our customers or leads or partners, or even devices, consumer devices like smart watches or connected cars or mobile devices, the Internet of Things, and so on.
If you look at the typical representation of a modern network, we can see that there is no security perimeter anymore, because the network is basically spanning the whole world, including the headquarters, the multiple remote locations, the cloud. And of course there are numerous new risk factors out there which are constantly bent on attacking our network and stealing our sensitive information, and so on.
The main point is that there is no security perimeter anymore. So all this has led to a major paradigm shift in information security, in the way we approach information protection.
So from traditional perimeter security, we are now slowly migrating towards monitoring and analytics, because we know that, since there is no perimeter, the question of whether there is a hacker or an insider in our network is basically no longer an if, but a when. So we will be breached; the question is when, and how to detect and mitigate it as quickly as possible. So the new approach focuses on at least trying to prevent those new advanced threats from multiple threat vectors, but primarily focuses on early detection.
Try to think in terms of risks, because with so many security incidents, you just cannot fix them all; you have to prioritize by risk. And of course incident response no longer just includes the actual blocking of a threat. It involves many more technical, legal, public relations and other processes, which have to be carried out as quickly as possible.
The concept of a security operations center appeared probably in the early 2000s. It's basically a single location where a team of experts is constantly monitoring security related events across the entire enterprise,
and basically deciding how to take action against those threats. Many large enterprises have those security operations centers, which are typically based on the so-called security information and event management technology. Those SIEM solutions, as we call them, appeared around 2005 and quickly gained popularity, because at that time they were advertised as the ultimate solution for all security problems. And it's quite understandable, because the whole concept is so cinematic.
If you will, you could immediately think about a NASA mission control room filled with huge monitors and the constant buzzing of alerts, and a team of experts rushing to plug another hole in the security perimeter. So basically on this slide I have outlined the major capabilities such a SIEM solution would typically have.
It's all basically about aggregating and safely keeping security events from multiple locations and multiple systems like servers, network devices, applications, databases, even cloud services, you name it, and trying to correlate this data with identity information from on-premises identity and access management systems,
and of course with external intelligence about recently discovered threats. There is, of course, some pretty rudimentary data analysis in the traditional SIEM solutions, which mostly focuses on filtering according to some predefined rules and trying to find some common attributes across various data sources to put the puzzle pieces together.
And of course monitoring and alerting, which includes those large screens with dashboards showing what's going on in the network and where to rush to fix another detected security incident. A huge part of the job of a security analyst in such a security operations center is forensic analysis. Basically, for each alert, a person or group of persons has to find out what exactly happened,
compare a lot of security artifacts across different sources, and try to come up with the best way to mitigate the problem. And of course we all know that audit and compliance is a big part.
So many SIEM solutions include specialized retention policies for compliance data and scheduled reporting for various compliance frameworks like PCI DSS, SOX and so on. So in theory, it sounds very interesting. The question is, does it really work? Unfortunately, within recent years people found out that it works a little less efficiently than they had expected. First of all, with a growing number of attacks, we have a really overwhelming number of security alerts to react to.
It's fine when you have that alarm go off three times a day, but if it goes off 10 times a minute and you have thousands of alerts to deal with, you just don't know where to start, because many of those alerts are false positives reacting to some statistical noise which always happens in the network. And those alerts all look similar, because there is no way to understand at first glance which ones are more important.
The second biggest problem is the insufficient level of automation, because even though the forensic analyst has huge troves of data at his fingertips, he still has to use his hands to dig through them. Although there are a lot of tools helping them, they're usually poorly integrated, and the typical job of an analyst is switching back and forth between various tools, trying to keep the whole picture in his head.
One of the reasons why this happens is that a SIEM basically integrates with all other security devices on the network in one direction only.
So we are collecting logs from them, but we have no easy way to push some kind of command back to those devices. And of course, as I mentioned, incident response is actually not just deleting the virus or disconnecting a hijacked account. It's about dealing with a large number of legal, political and public relations problems, which actually have to run according to some predefined policies and playbooks, and which are usually left to be managed completely manually. As a result, traditional SIEM solutions, and hence security operations centers, are very complex to operate.
The initial deployment is quite complicated, and for each company they have to be heavily customized to connect to all those systems in place. They require a dedicated and pretty large team of security experts for daily operations, just to manage those thousands or tens of thousands of alerts, and then the time they have to react to an incident is just way too long to ensure real-time mitigation.
Hence we have this biggest problem in the IT industry nowadays, where we just don't have enough people, not to mention enough skilled people, to respond to all those growing numbers of alerts.
This is why, for quite a few years, KuppingerCole has been talking, first in theory and then of course a little bit more practically, about the next generation of security solutions, which we at the time called real-time security intelligence (RTSI) solutions, and which are characterized by the major factor that they are designed to provide real-time, or at least near real-time, detection of those threats.
And typically they are based on big data analytics, because as soon as the whole field of big data analytics became commoditized enough to be affordable not just to the largest enterprises but to small companies as well, thanks to cheaper hardware and big data frameworks like Hadoop, which is open source and very popular,
there have been developments in trying to apply those technologies, machine learning and advanced correlation of data across different sources, to actually try to detect threats not as separate alerts, but as whole events unfolding in time. This is extremely important, because modern advanced attacks can actually take months and many steps in preparation, infiltration, lateral movement
and so on before they actually become active. A huge factor, which KuppingerCole has been stressing from the beginning, is that such solutions have to be easily deployed,
and the initial configuration must be as painless and automated as possible, which is also a big factor thanks to the automated correlation those correlation engines typically support. And those engines, finally, do not need rules, because they can operate using statistical algorithms and machine learning methods to identify anomalies and to filter out false positives without any predefined rules. And this dramatically reduces the number of alerts the analysts have to deal with.
And each of those alerts is of course assigned a risk score, because this is one of the most important factors which help to reduce the length of time needed to react to critical threats: prioritization. And those alerts are supposed to have some kind of actionable items included. It's not just some helpful context information, which helps people who are not security experts to decide whether some incident is important or not, but also to immediately take action, whether it be mitigation or simply relaying a problem to a more skilled person for higher priority analysis.
It depends. And finally, automated workflows, which imply that the forensic analyst no longer has to spend time switching between different individual tools, but can actually rely on the RTSI solution to deliver all necessary information and to guide him through the analysis process as smoothly and as automated as possible. And of course a huge factor is the managed service offering, because a smaller company just does not have enough budget and workforce to operate a full-featured security operations center on premises.
So they expect a managed partner, an MSP, to deliver such services for them for a relatively low investment. Now, this is, so to say, the theory, and as a theoretical concept we have been observing these developments for quite a few years, probably around five years already, but only in the recent couple of years have we actually seen concrete products and solutions appear on the market.
Another slide which I have included here is to say that it's always important to look at the big picture, because a SIEM as a technology platform is just a small part of the big picture in which security experts have to move and operate to identify, prevent, detect, and respond to security issues. And of course there is always a feedback loop, so to say, which helps to improve the work. There are a lot of previously disparate areas included in this picture, and the biggest success factor for the new generation of security tools is to integrate and automate all these numerous workflows.
So where are we now in the real-time security intelligence market? We have observed this evolution for a few years, and actually in 2015 we had plans to publish our Leadership Compass, the multi-vendor comparison of RTSI solutions, but at that time we finally decided it was a little bit too early, because the market was still not mature enough and the technologies were still being developed. But since that time, we have observed a certain degree of maturity. And first of all, that includes several different sub-segments, sub-markets among the RTSI solutions, which have evolved to be pretty functionally dissimilar, and which I have listed on this slide.
First of all, there are security intelligence platforms, which are basically next generation SIEM solutions developed primarily by the traditional SIEM vendors, who are keen on upgrading their solutions to be up to date with the latest threats by using big data analytics technology. They are quite large, functional, universal and extensible platforms which support multiple types of third party integrations with various sources and devices and applications and databases and cloud services,
you name it. They are pretty heavy and complicated, almost like traditional SIEMs, but provide much better functionality and a much higher level of automation. Then there is quite a small market which has appeared recently, which is user behavior analytics. These are solutions which focus solely, or at least primarily, on user behavior in the networks and applications, and not on endpoints.
They have probably emerged from the traditional fraud identification solutions, but now they are focusing on such areas as privilege management, detecting hijacked accounts, which many types of malware are known for, and other insider threats. And finally, there is a plethora of specialized solutions which focus on a single source of security data,
like, for example, the flow of authentications in an Active Directory server or a specific network security device, or which simply focus on solving a specific security problem as easily and as efficiently as possible. Such solutions have appeared across the whole market, from many large established vendors and startups
alike. They usually focus on small and medium businesses and emphasize ease of deployment and simplicity of the UI, and usually plug into existing SIEM solutions via standard protocols. And my last slide for today is what we are going to see in the future.
Well, first of all, the market has still not settled; it continues to evolve. And we expect some future consolidation through mergers and acquisitions, and probably new classes of solutions to emerge, like, for example, the entity behavior analytics solutions which have appeared recently, extending the user profiling towards similar profiling of, for example, mobile devices or IoT, Internet of Things, devices, or maybe some specialized solutions for cloud services,
and so on. We should probably expect some kind of convergence, where security analytics tools will merge with traditional security tools like intrusion detection or endpoint solutions, and we already have a number of products appearing in those sub-markets. But really the biggest problem here is how to increase the adoption of those solutions.
We have recently published a report on our website, the KuppingerCole benchmark study on big data and information security. You can find it for free under the link shown on the screen.
And basically one of the biggest findings in that study was the massive gap in adoption between the so-called leaders and laggards: basically the companies who know a lot about the recent technologies, but who represent a relatively small minority, and the majority who simply have no awareness that such solutions even exist. So the biggest obstacle for adoption isn't really lack of money, but lack of awareness. And this is where vendors have to concentrate their marketing efforts.
And finally, of course, we are going to see some innovative new technologies being integrated into those tools, like, for example, cognitive security, which is a pretty hot topic and which we will definitely discuss in one of our future webinars. The Internet of Things and all those problems associated with those massive breaches and DDoS attacks we know from last year will probably be a hot topic. And who knows what else? This is probably the most interesting part of being a security analyst: you literally never know what happens next.
Then again, we will talk about it in our next webinars, but now I am going to hand over to Csaba, who will be talking about their company's approach to solving this problem. Csaba, it's your turn.
Thank you very much, ladies and gentlemen. It's my pleasure to be here, and hopefully you see my screen at this point. My name is Csaba Krasznay. I'm a product manager at Balabit. And Alexei, thank you for your presentation, that was very interesting.
I found several points which I want to confirm in this presentation, and what I really want to emphasize is the vendor perspective. So my presentation will hopefully contain some interesting points for you. And as I mentioned, I really want to confirm what Alexei mentioned before. But first of all, for those who are not familiar with Balabit, just let me introduce the company in a few words. Balabit, founded in Budapest, Hungary, is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business.
We are operating globally with offices across the United States and Europe, together with a network of reseller partners.
So I will talk about Contextual Security Intelligence, which is a suite of our different products, called syslog-ng, Shell Control Box and Blindspotter, and we are trying to deliver a solution, a suite that can focus on the privileged user account problem. So the suite protects organizations in real time from threats posed by the misuse of high-risk and privileged accounts, and hopefully we can provide a very good pointed solution for this privileged user problem. Some key facts: the company itself was founded in 2000, we have 23 of the Fortune 100 as customers, and with the syslog-ng product we have more than 1 million corporate users.
Worldwide, today the company employs approximately 200 people, but we are growing fast, both in terms of employees and revenue. Last year, revenue increased by 35%. And as I mentioned, we have several sales offices. For example, if you are connecting from Germany or France, you can find our offices there, as well as in Russia, the United Kingdom and the United States.
And of course there are partners in more than 50 countries all over the world.
And now let's focus on the main topic of my presentation: the SOC problem, the security operations center problem, and the privileged user problem in these SOCs. So first of all, as all vendors, we have to understand the problems. Therefore we have to do research, we have to make some interviews, and we have to ask some good questions of our customers or potential customers and of our partners, because we have to understand what is needed on the market. So more than one year ago, we identified a very interesting change in the cyber security landscape.
We were just before the great cyber security problems like the election which we saw in the United States last year; there were no signs of the different information warfare or cyber warfare which is also echoing in the media these days.
But we saw that our customers are really afraid of what was previously called APT, advanced persistent threat: those attacks that really affect the inside of the company and that are coming from the privileged users. And they are changing their approach to how they want to fight against these cyber threats.
And the change was that they have the SIEM, of course they have had SIEM for a decade, so it's nothing new, but we saw that the SIEM became the single pane of glass for the security incidents, and they hired larger or smaller staff that is responsible for continuously monitoring the SIEM and the security incidents that are happening there. So, although I think we are all familiar with it, working in the cyber sector,
they feel that this is the additional way how we should manage or handle the security incidents: that we have a SIEM, we have a single pane of glass, and we have the staff inside that. But from our perspective, that became the reality not really longer than just one year ago.
And our customers began to ask for more information from their SIEM, more information from their SOCs, and more information and more support for the incident management process. Therefore we made research, like Alexei and KuppingerCole do regularly.
And we tried to make some deep interviews with those who really have a security operations center or are thinking about the creation of a security operations center. So we focused on the SOC challenge. The goal was to gain a deep, contextual insight into this field, and not just from the technical perspective: we also tried to understand the personal background, and we also tried to understand the process background.
The method was that our experts made some interviews and field visits with more than 13 customers and partners; we've reached 13 so far, but if you're interested in participating in such research, feel free to contact us, because we are really interested in your view on the SOCs and the incident management.
And today, we really want to understand your problem, especially on the privileged user part. And we understood that only a minority of our customers, or a minority of our current or potential customers, have an already operating security operations center.
But most of them, almost all of them, are thinking about the creation of a SOC. And from the partner perspective, many of our partners are thinking about the creation of a managed security center or managed security operations center, because their customers also need that kind of capability, and they want to provide them the SOC as a service. Therefore they need products that enable them to provide the incident management and the incident monitoring in all fields. Just to mention the industries:
we visited customers from the financial, from the IT or the security sector, and from the government sector as well.
We also made many interviews with key industry analysts, and they also emphasized the point which Alexei also mentioned in this presentation, in this call: that we can see an emerging market, we can see an emerging need from the customers, and we are just at the right point to jump into the SOC support. We also reviewed the market reports. We reviewed several scientific and technology literature sources.
So at this point I can truly believe that we see the problem which we have to solve, or for which we have to provide at least a small solution, focusing on our problem, the privileged user accounts. What were the main challenges? First of all, the SIEMs are overrun with log data. That means that the operating SOCs have to reduce the event per second rate to a few thousand, but this is also a huge amount of data that is arriving at the SIEM.
And therefore they have to fine tune their system very well, and they have to do something with the other log data, because in a forensic situation or in a hunting situation, they need the raw data as well. The second main challenge which we've identified is that the protection against privileged account hijacking is a major concern, as it's obvious that all companies are already attacked or will be attacked in the near future, and the preventive countermeasures are not enough nowadays.
Therefore it's obvious that there will be at least some privileged accounts that will be hijacked by external attackers or internal attackers, depending on the nature of the cyber attack. Therefore the privileged account management is still a problem, and became a huge problem in the last year. Therefore it seems to be a good jumping point to help or to support the incident management related to the privileged accounts.
The third challenge is that the applied SOC technologies heavily rely on predefined rule sets.
Therefore all the SIEM administrators have to fine tune their rules constantly, and that means, on one hand, a huge human resource need. On the other hand, if we or other vendors can somehow support this fine tuning, that could help a lot in such a situation. The fourth challenge is the limited time to make the differentiation between false positives and real threats. In tier one, it's very usual that there are only 10 or 15 minutes to make a decision whether the incident is a real incident or just a false positive, and in tier two
this is also just approximately one hour to make a decision. So the SOC analyst has to make the right decision, a good decision, and although they are able to make the right decision, there will be a few percent where they won't be able to make the right decision.
So if we can reduce that few percent to zero or near zero, we can help a lot in a SOC. And last but not least, the fifth challenge is the availability of raw data for hunting, because as Alexei mentioned, forensics is also part of the incident management process.
Therefore we have to provide the raw data for forensics and just for hunting. That means supporting the analyst to understand what is happening in the network or in the infrastructure.
So we are focusing now on those five challenges, and I'd like to highlight how we as a vendor can provide a solution for such challenges. First of all, the SIEMs overwhelmed with log data. It was very traditional that, in the past, many of the customers, many of the companies had central log management. But as we see now, the central log management lost its focus in the last few years because the SIEMs are able to collect the logs.
But as I think all of you who already have an operating SIEM can confirm, the more logs are sent into the SIEM, the slower the SIEM is able to provide the detection of the incident. Therefore central log management became again much more important than a decade ago. So central log management can be a solution, but it's not enough, because the pre-processing of the logs and sending just the interesting logs to the SIEM seems to be the solution for the first challenge.
So the classification and filtering of the business critical data from the informational data, and routing only that to the SIEM, is what we want to provide with our syslog-ng product, which can eliminate the log noise by filtering the unnecessary log messages out. But with syslog-ng Store Box, another product which we have now, we can also store the forensics data.
And with that approach, we can support at least two challenges, and we are able to provide the relevant logs for the SIEM and the other logs for forensic situations.
As a side effect, we are able to optimize the license cost of the SIEMs by forwarding just the relevant data, and this is also very important for many of our customers. Challenge two: protection against the privileged account hijack. And there comes behavior analytics, which we see as the near future of incident management, because as we've heard in the previous presentation, we can see a huge human resource problem inside the SOCs, in all the cyber security field.
Therefore the introduction of AI, the introduction of big data analytics, can help a lot to relieve those scarce resources that we have now in a SOC.
And behavior analytics and real-time alerting is one thing that we really want to provide for our customers, for the companies.
And now I want to explain the basic concept behind our product, Blindspotter, which has been on the market for two years. So first of all, users in general leave their footprints all around the systems as they use the company infrastructure. Their actions appear in logs, audit trails, change logs in business applications, and enormous other places. This is a huge amount of valuable data that already exists.
And I want to emphasize that nowadays creating and sending more and more data and creating information from the data is essential, not just in security, but now in security as well. So the first step for Blindspotter is to collect that information. Using the gathered data containing the digital footprints users left,
it is possible to build a baseline of what's the norm for those users. When are they usually active? What services are they using?
How are they using those services, and so on and so on. Blindspotter uses different machine learning algorithms to create a profile of the users. After this baseline is established, we can start comparing activities to the usual behavior of users and identify unusual behavior in real time. An attacker using a hijacked account, or a malicious insider, will interact differently with the system than a normal user would. By comparing activities to the baseline, we can catch such activities as they happen. By detecting suspicious activities in real time, it becomes possible to react immediately.
Reactions can range from a simple notification to the suspension of the account in question, and can be done automatically or by involving human intelligence for a more detailed assessment.
Just as a side note, we also, so, or also rep from our research that there is a huge need for supporting human intelligence human decision, but the automatic reaction for such activities is not already the need from the companies.
I think the reason behind that, that we, we are not trust in AI in 800, so much to make such automated decision insecurity, but in the next few years as the, the human resource problem, we have increased on our market. I think we will see that more and more companies. We let the computer decide whether that, that decision, whether that incident is a real incident or just a four positive and make automatic decisions.
Okay. Blindspotter is sending the alerts to the SIEMs and/or terminating suspicious sessions in real time.
Just again emphasizing that alerting, or just sending the information, sending the log data into the SIEM, is not enough nowadays; actionable intelligence, actionable items in the SIEM, is also much more important. Therefore the SIEM and the security product have to work together to support the incident management process. Okay, go to challenge three: heavy reliance on predefined rules. It's obvious that everyone starts with predefined rules in a SIEM.
It's obvious that we have to understand the operation of our infrastructure to fine-tune those rules and find the right set of rules that can help us to operate the SIEM efficiently in daily operation. But it's not enough, because many of the so-called targeted attacks that need months or years to be effective will be hidden from the predefined rules.
So to optimize the work of the analyst, Blindspotter prioritizes all potential incidents it sees. Instead of just triggering an alarm, Blindspotter provides its users with a prioritized list of events.
I would like to describe how this ranking method works. Imagine the events being plotted on the coordinate system you can see here. The X axis denotes the inherent risk of a user: a senior admin or a CEO is inherently more risky than a trainee or a guest account, since they can do more damage. The Y axis is for deviation from the normal: how much a given activity differs from what is usual for a user.
So business-as-usual activities of a low-risk user are not really interesting. Normal activities of a high-risk user, or highly unusual things done by low-risk accounts, can be somewhat interesting. It's the highly unusual things done by high-risk users that a company wants to know about.
If, for example, your sysadmin starts to copy the entire user database in the middle of the night, logging in from an IP in China, that's highly unusual, and it's more interesting than, for example, your receptionist checking his email at 7:00 AM from his own desktop computer.
So what Blindspotter can help with is that the product categorizes your events and highlights the most suspicious events, where both the user's risk factor and the deviation level are high. Blindspotter creates a priority list, displayed on a dashboard, for a security analyst to investigate the most suspicious events, to make sure that they spend their time optimally. Those scores can help a lot to find the interesting events, to fine-tune the predefined rules, and to jump onto those events that are interesting now or will really be interesting in the near future.
Now to challenge four: limited time to differentiate false positives from real ones. The solution is multiple machine learning algorithms. I think that there are several vendors who are talking about UBA, user behavior analytics, or big data on a high level, but our experience is that many of the attendees of such webinars are not really familiar with the potential algorithms that can help identify potentially malicious activities.
So the most important thing to realize is that when it comes to the mathematics of analytics and outlier detection, there's no need to reinvent the wheel. There are algorithms out there that have been proven to be effective through decades worth of use in retail or financial fraud detection. The challenge is to apply the same mathematical principles in the domain of security analytics. Blindspotter does not rely on a single algorithm; rather, it utilizes several different ones to look at the data from different angles and combines the results.
Here are some examples of the algorithms we use; we've already shown the simplest of them. The technique of kernel density analysis is an ideal solution to find unusual times of activity, what I mentioned before. The approach of frequent itemset mining is regularly used in retail. That's how Amazon, for example, knows that its customers are more likely to buy a sleeping bag along with a tent that they just put into their cart. Similar profiles can be built out of the digital activities of users in an enterprise as well.
Cluster analysis, as another example, can be used to find peer groups based on behavior or on data. That means they tend to log on to the same servers and use similar commands, while, say, sales people use different services in a very different way. Outlier activity that is not typical for a user's peer group, like suddenly downloading data from Salesforce, can be detected this way.
Okay. Having more data, information such as screen content as recorded by Shell Control Box,
one of the elements of the Contextual Security Intelligence suite, allows us to apply traditional text analysis algorithms to the data. Just as text analysis can detect plagiarism, such analytics can find suspicious behavior on a much deeper level than just pure metadata analysis. Scripted or robotic accounts can be potentially dangerous to enterprises, so we are also dealing with that angle: an external attacker who successfully takes over control of a robotic account can easily access the more important assets of the company as well.
The scripted account detection algorithm uses two methods to find these potentially dangerous, vulnerable accounts. For the first one, I go deeper into the data science work, just to emphasize that we are really working on that and not just stating it. One example is the periodicity of the activities of the account:
if it performs the same activity exactly in the same minute of the hour, probably it is a scripted account. No downtime: the second is the endurance of the account.
If it performs activities tirelessly for hours, it is probably a scripted account. It is also possible to detect humans who started to behave like scripted accounts, and scripted accounts who started to behave like humans. This is scripted account detection. And last but not least, one of the most interesting parts of this solution is that because of the depth of the data that we collect, we are able to perform behavioral biometrics.
As we are focusing on privileged users, and we have really deep data on the behavior, the usage, the activities of privileged users, we are able to do behavioral biometrics. This is how users interact with the device, for example how they type or move a mouse or a touchpad.
Since this is dynamic information, it is very difficult to steal or imitate. Users' biometric analysis continuously monitors all traffic to identify hijacked accounts in real time.
Keystroke dynamics analysis looks at the manner and rhythm with which a person types on a keyboard. The most typical values regarding the keystroke are dwell time and flight time. These values are the basis of Balabit's unique keystroke dynamics algorithm, which performs the analysis of the user's key press and release times. The basic principle of mouse movement analysis is not the position of the mouse cursor, but the relative extent of the position as it changes. So the most obvious factor is the speed of mouse movement.
The idle time between a mouse movement and the click is as typical as the idle time between two clicks of a double click. And what's more, the angular velocity, the rate of change of the angular position of a rotating body,
for example the mouse, can also be a good characteristic. So although most of us do not use a computer for painting, figuratively we are continuously drawing shapes with the cursor while we are using the mouse.
There are differences not only in the straightness or curvature of our drawn lines, but in the smoothness of these movements as well. Some users move the cursor in one continuous line while others break it into smaller fragments; also, fast movements produce curves with different characteristics than slow movements. And I think this is something unique, really unique, and can help a lot in identifying the potential threats.
Now, our last challenge: availability of raw data for hunting. Traditionally Balabit has had several good products that contain the raw data, raw data in a log format, raw data in an audit trail format. So with syslog-ng Store Box, for example, you can do full text search.
You can search through billions of logs in seconds via an intuitive web user interface, with wildcards and operators to perform complex searches, and drill down on the results. Users can quickly pinpoint problems. As I mentioned, we also have audit trails that were generated from the network data.
And those connections can also be searched from the Shell Control Box web user interface, based on their metadata and their actual content as well. The audit trails are indexed; that means that they are OCRed and all the content can be searched from the search interface. It is also possible to execute searches on a large number of audit trails to find sessions that contain specific information or events. SCB, Shell Control Box, can also execute searches and generate reports automatically for trails.
Those possibilities can help a lot, not just in a forensics situation, to find the relevant data in context, but as that information can be useful for those who are under PCI DSS, for example, ISO 27001 or HIPAA, it's very easy to create compliance reports and help to fulfill the compliance requirements of a company.
So how do we see a security operations center? We see the security operations center as being built just next to the SIEM. There are several SIEMs.
We've met several different solutions and vendors, but it was very common that a SIEM interface is the single pane of glass for a security operations center. It's also very common that the companies are trying to collect as many logs as they can through a central log management solution, filter them and send them to the SIEM so that they can correlate them and build good rules on them. From our perspective, we want to enrich such information with the privileged user related data, and not just send the information, the data that we can collect with our privileged user monitoring solution.
We also want to help decisions, risk-based decisions, by enriching such information with privileged user behavior analytics related data.
Therefore, although many of the SIEMs are working just with logs and make decisions just from logs, we really want to provide the right information that is tied to the privileged users and give the necessary data to find the risky situations and the risky sessions. And although the SIEMs already contain security analytics or behavior analytics tools, we can enrich that with more detailed and more precise data.
So from our perspective, we have these three product lines. With Shell Control Box
we can monitor many remote accesses, such as SSH or RDP related connections, gather all the deep data on what happens in the sessions that were made by privileged users, send that information to Blindspotter, which can find the risky sessions based on its algorithms, send alerts and send that information to the SIEM. And through syslog-ng and the syslog-ng Store Box we can also collect and transform or pre-process the logs that will be sent to the SIEM in a general manner, focusing on the privileged users as well. So that was my presentation. I'm waiting for your questions.
Great. Well, yeah, thanks a lot. It was a very interesting presentation. Let me just show my screen again, and we will begin with our Q&A session. So please submit your questions using the questions box you will find in the lower part of the GoToWebinar control panel, and while you are doing so I have a question to ask myself. So if I understand you correctly, your company's approach is not to replace the existing traditional SIEM, right? It's to augment it, to add some additional components which optimize or extend the functionality. Right?
Absolutely.
So we see that the SIEM vendors are doing their job right, and they invest a lot into general behavior analytics and security analytics.
So what we understood from our research is that we shouldn't replace the current SIEMs, but we have to enrich their capabilities. And in the segment that we are good in, this is the privileged user problem, we should provide as much information as we can.
Well, then a follow-up question would be: what should the smaller companies do, which do not have a budget to run their own SIEM at all? Can they still use your software somehow, you know, in a different configuration?
Absolutely. We have our own search capabilities and incident management capabilities. Therefore, those who don't have an up and running SIEM solution can use our Contextual Security Intelligence suite on its own and do the, well, I think they won't have the necessary resources. This is also a result from our research.
They won't have the necessary resources for continuous monitoring, but we can provide alerting, real-time alerting, and incident review capabilities as well.
Okay, great. And by the way, I should point out that we have published some research articles on each of Balabit's products on our website, so if you are looking for more details, you're welcome to go to kuppingercole.com and have a look. And I have the first question from the audience, which is, I guess, coming from Germany, because it's the one I totally relate to as well.
So how do you ensure that your monitoring of user activities is done in a way that complies with data privacy regulations? How do you convince organizations like works councils that probably would not buy into any kind of user surveillance?
Yeah, so privacy is becoming a major, major question nowadays. As we all know, we have a new European regulation, the GDPR, the General Data Protection Regulation, that will be in effect from next year. So privacy is absolutely at the top of the top questions for European companies, and some countries are also very sensitive to the privacy question. And as we are also a European company, we truly understand the privacy related issues. So let me focus on the behavior analytics and mainly the privileged user behavior analytics product.
So it watches the watchers, the privileged users, who bring much more threat to the privacy of other users than Blindspotter itself: privileged users can easily access the PII of other users, and normally no one can supervise what they are doing. Blindspotter plays exactly this role in the organization. Furthermore, Blindspotter logs all access to the profiles and the activity data, and we have other privacy-enhancing technologies implemented into the product. So it was designed with the mindset of privacy preservation.
And I want to tell you that many of our European customers really need the involvement of such privacy-enhancing technologies, but in other markets we don't really see such awareness or privacy culture.
Okay. So next question then. Since we're running a little bit out of time, you have to hurry up. So how can you ensure that attackers do not cheat your algorithm by slowly changing the behavior of a hijacked account?
Okay. This is also a very, very common question.
So just a few examples: cheating one algorithm requires a valid user credential, perfect knowledge about the selected algorithm, and time. Cheating all algorithms requires several valid user credentials, perfect knowledge about all of the algorithms in Blindspotter, and really a lot of time, even years. And by the way, peer group analysis may be able to find this as well. So I would say that it would be very, very hard to cheat those algorithms.
And by the way, is it possible to somehow influence those algorithms? For example, define that such and such user is actually traveling to China now,
so it's okay if he suddenly logs in from China?
In theory, I would say that, of course, the AI can be cheated by AI as well. And we saw last year a challenge where that was the project, and we and other vendors, everyone dealing with AI, should be aware of the possibility of such a threat. But currently we don't see this kind of cheating of algorithms.
So, but we are aware of this potential problem. And as we have a lot of data scientists, we are investigating how to handle this tiny risk that we see now.
Okay. One more question. So you were focusing a lot on monitoring privileged users. Do you believe that there is a fundamental difference between kind of normal users and privileged users in terms of how you should approach their monitoring? Because any user is in theory a potentially privileged user; for example, a chief financial officer can sign huge sums of money for a contract.
If his account is abused, then there would be a lot of privilege escalation.
Yes. I would say that in general all users have some kind of footprint, but just a few of them could be really dangerous for the company itself. If we understand the nature of the cyber attack, the cyber attacks are usually trying to gather the privileged user accounts.
Therefore, although anyone can be dangerous, the usage of behavior analytics, general user behavior analytics, which is built into the SIEM system, or our Blindspotter, can also help in this situation. But I would say that based on the activities of the users we can identify who can be privileged, but from our perspective it is worth spending a significant amount of money to first focus on the privileged user problems, because that will be the finish of a cyber attack, and that is when we, as the last potential countermeasure, should help.
Okay.
So we have reached the top of the hour, how to say, so we have time for one last question. You were talking about biometric analysis, like keystroke and mouse movement dynamics. Is it something where you have a unique position on the market, or are you competing with other vendors in this area? And what's so special about your solution?
Well, based on our current knowledge, Blindspotter is the only UBA solution which is able to do keystroke dynamics analysis, and because of the depth of the data that we collect with the Shell Control Box product, we are able to perform behavioral biometrics. Keystroke dynamics analysis looks at the manner and rhythm with which a person types on the keyboard, as I mentioned. So the most typical values regarding the keystroke are dwell time and flight time; these values are the basis for Balabit's unique keystroke dynamics algorithm, which performs the statistical analysis of the user's key press and release times.
Okay, great. Well, thanks a lot, Csaba. Thanks a lot, our attendees. Unfortunately, we now have to finish our webinar since we are already a little bit over our allocated time.
Again, thanks a lot. Have a nice day and see you in one of our next webinars. Goodbye.
Thank you. Goodbye.