Devo Behavior Analytics
What is Devo Behavior Analytics?
New technologies and remote work continue to grow the attack surfaces of organizations. To make matters worse, organizations are struggling to find the adequate amount of analysts to take on this increasing workload as the supply-demand gap in the cybersecurity labor market continues to grow. As a result, alert fatigue caused by modern SoCs leads to undesired results including analyst burnout and significant missed alerts.Â
In addition, SoCs frequently take a north-south approach towards security where they look at traffic coming in and out of their organization. However, if a bad actor gains access to a user’s credentials, this can be fatal as tools struggle to detect Insider Risk. On the other hand, it is significantly more difficult for a bad actor to imitate the behavior of a user; if a user that is based in Boston suddenly logs in from Russia, that is a sign of anomalous behavior and a potential risk within your organization.Â
In order to bridge this skill and labor gap, Devo’s Autonomous SoC aims to empower analysts to perform higher level workflows. Whereas traditional SIEMs tend to require analysts sift through thousands of alerts a day, Behavioral Analytics allows analysts to take a different approach and to identify the riskiest ‘entities’ to investigate further instead. Entities are often defined as the components of a network: think IPs, domains, applications, and so forth. The normal behavior of these entities can be used to generate a ‘baseline’ or normal behavior. Any deviations against the baseline are then flagged and can be marked for further investigation by the analyst. Â
How it can help you
By allowing analysts to prioritize and drill-down into risky entities, analysts can spend less time triaging irrelevant alerts and more time performing higher level SoC tasks such as incident management. Behavior Analytics can increase the time-to-value of their SIEM, spend less time dealing with false positives, and perhaps most important of all, help reduce the number of false negatives in their SoC.
Required permissions
If a user is not am Admin in Devo, they will require the following role permissions in order to be able to gain access to all of the features within the Behavior Analytics application:
Required permission | Access level |
---|---|
Alerts → Alert configuration | Manage |
Alerts → Triggered alerts | View |
Data search → Finders | View |
Users will need View level access to the lookup SecOpsAlertDescription. Â
Users will also need access to the following tables:
siem.logtrust.web.info
entity.behavior.signals.events
entity.behavior.signal.filtered
Âentity.behavior.risk.events
Âentity.behavior.list.notables
entity.behavior.list.groups
entity.behavior.list.members
Â
Learn more about roles and how to define them in this section.