User Behavior Analytics

Rochester Institute of Technology, Fall 2023


Problem Statement

Network defenders in the Monitoring and Incident Response Division need a more reliable way to detect behavioral anomalies so they can counter malicious activity on DoS networks before incidents occur.


Problem Scoping and Discovery

The team conducted 60 discovery interviews and gained the following insights:

  • The team explored Okta-based identity solutions and looked into the use of Splunk for user behavior analytics. However, they later decided to shift towards a tool-agnostic approach.

  • Any solution would need to define network behavior triggers to detect anomalies. These triggers would need to be periodically updated based on network activity.

  • Different users have different recovery options based on their user privilege level, and incident responses need to be tailored accordingly.
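The two bullets above describe a behavioral trigger that is re-derived from recent activity and a response that depends on the user's privilege level. The following Python script is an added illustration of that loop and is not the team's code or Splunk UBA: it learns a per-user baseline (typical outbound volume and logon hours) from a trailing window of events, fires triggers when a new event deviates from it, re-baselines every day from events that were not themselves flagged, and maps each alert to a response tier. The telemetry, user names, privilege levels and response text are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    day: int
    user: str
    hour: int
    bytes_out: int


# Constructed sample telemetry (not real network data): three quiet days per
# user, then a bulk transfer at 03:00 by alice and an off-hours logon by bob.
EVENTS = (
    [Event(d, "alice", h, b) for d in (1, 2, 3) for h, b in ((9, 1000), (14, 1200))]
    + [Event(d, "bob", h, b) for d in (1, 2, 3) for h, b in ((10, 2000), (15, 2500))]
    + [Event(4, "alice", 9, 1100), Event(4, "alice", 3, 50000),
       Event(4, "bob", 10, 2100), Event(5, "bob", 22, 2200)]
)

# Hypothetical privilege tiers and the response each tier gets (constructed).
PRIVILEGE = {"alice": "standard", "bob": "admin"}
RESPONSE = {
    "standard": "force a password reset and notify the user",
    "admin": "disable the account, revoke sessions and page the on-call responder",
}


@dataclass
class Baseline:
    mean_bytes: float
    std_bytes: float
    usual_hours: frozenset


def build_baselines(history):
    """Derive one Baseline per user from a window of previously accepted events."""
    per_user = defaultdict(list)
    for ev in history:
        per_user[ev.user].append(ev)
    return {
        user: Baseline(mean([e.bytes_out for e in evs]),
                       pstdev([e.bytes_out for e in evs]),
                       frozenset(e.hour for e in evs))
        for user, evs in per_user.items()
    }


def triggers(ev, base, z_threshold=3.0):
    """Return the names of the triggers an event fires against its user's baseline."""
    if base is None:
        return ["new_user"]  # no history at all for this account
    fired = []
    if base.std_bytes > 0:
        z = (ev.bytes_out - base.mean_bytes) / base.std_bytes
        if z > z_threshold:
            fired.append("volume_zscore")
    elif ev.bytes_out > 2 * base.mean_bytes:  # flat history: fall back to a ratio test
        fired.append("volume_ratio")
    if ev.hour not in base.usual_hours:
        fired.append("unusual_hour")
    return fired


def run(events, window_days=3):
    """Replay events day by day. Each day the baselines are rebuilt from the
    trailing window of accepted (unflagged) events, so a single outlier does
    not get folded into the norm it is measured against."""
    by_day = defaultdict(list)
    for ev in events:
        by_day[ev.day].append(ev)
    first_day = min(by_day)
    accepted, alerts = [], []
    for day in sorted(by_day):
        window = [e for e in accepted if e.day >= day - window_days]
        baselines = build_baselines(window)        # periodic re-baselining step
        learning = day < first_day + window_days   # still collecting history
        for ev in by_day[day]:
            fired = [] if learning else triggers(ev, baselines.get(ev.user))
            if fired:
                tier = PRIVILEGE.get(ev.user, "standard")
                alerts.append({"day": day, "user": ev.user, "triggers": fired,
                               "privilege": tier, "response": RESPONSE[tier]})
            else:
                accepted.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Running it yields two alerts: alice's 03:00 transfer fires both the volume and the unusual-hour triggers and maps to the standard-user response, while bob's 22:00 logon fires only the unusual-hour trigger and, because the account is in the admin tier, maps to the stronger response. Excluding flagged events from the next day's window is the part that matters in practice: a trigger that is "periodically updated based on network activity" without that filter will quietly learn the attacker's behavior as normal.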


Solution Proposed

The team proposed a process that builds on the Data Architecture for Cyber Security team’s data aggregation solution, which is being implemented in CTS. They propose running analysis over the aggregated data, specifically with Splunk User Behavior Analytics, which comes with the cloud Splunk Enterprise Security instance, to detect malicious actors within the wider DoS network.

