Netskope’s Behavior Analytics tool looks at patterns of human behavior, and then applies algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, behavior analytics tracks users. Analyzing this activity will help detect insider threats, compromised accounts, compromised devices, rogue insiders, data exfiltration, lateral movement, anomalous behavior, and advanced persistent threats.
The Behavior Analytics page provides information about the various types of detected insider threats and compromised accounts. Use the Behavior Analytics dashboard to address some common use cases, such as:
- Insider Threats: Insider threats refer to security risks caused by malicious users within a corporate network. This type of attack is different from one caused by a compromised credential, where an external attacker has used valid, stolen account credentials to impersonate an employee and access a network. In the case of a malicious insider, the user typically is acting with intent and likely knows that they are breaking policy and potentially the law.
- Compromised Accounts: An external attacker is abusing stolen account credentials to impersonate an employee and access cloud resources.
- Data Exfiltration: An attacker is abusing a compromised account or compromised device to steal data from the victim. Many campaigns have been found using cloud-based services, such as webmail and file-sharing services, as C&C servers to blend in with normal traffic and avoid detection.
- Compromised Devices: A device that has been accessed by an attacker or infected with malware may communicate with attacker-controlled infrastructure to phone home, receive commands, or fetch malicious content.
For Behavior Analytics User Confidence Index, see the Behavior Analytics User Confidence Index topic.
For Behavior Analytics related Incidents, see the Behavior Analytics Incidents topic.