FireEye Stories Blog

Helix Highlights — Focusing on Analytics and Securing the Remote Workforce

The breadth and depth of remote work has increased dramatically as companies adapt to ‘the new normal.’ Business units and functions that have never been performed remotely are now required to operate in a fully remote mode. During these rapid changes, it’s critical that organizations adapt their security monitoring controls to provide visibility and detection for this remote workforce.

Analytics have long been a key component of the detection suite within the FireEye Helix platform and this month the team continued to add new capabilities to further enhance the safety and security of remote workers.

FireEye Helix Analytics Additions

Cloud security starts with visibility. Whenever a developer spins up a new cloud service, they should be able to easily centralize telemetry. Analysts can then go to this single location to review the security status of all cloud services.

An additional challenge to cloud security is the new reality of a remote workforce and security teams are needing to adapt. The Helix Analytics stack provides a rich set of capabilities to secure this new dynamic.

Abnormal Office 365 Logon

For organizations embracing the Office 365 productivity suite, baselining and understanding user behavior is paramount for detecting unusual behavior. Having a baseline of user behaviors and application usage means enables security teams to follow up on meaningful alerts on deviations that may warrant further investigation.

In the following example, we show a remote user who—after establishing an initial baseline—was discovered to be logging in from an uncommon source IP address. Further investigation revealed this user connecting from a country that is not their place of origin.

VPN Analytics | Abnormal Logon

A portion of the user population connecting through VPN has always been a reality for organizations, but now moving the entire workforce remote has expanded the attack surface tremendously.

The Abnormal VPN Logon module works by continuously profiling and baselining a user’s logon behavior across a variety of data points. In the following example, the VPN Logon behavior of two users caused the analytic to create an alert based on their previous behavior and these logons coming from countries in which they are based.

As more users are now using cloud productivity suites, the demand for being able to secure files being exchanged also becomes a key challenge. FireEye provides Detection on Demand, which is able to detonate and analyze all files flowing through these applications and provide a verdict. Some examples of these suites include Office 365, AWS, Google Private Cloud and more.

Further investigation is warranted and can be done with the recently introduced EBAC (Entity-Based Alert Correlation) on a per user basis, much like in the following image. This provides for further drill down capabilities and more relevant grouping of threats to facilitate quicker actionable investigations as well as displays risk scores for the environment.

Additional Remote-Workforce Focused Analytics

To close things out, here are additional remote-workforce focused analytics that users can take advantage of today:

  • Duo SSO
  • Okta
  • Abnormal GCP Activity
  • Citrix NetScaler
  • Druva
  • Entrust
  • AWS

Learn more here about FireEye security analytics and FireEye Helix.