data-transfer-anomalies

Detecting abnormal or suspicious upload or download activity by a user with a machine learning model. A leading power distribution organization wants to monitor insider threats by identifying abnormal or suspicious upload or download activity by its users.

CHALLENGES

  • Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
  • False positive reduction: Traditional SIEM rules generate many false positive alerts, so the focus is on leveraging ML capabilities for anomaly detection.

SOLUTIONS

  • Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
  • Utilized the Splunk MLTK app to visualize the data, model it, and evaluate model performance.
  • Multiple ML models were evaluated for detecting suspicious upload or download activity.
  • The selected model was packaged and deployed in the production environment successfully.
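As an added illustration of the per-user baseline this kind of detection is built on (example code written for this page, not Positka's or Splunk's implementation, and it does not use MLTK): it parses constructed Squid access-log lines in an assumed custom logformat that appends request bytes (Squid's default native format records only reply bytes, so uploads are not measurable from it), sums upload and download volume per user per day, and scores each day against that user's own earlier days with a robust z-score (median and MAD). It also shows two false positive controls that the challenge above calls for: users with too little history are reported separately instead of being scored, and a floor on the MAD stops a nearly constant history from turning a small fluctuation into an alert. The field layout, thresholds, and the users alice, bob and charlie are all assumptions.

```python
"""Per-user upload/download baseline over Squid proxy logs (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample lines. Assumed custom Squid logformat (NOT the default native format):
#   epoch_ts user client_ip method url status reply_bytes request_bytes
# reply_bytes = bytes sent to the client (download); request_bytes = bytes received
# from the client (upload), which the default native format does not record.
SAMPLE_LOG = """\
1704067200.000 alice 10.0.0.5 GET http://intranet.example/r1.pdf 200 1200000 400
1704153600.000 alice 10.0.0.5 GET http://intranet.example/r2.pdf 200 1100000 410
1704240000.000 alice 10.0.0.5 GET http://intranet.example/r3.pdf 200 1300000 390
1704326400.000 alice 10.0.0.5 GET http://intranet.example/r4.pdf 200 1150000 420
1704412800.000 alice 10.0.0.5 GET http://intranet.example/r5.pdf 200 1250000 400
1704499200.000 alice 10.0.0.5 GET http://intranet.example/r6.pdf 200 1200000 400
1704499300.000 alice 10.0.0.5 POST https://fileshare.example/upload 200 300 850000000
1704067200.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 500000 300
1704153600.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 500000 300
1704240000.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 500000 300
1704326400.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 500000 300
1704412800.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 500000 300
1704499200.000 charlie 10.0.0.7 GET http://intranet.example/dash 200 510000 300
1704326400.000 bob 10.0.0.9 GET http://intranet.example/r1.pdf 200 800000 350
1704412800.000 bob 10.0.0.9 GET http://intranet.example/r2.pdf 200 820000 360
1704499200.000 bob 10.0.0.9 POST https://fileshare.example/upload 200 300 900000000
"""

MIN_HISTORY_DAYS = 5        # days of a user's own history needed before scoring
ROBUST_Z_THRESHOLD = 3.5    # conventional cut-off for a MAD-based z-score
MAD_FLOOR_BYTES = 50_000    # lower bound on the scale so a flat history cannot flag noise


def parse_line(line):
    """Split one log line into day, user and byte counts in each direction."""
    ts, user, _client, method, _url, _status, reply_bytes, request_bytes = line.split()
    day = datetime.fromtimestamp(float(ts), tz=timezone.utc).date().isoformat()
    return {"day": day, "user": user, "method": method,
            "download": int(reply_bytes), "upload": int(request_bytes)}


def aggregate_daily(lines):
    """Sum upload and download bytes per (user, day)."""
    totals = defaultdict(lambda: {"upload": 0, "download": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        key = (rec["user"], rec["day"])
        totals[key]["upload"] += rec["upload"]
        totals[key]["download"] += rec["download"]
    return totals


def robust_z(value, history):
    """Median/MAD z-score: resistant to an occasional large day inside the baseline itself."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, MAD_FLOOR_BYTES)   # 1.4826 makes MAD comparable to a std dev
    return (value - med) / scale


def detect_anomalies(lines):
    """Return (anomalies, users_without_baseline).

    Each day is scored only against that user's earlier days; users with fewer
    than MIN_HISTORY_DAYS of history are listed separately rather than scored."""
    totals = aggregate_daily(lines)
    anomalies, scored_users = [], set()
    for (user, day), vals in sorted(totals.items()):
        hist = [v for (u, d), v in totals.items() if u == user and d < day]
        if len(hist) < MIN_HISTORY_DAYS:
            continue
        scored_users.add(user)
        for direction in ("upload", "download"):
            z = robust_z(vals[direction], [h[direction] for h in hist])
            if z > ROBUST_Z_THRESHOLD:
                anomalies.append({"user": user, "day": day, "direction": direction,
                                  "bytes": vals[direction], "robust_z": round(z, 1)})
    users_without_baseline = sorted({u for (u, _d) in totals} - scored_users)
    return anomalies, users_without_baseline


if __name__ == "__main__":
    found, unscored = detect_anomalies(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['day']} {a['user']} {a['direction']} {a['bytes']} bytes (robust z {a['robust_z']})")
    print("no baseline yet:", unscored)
```

On the constructed sample only alice's 2024-01-06 upload is flagged; her download on the same day and charlie's slightly larger day stay below the threshold, and bob is reported as lacking a baseline rather than alerted on two days of history. A per-user baseline alone is blind to a new account that is large from day one, which is why a production model would also compare users against their peer group.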

BENEFITS

  • Visibility into insider threats.
  • Reduced false positive alerts.
  • Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operations Center Team

Product: Splunk Enterprise

Splunk App: Machine Learning Toolkit