Identifying Abnormal Asset and User Locations

Aura quickly and easily identifies and reports on asset and user locations and helps detect abnormalities. The ability to identify locations your users and assets can be critical for proactively detecting threats and helping expedite your security investigations.

It’s All About Location, Location, Location…

There is a very close relationship between network assets and who is using them. Without a full understanding of location, it is hard to gain a full understanding of how and where assets are being used. Credentials are often compromised during security attacks and locational information can be a critical element in identifying this unauthorized activity. Aura identifies the locations of assets as well as the locations of the users that are using those assets, to provide unparalleled visibility.

Some assets, such as servers, are fairly static when it comes to location, as they are typically located in a data centre at a fixed location. However other assets, such as mobile phones or laptops, move around with the user of those assets. Beyond physical location, another location dimension to consider could even be the virtual location of the asset on your internal network, especially if you have a large global network. Within a typical company, users have both an external location, representing where they are physically in the world, and an internal location, representing their company office or business unit location. In the current climate, with many workers working from home the user’s external location is almost certainly different to the user’s company internal location.

Aura identifies and keeps track of these locations as follows:

  1. Asset location – a fixed location in a data centre (e.g. a server), or moves around with a user (e.g. a phone or laptop). There may be both a physical and also a network location for an asset.
  2. Internal user location – usually the office location where a user is based or the location of their business unit
  3. External user location – the user may be logging in remotely via VPN and their external location is likely different to their internal location.

Let’s see how we can leverage Aura to easily identify these three different locations.

Identifying Asset Locations

Identifying the last known asset location in Aura is quick and easy. This location information is dynamically calculated by Aura using a number of different factors and applied logic. Simply enter the asset into the Network Asset Investigation view and Aura will geolocate the asset and present the location on a map. Aura will also display the city, state/region and country of the asset. We can see this illustrated in the screenshot below.

Network Asset Investigation view in Aura identifying location

Identifying Internal and External User Locations

Aura dynamically calculates and keeps track of both internal and external locations of your users over time, as well as any changes. There are several ways in which these locations can be viewed and leveraged within Aura. One of the simplest ways to quickly identify these locations is to enter the user ID into the User Identity Investigation view and Aura will geolocate both locations and present this information to you on a map. We can see this illustrated in the screenshot below.

User Identity Investigation view in Aura identifying locations

Identifying Abnormal Locations

Knowing all these locations are great, but recent security attacks have illustrated how this location information might be useful for identifying and possibly preventing similar attacks on your network. On any given day, the location of either a user or asset may not change that much. For example, a user might work from the same office, work remotely from the same home address every day. On the other hand, workers who travel will almost certainly change locations. Aura keeps track of this location information over time, allowing for the identification of abnormal location patterns and activity. For example, a user associated with two different country locations on the same day, when they typically never change location or no travel has occured. Aura can help you identify use cases and patterns like this as well as so much more.

One of the ways Aura helps to identify abnormal external user locations out-of-the-box, is through the use of the User External Location Insights view. This illustrates all of the external locations associated with your users over time and helps to identify users associated with multiple locations and unusual activity patterns. We can see this illustrated in the screenshot below.

External Location Insights view in Aura identifying external locations

Let’s Recap

In this post we outlined the importance of location when it comes to both assets and users. There is a very close relationship between the assets and who is using those assets and without a full understanding of this locational information, it is hard to gain a full understanding of how and where assets are being used. Locational information often forms a critical element in identifying unauthorized network activity. We showed some examples of how easy it is within Aura to view this locational information and then also illustrated how the data could be used to flag anomalous activity. There are many other ways in which the location data collected by Aura can be leveraged to detect abnormalities or to support security investigations. Contact us today to find out more and to see Aura in action.

Aura Asset Intelligence runs on Splunk. If you would like to find out more or get a demo or free trial, please contact us today.