The Segura platform's Behavior Engine monitors every privileged session (RDP, SSH, web, database, API, local commands, among others) in real time, capturing detailed signals and events from the beginning to the end of the session. This continuous analysis identifies normal patterns, behavioral deviations, and emerging risks without delay.
What is captured
- Typing patterns
  - Analyzes speed, rhythm, and typing style during the session.
  - Detects inconsistencies, such as operator changes, use of automatic scripts, or non-standard commands.
- Command flow and navigation
  - Monitors the sequence of commands, accessed files, and navigation paths in applications or terminals.
  - Detects atypical executions, unexpected jumps between resources, or automation patterns.
- Session duration and context
  - Evaluates whether the session is consistent with the baseline usage time.
  - Identifies excessively long, excessively short, or unusually timed sessions.
- Device, location, and network context
  - Registers the endpoint, geolocation, IP address, VPN, and user environment.
  - Cross-references this data with the user's history to detect access from new locations or suspicious devices.
Adaptive analysis and profile update
- Dynamic profile: the user profile is constantly updated, incorporating legitimate changes and identifying rapid adaptations (e.g., travel, shift changes).
- Proactive risk identification: any sign of relevant deviation, such as a new command, use of atypical credentials, access outside of hours, or device change, is immediately evaluated by the analytical engine and can trigger automatic responses.
- Real-time update: there is no delay in the response. The system reacts in real time to suspicious activity, reducing the window of exposure to threats.
Use cases
- Takeover/imposter detection: changes in typing patterns, command usage, or timing may indicate that the account has been compromised.
- Unauthorized automation identification: repetitive sequences, without human variation, are quickly detected, preventing misuse of scripts.
- Unauthorized or improvised access: sessions initiated from new devices, unexpected remote locations, or times incompatible with the user's profile generate automatic alerts and may require immediate MFA.
- Forensic tracking: every anomalous event is recorded with detailed context, supporting auditing, compliance, and post-incident investigations.
Integration with policies and responses
- Adaptive policies: rules and workflows can be configured to react automatically to anomalies, escalating the response according to the detected risk.
- Response orchestration: integration with SIEM, SOAR, and other Segura platform modules allows for triggering automatic playbooks, additional MFA, session pause/blocking, forwarding for analysis, notification of security teams, and much more.
- Zero standing privilege: continuous analysis ensures that any privilege granted can be dynamically revoked in case of risk, aligning with zero-trust best practices.
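The baseline-and-deviation flow described under "What is captured", "Adaptive analysis and profile update", and "Integration with policies and responses" can be illustrated with a small session-risk scorer. The Python below is an added example written for this page, not Segura code: the signals it weighs (device, location, start hour, keystroke cadence, new commands), the weights and thresholds, the action names (`allow`, `alert_soc`, `require_mfa`, `block_session`) and the session data are all constructed assumptions, chosen only to show how a per-user baseline is learned, how a new session is scored against it, how the score maps to an escalating response, and why only low-risk sessions are allowed to refine the baseline.

```python
"""Toy behavioral session scorer (constructed illustration, not Segura code)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Session:
    user: str
    device_id: str
    country: str
    start_hour: int            # local hour (0-23) at which the session began
    keystroke_gaps_ms: list    # milliseconds between consecutive keystrokes
    commands: list             # commands typed during the session


@dataclass
class Profile:
    """Per-user baseline learned from previously accepted sessions."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    cadence_history: list = field(default_factory=list)   # mean gap per past session
    commands: set = field(default_factory=set)

    def learn(self, s: Session) -> None:
        self.devices.add(s.device_id)
        self.countries.add(s.country)
        self.hours.add(s.start_hour)
        self.cadence_history.append(mean(s.keystroke_gaps_ms))
        self.commands.update(s.commands)


def score_session(profile: Profile, s: Session):
    """Return (risk score, reasons) for a session measured against the baseline."""
    score, reasons = 0, []
    if s.device_id not in profile.devices:
        score += 3; reasons.append("new device")
    if s.country not in profile.countries:
        score += 3; reasons.append("new location")
    if s.start_hour not in profile.hours:
        score += 2; reasons.append("outside usual hours")
    gaps = s.keystroke_gaps_ms
    # Human typing jitters; near-zero variance suggests a script replaying input.
    if len(gaps) >= 2 and pstdev(gaps) < 5.0:
        score += 2; reasons.append("machine-regular typing")
    # Compare this session's cadence with the user's history (z-score).
    hist = profile.cadence_history
    if len(hist) >= 3 and pstdev(hist) > 0:
        z = (mean(gaps) - mean(hist)) / pstdev(hist)
        if abs(z) > 2.0:
            score += 2; reasons.append(f"typing cadence deviates (z={z:.1f})")
    new_cmds = [c for c in s.commands if c not in profile.commands]
    if new_cmds:
        score += min(2, len(new_cmds))
        reasons.append("new commands: " + ", ".join(new_cmds))
    return score, reasons


def decide(score: int) -> str:
    """Map the risk score to an escalating response (constructed policy)."""
    if score >= 6:
        return "block_session"
    if score >= 4:
        return "require_mfa"
    if score >= 2:
        return "alert_soc"
    return "allow"


def evaluate(profile: Profile, s: Session):
    """Score, decide, and adapt the baseline only from sessions judged low risk."""
    score, reasons = score_session(profile, s)
    action = decide(score)
    if action in ("allow", "alert_soc"):
        profile.learn(s)   # adaptive profile: high-risk sessions never poison the baseline
    return action, score, reasons


def build_baseline() -> Profile:
    """Constructed history: five ordinary daytime sessions from one laptop."""
    p = Profile()
    for hour, m in [(9, 140), (10, 155), (14, 150), (15, 160), (16, 145)]:
        gaps = [m - 20, m + 10, m, m - 10, m + 20]   # mean == m, human-like jitter
        p.learn(Session("alice", "laptop-01", "BR", hour, gaps,
                        ["ls", "cd /var/log", "cat auth.log"]))
    return p


if __name__ == "__main__":
    profile = build_baseline()
    for s in [
        Session("alice", "laptop-01", "BR", 10, [130, 160, 150, 140, 170], ["ls", "cat auth.log"]),
        Session("alice", "laptop-01", "BR", 11, [60, 80, 70, 65, 75], ["ls", "tar czf /tmp/logs.tgz /var/log"]),
        Session("alice", "laptop-01", "BR", 14, [50, 50, 50, 50, 50], ["ls"]),
        Session("alice", "phone-77", "DE", 3, [130, 160, 150, 140, 170], ["ls"]),
    ]:
        print(evaluate(profile, s))
```

The four constructed sessions run in `__main__` map onto the use cases above: an ordinary session is allowed and folded into the baseline; a session with a much faster typist, an unusual hour and an unfamiliar command is pushed to step-up MFA; perfectly regular keystroke timing is flagged as automation; and a session from a new device in a new country at 03:00 is blocked outright and never influences the profile.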