Insider threat detection tools that sniff out dangers from within

Learn about the insider threat detection tools that can zero in on anomalous user behavior. Malicious or accidental, the insider threat is one of the most dangerous and costly to companies.

Firewalls, intrusion detection and prevention systems, and antimalware are reasonably effective against external threats, but they don't detect unauthorized activity inside the network. A recent Crowd Research Partners survey found that when it comes to battling insider threats, organizations employ a combination of policies and training to fight security threats that originate from within. However, there are technologies available now that can strengthen an organization's ability to detect and respond to insider threats, as well as to prevent future malicious activity.

An overview of insider threat detection tools

Privilege escalation, abuse of privileged accounts and data exfiltration represent some of the most serious issues associated with insider security compromises. Identity and access management (IAM) and data loss prevention (DLP) are insider threat detection tools that aim to prevent many issues, but even they can't stop every incident.

Log files are an excellent source of user activity on a network, and most breaches can be discovered through log file analysis. However, the sheer amount of data an administrator must wade through to find evidence of a compromise makes this effort virtually fruitless, especially since the admin is searching for activity that doesn't fit a known pattern. That's where insider threat detection tools that incorporate analytical and machine learning capabilities come into play. These technologies scan for user behaviors associated with privilege escalation, data loss and so on, as well as a range of not-to-pattern activities that are highly difficult to detect through manual reviews.

The technologies garnering a lot of interest are the following:

  • User activity monitoring (UAM): This type of tool monitors and collects in real time all kinds of user activity data, such as email, chat and internet uploads and downloads. When integrated with a security information and event management system, administrators receive alerts when suspicious or anomalous activity is detected. Many products include machine learning algorithms and risk scoring to identify high-risk users and track the behaviors of lower-risk users that can become threats.
  • User behavior analytics (UBA): A big step up from UAM is UBA, which sifts through and analyzes different types of data logs to establish a baseline of normal user behavior and identify patterns of abnormal or anomalous behavior that may indicate an insider threat. The beauty of UBA is its ability to use algorithms to analyze a wide and deep pool of data, understand its context and make correlations. A UBA system provides actionable insights in the form of reports and dashboards that prioritize risks.
  • User and entity behavioral analytics (UEBA): The latest and most comprehensive of the three technologies is UEBA. It provides the same type of analytics as UBA but also analyzes endpoints, networks and applications -- whether on premises, in the cloud or mobile. In this respect, UEBA correlates user and entity behavior for more accurate and effective threat detection.

UAM has been around for a while, but keep in mind that the UBA and UEBA markets are in flux. For example, the line between UBA and UEBA is quickly blurring, with some UBA vendors incorporating new features and rebranding their product as UEBA.

Act now, expect results in the future

The key to behavioral -- and entity -- analytics is detection and analysis of patterns over time. Because behaviors differ among users, be aware that an insider threat detection tool can take weeks or months to gather enough data to create an accurate baseline of normal activity and to tease out difficult-to-detect anomalies.
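The paragraphs above describe what UBA products do in the abstract: build a per-user baseline from historical logs, then score new events by how far they deviate from it, and fold several signals into a single risk score. The following is an added toy example, not code from the article or from any vendor product, that does exactly that over a handful of constructed log lines (ISO timestamp, user, action, byte count). The fields, the thresholds (3 sigma on daily download volume, a one-hour tolerance around the user's usual working hours, an alert cut-off of 50) and the point values are assumptions chosen for illustration; a real deployment would derive them from weeks or months of data, as the text notes.

```python
"""Toy UBA-style baselining and risk scoring over constructed log lines."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (ISO-8601 timestamp, user, action, bytes); not from any real system.
BASELINE_LOGS = [
    "2017-01-02T09:15:00 alice download 120000",
    "2017-01-02T10:40:00 alice download 95000",
    "2017-01-03T09:05:00 alice download 110000",
    "2017-01-03T14:20:00 alice download 130000",
    "2017-01-04T11:00:00 alice download 100000",
    "2017-01-02T08:50:00 bob download 2000000",
    "2017-01-03T09:10:00 bob download 2200000",
    "2017-01-04T09:30:00 bob download 1900000",
]
NEW_LOGS = [
    "2017-01-05T02:30:00 alice download 4500000",  # large pull at 02:30, far outside alice's pattern
    "2017-01-05T09:20:00 bob download 2100000",    # bob routinely moves ~2 MB, so this is normal
    "2017-01-05T10:00:00 carol download 50000",    # carol has no history yet (new account)
]

VOLUME_Z_THRESHOLD = 3.0  # assumed: daily volume more than 3 sigma above the user's mean
ALERT_THRESHOLD = 50      # assumed: risk score at which an alert is raised


def parse_line(line):
    ts, user, action, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per user: mean/std of daily download volume plus the hours they are normally active."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes downloaded
    hours = defaultdict(set)                       # user -> hours of day seen in history
    for ev in map(parse_line, lines):
        if ev["action"] == "download":
            daily[ev["user"]][ev["ts"].date()] += ev["bytes"]
        hours[ev["user"]].add(ev["ts"].hour)
    baseline = {}
    for user, per_day in daily.items():
        totals = list(per_day.values())
        mean = sum(totals) / len(totals)
        var = sum((t - mean) ** 2 for t in totals) / len(totals)
        # A constant history gives std 0; fall back to 10% of the mean so one event cannot divide by zero.
        std = math.sqrt(var) or max(mean * 0.1, 1.0)
        baseline[user] = {"mean": mean, "std": std, "hours": (min(hours[user]), max(hours[user]))}
    return baseline


def score_event(ev, baseline):
    """Return (risk score, list of human-readable reasons) for one event."""
    prof = baseline.get(ev["user"])
    if prof is None:
        # No baseline yet: cannot judge deviation, so flag for review at a low fixed score.
        return 20, ["no baseline for user"]
    score, reasons = 0, []
    if ev["action"] == "download":
        z = (ev["bytes"] - prof["mean"]) / prof["std"]
        if z > VOLUME_Z_THRESHOLD:
            score += 60
            reasons.append(f"download volume {z:.1f} sigma above daily mean")
    lo, hi = prof["hours"]
    if not (lo - 1 <= ev["ts"].hour <= hi + 1):
        score += 30
        reasons.append(f"activity at hour {ev['ts'].hour:02d} outside usual {lo:02d}-{hi:02d}")
    return score, reasons


def triage(baseline_lines, new_lines):
    """Build the baseline from history, then score every new event; keyed by user."""
    baseline = build_baseline(baseline_lines)
    results = {}
    for ev in map(parse_line, new_lines):
        score, reasons = score_event(ev, baseline)
        results[ev["user"]] = {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}
    return results


if __name__ == "__main__":
    for user, r in triage(BASELINE_LOGS, NEW_LOGS).items():
        flag = "ALERT " if r["alert"] else "ok    "
        print(f"{flag} {user:<6} score={r['score']:>3}  {'; '.join(r['reasons'])}")
```

Two details matter more than the arithmetic. The per-user baseline is what lets bob's 2 MB transfer pass while alice's is flagged; a single global threshold would get one of them wrong. And the account with no history is the practical edge case the text's "weeks or months" warning points at: the code cannot call carol anomalous, so it routes her to review at a low score rather than pretending to have a judgement.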

In its Insider Threat Report 2016, Crowd Research Partners found that 57% of organizations consider the combination of policy and training to be the most effective means for battling insider threats. However, coupling these two people-centric methods with technology products strengthens an organization's ability to detect and respond to insider threats, as well as to prevent future malicious activity.


This was last published in January 2017

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Which tools for handling potential insider threats is your company using, and what has been your experience with them?
This is a great article but it doesn't cover deception technology, which is now being used to find threats that bypass or evade prevention and other detection tools. Deception works by setting up decoys and planting deception bait that makes the entire network a trap. Deception is so advanced now that it can run the same production software as the company asset, making it undetectable to an attacker. Deception is extremely effective in detecting insiders as they try to conduct reconnaissance or move laterally to escalate their attack. It also reveals the attacker if they attempt to use the planted credential bait. Carolyn Crandall