Posts Tagged ‘Insider Threat’
Posted by Michael Applebaum in Cybersecurity, Network Intelligence, SIEM, Threat Management
You know that QRadar SIEM excels at collecting, correlating and reporting on unusual activity, but have you ever wondered how it performs user activity monitoring? Or what value this would have for your organization?
In this new 8-minute YouTube demo, we look at how the integration of identity and access management data enables real-time user activity monitoring. We show how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.
What value would user activity monitoring provide? You might care about a number of use cases:
- A terminated employee taking action on your network (if terminated, how is he or she still on your network?)
- A privileged employee accessing databases she doesn’t usually access (is she performing malicious activity? was her account compromised by an attacker? or did her responsibilities just change?)
- An employee from one geography, who does not travel for business, seen performing activity in a different geography (was his account taken over?)
- A contractor accessing a database or application that he doesn’t require for his job (can he be trusted? do his actions require closer monitoring?)
- And many more examples specific to your business.
Without a SIEM solution that can correlate identity and access management data with network activity in real time, most organizations would miss these risks. But QRadar provides the visibility to know whenever a user performs activity that is risky or abnormal. Whether you want to be alerted to security and risk incidents in real time or view automated reports periodically, QRadar makes it easy to take a proactive stance toward user risks and improve your security posture.
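To make the correlation concrete, here is an added example (not QRadar code, nor anything from Q1 Labs) of the identity-context rules behind the use cases above: each activity event is joined to the user's identity attributes (status, group, home geography, assets the role requires) and a finding is raised for terminated-user activity, a geography mismatch, a contractor or privileged user touching an asset outside scope, or an account the identity system does not know. The identity records, events, field names, group labels and severities are all constructed assumptions; a real deployment would take the attributes from the IAM/HR feed and the events from the SIEM's normalized event store.

```python
"""Identity-aware user activity correlation.

Added example, not QRadar code. The identity records, events and field
names below are constructed for illustration; a real deployment would
pull the identity attributes from the IAM/HR system and the events from
the SIEM's normalized event store.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    status: str                     # "active" or "terminated"
    group: str                      # "employee", "privileged" or "contractor"
    home_geo: str                   # where the user normally works (no travel)
    allowed_assets: FrozenSet[str]  # assets the user's role requires


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_geo: str
    asset: str
    action: str


# Constructed identity context (would normally come from the IAM feed).
IDENTITIES: Dict[str, Identity] = {
    "alice": Identity("alice", "active", "privileged", "US",
                      frozenset({"db-hr", "db-finance"})),
    "bob":   Identity("bob", "terminated", "employee", "US", frozenset({"mail"})),
    "carol": Identity("carol", "active", "employee", "DE", frozenset({"crm"})),
    "dave":  Identity("dave", "active", "contractor", "US",
                      frozenset({"build-server"})),
}

# Constructed activity events (as normalized from OS, database and VPN logs).
EVENTS: List[Event] = [
    Event(datetime(2011, 10, 3, 9, 12), "alice", "US", "db-hr", "query"),
    Event(datetime(2011, 10, 3, 9, 40), "alice", "US", "db-customers", "query"),
    Event(datetime(2011, 10, 3, 10, 5), "bob", "US", "mail", "login"),
    Event(datetime(2011, 10, 3, 11, 30), "carol", "BR", "crm", "login"),
    Event(datetime(2011, 10, 3, 13, 2), "dave", "US", "db-finance", "query"),
    Event(datetime(2011, 10, 3, 14, 45), "eve", "US", "crm", "login"),
]

Finding = Tuple[str, str, str, str]   # (user, asset, rule, severity)


def evaluate(event: Event, identities: Dict[str, Identity]) -> List[Tuple[str, str]]:
    """Apply the identity-context rules to one event; return (rule, severity) pairs."""
    ident = identities.get(event.user)
    if ident is None:
        # Activity by an account the identity system does not know about.
        return [("unknown-account", "high")]
    findings = []
    if ident.status == "terminated":
        # A terminated employee should have no live access at all.
        findings.append(("terminated-user-activity", "high"))
    if event.src_geo != ident.home_geo:
        # The user does not travel, yet the activity originates elsewhere.
        findings.append(("geo-mismatch", "medium"))
    if ident.group == "contractor" and event.asset not in ident.allowed_assets:
        findings.append(("contractor-outside-scope", "medium"))
    if ident.group == "privileged" and event.asset not in ident.allowed_assets:
        # Privileged account touching a system outside its usual set.
        findings.append(("privileged-unusual-asset", "medium"))
    return findings


def correlate(events: List[Event], identities: Dict[str, Identity]) -> List[Finding]:
    """Run every event through the rules and collect the findings."""
    return [(e.user, e.asset, rule, sev)
            for e in events for rule, sev in evaluate(e, identities)]


if __name__ == "__main__":
    for user, asset, rule, sev in correlate(EVENTS, IDENTITIES):
        print(f"{sev:6} {rule:26} user={user} asset={asset}")
```

Alice's first event (a privileged user on a database her role requires, from her home geography) produces no finding; every other constructed event maps to exactly one of the use cases in the list above. The value of the identity join is visible in the `bob` case: the login itself is an ordinary mail login, and only the `terminated` status from the IAM feed turns it into a high-severity finding.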
For more information, visit the Q1 Labs Resource Center today.
Posted by Tom Kendall in Cybersecurity, Network Intelligence, Risk Management, Security Intelligence, Threat Management
This past weekend I watched a documentary on More4 that delved into the Wikileaks scandal. “Wikileaks: Secrets & Lies” went into great detail explaining how Julian Assange served as a middleman in this scandal. Although Julian Assange is viewed as the face and spokesperson for Wikileaks, the documentary showed that Assange would not have had any global status if it weren’t for insiders who are willing to send sensitive information to the organization.
This programme was not about how a hacker could break into a network and steal information; it uncovered a deeper concern: how an insider can revolt, stealing privileged information from inside the network and causing havoc along the way.
This threat is a concern that should be top of mind for organizations. In a report published by Verizon on business data breaches, Verizon found that 48% of total data breaches were caused by insiders and 48% of breaches involved a misuse of an insider’s privileges.
Although identifying the risk of an insider threat was highlighted, the documentary really drove home the need for better security measures, so these incidents can be prevented or halted as they occur and the people responsible can be identified and punished.
For companies without proper security technology, identifying the “rogue insider” is not an easy task. Wikileaks is an excellent example of why traditional perimeter security defenses, such as firewalls and anti-virus software, are no longer sufficient in the “post-perimeter” world. To prevent these types of incidents, organizations should deploy automated technologies that continuously monitor and correlate user activities across various sources (such as network devices, OS logs and applications). This Total Security Intelligence will allow rapid detection of unusual activities such as a large number of sensitive documents being downloaded from a SharePoint server during off-hours or from a remote access location.
To learn more about how Total Security Intelligence can help combat these insider threats and how organizations are using QRadar as the key component for their IT Security, click here.
Posted by Melissa Stevens in Compliance, Cybersecurity, Q1 Labs, Risk Management, Security Intelligence, SIEM, Threat Management
Ever wonder what the “big deal” is with QRadar Security Intelligence? Watch this short video featuring Chris Poulin to understand what sets QRadar apart from other security intelligence solutions, and why thousands of customers large and small have chosen the QRadar Security Intelligence platform to meet their IT security needs. Learn how QRadar helps customers:
- Detect threats others miss
- Consolidate data silos
- Detect insider threats
- Predict risks against your business, and
- Exceed regulation mandates.
Posted by Michael Applebaum in Cybersecurity, Security Intelligence, Threat Management
Give up the façade of control. Trust no one. Verify everything. Resistance is futile.
Okay, I added the last statement, but the first three come straight from a recent Forrester Research report, “Applying Zero Trust to the Extended Enterprise” by John Kindervag. In today’s zero-trust environment – driven by mobile computing, cloud computing, social media and partner collaboration – it’s impossible to control the network perimeter, the number of users accessing the network or the configuration of devices connecting to the network. It’s also impossible to predict when an employee will attempt insider theft or fraud, rendering the notion of a trusted insider obsolete.
As John first wrote last year:
“The concept that there are trusted and un-trusted users is errant and dangerous. This is something we call Zero Trust. … Some of the key components of Zero Trust are that all users are un-trusted and that all traffic, both internal and external, must be inspected and logged.”
This blurring of profiles between internal and external networks means organizations must perform comprehensive monitoring and analysis of all their networks, all the time.
John’s absolutely correct in my view (he was a security systems integrator before joining Forrester), but how do you do it?
Let’s consider three of the report’s recommendations, and apply practical Security Intelligence solutions for implementing them:
- Monitor what users are doing on the network. Forrester advises companies to monitor their employees’ activity on the network, because as the 2011 Verizon Data Breach Investigations Report notes, “insiders were at least three times more likely to steal IP [intellectual property] than outsiders.” This can be accomplished with a user activity monitoring solution that establishes baseline patterns of activity for each user, and then creates alerts when anomalous behavior is observed – applications/systems accessed, volumes of data sent/received, and so on. Security Intelligence solutions today provide a 360-degree view into what users are actually doing and the potential impact of their activities – by collecting and correlating not only log data, but also Layer 7 network flows, asset data, configuration information and vulnerability data to cover the pre-threat exposures.
- Inspect and log all traffic. As if you needed another reason to collect and analyze logs, Forrester highlights one of the Verizon breach report’s more striking observations – that good evidence of breaches usually exists in the victims’ log files. John therefore recommends “inspect[ing] and log[ging] all traffic… [using] threat mitigation controls such as firewalls and network IPSes, security information management (SIM) solutions, and network analysis and visibility (NAV) tools.” Logging is already well understood and commonly performed, but inspecting all traffic? That’s a whole other animal. One of the key points I take from this report is the importance of triangulating intelligence on risks and threats through multiple types of network data – logs from firewalls and IPSes, network flows from NAV solutions, and much more, all correlated and analyzed by a SIM/SIEM solution. Logs, even from multiple sources, aren’t enough any longer; deeper network insight is required. Security Intelligence technologies are equipped to provide just that through Layer 7 flow analysis which is incorporated into a holistic and strategic security solution.
- Deploy NAV tools to watch data flows and user behaviors. This recommendation elaborates on the need for situational awareness via proactive monitoring of internal networks. Would you know if an employee were stealing valuable product plans? Or downloading customer data to take to a competitor? Or if his system had been silently compromised by a bot? These are often difficult to detect until well after the fact, if ever. But a modern Security Intelligence solution will consume and correlate all the data you need to identify these scenarios in real time, by taking a 360-degree view of suspected incidents and ruling out false positives. That may sound like a tall order given the frequently massive data volumes involved, but current solutions are architected for just this kind of scale.
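The first recommendation above calls for a per-user baseline with alerts on anomalous volumes, and the earlier Wikileaks post gave the canonical instance: a large number of sensitive documents pulled from a SharePoint server during off-hours or from a remote access location. The following added example (not QRadar code or the report's method) shows one way to implement both: it builds each user's mean and standard deviation of documents per download session from a constructed fortnight of history, scores new sessions as z-scores against that baseline, and raises severity when an abnormal volume coincides with off-hours or remote access. The download records, the business-hours window and the z-score threshold are constructed assumptions.

```python
"""Per-user download baseline with off-hours and remote-access context.

Added example, not QRadar code. The document-download records, the
business-hours window and the alert thresholds are constructed
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
Z_THRESHOLD = 3.0               # standard deviations above the user's mean

# A record is one download session: (timestamp, user, source, documents).
Record = Tuple[datetime, str, str, int]
Alert = Tuple[str, float, str, List[str]]   # (user, z, severity, reasons)


def _history(user: str, counts: List[int], source: str = "office") -> List[Record]:
    """Build one in-hours session per day for the constructed training window."""
    start = datetime(2011, 9, 5, 10, 0)   # constructed dates
    return [(start + timedelta(days=i), user, source, n) for i, n in enumerate(counts)]


# Constructed history: a normal fortnight of SharePoint downloads per user.
HISTORY: List[Record] = (
    _history("alice", [10, 12, 11, 13, 12, 10, 11, 12, 13, 11])
    + _history("bob", [3, 4, 3, 5, 4, 3, 4, 5, 4, 3])
)

# Constructed new sessions to score against the baseline.
NEW_SESSIONS: List[Record] = [
    (datetime(2011, 9, 20, 14, 0), "alice", "office", 14),  # ordinary afternoon
    (datetime(2011, 9, 21, 2, 30), "alice", "vpn", 400),    # bulk pull at 02:30 over VPN
    (datetime(2011, 9, 21, 10, 0), "bob", "office", 9),     # abnormal, but in-hours and on-site
]


def build_baseline(records: List[Record]) -> Dict[str, Tuple[float, float]]:
    """Per-user mean and population stdev of documents per session."""
    per_user: Dict[str, List[int]] = defaultdict(list)
    for _ts, user, _src, docs in records:
        per_user[user].append(docs)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def score(record: Record, baseline: Dict[str, Tuple[float, float]]) -> Optional[Alert]:
    """Return an alert when a session is anomalous for that user, else None."""
    ts, user, src, docs = record
    if user not in baseline:
        # No history at all: cannot baseline, so surface it for review.
        return (user, float("inf"), "high", ["no-baseline"])
    mu, sigma = baseline[user]
    if sigma == 0:
        z = float("inf") if docs > mu else 0.0
    else:
        z = (docs - mu) / sigma
    if z < Z_THRESHOLD:
        return None                  # within the user's normal range
    reasons = ["volume-anomaly"]
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if src == "vpn":
        reasons.append("remote-access")
    # Volume alone is medium; off-hours or remote access on top of it is high.
    severity = "high" if len(reasons) > 1 else "medium"
    return (user, round(z, 1), severity, reasons)


def detect(new_sessions: List[Record], history: List[Record]) -> List[Alert]:
    """Baseline from history, then score every new session."""
    baseline = build_baseline(history)
    return [a for a in (score(r, baseline) for r in new_sessions) if a is not None]


if __name__ == "__main__":
    for user, z, sev, reasons in detect(NEW_SESSIONS, HISTORY):
        print(f"{sev:6} {user:8} z={z:7} {','.join(reasons)}")
```

Alice's ordinary afternoon session (14 documents against a mean of 11.5) stays under the threshold and produces nothing; her 400-document pull at 02:30 over VPN is flagged high because volume, time and location all deviate together; Bob's 9 documents are far outside his own baseline but happen in-hours from the office, so the alert is medium. A population standard deviation is used because the fortnight is treated as the complete reference window; with a longer rolling history a sample standard deviation and a seasonal (weekday/hour) baseline would be the natural refinements.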
Ultimately, I suspect that most security and networking professionals realize “zero trust” is the right approach to take. The question is how to embrace that view and evolve one’s security operations.
Hopefully the ideas suggested here – and in my “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask” blog series – will provide ideas and inspiration to enhance your own security posture. Please share any thoughts on how you are evolving your organization’s security operations to respond to the new zero-trust reality.
Posted by Tom Turner in Security Intelligence, SIEM, Threat Management
The recent trading fraud at UBS by a rogue employee bears a lot of similarity (not least in the amount of money lost) to the incident at Société Générale in 2008. In both cases the alleged perpetrators were exchange-traded fund specialists, they both had back office experience prior to joining a trading desk (experience that helped them cover their tracks), and while they both had triggered internal trading alarms over the years, it was finally the turbulence in the markets of 2008 and 2011 that ultimately exposed their fraud and associated losses.
Now I am certainly not claiming that SIEM solutions would have caught these complex trade patterns and anomalies today, though there is some interesting research being conducted to extend correlation to trading patterns and there are specific fraud detection technologies for financial applications. What I am pointing out is the analogy: a very powerful one if you are trying to sell the value of implementing SIEM and Security Intelligence within your environment.
Before the world recognized them as rogue traders, these were trusted employees with sophisticated knowledge of the internal workings of company systems. Their trading activities had raised a number of alarms over the years, but these alarms lacked context about associated actions (the other trades they made to cover their tracks) and were likely lost in the noise of all the other alarms that may occur across a large trading desk. Does this sound familiar?
I believe the analogy is apt. Increasingly we see our customers wanting to monitor the actions of users and detect the anomalies in their interactions with applications and systems. The Wall Street Journal recently posted an interesting article about the challenge that users or trusted insiders present from a security standpoint. You don’t have to look much further than UBS or SocGen to understand the ramifications of fraud by trusted employees.
