Posts Tagged ‘Insider Threat’
What would you do if someone was repeatedly trying to break in through your front door? Would you add an extra lock and hope that was enough? Would you completely ignore the back door? If you lived in a neighborhood where lots of homes had been broken into, would you do some research to see what the common entry points were and maybe take some precautions to better address those risks, even if your house had been safe so far?
I’d like to think you’d do just about anything in your power to protect your home, and definitely your business. But finger-crossing and dead-bolt equivalents seem to be the approach a lot of organizations take when it comes to security, especially network security. Those organizations are resting on hope: hope that they won’t be targeted by a cyber attack, hope that no disgruntled insiders will take a shot, hope that their network security analysts won’t miss something in the piles of log data being generated every minute, and hope that their first-generation solutions are working well enough to catch modern attackers.
Earlier this week I read an article in Network World about the failure of CSOs to properly evaluate risk in their security strategy. It asked the important question: “what happens if your security strategy doesn’t work?” I’m betting there are a lot of organizations out there who don’t know the answer to that question, and if they did, they wouldn’t be happy.
To truly be secure, you need to know where your vulnerabilities are and then figure out how to fix them. Your team needs to be prepared to identify and respond quickly to attempted and successful breaches (because inevitably, some will get through). They also need to know how to minimize the damage that can be caused by an incident. They need to be able to find the who, the what, the when, the where and, most importantly, the how, and they need this information in real time. This is the essence of Security Intelligence. Do you have it?
You know that QRadar SIEM excels at collecting, correlating and reporting on unusual activity, but have you ever wondered how it performs user activity monitoring? Or what value this would have for your organization?
In this new 8-minute YouTube demo, we look at how the integration of identity and access management data enables real-time user activity monitoring. We show how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.
What value would user activity monitoring provide? You might care about a number of use cases:
- A terminated employee taking action on your network (if terminated, how is he or she still on your network?)
- A privileged employee accessing databases she doesn’t usually access (is she performing malicious activity? was her account compromised by an attacker? or did her responsibilities just change?)
- An employee from one geography, who does not travel for business, seen performing activity in a different geography (was his account taken over?)
- A contractor accessing a database or application that he doesn’t require for his job (can he be trusted? do his actions require closer monitoring?)
- And many more examples specific to your business.
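The four use cases above all come down to the same mechanic: join each access event against identity context (employment status, group, home geography, what the account is entitled to) and fire a rule when the event contradicts that context. The following is an added example, not QRadar code or anything from the original post; the directory, the key=value log format, the user names and the field names are all constructed for illustration. It also flags events from accounts the identity feed has never heard of, since a missing identity record is itself a failure mode of this kind of correlation.

```python
"""Identity-aware correlation of access events (constructed example).

The directory export and the log lines are made up; the field names
(user=, app=, db=, geo=) are assumptions, not a real SIEM schema.
"""
from dataclasses import dataclass


@dataclass
class Identity:
    status: str                  # "active" or "terminated"
    group: str                   # "employee", "privileged" or "contractor"
    home_geo: str                # country the user normally works from
    travels: bool = False        # True if cross-geo activity is expected
    usual_dbs: frozenset = frozenset()     # databases this user normally touches
    allowed_apps: frozenset = frozenset()  # apps in scope for a contractor


# Constructed identity/access-management export (hypothetical users).
DIRECTORY = {
    "alice": Identity("active", "privileged", "US", usual_dbs=frozenset({"hr_db"})),
    "bob":   Identity("terminated", "employee", "US"),
    "carol": Identity("active", "employee", "DE", travels=False),
    "dave":  Identity("active", "contractor", "US", allowed_apps=frozenset({"ticketing"})),
}

# Constructed access log lines in key=value form.
SAMPLE_LOG = """\
ts=2011-07-12T09:01:00Z user=alice action=query db=hr_db geo=US
ts=2011-07-12T09:04:00Z user=alice action=query db=finance_db geo=US
ts=2011-07-12T09:10:00Z user=bob action=login app=vpn geo=US
ts=2011-07-12T09:12:00Z user=carol action=login app=mail geo=BR
ts=2011-07-12T09:15:00Z user=dave action=access app=ticketing geo=US
ts=2011-07-12T09:20:00Z user=dave action=access app=payroll geo=US
ts=2011-07-12T09:25:00Z user=eve action=login app=vpn geo=US
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; values stay as strings."""
    return dict(tok.split("=", 1) for tok in line.split())


def correlate(log_text: str, directory: dict) -> list:
    """Return (rule, user, detail) tuples for every event that contradicts identity context."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user")
        ident = directory.get(user)
        if ident is None:
            # No identity record at all: an orphaned or unmanaged account.
            alerts.append(("unknown_user", user, ev.get("app") or ev.get("db")))
            continue
        if ident.status == "terminated":
            alerts.append(("terminated_user_active", user, ev["action"]))
        if ident.group == "privileged" and "db" in ev and ev["db"] not in ident.usual_dbs:
            alerts.append(("privileged_unusual_db", user, ev["db"]))
        if not ident.travels and ev.get("geo") != ident.home_geo:
            alerts.append(("geo_mismatch", user, ev.get("geo")))
        if ident.group == "contractor" and "app" in ev and ev["app"] not in ident.allowed_apps:
            alerts.append(("contractor_out_of_scope", user, ev["app"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, DIRECTORY):
        print(alert)
```

Each rule is independent, so a single event can raise more than one alert (a terminated privileged user querying an unfamiliar database from abroad would trip three), which is the behaviour you want when triaging: the combination of rules is what separates a changed job role from a compromised account.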
Without a SIEM solution that can correlate identity and access management data with network activity in real time, most organizations would miss these risks. But QRadar provides the visibility to know whenever a user performs activity that is risky or abnormal. Whether you want to be alerted to security and risk incidents in real-time or view automated reports periodically, QRadar makes it easy to take a proactive stance toward user risks and improve your security posture.
For more information, visit the Q1 Labs Resource Center today.
This past weekend I watched a documentary on More4 that delved into the Wikileaks scandal. “Wikileaks: Secrets & Lies” went into great detail explaining how Julian Assange served as a middleman in this scandal. Although Julian Assange is viewed as the face and spokesperson for Wikileaks, the documentary showed that Assange would not have had any global status if it weren’t for insiders who are willing to send sensitive information to the organization.
This programme did not show how a hacker could break into a network and steal information; it uncovered a deeper concern: how an insider can revolt, stealing privileged information from inside the network and causing havoc along the way.
This threat should be top of mind for organizations. In its Data Breach Investigations Report, Verizon Business found that 48% of data breaches were caused by insiders and that 48% of breaches involved misuse of an insider’s privileges.
Beyond highlighting the risk of an insider threat, the documentary really drove home the need for better security measures, so that these incidents can be prevented or halted as they occur and the people responsible can be identified and held accountable.
For companies without proper security technology, identifying the “rogue insider” is not an easy task. Wikileaks is an excellent example of why traditional perimeter security defenses, such as firewalls and anti-virus software, are no longer sufficient in the “post-perimeter” world. To prevent these types of incidents, organizations should deploy automated technologies that continuously monitor and correlate user activities across various sources (such as network devices, OS logs and applications). This Total Security Intelligence will allow rapid detection of unusual activities such as a large number of sensitive documents being downloaded from a SharePoint server during off-hours or from a remote access location.
To learn more about how Total Security Intelligence can help combat these insider threats and how organizations are using QRadar as the key component for their IT Security, click here.
Ever wonder what the “big deal” is with QRadar Security Intelligence? Watch this short video featuring Chris Poulin to understand what sets QRadar apart from other security intelligence solutions, and why thousands of customers large and small have chosen the QRadar Security Intelligence platform to meet their IT security needs. Learn how QRadar helps customers:
- Detect threats others miss
- Consolidate data silos
- Detect insider threats
- Predict risks against your business, and
- Exceed regulation mandates.
Give up the façade of control. Trust no one. Verify everything. Resistance is futile.
Okay, I added the last statement, but the first three come straight from a recent Forrester Research report, “Applying Zero Trust to the Extended Enterprise” by John Kindervag. In today’s zero-trust environment – driven by mobile computing, cloud computing, social media and partner collaboration – it’s impossible to control the network perimeter, the number of users accessing the network or the configuration of devices connecting to the network. It’s also impossible to predict when an employee will attempt insider theft or fraud, rendering the notion of a trusted insider obsolete.
As John first wrote last year:
“The concept that there are trusted and un-trusted users is errant and dangerous. This is something we call Zero Trust. … Some of the key components of Zero Trust are that all users are un-trusted and that all traffic, both internal and external, must be inspected and logged.”
This blurring of profiles between internal and external networks means organizations must perform comprehensive monitoring and analysis of all their networks, all the time.
John’s absolutely correct in my view (he was a security systems integrator before joining Forrester), but how do you do it?
Let’s consider three of the report’s recommendations, and apply practical Security Intelligence solutions for implementing them:
- Monitor what users are doing on the network. Forrester advises companies to monitor their employees’ activity on the network, because as the 2011 Verizon Data Breach Investigations Report notes, “insiders were at least three times more likely to steal IP [intellectual property] than outsiders.” This can be accomplished with a user activity monitoring solution that establishes baseline patterns of activity for each user, and then creates alerts when anomalous behavior is observed – applications/systems accessed, volumes of data sent/received, and so on. Security Intelligence solutions today provide a 360-degree view into what users are actually doing and the potential impact of their activities – by collecting and correlating not only log data, but also Layer 7 network flows, asset data, configuration information and vulnerability data to cover the pre-threat exposures.
- Inspect and log all traffic. As if you needed another reason to collect and analyze logs, Forrester highlights one of the Verizon breach report’s more striking observations – that good evidence of breaches usually exists in the victims’ log files. John therefore recommends “inspect[ing] and log[ging] all traffic… [using] threat mitigation controls such as firewalls and network IPSes, security information management (SIM) solutions, and network analysis and visibility (NAV) tools.” Logging is already well understood and commonly performed, but inspecting all traffic? That’s a whole other animal. One of the key points I take from this report is the importance of triangulating intelligence on risks and threats through multiple types of network data – logs from firewalls and IPSes, network flows from NAV solutions, and much more, all correlated and analyzed by a SIM/SIEM solution. Logs, even from multiple sources, aren’t enough any longer; deeper network insight is required. Security Intelligence technologies are equipped to provide just that through Layer 7 flow analysis which is incorporated into a holistic and strategic security solution.
- Deploy NAV tools to watch data flows and user behaviors. This recommendation elaborates on the need for situational awareness via proactive monitoring of internal networks. Would you know if an employee were stealing valuable product plans? Or downloading customer data to take to a competitor? Or if his system had been silently compromised by a bot? These are often difficult to detect until well after the fact, if ever. But a modern Security Intelligence solution will consume and correlate all the data you need to identify these scenarios in real time, by taking a 360-degree view of suspected incidents and ruling out false positives. That may sound like a tall order given the frequently massive data volumes involved, but current solutions are architected for just this kind of scale.
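The first recommendation above describes a user activity monitoring solution that “establishes baseline patterns of activity for each user, and then creates alerts when anomalous behavior is observed”, and the Wikileaks post earlier on this page gives the concrete trigger: a large number of sensitive documents pulled from a SharePoint server off-hours or over remote access. The following added example (not QRadar code, not from the original posts) puts both together over constructed document-download log lines: it learns each user’s daily download volume from a history window, then alerts on a day that exceeds the user’s own mean plus three standard deviations, and separately on bulk sensitive downloads outside business hours or via a remote-access source. The log format, user names, business-hours window, source labels and thresholds are all assumptions chosen for illustration.

```python
"""Per-user download baseline plus off-hours / remote-access bulk checks.

Constructed example: every log line, name and threshold below is made up.
"""
import statistics
from collections import defaultdict
from datetime import datetime

BUSINESS_START, BUSINESS_END = 8, 18   # assumed business window, hours in UTC
REMOTE_SOURCES = {"vpn"}               # assumed label for remote-access gateways
OFF_HOURS_DOC_THRESHOLD = 20           # assumed: this many sensitive docs off-hours/remote is notable
Z_THRESHOLD = 3.0                      # alert when a day's bytes exceed mean + 3 sd

# Constructed history window (five working days) used to learn each user's normal volume.
HISTORY_LOG = """\
ts=2011-07-04T10:00:00Z user=alice docs=3 bytes=1200000 src=lan class=sensitive
ts=2011-07-05T11:00:00Z user=alice docs=4 bytes=1500000 src=lan class=sensitive
ts=2011-07-06T09:30:00Z user=alice docs=2 bytes=900000 src=lan class=sensitive
ts=2011-07-07T14:00:00Z user=alice docs=5 bytes=1800000 src=lan class=sensitive
ts=2011-07-08T16:00:00Z user=alice docs=3 bytes=1100000 src=lan class=sensitive
ts=2011-07-04T10:00:00Z user=bob docs=10 bytes=4000000 src=lan class=sensitive
ts=2011-07-05T10:00:00Z user=bob docs=12 bytes=4500000 src=lan class=sensitive
ts=2011-07-06T10:00:00Z user=bob docs=9 bytes=3800000 src=lan class=sensitive
ts=2011-07-07T10:00:00Z user=bob docs=11 bytes=4200000 src=lan class=sensitive
ts=2011-07-08T10:00:00Z user=bob docs=10 bytes=4100000 src=lan class=sensitive
"""

# Constructed day under evaluation.
NEW_LOG = """\
ts=2011-07-11T02:15:00Z user=alice docs=25 bytes=60000000 src=vpn class=sensitive
ts=2011-07-11T10:00:00Z user=bob docs=12 bytes=4200000 src=lan class=sensitive
ts=2011-07-11T19:30:00Z user=bob docs=3 bytes=300000 src=vpn class=sensitive
ts=2011-07-11T11:00:00Z user=mallory docs=2 bytes=500000 src=lan class=public
"""


def parse_log(text: str) -> list:
    """Turn key=value lines into a list of dicts (values kept as strings)."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


def daily_totals(events: list) -> dict:
    """Sum document count and bytes per (user, day)."""
    totals = defaultdict(lambda: {"docs": 0, "bytes": 0})
    for ev in events:
        key = (ev["user"], ev["ts"][:10])
        totals[key]["docs"] += int(ev["docs"])
        totals[key]["bytes"] += int(ev["bytes"])
    return totals


def build_baseline(history_events: list) -> dict:
    """Per-user (mean, sd) of daily bytes over the history window."""
    per_user = defaultdict(list)
    for (user, _day), t in daily_totals(history_events).items():
        per_user[user].append(t["bytes"])
    baseline = {}
    for user, vals in per_user.items():
        mean = statistics.fmean(vals)
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        # Floor the deviation so a perfectly flat history does not fire on trivial changes.
        baseline[user] = (mean, max(sd, 0.1 * mean))
    return baseline


def detect(new_events: list, baseline: dict) -> list:
    """Return (rule, user, day) tuples for anomalous download activity."""
    alerts = []
    # Rule 1: volume anomaly against the user's own baseline.
    for (user, day), t in daily_totals(new_events).items():
        if user not in baseline:
            alerts.append(("no_baseline", user, day))      # nothing to compare against
            continue
        mean, sd = baseline[user]
        if t["bytes"] > mean + Z_THRESHOLD * sd:
            alerts.append(("volume_anomaly", user, day))
    # Rule 2: bulk sensitive downloads off-hours or over remote access.
    bulk = defaultdict(int)
    for ev in new_events:
        hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        off_hours = not (BUSINESS_START <= hour < BUSINESS_END)
        remote = ev.get("src") in REMOTE_SOURCES
        if ev.get("class") == "sensitive" and (off_hours or remote):
            bulk[(ev["user"], ev["ts"][:10])] += int(ev["docs"])
    for (user, day), docs in bulk.items():
        if docs >= OFF_HOURS_DOC_THRESHOLD:
            alerts.append(("offhours_or_remote_bulk", user, day))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(NEW_LOG), build_baseline(parse_log(HISTORY_LOG))):
        print(alert)
```

Two design points matter in practice. A user with no history gets a `no_baseline` alert rather than silence, because the accounts with no baseline (new hires, freshly provisioned service accounts, attackers’ own accounts) are exactly the ones a purely statistical rule would ignore. And the off-hours rule is volume-based and class-based rather than firing on any single off-hours download, which keeps the occasional late-night document from burying the analyst in noise while still catching the bulk pull.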
Ultimately, I suspect that most security and networking professionals realize “zero trust” is the right approach to take. The question is how to embrace that view and evolve one’s security operations.
Hopefully the ideas suggested here – and in my “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask” blog series – will provide ideas and inspiration to enhance your own security posture. Please share any thoughts on how you are evolving your organization’s security operations to respond to the new zero-trust reality.