Detect and Thwart Insider Threats

Cyber security has never been a more public concern than it is today. Waves of high-profile data breaches over the last few years have resulted in millions of dollars in lost revenue and have kept many CISOs up at night. Advanced persistent threats, organized cyber-crime and insider threats are among the security industry’s top concerns. Out of all of these, insider threats are perhaps the most worrisome. They are one of the hardest threats to detect and have the potential to compromise large swaths of sensitive data. A report by Forrester Research suggests that insiders are the top source of data breaches, with 36 percent of breaches stemming from accidental misuse of data by employees and 25 percent resulting from abuse by a malicious insider.1 Whether it is a negligent employee, a malicious insider or an outsider who compromised legitimate credentials, many organizations still do not have a security plan in place that effectively addresses attackers from within. The best way to combat insider threats is through early detection, and to do so, security personnel need pervasive network visibility and in-depth behavioral analytics.

Turn the Network into a Sensor with Visibility and Behavioral Analytics

One of the biggest concerns surrounding insider threats is that traditional network security tools are rarely able to detect them. Oftentimes threat actors operate behind firewalls and other perimeter defenses and are able to collect the target data and exfiltrate it without detection. Further complicating the situation, the rise of the Bring Your Own Device (BYOD) workplace, in which employees often utilize personal devices such as smart phones at work, has increased the vulnerability of many corporate networks. To detect insider threats, companies need to employ comprehensive internal network visibility and security analytics.

By collecting and analyzing large quantities of NetFlow and other types of security data, Lancope’s StealthWatch® System enables organizations to harness existing network infrastructure to identify behaviors that could signify an insider threat.

One out of four breaches is caused by malicious insiders.1

For instance, a user who collects an abnormally large amount of data or attempts to access restricted network segments could be preparing sensitive information for exfiltration. Likewise, a user that suddenly sends a large volume of traffic to the local printer could be printing confidential documents in hopes of avoiding perimeter security. Unlike most technologies, Lancope can detect the lateral movement associated with insider threats or external attacks proliferating throughout the network. Without internal network visibility, it is difficult to identify these activities or even investigate them after a breach has already happened.

But visibility is only half of the equation. Without a way to store, organize and transform data into actionable intelligence, it is nearly impossible to translate visibility into real-world benefits. The StealthWatch System’s robust analytics can quickly process network traffic data and identify suspicious and anomalous behavior. It collects NetFlow and other sources of information, trims it down into streamlined data objects and performs analysis via proprietary algorithms to determine what activity is taking place. It then highlights any activity that could represent a threat, allowing security personnel to mitigate it before significant damage is done.

1 Forrester Research Report, Understand the State of Data Security and Privacy: 2013 to 2014, October 2013

The StealthWatch System turns the entire network into a security sensor to identify these activities associated with insider threats:

► Unauthorized Access – When a user attempts to access prohibited resources on the network.
► Policy Violations – When employees use services that are in violation of company policies and may be intended to bypass company monitoring.
► Internal Reconnaissance – Before insiders can extract data, they must inventory it. The StealthWatch System can identify activities associated with internal scanning.
► Suspect Data Hoarding – When users begin collecting abnormally large amounts of data.
► Target Data Hoarding – Similar to Suspect Data Hoarding, if large amounts of data are being extracted from a specific host, alarms are triggered in the StealthWatch System.
► Suspect Data Loss – When privileged users send abnormal amounts of data outside the network, signifying potential data exfiltration.

Reduce MTTK with Contextual Awareness

Even with internal network visibility, insider threats can hide their activity by splitting it up among multiple devices and time frames. Even if the suspicious behavior is identified, it doesn’t help much unless you can tie it to a specific user. In fact, the lack of contextual information from security tools is the biggest hurdle to determining if insiders pose a threat, according to a Ponemon Institute study.2

Lack of Context: The biggest hurdle to determining if insider actions pose a threat is a lack of contextual information from security tools.2

The StealthWatch System is able to provide multiple layers of security context in order to create a clear picture of user activity and assist administrators in making informed decisions. These include:

► User Identity – Tying network activity to the user responsible is critical to identifying insider threats.
► Device Awareness – Device information helps identify unauthorized or insecure devices, as well as quickly identify machines that may be compromised.
► Application-Level Visibility – The ability to see what applications are in use can help pinpoint attacks and malicious programs.
► Threat Feed Data – Helps identify machines or users who have been interacting with known malicious hosts.
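The activity categories listed above and the user-identity context this section describes, as an added example that is not Lancope's or StealthWatch's code: a Python pass over constructed bidirectional flow records that raises Internal Reconnaissance, Suspect Data Hoarding, Target Data Hoarding and Suspect Data Loss alarms against per-host byte baselines and attaches a user name from an assumed IP-to-user map. The 10.0.0.0/8 internal range, the baselines, the factor-of-5 and 100-port thresholds, the user map and every flow record are assumptions constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
def is_internal(ip):
    return ip_address(ip) in INTERNAL

def analyze(flows, baselines, ip_to_user, default_base=10_000_000,
            factor=5, recon_min=100):
    """Return sorted (alarm, user, host) tuples from bidirectional flow records.
    Each record: client, server, port, c2s (client->server bytes), s2c."""
    pulled = defaultdict(int)    # bytes a client pulled from internal servers
    served = defaultdict(int)    # bytes one internal server handed to clients
    sent_out = defaultdict(int)  # bytes a client pushed to external servers
    touched = defaultdict(set)   # distinct internal (server, port) per client
    for f in flows:
        c, s = f["client"], f["server"]
        if is_internal(c) and is_internal(s):
            touched[c].add((s, f["port"]))
            pulled[c] += f["s2c"]
            served[s] += f["s2c"]
        elif is_internal(c):
            sent_out[c] += f["c2s"]
    alarms = []
    for host in set(pulled) | set(served) | set(sent_out) | set(touched):
        user = ip_to_user.get(host, "unknown")  # identity context per alarm
        if len(touched[host]) >= recon_min:     # many ports, little data
            alarms.append(("Internal Reconnaissance", user, host))
        for name, counts in (("Suspect Data Hoarding", pulled),
                             ("Target Data Hoarding", served),
                             ("Suspect Data Loss", sent_out)):
            # volume anomaly: far above this host's learned baseline
            if counts[host] > factor * baselines.get(host, default_base):
                alarms.append((name, user, host))
    return sorted(alarms)

# Constructed sample data (not real traffic): baselines, assumed IP-to-user map, flows.
BASELINES = {"10.0.1.5": 50_000_000, "10.0.2.30": 400_000_000}
USERS = {"10.0.1.5": "jdoe", "10.0.1.9": "asmith", "10.0.2.30": "fileserver"}
SAMPLE_FLOWS = (
    # asmith's host probes 150 ports on one internal machine with tiny flows
    [{"client": "10.0.1.9", "server": "10.0.2.20", "port": p, "c2s": 60, "s2c": 0}
     for p in range(1, 151)]
    # jdoe pulls 300 MB from the file server, then pushes 400 MB externally
    + [{"client": "10.0.1.5", "server": "10.0.2.30", "port": 445,
        "c2s": 1_000_000, "s2c": 300_000_000},
       {"client": "10.0.1.5", "server": "203.0.113.7", "port": 443,
        "c2s": 400_000_000, "s2c": 50_000}]
)
def sample_alarms():
    return analyze(SAMPLE_FLOWS, BASELINES, USERS)
```

The file server's own high baseline keeps Target Data Hoarding from firing on a volume that is normal for it, which is the point of baselining per host rather than using one global threshold.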
Advanced attacks can take up to a year or more to discover, lurking on the network and wreaking havoc in the meantime.

These additional layers of security context can significantly reduce the Mean Time To Know (MTTK) for a wide range of threats.

(Figure) The StealthWatch System provides the who, what, when, where and how details needed to identify and investigate insider threats.

2 Ponemon Institute Research Report, Privileged User Abuse & The Insider Threat, May 2014

Discover the Scope of an Attack Through Forensic Investigations

When a security threat is identified, it is vital to be able to investigate how your network was compromised and, more importantly, what data may have been obtained. This is difficult to do unless you have a record of network transactions. Though NetFlow itself can produce large amounts of data that can be difficult to store effectively, the StealthWatch System is able to streamline flows and reduce data requirements significantly without sacrificing important information. Consequently, StealthWatch users can store months or even years’ worth of traffic data to facilitate more comprehensive forensic investigations. The StealthWatch System is highly scalable to meet the needs of even the largest organizations, analyzing up to 240,000 flows per second (fps) per collector, or 6 million fps total. The StealthWatch Management Console (SMC) provides an intuitive user interface that makes it easy to query flow records with a variety of parameters and pivot on elements that are pertinent to the investigation.

Today’s organizations face a wide spectrum of cyber threats, but few are prepared to deal with attacks from company insiders. Where traditional security solutions fall short, the StealthWatch System excels at detecting insider threats through the use of in-depth network visibility and context-aware security analytics. The StealthWatch System enables organizations to monitor, detect, analyze and respond to the full range of threats before they lead to irreparable damage.

Energy Provider Detects Insider Threats with StealthWatch

A large Fortune 500 energy provider serving millions of customers operates a large, distributed network that is an attractive target for attackers. Despite having many security tools in its arsenal, the company realized that it had a critical network visibility gap when it came to viewing east-west traffic. This lack of visibility was hindering the company’s ability to swiftly investigate and troubleshoot security incidents. The organization therefore turned to Lancope to obtain the east-west visibility it was missing. With the StealthWatch System, the energy provider now has more complete insight into communications taking place on the internal network, enabling faster detection of insider threats. The StealthWatch System also provides additional security context that cannot be provided by other sources such as firewalls and IDS, allowing administrators to fully qualify and better respond to security events.

©2015 Lancope, Inc. All rights reserved. SOLUTION BRIEF | INSIDER THREAT v1-r05-12022015 www.lancope.com