SIEM & UEBA

Expand all | Collapse all

How Do You Recognize Insider Threats?

  • 1.  How Do You Recognize Insider Threats?

    GROUP ADMIN
    Posted 29 days ago
    Risk exposure from users within an organization-whether the behavior is intentional or inadvertent-can be a serious blind spot for security operations.   The shift to using cloud-based applications such as Office 365 and Salesforce, while clearly an overall value for most organizations, have made it even more challenging to stay on top of monitoring how sensitive corporate data is being accessed, used, and copied.   And now COVID-19 has shifted significant portions of many organization's workers and leaders to remote home networks, including many with privileged access to executive resources, intellectual property, and even IT administration.

    The FortiSIEM team at Fortinet believes the time is right to solve a difficult problem with some very powerful math.   User & Entity Behavior Analytics can quickly and easily profile your users to understand what makes them "them".  UEBA employs machine learning and statistical models to quickly understand and baseline the way each specific user behaves in their daily routines on each specific endpoint.  When something strange happens, the SOC team can be alerted.  No rules required, no signatures, no "knowns" -- we're talking "unknowns" here -- just a lightweight agent that can pick up exactly (and only) the telemetry needed to build the behavioral profile and spot anomalous behavior.   Wacky new processes, unusual communications, whole customer databases being copied to a local USB drive -- the stuff that should probably be noted, even when they aren't connected into the VPN.

    So, how do YOU recognize Insider Threats?  We would love to hear your successes and failures, what technologies you have found most helpful, or try to address any questions you may have on the subject.

    For an interesting and quick overview about insider threats, check out our eBook: The Many Faces of Insider Threats
    We have also put together an Insider Threats Poll where you can give your take on a few questions as well as see the results pile up over time.

    Jon



  • 2.  RE: How Do You Recognize Insider Threats?

    Posted 26 days ago
    We detect insider threats by locking down our internal systems, detecting unusual user behavior, we set traps or audit alerts on items and we are f course monitor traffic via DLP, IDS and other internal smoke detectors.  Once strange activity is detected we remotely investigate for what the user account is doing.