might be relevant to different kinds of incidents. For example, a case of financial fraud might
be detected by examining database logs from a credit card processing system, whereas a
case of data theft might be noticed through monitoring of network traffic. Proactively
monitoring network and system transactions can serve as a deterrent in discouraging
malicious insiders from sabotaging or stealing data, since they know that their activities
might be discovered.
Compromised Insiders

A compromised insider is really an outsider – someone who has access to your network as an
authorized user but is not who they are supposed to be. Compromised insiders are a much more
challenging type of insider threat to combat, since the real attacker is on the outside, with a
much lower risk of being identified. Typically, no amount of deterrence will discourage them
from carrying out their attack. Furthermore, traditional security solutions that focus on
catching malware and exploits cannot identify unauthorized use of legitimate accounts. In this
case, closely monitoring network activity is really the only way to uncover and shut down this
type of threat.
Leveraging Network and Security Monitoring

Monitoring activity through various logs is the key to successfully identifying and shutting
down all of these classes of insider threat. By leveraging network activity logs from various
technologies such as firewalls, intrusion prevention systems (IPS), SIEMs, packet capture and
NetFlow, organizations can more easily detect and thwart insider attack attempts. All of these
technologies have their strengths and weaknesses in terms of expense, level of network
visibility provided, and privacy concerns, but all should be evaluated as part of an effective
insider security strategy.

By collecting and analyzing metadata from throughout the entire network, NetFlow in
particular provides a wide breadth of visibility at a reasonable cost and without the privacy
concerns associated with full packet capture. NetFlow can be leveraged for both real-time
threat detection, as well as to create a network audit trail of previous transactions for use in
forensic investigations. Some NetFlow-based monitoring solutions such as Lancope’s
StealthWatch System also enable the integration of identity data so that organizations can
see exactly who is responsible for causing specific issues.

Being aware of the various insider threat profiles can help organizations use network logs to
zero in on certain behaviors on their network that could be indicative of an attack, such as
unusually large file transfers or attempts to access restricted areas. For example, excessive
amounts of traffic from one user’s computer to the printer could signify an attempted theft of
intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address
in another country, it could indicate that the user’s computer is compromised.
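The two behaviors just described, as detection logic over NetFlow-style records. This is an added example, not code from the article or from Lancope's StealthWatch; the flow records, the printer inventory, the allow-list of familiar external hosts (standing in for the geolocation check the article mentions) and the thresholds are all constructed assumptions.

```python
# Added example (not from the article): detection rules over constructed
# NetFlow-style records for the insider behaviours described in the text.
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes).
# 10.0.0.0/8 is the internal network; 10.0.5.20 is assumed to be a printer.
FLOWS = [
    ("10.0.1.15", "10.0.5.20", 9100, 120_000_000),  # very large print job volume
    ("10.0.1.15", "10.0.5.20", 9100, 95_000_000),
    ("10.0.1.22", "10.0.5.20", 9100, 300_000),      # normal-sized print job
    ("10.0.1.22", "203.0.113.7", 443, 4_000),        # repeated contact with one peer
    ("10.0.1.22", "203.0.113.7", 443, 3_800),
    ("10.0.1.22", "203.0.113.7", 443, 4_100),
    ("10.0.1.22", "203.0.113.7", 443, 3_900),
    ("10.0.1.15", "10.0.9.9", 445, 50_000),          # ordinary internal file share
]

PRINTERS = {"10.0.5.20"}              # assumed asset inventory
KNOWN_EXTERNAL = {"198.51.100.10"}    # assumed allow-list of familiar external hosts
PRINT_BYTES_THRESHOLD = 100_000_000   # assumed per-source printer volume baseline
EXTERNAL_CONN_THRESHOLD = 3           # assumed flow-count baseline for an unfamiliar peer


def is_internal(ip):
    """Crude RFC 1918 check sufficient for the constructed 10.0.0.0/8 network."""
    return ip.startswith("10.")


def detect_insider_indicators(flows):
    """Return (rule, src_ip, detail) alerts for the two behaviours in the article."""
    print_bytes = defaultdict(int)     # src -> total bytes sent to printers
    external_conns = defaultdict(int)  # (src, dst) -> flows to an unfamiliar external peer
    for src, dst, _port, nbytes in flows:
        if dst in PRINTERS:
            print_bytes[src] += nbytes
        elif not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            external_conns[(src, dst)] += 1
    alerts = []
    for src, total in print_bytes.items():
        if total > PRINT_BYTES_THRESHOLD:
            alerts.append(("excessive_print_volume", src, total))
    for (src, dst), count in external_conns.items():
        if count >= EXTERNAL_CONN_THRESHOLD:
            alerts.append(("repeated_unfamiliar_external_peer", src, f"{dst}:{count}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_insider_indicators(FLOWS):
        print(alert)
```

In practice the thresholds would come from a per-user baseline rather than fixed constants, and the alert tuple would be enriched with the identity data the article describes so an analyst sees a user, not just a source address.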
10 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide