Insider Threat Detection

Accelerate and simplify insider threat detection with all of the essential security capabilities you need in one easy-to-use console.

In the wake of high-profile breaches involving trusted employees, enterprises are increasingly concerned about the threats insiders pose, such as:

  • Disgruntled employees looking to damage systems or steal data
  • Users engaged in corporate or state-sponsored espionage
  • Unsuspecting users clicking on phishing e-mails
  • Users illegally downloading torrents

Insider threat detection can be challenging because the relevant activity often spans many systems. Even with security tools deployed, you still need to establish a baseline of normal activity. For example, HR users connecting to an employee database is probably a normal part of operations. But if a user in marketing suddenly starts accessing a vast number of records within the employee database, something is likely very wrong.

AlienVault Unified Security Management™ (USM™) delivers essential Insider Threat Detection and Management capabilities:

Behavioral Monitoring

  • Network Intrusion Detection System (NIDS)
  • Network flow analysis
  • Network protocol analysis & packet capture

Privilege Escalation Detection

  • Host Intrusion Detection System (HIDS)
  • File Integrity Monitoring (FIM)
  • Detect unauthorized user access attempts

Event Correlation

  • Security Information and Event Management (SIEM)
  • Detect communications with malicious hosts
  • Centralized dashboard that prioritizes threats the way you want to see them

Behavioral Monitoring

Insider threat detection techniques center on monitoring user activity rather than system activity. As such, you first need to establish what constitutes normal user behavior within your environment. Once you have a baseline of normal activity, detecting outliers becomes easier.

AlienVault USM helps you understand normal activity in your network by building up a picture from the moment you install it. You’ll also get better visibility into the threats that come from legitimate users, helping you detect malicious insiders.
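The baselining idea from the introduction (HR users reading the employee database is normal; a marketing user suddenly reading thousands of records is not) and from the paragraphs above can be illustrated with a small outlier detector. This is an added example, not AlienVault code: it learns a per-department mean and standard deviation of daily records read over a learning period, then flags later days whose count is far above that baseline. The audit lines, users and departments are constructed for the example.

```python
"""Baseline-and-outlier detection over database record-access audit lines.

Added example (not AlienVault USM code). Assumes a constructed audit feed
with one line per user per day: date, user, department, records read.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit lines (not real data): date user dept records_read
SAMPLE_LOG = """\
2016-03-01 alice hr 120
2016-03-02 alice hr 95
2016-03-03 alice hr 140
2016-03-04 alice hr 110
2016-03-01 bob hr 80
2016-03-02 bob hr 100
2016-03-03 bob hr 90
2016-03-04 bob hr 85
2016-03-01 carol marketing 2
2016-03-02 carol marketing 0
2016-03-03 carol marketing 3
2016-03-04 carol marketing 4100
2016-03-01 dave marketing 1
2016-03-02 dave marketing 2
2016-03-03 dave marketing 0
2016-03-04 dave marketing 1
"""

LEARNING_DAYS = {"2016-03-01", "2016-03-02", "2016-03-03"}
EVAL_DAYS = {"2016-03-04"}


def parse_log(text):
    """Turn the whitespace-separated audit lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, dept, n = line.split()
        events.append({"day": day, "user": user, "dept": dept, "records": int(n)})
    return events


def build_baseline(events, learning_days):
    """Per-department mean and population std-dev of daily records read,
    computed only over the learning period (never over the days being judged)."""
    per_dept = defaultdict(list)
    for e in events:
        if e["day"] in learning_days:
            per_dept[e["dept"]].append(e["records"])
    return {dept: (mean(v), pstdev(v)) for dept, v in per_dept.items()}


def find_outliers(events, baseline, eval_days, z_threshold=3.0, min_records=50):
    """Flag evaluation-day events whose record count sits far above the
    department baseline. min_records keeps near-zero baselines (where a
    handful of reads already has a huge z-score) from alarming on noise."""
    alerts = []
    for e in events:
        if e["day"] not in eval_days or e["dept"] not in baseline:
            continue
        mu, sigma = baseline[e["dept"]]
        # A constant baseline has sigma == 0; floor it so we never divide by zero.
        z = (e["records"] - mu) / max(sigma, 1.0)
        if z > z_threshold and e["records"] >= min_records:
            alerts.append((e["day"], e["user"], e["dept"], e["records"], round(z, 1)))
    return alerts


def run_example():
    """Learn the baseline on the first three days, judge the fourth."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, LEARNING_DAYS)
    return find_outliers(events, baseline, EVAL_DAYS)


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT day=%s user=%s dept=%s records=%d z=%.1f" % alert)
```

Only carol's 4,100-record day is flagged; alice's 110 and bob's 85 reads stay within the HR baseline. In a real deployment the baseline would be recomputed on a rolling window and keyed on more than department (role, host, time of day), but the shape of the check is the same.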

AlienVault USM’s Network Intrusion Detection System (NIDS) inspects traffic between your internal devices and critical systems, giving you visibility into what’s happening inside your perimeter. In conjunction with this, network flow analysis provides high-level trends: which protocols are used, which hosts use them, and how much bandwidth they consume.

In addition, network protocol analysis and packet capture allow you to fully replay the events that occurred, so you can be sure of exactly what a malicious insider has done.

Privilege Escalation

Most companies track the activities of privileged users as an essential security practice. To bypass this, insiders will seek to escalate their privileges in order to gain access to information, subvert controls, damage systems or facilitate the exfiltration of sensitive data, all while flying under the radar.

AlienVault USM’s host intrusion detection system (HIDS) capabilities can detect and alert on privilege escalation that doesn’t have a corresponding change request. In addition, it correlates suspicious events to detect where user access to systems and applications may be malicious. This allows you to detect, respond to and neutralize the insider threat posed by employees who bypass security controls by elevating their rights, or by compromised user credentials being hijacked for malicious purposes.

Event Correlation

Humans, unlike computers, are often unpredictable. As such, identifying an insider threat usually requires correlating seemingly benign events that take place across various systems. Insiders will often take existing security controls into account and keep their activity ‘low and slow’ to avoid triggering any alarms.

AlienVault USM correlates events related to malicious insiders and is able to link disparate events across your network. The built-in SIEM capability within the AlienVault USM platform automatically identifies suspicious activity with over 2,000 pre-defined correlation rules. This eliminates the need for IT teams to create their own, so they can spend their time mitigating threats rather than researching them.
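Two of the checks described on this page, a HIDS privilege escalation with no covering change request (Privilege Escalation section) and a correlation rule that ties together ‘low and slow’ events from different systems (this section), can be shown in one small rule engine. This is an added example, not AlienVault code and not one of USM’s correlation rules: the normalized events, hosts, users and change tickets are constructed, and the three-stage sequence (privilege escalation, then bulk read, then large upload) is an assumed rule written for the example.

```python
"""Cross-system correlation of insider activity and a change-request check.

Added example (not AlienVault USM code). Assumes events have already been
normalized by a SIEM into (time, source, user, event_type, detail) tuples,
and that approved change requests are available as (user, host, start, end).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from several sensors (HIDS on hosts, an application
# audit log, NIDS at the edge). Spread over a day, i.e. "low and slow".
EVENTS = [
    ("2016-03-07 09:12", "hids:db01", "carol", "priv_escalation", "added to group dba"),
    ("2016-03-07 13:40", "app:hr-db", "carol", "bulk_read", "employee_records=4100"),
    ("2016-03-07 22:05", "nids:edge", "carol", "large_upload", "dst=203.0.113.9 bytes=52000000"),
    ("2016-03-07 10:30", "hids:app02", "eve", "priv_escalation", "added to group wheel"),
    ("2016-03-07 11:00", "app:hr-db", "alice", "bulk_read", "employee_records=150"),
]

# Constructed approved change requests: (user, host, window start, window end).
CHANGE_REQUESTS = [
    ("eve", "app02", "2016-03-07 10:00", "2016-03-07 12:00"),
]

# Assumed correlation rule: stages that must occur in this order, per user.
SEQUENCE = ("priv_escalation", "bulk_read", "large_upload")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def unapproved_escalations(events, change_requests):
    """Privilege escalations reported by HIDS that no change request covers
    for the same user and host at that time."""
    findings = []
    for time, source, user, etype, detail in events:
        if etype != "priv_escalation":
            continue
        host = source.split(":", 1)[1]
        t = ts(time)
        approved = any(u == user and h == host and ts(start) <= t <= ts(end)
                       for u, h, start, end in change_requests)
        if not approved:
            findings.append((user, host, time, detail))
    return findings


def match_sequence(evs, sequence, window):
    """Return the events completing `sequence` in order within `window` of the
    first stage, or None. evs must be one user's events sorted by time."""
    for i, first in enumerate(evs):
        if first[3] != sequence[0]:
            continue
        matched, stage = [first], 1
        for e in evs[i + 1:]:
            if ts(e[0]) - ts(first[0]) > window:
                break  # outside the window: this starting point fails
            if e[3] == sequence[stage]:
                matched.append(e)
                stage += 1
                if stage == len(sequence):
                    return matched
    return None


def correlate_sequence(events, sequence=SEQUENCE, window=timedelta(hours=24)):
    """One alarm per user whose events, from any sensor, contain the stages of
    `sequence` in order within `window`. Spacing stages hours apart does not
    evade the rule as long as they fall inside the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e[2]].append(e)
    alarms = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: ts(e[0]))
        matched = match_sequence(evs, sequence, window)
        if matched:
            alarms.append((user, [m[1] for m in matched]))
    return alarms


if __name__ == "__main__":
    for f in unapproved_escalations(EVENTS, CHANGE_REQUESTS):
        print("UNAPPROVED ESCALATION user=%s host=%s at %s (%s)" % f)
    for user, sources in correlate_sequence(EVENTS):
        print("CORRELATED ALARM user=%s sources=%s" % (user, " -> ".join(sources)))
```

Eve's group change is covered by a ticket and stays quiet; carol's is not, and her three events, each harmless on its own sensor, complete the sequence across HIDS, the application log and NIDS. The window and stage list are the knobs a rule author tunes; widening the window catches slower campaigns at the cost of more coincidental matches.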

That’s where the Threat Intelligence produced by AlienVault Labs steps in to assist. Think of it as an extension of your IT team: they are constantly performing advanced research on current threats and developing updates to AlienVault USM’s threat intelligence. In addition to vulnerability signatures, you receive updates to SIEM correlation rules, IDS signatures, knowledgebase articles, and more.

Updating the AlienVault USM platform is extremely easy, designed to minimize downtime, and requires just a couple of mouse clicks. This ensures that AlienVault USM is continuously conducting network vulnerability scans for the latest threats without requiring in-house research or development of vulnerability data, so you can allocate your time and resources to other responsibilities and do more with a smaller team.

Alarm categories in AlienVault USM’s kill chain taxonomy:

  • System Compromise
  • Exploitation & Installation
  • Delivery & Attack
  • Reconnaissance & Probing
  • Environmental Awareness