Testing for insider threat behavior.
Security Information and Event Management (SIEM) insider threat Reviews
Showing reviews of the top ranking products in Security Information and Event Management (SIEM), containing the term insider threat
Splunk: insider threat
LogRhythm NextGen SIEM: insider threat
It has not only helped us meet requirements on a development program, but it has also allowed us to focus on insider threats as well as provide forensics capabilities to identify potential security risks.
Securonix Security Analytics: insider threat
Our primary goal is insider trespass. We have also been using the product for account privilege misuse as well as intellectual property and data theft. Going into the cloud, we have expanded our scope to cloud applications. We never supported the cloud but now that we are using SaaS we've been able to cover cloud applications and cloud infrastructure. That use case is picking up a lot of speed. But, traditionally, it's been used for insider threat and account misuse.
In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them.
While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a fishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model.
When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it.
We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model.
The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events.
And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand.
It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time.
The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately able to identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it.
Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country.
We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under.
The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before.
The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case.
The solution's behavior analytics, in detecting cyber and insider threats, are good. The tool does what it's supposed to, as long as the data coming in is accurate.
The solution's behavior analytics, in terms of detecting cyber and insider threats, are very effective. We are getting actionable results. When I say actionable results, not every finding is going to be a threat, but every finding is worth investigation. Depending on the investigation, some of them are real threats, some are just bad hygiene, and some are a good finding but not a threat for us. So there is work we still need to do. But whatever they are pointing us to is worth investigating. And that is what I expect from the product.
The solution's behavior analytics help to prioritize advanced threats. That's exactly what I mean by "actionable threats." One of the key pain points for us, previously, was that the solution we were using was giving us a lot of low-value indicators which we couldn't even act on. With this solution we have fewer alerts but they're actionable alerts.
From there on, it is on our analyst to then decide which ones are threats. And based on that, what we have done with a few things. In some cases we have changed our security policies so that we can have more rules in place to give us stronger access control and better governance around our workstation usage policy. There were certain things we could do to improve our employee behavior and it enabled us to take those steps. Based on some of the cyber-related threats it identified, we were able to upgrade the software we were using for our endpoints so that we had the strongest possible defense. There are certain things that are real threats and certain things that are bad hygiene and in both cases it's still valuable for us to take action.
Moving from on-prem to cloud, our analyst's time and effort have been reduced by half. I had to have two people working on the product before we got Securonix. We are a small company so we had two people dedicated: One was creating use cases, maintaining the application; the other was the analyst who was investigating. When we moved to the cloud, the operations part was taken care of by Securonix. They manage the use cases, they manage the upgrades. Now I don't need to have a dedicated person to do that. And my analyst gets higher-value threats to investigate.
In summary: First, I have been able to reduce my overhead by half. And second, my analyst is a lot more efficient and the noise in my environment is reduced by at least 70 percent. I was getting seven times more alerts to look at to get to the same results. Now my analyst can go deeper, versus having to rule out seven other things which are not useful.
Also, there were a couple of instances of insider threats where we had employee accounts compromised through phishing. Someone got an email from an email address that looked like a valid email address but it was not. It had the first name and last name correct, but the company name was misspelled. The employee clicked on it and his account was compromised. That compromised account was then used to access intellectual property in our environment. Securonix was able to detect that threat. If that data had been leaked, that would have been millions of dollars in losses for us because everything we do is our intellectual property. Securonix, with its behavior analytics, was able to detect that this account was behaving differently, that it was trying to scan all our shared folders and access a lot of documents in a very short period of time. They were all source code files and the employee whose account was compromised was not even a developer. That was one of the biggest threats it detected.
The other thing it is very good at identifying is that now, with everything in the cloud, there are no firewalls involved. People can, through social engineering, find out what your email address is and then try to guess your password and access your cloud environment. We see a lot of these brute-force types of activities in the cloud, and Securonix is able to detect a lot of those threats as well. We have some automation in place where we can block or challenge the user with additional credentials. We were able to put that in place as well, as a preventative measure, to stop our cloud environment from being compromised. That's is a big area of concern for us.
In terms of operational overhead, one of the benefits is configuration. With our previous product, the issue was that we had to figure out the use case. It was "do-it-yourself." But Securonix is providing us with packaged "apps" for insider threats or cyber threats. So now I don't have to create my own content. In addition, when we were doing this on-prem, we had to have hardware, to worry about patching the hardware. Then we had to worry about patching the operating system. Then we had to worry about patching the Securonix application. All of that, maintaining compliance, was a full-time job. Now, with SaaS, we don't need to do any of that. Securonix maintains it. The third advantage is availability. With on-prem, if you have a network issue, you tend to lose the data for that period of time. With the cloud solution, we have SLAs with Securonix for 99.9 percent uptime. That means I don't have to worry about an outage in the data center or a loss of data. I can hold the vendor accountable for that. So another overhead that I don't need to worry about is disaster-recovery planning for my implementation internally. That is something that the vendor takes care of and I can just focus on monitoring the SLAs that I have with them.
- The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed.
- There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us.
- Finally, there is Spotter. Spotter allows us to search and investigate different events of interest for us.
In terms of behavior analytics, we're using cyber more than insider threats. With UEBA being a relatively new space when we looked at it close to two years ago, we were concerned about how well it worked and whether they were truly behavioral-based rules or if that was just marketing terminology for the "latest greatest system." But it exceeds what our initial expectations were for being able to detect different cyber threats. We're doing a lot around the network firewall and endpoint detection for rare process connections, rare network connections, etc.
The machine-learning algorithms are the most valuable feature because they're able to identify the "needle in the haystack."
Also, the solution's behavior analytics in terms of detecting cyber and insider threats is fairly good.
Netsurion EventTracker: insider threat
The solution saves me at least half an FTE, some 20 hours a week. If I didn't have the managed services, I would have to have another half an FTE just to do the work that they do for us.
EventTracker has assisted our server administration team as well. If they're having software problems or access problems or the like, they have the ability, with all the logs now centralized in one place, to go to one place and do those searches, rather than to go individually, server by server by server, and try to figure it out.
It's also tied into our enterprise firewall, which is Palo Alto. It really helps them in their troubleshooting time if they're having an issue.
So one side of it is the information security side: It helps us if we have an incident, if we have something going on that we need to look into to see if it's a false-positive or something that needs to be taken care of. But the other side is the operational efficiency, where it would really take a lot of time to try to figure it out server by server. They can go to one place which has all those server logs. Plus there's an archive copy of them, so they don't have to keep as many logs locally on the individual servers. Once it makes it to EventTracker, they can keep that window pretty small and don't have to burn a lot disk space on the local servers.
I also feel that EventTracker has better integration. Almost any product could integrate with just about anything else, given enough time and resources. But that's part of the managed services that we contract with EventTracker. We've actually got it tied into Sophos for antivirus. We've got tied it into Office 365. I mentioned earlier, the Palo Alto firewalls, and it's also tied into our Cisco networking equipment. So we've got all the critical infrastructure pieces integrated and all of those were integrations out-of-the-box-that I probably could have figured out if I had enough time. But I tell them what I'm trying to do and either they have a white paper which gives me one, two, three steps to do it, or they actually take over. I give them a service account. They take over, they do it, we do some testing and we go live with it.
Everything we have is a real-time feed. We don't have anything that is just batch and then it reads it in later. Especially on those real-time alerts that I mentioned, I know about each of those literally within minutes after it happens, because it's a real-time feed. The alert fires and sends me an email or a text, whichever I have set up.
We're also very impressed with EventTracker SIEMphonic. That's what they've renamed their SIEM tool. We use it quite a bit now. They've got something called potential insider threats that we look at on a pretty regular basis. Those are things like account creations and the like. A SIEM tool doesn't necessarily know, just because an account is created, whether it shouldn't have been created or if somebody created it to try to hide their tracks. Also, seeing things like logs being cleared on servers has been very helpful to us. We would have no other good way to get visibility into those types of things. An extension of that is the alerts that we talked about. It's really been really invaluable for us to get insight into our environment. There'd be no other way for us to really get that without either SIEMphonic or one of its competitors.
Devo: insider threat
I run an incident response, digital forensics team for OpenText. We do investigations into cyber breaches, insider threats, network exploitation, etc. We leverage Devo as a central repository to bring in customer logging in a multi-tenant environment to conduct analysis and investigations.
We have a continuous monitoring customer for whom we stream all of their logging in on sort of a traditional Devo setup. We build out the active boards, dashboards, and everything else. The customer has the ability to review it, but we review it as well, acting as a security managed service offering for them.
We use Devo in traditional ways and in some home grown ways.
For example, if there is a current answer response, I need to see what's going on in their environment. Currently, I'll stream logs from the syslog into Devo and review those. For different tools that we use to do analytics and forensics, we'll parse those out and send that up to Devo as well. We can correlate things across multiple forensic tools against log traffic, network traffic, and cloud traffic. We can do it all with Devo.
It's all public cloud, multi-factor authentication, and multi-tenant. We have multiple tenants built in as different customers, labs, etc. Devo has us set up in their cloud, and we leverage their instance.
We are using their latest version.