Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

User behavior analytics is key to identifying nefarious use of insider credentials

Idan Tendler, CEO and Co-Founder, Fortscale | Jan. 28, 2016
What to look for when shopping for these new tools.

This vendor-written tech primer has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Almost all data breaches involve use of legitimate logon credentials. Guarding against these “insider threats” requires the ability to detect when cybercriminals are using stolen credentials. Sadly, traditional network security tools are not effective in identifing or mitigating these threats.  However, a new breed of user behavior analytics solutions has been designed for this specific purpose and is proving effective.

The expression “insider threat” usually conjures up images of rogue employees or criminally minded contractors or business partners that are authorized to access company data. But the term is also used in a much broader sense to mean any threat or attack that abuses the logon credentials or privileges of legitimate employees or other insiders.

It’s true that employees or other insiders can often be traced to a data breach. In addition to disgruntled or malicious individuals intentionally stealing information, security misconfigurations, negligence in following company policies, succumbing to phishing or social engineering attacks, or other unintentional acts often result in theft of sensitive information.

However, the largest and most damaging data breaches are generally at the hands of outside hackers, organized crime, opposing governments, competitors or hacktivists. While they are not insiders themselves, these criminals almost always depend on obtaining logon credentials belonging to insiders, especially those that have administrative privileges. The number one objective of a cybercriminal is to obtain logon credentials for individuals with access to sensitive data. Once that has been accomplished, the imposter poses as a privileged insider, penetrates the system and copies the information he’s after.

Whether by outsiders or from within, the unauthorized or negligent use of insider logon credentials and privileges are the common denominators in nearly all cybercrimes. Any associated hazard can be viewed as an insider threat.

Given this broader definition of insider threats, there are numerous activities related to the use of logon credentials and user activities that must be monitored to guard against cybercrime.  Here are some of the more common behaviors that indicate the use of stolen credentials or other unauthorized and suspicious insider threats. A good user behavior analytics solutions will need to detect each of these:

* Suspicious geolocation sequence.  Many users work from multiple remote locations, such as their homes, hotels, airport kiosks, satellite offices and customer locations. When accounts are used to logon from remote locations, enterprises need to determine if they are legitimate users or remote attackers who have managed to obtain valid user credentials. Monitoring the geolocation of each access attempt and validating it against what’s physically possible given the time elapsed since a connection from another location, as well as verifying what is normal behavior for the legitimate account owner is critical in determining if user credentials have been stolen and are being used by remote hackers.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.