Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

User behavior analytics is key to identifying nefarious use of insider credentials

Idan Tendler, CEO and Co-Founder, Fortscale | Jan. 28, 2016
What to look for when shopping for these new tools.

* Compromised service account. Service accounts are used by operating systems and various applications to perform automated background tasks. These accounts, usually unmonitored, own high access rights and are under constant risk of attack and compromise.  Their activity should be monitored to ensure they are not accessing systems they shouldn’t be, or transmitting data to unauthorized recipients, etc.

* Exfiltration attempts. Data exfiltration is a big concern in many organizations. Detecting data leaks has become more difficult as additional technologies and methods to transfer data emerge. Monitoring for abnormal user behavior such as accessing data that’s not normally dealt with by the user, or transmitting data to unusual destinations can detect data exfiltration attempts. 

* Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring for simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.

* Snooping users. In search of sensitive or valuable data, rogue insiders and malicious outsiders scan corporate systems hoping to find and access information they can sell or use for their own gain.  Detecting and investigating such unusual user behavior can ward off impending cybercrimes.

* Departing employee. Employees who are preparing to leave an organization may pose a security threat. Even though departing employees may carry a high risk of data exfiltration and even sabotage, very few tools can effectively monitor their actions and detect suspicious behavior. Security personnel need to implement solutions designed to specifically and automatically monitor the accounts of departing employees and raise alerts if their behavior is suspicious.

* Privileged account abuse. Since privileged accounts are the prize possession for cybercriminals, monitoring their use for unusual behavior is extremely important. Automated, remote or simultaneous access can indicate an insider threat, as can unusual login times, systems accessed, and data transmissions.

* Unauthorized third party access (business partners and other suppliers). Contractors, business partners, and other service providers often have access to sensitive corporate data. However, they are not usually subject to the same security practices and policies as the hosting enterprise.  As a result, applications or devices may become infected with malware designed to steal logon credentials. It’s especially incumbent on the hosting enterprise to monitor the behavior of all third party users.

* Network misconfiguration. By monitoring normal user behavior, an anomalous act can often detect an improperly configured security setting. For example, if an employee accesses a system that’s outside of their normal work pattern, it often indicates a hole in the security policies or settings. Correcting the misconfigurations in a timely manner can prevent imminent and future attacks.

Detecting insider threats is essential in today’s environment and doing so calls for the diligent use of a number of cybercrime prevention techniques. Whether it’s a malicious employee or an outsider using compromised credentials, businesses must be on alert and maintain vigilant monitoring, focusing their attention internally on user behavior and suspicious activity to thwart potential insider attacks.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.