Insider threat detection
AlienVault Unified Security Management (USM) accelerates and simplifies insider threat detection with all the essential security capabilities you need in one easy-to-use console.
Detect and Minimize Threats from Within
In the wake of high-profile breaches where trusted employees were involved, enterprises are increasingly concerned about the threats those employees pose, such as:
- Disgruntled employees looking to damage systems or steal data
- Users engaged in corporate or state-sponsored espionage
- Unsuspecting users clicking on phishing e-mails
- Users illegally downloading torrents
Insider threat detection can be challenging because it often spans across a multitude of systems and services. The rise of cloud services complicates insider threat detection efforts because many traditional security tools are incompatible with cloud architecture, creating blind spots in your security plan. The AlienVault® Unified Security Management™ (USM™) platform provides visibility into your on-premises, private cloud, and public cloud environments, enabling you to detect insider threats across your entire critical infrastructure.
AlienVault USM delivers essential insider threat detection and management capabilities, including:
Insider Threat Visibility Across Your Critical Infrastructure
- Network Intrusion Detection (NIDS)
- Cloud Intrusion Detection
- Cloud access logs (Azure: Insights, AWS: CloudTrail, S3, ELB)
Privilege Escalation Detection
- Host Intrusion Detection System (HIDS)
- File Integrity Monitoring (FIM)
- Detect unauthorized user access attempts
- Monitor critical SaaS services like Office 365 and G Suite
Event Correlation
- Security Information and Event Management (SIEM)
- Detect communications with malicious hosts
- Centralized dashboard that prioritizes threats the way you want to see them
Insider Threat Visibility Across Your Critical Infrastructure
Insider threat detection techniques rely on visibility into what’s happening across your critical infrastructure. However, the rise of the public cloud represents a security blind spot for many organizations because traditional security methods were not built with the cloud in mind. Effective insider threat detection requires a solution built to accommodate all the environments you need to secure.
That’s why AlienVault USM provides a unified platform to help you detect and understand activity across any combination of on-premises, private cloud, and public cloud environments, including threats that come from malicious or careless users within your organization.
On-premises, AlienVault USM’s Network Intrusion Detection (NIDS) inspects traffic between your internal devices and critical systems, giving you visibility into what’s happening inside your perimeter and detecting internal connections to external known bad actors. By deploying an agent such as the AlienVault Host Intrusion Detection (HIDS) agent, you can gain even more granular information about activity in your environments.
Cloud environments pose a unique challenge to insider threat detection efforts, both because traditional network security methods aren’t compatible with cloud infrastructure and because of the amount of damage a single user can inflict. (Imagine your root access keys getting into the wrong hands.)
AlienVault USM Anywhere™ provides full visibility into your cloud environments, using purpose-built sensors with direct hooks into cloud APIs to leverage the extensive controls service providers have built into cloud architecture.
In addition to enabling cloud intrusion detection capabilities for AWS and Azure, the USM Anywhere sensors support insider threat detection with detailed information about who logs into the management plane and what actions they take. For example, you can tell if someone has created or destroyed virtual machines, created new services, or changed the configurations of your virtual machines (say, from eight to sixteen gigabytes, or from one process to multiple).
You can use this data to detect insider threats such as careless or malicious use of your root access keys—before it causes your bill to skyrocket.
Privilege Escalation
Most companies track the activities of privileged users as an essential security practice. To bypass this, insiders will seek to escalate privileges in order to gain access to information, subvert controls, damage systems, or facilitate exfiltration of sensitive data—all while flying under the radar.
AlienVault USM provides the capabilities you need to identify privilege escalation and respond to it quickly, limiting the scope of a malicious insider’s impact on your organization.
You can use AlienVault USM to detect and alert on privilege escalation that doesn’t have a corresponding change request by deploying an agent to your systems, allowing you to collect critical information from your endpoint servers and workstations.
Events from the agent are forwarded to your USM deployment, allowing you to monitor admin groups for new users and take action if users are being added to groups inappropriately. You can also use file integrity monitoring (FIM) to track changes to your assets.
In addition, USM correlates suspicious events to detect when a user’s access to critical systems and applications may be malicious. This allows you to detect, respond, and neutralize the insider threat posed by employees trying to bypass security controls by escalating their rights, or by employees hijacking user credentials for malicious purposes.
If your organization uses Office 365, you can use USM Anywhere to monitor privilege escalation by auditing changes to roles or groups within Exchange Online. You can also keep track of activities like user access and mailbox management.
Because Office 365 users sometimes escalate privileges by delegating inbox access to another user (say, to an administrative assistant), it’s important to have forensic records in case an email gets into the wrong hands. With USM Anywhere, you can easily investigate who accessed the inbox or sent email messages.
Event Correlation
Humans, unlike computers, are often unpredictable in nature. As such, insider threat detection usually requires the ability to correlate seemingly benign events to detect insider threats that take place across various systems. Insiders will often account for existing security controls and attempt to keep their activity ‘low and slow’ to avoid triggering any alarms.
AlienVault USM can link disparate events across your on-premises, private cloud, and public cloud environments and correlate events related to malicious insiders. USM’s strong correlation engine uses built-in correlation rules to detect relationships between different types of events occurring in one or more monitored assets to identify suspicious activity. This eliminates the need for IT teams to create their own correlation rules, so they can spend their time mitigating threats rather than researching them.
That’s where the threat intelligence produced by the AlienVault Labs Security Research Team steps in to assist. Think of it as an extension to your IT team – they are constantly performing advanced research on current threats and developing updates to AlienVault USM’s threat intelligence. In addition to the vulnerability signatures, you receive continuous updates to SIEM correlation rules, IDS signatures, knowledgebase articles, and more.
Updating the AlienVault USM platform is extremely easy, designed to minimize downtime, and just requires a couple of mouse clicks. This ensures that AlienVault USM is conducting regular vulnerability scans for the latest threats without requiring in-house research or development of vulnerability data. This allows you to allocate your time and resources to other responsibilities and do more with a smaller team.