A guest post by Mike Tierney, COO of SpectorSoft, Inc.
Insider threats are a big topic – in the news and here at SpectorSoft. We give webinars advising companies on how to reduce their risk of an insider incident, have published articles on the topic, and offer solutions that improve insider threat detection and facilitate insider incident response.
Today we are announcing a partnership aimed at dealing with a threat that starts and ends on the outside, but behaves very much as an insider threat at its core.
The imposter is dangerous, but with the right tools and focus they can be caught and stopped. Since user credentials or network credentials may be compromised, focus on user behavior and network behavior is needed to detect the imposter.
Given our focus on user behavior and activity, we sought a partner that offered unique, powerful capability in detecting anomalous network behavior – one that focuses on network traffic from a pure security perspective. We found that partner in FlowTraq and its powerful network behavioral intelligence engine.
There are typically three phases to the imposter’s approach – and combining network behavior intelligence and user activity intelligence gives you the insight you need to minimize the impact of the attack.
Initial malicious activity often includes scanning, password cracking or attack propagation. Although a skilled imposter shouldn’t have to resort to “noisy” techniques like this, 60 percent of “bad” network behavior fits into these categories. And due to weak passwords, forgotten default credentials and/or poor firewall policies, they’re surprisingly successful. But, with FlowTraq’s advanced network behavior intelligence, these are an easy catch.
2. Data Gathering
Once in, an imposter will look like a legitimate user from an authorization and authentication perspective, but won’t behave like a normal user. The amount and frequency of data accessed will be unusually high compared to a legitimate user – because the imposter isn’t interested in processing information as a user would. And while the data will appear to be going to a safe, internal system/user, the reality is that this is a precursor to a potential data exfiltration. SpectorSoft’s unique user activity intelligence capability seeks out these types of anomalies – making it simple to detect, alert, and respond to insider threats.
3. Data Exfiltration
With data in hand, the imposter doesn’t have access to “physical” exfiltration options — removable media, laptop, or printing — so the data needs to be moved to a remote server (often cloud-provisioned, temporary accounts). FlowTraq’s advanced network anomaly detectors will flag this immediately – its unique filtering, combined with its full-fidelity storage, ensures that no traffic flies under your radar. SpectorSoft’s Spector 360 Recon solution flags shifts in user behavior related to cloud storage usage, ensuring nothing slips through the cracks.
To learn more about how to prevent the imposter from getting in and out of your organization undetected, send an email to firstname.lastname@example.org with the subject line “The imposter.”