
Insider Threat Software - An early indicator to prevent attacks

Whether the user is malicious, careless or exploited, it is commonly understood that one of the greatest risks to any organization comes from the insider threat.

Also keep in mind that almost every external attacker eventually looks like an insider. The use of compromised internal credentials by an external attacker is among the most common threat actions in data breaches (Verizon, Data Breach Investigations Report 2018). This underpins the value of identifying insider threats as early as possible.

No technology can completely eliminate the chance of an attack, but there is a way to drastically reduce the potential risks.

The insider threat concerns all users

The CERT definition of Insider Threat is the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

‘An individual’ means insider threats are about more than just privileged users. Anyone with access to data that is considered valuable externally is potentially a threat. And by anyone, we do not mean only direct employees. Consider the extended enterprise of today: partners, contractors, supply chains... anyone who has access to your network.

So, how can organizations spot the insider – preferably before a threat action takes place?

User Activity is the Key to Spotting a Potential Threat

Insider threats are generally difficult to spot. Simply logging all network activity is not sufficient to protect an organization from either malicious or careless activity. The goal is to look for leading indicators of improper, malicious or careless employee behavior.

That means watching for abnormal user activity, but it needs to be activity that suggests a potential threat, not activity that shows a threat already in progress.

For example, you can watch for excessive copying of files, or surges in upload web traffic, to spot potential data theft, but the reality is that once these activities occur it is too late: the threat action has already taken place.

What needs to happen is:

  1. Watch for activity that occurs well before threat actions are taken. The earlier detection occurs, the less damage the threat can do.
  2. Create as few false positives as possible. If detection parameters are too broad, IT spends its time chasing ghosts rather than stopping threats.
  3. Don’t just detect the threat. Stop the threat, well before any malicious action takes place.

To do this, focus your efforts on the one part of the attack that cannot be bypassed: the logon.

Detecting & Preventing Insider Threats with Logon Management

The simplest activity common to every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.

The concept of logon management centers around four primary functions – all working in concert to maintain a secure environment:

  • Policy & Restrictions – Establishes who can log on, when, from where, for how long, how often, and from how many machines at once (simultaneous sessions). It can also limit specific logon types (such as console- and RDP-based logons).
  • Real Time Monitoring & Reporting – Every logon is monitored and tested against existing policies to determine whether it should be allowed. Reporting provides the detailed record needed for any investigation.
  • IT and End-User Alerting – Notifies IT, and the user themselves, of inappropriate logon activity and failed attempts.
  • Immediate Response – Allows IT to interact with a suspect session: lock the console, log off the user, or block the account from further logons.

In essence, logon management makes the logon itself a scrutinized and protected event.

Logon Management for Windows Active Directory

IS Decisions’ logon management solution, UserLock, provides a comprehensive layer of security over Windows-based networks at logon. Using a mixture of enforceable logon policies, alerting, and response actions, UserLock empowers IT organizations to use the Active Directory logon as a critical security checkpoint, before insiders take action.

The ability to log on successfully (and remain logged on) becomes more than just a question of whether the right credentials were presented. That is what makes it an effective protection against the insider threat.

A logon management solution detects an abnormal access attempt by testing it against the customized, granular logon policies set for that particular account (employee). It acts accordingly, either denying or approving the logon, and alerts IT (or the user themselves) if the policy stipulates.
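To make the four functions listed above and the per-account evaluation described in this paragraph concrete, here is an added illustration in Python. It is not UserLock's code and does not use the UserLock API; it is a toy policy engine that replays a set of constructed logon events (not real Windows logs) against per-account rules for workstation, hours, weekday, logon type and simultaneous sessions, records allow/deny decisions with alert recipients, and blocks an account after repeated violations. The account names, machine names, policy fields and the `deny_limit` threshold are all assumptions made for the example.

```python
"""Toy logon-policy engine (illustration only, not UserLock).

Models the four logon-management functions: per-account restrictions,
monitoring of every logon against them, alerting on denials, and an
automatic response (blocking the account) after repeated violations.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Set, Tuple


@dataclass
class LogonPolicy:
    """Per-account restrictions. None means 'no restriction' for that field."""
    workstations: Optional[Set[str]] = None          # allowed machine names
    hours: Optional[Tuple[time, time]] = None        # allowed local time window
    weekdays: Optional[Set[int]] = None              # 0=Mon .. 6=Sun
    max_sessions: int = 1                            # simultaneous sessions
    logon_types: Optional[Set[str]] = None           # e.g. {"console", "rdp"}
    deny_limit: int = 3                              # denials before block (assumed)


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert_to: Tuple[str, ...] = ()                   # who is notified: "it", "user"


class LogonManager:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}     # user -> set of workstations with an open session
        self.denials = {}      # user -> consecutive denial count
        self.blocked = set()   # accounts blocked from further logons
        self.log = []          # (timestamp, user, workstation, Decision)

    def _check(self, user, ws, ltype, ts):
        """Return a denial reason, or None if the logon is within policy."""
        p = self.policies.get(user)
        if p is None:
            return "no policy defined for account"
        if user in self.blocked:
            return "account blocked after repeated policy violations"
        if p.workstations is not None and ws not in p.workstations:
            return f"workstation {ws} not permitted"
        if p.logon_types is not None and ltype not in p.logon_types:
            return f"logon type {ltype} not permitted"
        if p.weekdays is not None and ts.weekday() not in p.weekdays:
            return "logon outside permitted days"
        if p.hours is not None and not (p.hours[0] <= ts.time() < p.hours[1]):
            return "logon outside permitted hours"
        open_ws = self.sessions.get(user, set())
        if ws not in open_ws and len(open_ws) >= p.max_sessions:
            return (f"would exceed {p.max_sessions} simultaneous session(s); "
                    f"already open on {sorted(open_ws)}")
        return None

    def logon(self, ts, user, ws, ltype):
        """Monitor one logon attempt: enforce policy, alert, and respond."""
        reason = self._check(user, ws, ltype, ts)
        if reason is None:
            self.sessions.setdefault(user, set()).add(ws)
            self.denials[user] = 0
            d = Decision(True, "logon within policy")
        else:
            n = self.denials.get(user, 0) + 1
            self.denials[user] = n
            p = self.policies.get(user)
            if p is not None and n >= p.deny_limit and user not in self.blocked:
                self.blocked.add(user)             # immediate response
                reason += "; account blocked"
            d = Decision(False, reason, ("it", "user"))   # alert IT and the user
        self.log.append((ts, user, ws, d))
        return d

    def logoff(self, ts, user, ws):
        self.sessions.get(user, set()).discard(ws)

    def force_logoff(self, user):
        """IT response action: close every open session for the account."""
        self.sessions.pop(user, None)


# Assumed policies: a finance clerk tied to two desktops in office hours, and
# an admin allowed RDP and two concurrent sessions with no time window.
POLICIES = {
    "alice": LogonPolicy(workstations={"FIN-PC-01", "FIN-PC-02"},
                         hours=(time(7), time(19)), weekdays={0, 1, 2, 3, 4},
                         max_sessions=1, logon_types={"console"}),
    "bob": LogonPolicy(workstations={"ADM-PC-01", "JUMP-01"}, max_sessions=2,
                       logon_types={"console", "rdp"}),
}

# Constructed events (kind, timestamp, user, workstation, logon type).
EVENTS = [
    ("logon",  datetime(2018, 6, 5, 8, 30),  "alice", "FIN-PC-01", "console"),  # Tue, OK
    ("logon",  datetime(2018, 6, 5, 8, 45),  "alice", "FIN-PC-02", "console"),  # 2nd session
    ("logon",  datetime(2018, 6, 5, 9, 0),   "alice", "HR-PC-03",  "console"),  # wrong machine
    ("logoff", datetime(2018, 6, 5, 17, 50), "alice", "FIN-PC-01", "console"),
    ("logon",  datetime(2018, 6, 5, 23, 10), "alice", "FIN-PC-01", "console"),  # after hours
    ("logon",  datetime(2018, 6, 6, 8, 0),   "alice", "FIN-PC-01", "console"),  # now blocked
    ("logon",  datetime(2018, 6, 5, 9, 0),   "bob",   "ADM-PC-01", "console"),
    ("logon",  datetime(2018, 6, 5, 9, 5),   "bob",   "JUMP-01",   "rdp"),      # 2nd of 2
    ("logon",  datetime(2018, 6, 5, 9, 10),  "bob",   "JUMP-01",   "vpn"),      # type denied
]


def run_scenario():
    """Replay the constructed events and return the manager with its log."""
    m = LogonManager(POLICIES)
    for kind, ts, user, ws, ltype in EVENTS:
        if kind == "logon":
            m.logon(ts, user, ws, ltype)
        else:
            m.logoff(ts, user, ws)
    return m


if __name__ == "__main__":
    for ts, user, ws, d in run_scenario().log:
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{ts:%a %H:%M} {user:6} {ws:10} {verdict} {d.reason}")
```

The order of checks matters: the simultaneous-session rule is the one that catches a shared or stolen password being used from a second machine while the legitimate session is still open, so it only fires once the static restrictions (machine, logon type, days, hours) have passed. Alice's third denial trips the assumed block threshold, so her otherwise valid Wednesday-morning logon is refused until IT unblocks the account.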


It is tough to identify malicious network access from phished, stolen or shared user login credentials: the system believes that the person on the network is who they claim to be. With UserLock you can build effective restrictions, personalized easily to each employee, that protect against unauthorized access even when credentials are compromised.


Logon management is a simple, efficient and effective means of thwarting potential insider threats. It provides a protective layer at the logon, which logically exists before any action occurs, to stop the threat entirely. No logon, no threat.

Some of the potential insider threat scenarios that are now thwarted include:

  • Compromised logins (from exploited users) become useless to malicious insiders or external attackers.
  • Careless user behavior such as password sharing, shared workstations left unlocked, or logging into multiple computers simultaneously is now prevented.
  • Access to any data or resource is always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.
  • Suspicious activity raises an alert, giving IT the chance to react instantly.
  • Users are notified with tailor-made messages and alerts, including alerts on their own trusted access. Informed employees are another line of defense.

Stopping Insider Threats at the Logon

The insider threat is real and it is here. Today. On your network already. They are the employees you work with every day, for whom the shift to becoming an insider threat may take little more than a broken-up relationship, a passed-over promotion, or personal hardship. So having a proactive and cost-effective solution to address insider threats is as important as your endpoint protection, firewalls, and email gateway.

The common factor to every insider scenario is the logon. With logons as your key insider threat indicator:

  1. You have identified the threat potential very early in the process.
  2. False positives are avoided through granular policies (per account if needed) that define what is and is not ‘normal’ for that user.
  3. The logon is denied, stopping the threat.

By leveraging logon management, you put the focus of your insider threat detection and response well ahead of any malicious action that could take place, stopping the insider in their tracks, with IT in control.