
Understanding Insider Threat Detection Tools

  • Sep 10, 2020
  • Cynthia Gonzalez
  • 3 minutes to read

    Every few months, a publicized breach reminds us that standard security tools are ineffective when it comes to detecting insider threats. That is because insider threats are much harder to detect and prevent compared to threats from outside the organization. Insiders have legitimate credentials and inherently have an elevated level of trust and access to get their jobs done. Standard security measures such as passwords, antivirus, encryption, or firewalls cannot prevent insider threats.

    While an external attacker trying to gain access to the company network might raise a number of flags, a contractor who steals information to sell might not raise any suspicion at all. This leaves organizations vulnerable to insider threats, as they are unable to detect the attacker in action, only discovering the attack after it has occurred.

    In this article you will learn about three different tools and methods that can help you detect insider threat:

    • Employee monitoring
    • Data loss prevention
    • User and entity behavior analytics

    Employee monitoring

    Employee monitoring software gives an organization insight into employees' computer activity by monitoring behaviors like:

    • Application or software usage
    • Internet activity
    • Social media use
    • Login/logout
    • Active vs idle time

    Many organizations choose to deploy an employee monitoring solution in an effort to curtail insider threats. Employee monitoring gives organizations visibility into the day-to-day activities of insiders. From this, security teams try to identify patterns and deviations that may be a sign of suspicious user activity. If a breach occurs, employee monitoring can provide a record of the activity to help track the origin of the vulnerability.

    Data loss prevention

    Data loss prevention, or DLP, refers to tools and processes designed to ensure that sensitive data is neither lost, stolen nor misused. Security professionals deploy DLP to thwart threats from external attackers as well as insiders.

    There are three main DLP tools available:

    1. Network DLP — provides sensitive data protection within your organization’s network. Network DLP monitors all network communications around activities like email and file transfer protocol (FTP), flagging and alerting you of any suspicious activity within the network.
    2. Endpoint DLP — monitors devices serving as access points capable of reaching your sensitive data, such as laptops, USB disks and external hard drives. An agent installed on an endpoint device prevents data leakage and gives you visibility into endpoint activity.
    3. Storage DLP — allows you to monitor access to sensitive files stored and shared by individuals who have access to your network, including on-premises and cloud-based networks.

    DLP solutions can dramatically reduce the risk of data loss from accidental employee behavior and disrupted business processes, the cause of the vast majority of data loss incidents. With DLP, security professionals can stop data loss on their networks, preventing otherwise costly security events.

    User and entity behavior analytics

    User and entity behavior analytics (UEBA) tracks, collects and analyzes data gathered from computer and user activities. UEBA uses several techniques to distinguish between normal and suspicious behaviors.

    UEBA first learns the normal patterns of behavior for each user and entity. Once that baseline is created, it can flag activities that do not fit it. UEBA solutions can detect suspicious activities that might indicate insider threats, such as irregular online behavior, unusual access activities, credential abuse and abnormally large uploads or downloads of data.

    The most critical function of UEBA is the ability to detect suspicious activities that might be the result of malicious intent and flag the individuals who perform them as insider threats before they can cause significant damage. With UEBA, security analysts can monitor for deviations such as irregular online behavior, unusual access activities, credential abuse, and large uploads or downloads of data as these deviations might indicate insider threats.
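    The baseline-then-deviation idea behind UEBA, as an added illustration that is not Exabeam's product logic or code from this post: it builds a per-user profile (typical download volume and login hours) from constructed history records, then scores a new record against that profile and returns the reasons it deviates, if any. The record format, threshold and variance floor are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history records (not real logs): (user, day, login_hour, bytes_downloaded).
# alice downloads a slowly growing volume at 09:00; bob a constant volume at 08:00/09:00.
BASELINE_EVENTS = (
    [("alice", d, 9, 40_000_000 + d * 1_000_000) for d in range(1, 15)]
    + [("bob", d, 8 + (d % 2), 20_000_000) for d in range(1, 15)]
)


def build_baseline(events):
    """Per-user profile: mean/std of daily download bytes and the set of login hours seen."""
    by_user = defaultdict(lambda: {"bytes": [], "hours": set()})
    for user, _day, hour, nbytes in events:
        by_user[user]["bytes"].append(nbytes)
        by_user[user]["hours"].add(hour)
    return {
        user: {
            "mean": mean(rec["bytes"]),
            "std": pstdev(rec["bytes"]),
            "hours": frozenset(rec["hours"]),
        }
        for user, rec in by_user.items()
    }


def score_event(baseline, event, z_threshold=3.0):
    """Return a list of deviation reasons for one record; an empty list means 'fits baseline'."""
    user, _day, hour, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        # No history at all is itself worth surfacing (new or never-seen account).
        return ["no baseline for user"]
    reasons = []
    # Floor the spread at 10% of the mean so a user with near-constant history
    # (std ~ 0) does not get flagged for trivial changes (assumed floor).
    std = max(profile["std"], 0.1 * profile["mean"])
    z = (nbytes - profile["mean"]) / std
    if z > z_threshold:
        reasons.append(f"download volume z={z:.1f} above threshold")
    if hour not in profile["hours"]:
        reasons.append(f"login at hour {hour:02d} outside baseline")
    return reasons


def find_deviations(baseline, events):
    """Run score_event over many records and keep only the ones with reasons."""
    return [(e, r) for e in events if (r := score_event(baseline, e))]
```

    Each reason string names the baseline dimension that was violated, which is the kind of context an analyst needs to decide whether a flagged record is an insider incident or a benign change in duties.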

    Unfortunately, insider threats are not going to disappear anytime soon, but with the right tools in place, your organization can be prepared to detect them.

    To find out more about how to prepare your organization to detect insider threats, read our blog post “Insider Threat Indicators: Finding the Enemy Within.”

    Cynthia Gonzalez

    Senior Product Marketing Manager | Exabeam | Cynthia Gonzalez is a Senior Product Marketing Manager at Exabeam. An advocate for customers, she’s focused on their use of technology to enable and simplify day-to-day work activities. She is at her best when bridging the gap between sophisticated software products and the benefits customers can expect. She received a BA with majors in Economics and Spanish from the University of California, Berkeley.
