CipherCloud Chronicles #7: Spot Your Insider Threats

Spot Your Insider Threats with UEBA and Insights Investigate

“When companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”  — Dr. Larry Ponemon

Consider this scenario:

Alisa, a CISO, is worried about insider threats within her organization: the resulting financial and reputational losses can be significant, sometimes unrecoverable, and could cost her the job. Identifying an insider threat is difficult, so she wants to take proactive measures rather than wait for an incident.

We think that Alisa has made the smart choice by choosing CipherCloud as her organization’s CASB solution. And here’s why:

Applying UEBA (User and Entity Behavior Analytics)

Organizations are constantly challenged by user error, malicious activity from internal bad actors, and cloud-borne threats, all spread across multi-cloud and multi-device environments.

To address this challenge, CipherCloud’s User and Entity Behavior Analytics (UEBA) performs continuous monitoring of users, devices, and application activities for real-time detection and remediation of anomalous user and entity behavior.

Examples of such anomalies include an abnormally large number of downloads by an individual user, a higher than normal number of logins by the same user, or persistent login attempts by an unauthorized user. The monitoring also records where logins originate (geo-location), the source IP addresses, and the devices used, and it covers activities such as content uploads and downloads, edits, deletes, logins, and logouts.

To enact this approach, CipherCloud’s UEBA system consists of:

  • Agents that collect information about user and entity activities
  • Central storage where all information is collected from all sources
  • An analysis module that performs event analysis (often in real-time) and responds to the most dangerous actions using predefined rules

Adjacent security infrastructure such as DLP, identity management (IDM) and SIEM, among others, can also act as an agent or repository of information about user activity. The analysis module very often draws on several of these systems at once, both to receive data and to send signals about identified suspicious activity.

Among the specific outcomes of this approach are the ability to:

  • Monitor and analyze the behavior of users and other entities: collect data from IT systems and build a behavioral baseline for each entity on the network.
  • Detect anomalous behavior: alert on deviations from the baseline that are significant and indicate an insider attack or another form of security threat.
  • Leverage advanced analytics: detect unknown threats by learning from large data sets, even when the attack has never been seen before.
  • Correlate multiple activities into one security incident: identify incidents that span multiple users, entities, or IPs by combining data from many sources, such as anti-malware, firewalls, proxies, DLP, and VPN.
  • Apply near-real-time analysis: collect data and alert on events immediately after they occur.
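The detection steps above (build a per-user baseline, flag significant deviations, then correlate the alerts into one incident) are concrete enough to show in code. The following is an added example written for this page, not CipherCloud's own implementation: it works over a constructed set of cloud-app audit events and uses an assumed event schema (day, user, action, country, source IP), an assumed z-score threshold of 3, and an assumed cutoff of 5 failed logins for an account with no history. It covers the three anomaly types named earlier, an abnormal download volume, a login from a country never seen for that user, and persistent failed logins by an unknown user, and it deliberately handles the case of a user or action with no baseline, which a naive z-score would treat as infinitely anomalous.

```python
"""Toy UEBA detector (added example, not CipherCloud code): per-user
behavioural baselines, anomaly scoring for one new day, and correlation
of the resulting alerts into per-user incidents with a severity."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:            # assumed schema; real CASB audit logs carry more fields
    day: date
    user: str
    action: str         # "login", "login_failed", "download", "upload", "delete"
    country: str
    src_ip: str


def _daily_counts(events):
    """{(user, action): [count for every day in the window, zeros included]}"""
    per_day = Counter((e.user, e.action, e.day) for e in events)
    days = sorted({e.day for e in events})
    series = defaultdict(list)
    for user, action in {(u, a) for (u, a, _) in per_day}:
        series[(user, action)] = [per_day[(user, action, d)] for d in days]
    return series


def build_baseline(history):
    """Per-user profile: (mean, stddev) of daily counts per action and the
    set of countries the user has successfully logged in from."""
    profile = defaultdict(lambda: {"stats": {}, "countries": set()})
    for (user, action), series in _daily_counts(history).items():
        profile[user]["stats"][action] = (mean(series), pstdev(series))
    for e in history:
        if e.action == "login":
            profile[e.user]["countries"].add(e.country)
    return dict(profile)


def score_day(profile, today, z_threshold=3.0, fail_threshold=5):
    """Return alerts as (user, kind, subject, value) tuples for one day."""
    alerts = []
    counts = Counter((e.user, e.action) for e in today)
    for (user, action), n in counts.items():
        if user not in profile:
            # No baseline at all: only a persistent-failure rule applies,
            # otherwise every action by a new account would look anomalous.
            if action == "login_failed" and n >= fail_threshold:
                alerts.append((user, "persistent_failed_login", action, n))
            continue
        mu, sigma = profile[user]["stats"].get(action, (0.0, 0.0))
        # Floor sigma at 1 so a perfectly regular history (sigma 0) or an
        # action never performed before does not alert on a single event.
        if n > mu + z_threshold * max(sigma, 1.0):
            alerts.append((user, "volume_anomaly", action, n))
    seen_geo = set()
    for e in today:
        if e.action == "login" and e.user in profile \
                and e.country not in profile[e.user]["countries"] \
                and (e.user, e.country) not in seen_geo:
            seen_geo.add((e.user, e.country))
            alerts.append((e.user, "new_geo", e.country, 1))
    return alerts


def correlate(alerts):
    """Group alerts per user into one incident; two or more distinct
    anomaly kinds for the same user escalate it to high severity."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a[0]].append(a)
    return {
        user: {"severity": "high" if len({a[1] for a in items}) > 1 else "medium",
               "alerts": items}
        for user, items in by_user.items()
    }


def constructed_history():
    """Constructed five-day baseline: alice 3 downloads/day, bob 2/day, all US."""
    hist = []
    for i in range(1, 6):
        d = date(2024, 3, i)
        hist.append(Event(d, "alice", "login", "US", "203.0.113.10"))
        hist += [Event(d, "alice", "download", "US", "203.0.113.10")] * 3
        hist.append(Event(d, "bob", "login", "US", "203.0.113.11"))
        hist += [Event(d, "bob", "download", "US", "203.0.113.11")] * 2
    return hist


def constructed_today():
    """Constructed day six: alice bulk-downloads, bob logs in from a new
    country and mass-deletes, an unknown account hammers the login page."""
    d = date(2024, 3, 6)
    ev = [Event(d, "alice", "login", "US", "203.0.113.10")]
    ev += [Event(d, "alice", "download", "US", "203.0.113.10")] * 40
    ev += [Event(d, "bob", "login", "BR", "198.51.100.7")]
    ev += [Event(d, "bob", "delete", "BR", "198.51.100.7")] * 5
    ev += [Event(d, "mallory", "login_failed", "RU", "192.0.2.99")] * 7
    return ev


if __name__ == "__main__":
    incidents = correlate(score_day(build_baseline(constructed_history()),
                                    constructed_today()))
    for user, inc in incidents.items():
        print(user, inc["severity"], inc["alerts"])
```

Two points worth noting from the run. Bob's single login from Brazil is only medium on its own; it is the combination with the mass delete, which his baseline has never seen, that the correlation step raises to high, which is exactly why correlating activities into one incident matters more than any single rule. And mallory never appears in the baseline, so the z-score branch is skipped for her entirely; without that guard a brand-new account's first action would always trip the detector, and a real deployment needs a learning period and a separate policy for accounts with no history.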

Further, CipherCloud’s Insights Investigate capability lets administrators focus on the incidents that involve the most serious policy violations, assign a severity level to each incident, and specify the appropriate response actions.

This feature provides a centralized, 360-degree view of all these incidents and the resources involved.

Equipped with the right tools, including CipherCloud CASB+ UEBA and Insights Investigate, Alisa’s organization can now address insider threats in a targeted and continuous way, freeing her to focus on other security challenges.

The post CipherCloud Chronicles #7: Spot Your Insider Threats appeared first on CipherCloud.

*** This is a Security Bloggers Network syndicated blog from CipherCloud authored by CipherCloud. Read the original post at: