One of CERT's 13 best practices for preventing and detecting insider threats recommends that you should "log, monitor, and audit employee online actions." Last week we looked at some of the operational challenges of implementing this best practice. This week we look at three log-management products that are well suited to detecting insider threats as they are emerging.
While insider threats aren't as prevalent as attacks from outside the network, malicious activity by insiders tends to have far greater consequences. Insiders know precisely where the most sensitive information lives, already hold credentials that reach it, and often have ready means to carry out malicious actions. Logging, monitoring and auditing employee online actions is one way to detect and protect against such threats.
In April 2008, PacketMotion released PacketSentry 3.0. PacketSentry records in detail what each user is doing on the network and presents that information in language business people can understand. Because the data is captured in real time, improper actions can be identified and acted on immediately rather than discovered in a later review.
PacketSentry connects directly to Active Directory so that network activity can be traced to specific users instead of to IP addresses. A probe captures network traffic and merges it with the Active Directory information, creating "user-action records." Rules applied to the user-action records define which activities are out of bounds in a business context, and when a rule is violated an alert prompts an appropriate response. That attribution is only as good as the mapping from logon session to address: shared workstations, service accounts and address translation all blur it, so unattributed sessions deserve attention rather than being dropped.
For example, suppose a bank teller has full privileges to view customer account balances as part of her job. It would be unusual, however, for the teller to view the balances of hundreds of accounts in one day. This type of activity might indicate she is looking for a target account from which to siphon funds. An administrator can establish a rule that raises an alert or takes some other action if the teller views more than a set number of distinct accounts within a given period. PacketMotion calls this "actionable intelligence."
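The teller scenario, worked through as an added example in Python (this is illustration code, not PacketMotion's): raw events that carry only a source address are joined against an IP-to-user map that stands in for the Active Directory logon lookup, producing user-action records, and a sliding-window rule then fires when one user views more than a set number of distinct accounts within the window. The events, the address map and the threshold are constructed for the example.

```python
"""Identity-attributed user-action records with a sliding-window threshold rule.

Added example for illustration; it is not PacketMotion's code. The IP-to-user
map stands in for the Active Directory logon-session lookup, and the events
are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the directory lookup (assumption: one user per address).
IP_TO_USER = {
    "10.1.5.21": "teller.alice",
    "10.1.5.22": "teller.bob",
}

# Constructed sample network events: (timestamp, source IP, action, customer account).
RAW_EVENTS = [
    ("2008-06-03 09:00:00", "10.1.5.21", "view_balance", "ACC-1001"),
    ("2008-06-03 09:00:30", "10.1.5.22", "view_balance", "ACC-2001"),
    ("2008-06-03 09:05:00", "10.1.5.21", "view_balance", "ACC-1002"),
    ("2008-06-03 09:10:00", "10.1.5.21", "view_balance", "ACC-1003"),
    ("2008-06-03 09:10:30", "10.1.5.22", "view_balance", "ACC-2001"),  # same account again
    ("2008-06-03 09:15:00", "10.1.5.21", "view_balance", "ACC-1004"),
    ("2008-06-03 09:20:00", "10.1.5.21", "view_balance", "ACC-1005"),
    ("2008-06-03 09:20:30", "10.1.5.22", "view_balance", "ACC-2002"),
    ("2008-06-03 09:25:00", "10.1.5.21", "view_balance", "ACC-1006"),
    ("2008-06-03 09:30:00", "10.1.5.99", "view_balance", "ACC-3001"),  # address not in the map
]


def to_user_action_records(events, ip_to_user):
    """Merge raw events with the identity map, producing records keyed by user.

    Addresses with no mapping are kept and labelled by address rather than
    silently dropped: an unattributed session is itself worth a look.
    """
    records = []
    for ts, ip, action, account in events:
        user = ip_to_user.get(ip, "unattributed:" + ip)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "action": action, "account": account})
    return sorted(records, key=lambda r: r["time"])


def threshold_violations(records, max_accounts=5, window=timedelta(hours=1)):
    """Alert when a user views more than max_accounts distinct accounts in window.

    One alert per user per crossing: further views inside the same window do
    not re-fire until the distinct count drops back under the limit.
    """
    recent = defaultdict(deque)   # user -> deque of (time, account) inside the window
    over_limit = set()
    alerts = []
    for r in records:
        if r["action"] != "view_balance":
            continue
        q = recent[r["user"]]
        q.append((r["time"], r["account"]))
        while q and r["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({acct for _, acct in q})
        if distinct > max_accounts:
            if r["user"] not in over_limit:
                over_limit.add(r["user"])
                alerts.append({"user": r["user"], "time": r["time"],
                               "distinct_accounts": distinct})
        else:
            over_limit.discard(r["user"])
    return alerts


def run(events=RAW_EVENTS):
    return threshold_violations(to_user_action_records(events, IP_TO_USER))


if __name__ == "__main__":
    for a in run():
        print(f"{a['time']} {a['user']} viewed {a['distinct_accounts']} distinct accounts in one hour")
```

With these constructed events only teller.alice trips the rule, at 09:25 on her sixth distinct account; teller.bob's repeat view of the same account does not grow his distinct count, and the event from the unmapped address is carried through under an "unattributed:" label so it can be reviewed.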
The PacketMotion product comprises two appliance components: the PacketSentry Manager and the PacketSentry Probe. A third component, the PacketSentry Branch Probe, is available for remote-site coverage. The probe gathers user-activity records and detects, and can enforce, policy violations. The manager administers policy, collects the user-activity data and generates alerts for analysis. All user activity is captured, analyzed and controlled in real time.
Along with its comprehensive reporting tools, PacketMotion has a simple, Google-like search feature that provides very quick access to all the records needed to tell what a person did during a particular time frame.
The PacketMotion product allows network security to be managed from a business and identity perspective, rather than by packets and ports. The result provides IT and security organizations comprehensive visibility and control of users and assets.
Prism Microsystems offers a product called EventTracker that focuses on security and compliance by marrying traditional log management with change tracking and control. EventTracker's log management provides real-time correlation of security threats, alerting and forensic analysis. Its change monitoring lets companies watch for file and registry changes on critical systems. Together, these capabilities help prevent losses from both internal and external threats.
EventTracker provides security-event correlation and host-based intrusion detection that go beyond what stand-alone firewalls and intrusion-detection systems can see. For example, EventTracker monitors user activity and builds a user-pattern history that becomes a baseline of expected behavior. It then continues to monitor what each user does and applies threshold correlation to identify activity that falls outside that baseline.
For example, let's say an employee has just copied a copious amount of information to a removable USB device. Correlating this action with the fact that the employee is in the accounting department and has access to sensitive financial information might trigger an alert to investigate what was just copied off the network.
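The baseline-and-threshold idea from the two paragraphs above, as an added Python example (illustration code, not EventTracker's): a per-user history of daily bytes written to removable media yields a mean and standard deviation per user, a day that exceeds that baseline by three standard deviations and an absolute floor is flagged, and the alert is escalated when the user's department holds sensitive data. The history, the day's observations and the department map are all constructed; the department map stands in for a directory attribute.

```python
"""Per-user activity baseline and threshold correlation against it.

Added example for illustration; not EventTracker's code. The history, the
observations and the department lookup are constructed sample data; the
department map stands in for a directory attribute.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: user -> department (stand-in for a directory attribute).
DEPARTMENTS = {"jdoe": "accounting", "msmith": "marketing", "tnew": "marketing"}
SENSITIVE_DEPARTMENTS = {"accounting", "finance", "hr"}

# Constructed history of bytes written to removable media, per user per day.
HISTORY = [
    ("2008-05-26", "jdoe", 1_100_000), ("2008-05-27", "jdoe", 1_300_000),
    ("2008-05-28", "jdoe", 900_000),   ("2008-05-29", "jdoe", 1_200_000),
    ("2008-05-30", "jdoe", 1_000_000),
    ("2008-05-26", "msmith", 50_000_000), ("2008-05-27", "msmith", 60_000_000),
    ("2008-05-28", "msmith", 55_000_000), ("2008-05-29", "msmith", 45_000_000),
    ("2008-05-30", "msmith", 65_000_000),
]

# Constructed observations for the day being evaluated.
TODAY = [
    ("2008-06-02", "jdoe", 9_000_000_000),   # about 9 GB, far outside jdoe's pattern
    ("2008-06-02", "msmith", 70_000_000),    # noisy, but within msmith's pattern
    ("2008-06-02", "tnew", 20_000_000),      # new hire with no history yet
]

ABSOLUTE_FLOOR = 100_000_000   # never alert on small volumes, however unusual
SIGMA = 3.0


def build_baselines(history):
    """Per-user mean and population standard deviation of daily volume."""
    per_user = defaultdict(list)
    for _, user, volume in history:
        per_user[user].append(volume)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def evaluate(observations, baselines, departments):
    """Flag observations outside the user's baseline; escalate by department."""
    alerts = []
    for day, user, volume in observations:
        base = baselines.get(user)
        if base is None:
            # No history to compare against: fall back to the absolute floor only.
            unusual, reason = volume > ABSOLUTE_FLOOR, "no baseline"
        else:
            avg, sd = base
            limit = avg + SIGMA * sd
            unusual = volume > limit and volume > ABSOLUTE_FLOOR
            reason = f"{volume:,} bytes vs baseline limit {limit:,.0f}"
        if unusual:
            dept = departments.get(user, "unknown")
            severity = "high" if dept in SENSITIVE_DEPARTMENTS else "medium"
            alerts.append({"day": day, "user": user, "department": dept,
                           "severity": severity, "reason": reason})
    return alerts


def run():
    return evaluate(TODAY, build_baselines(HISTORY), DEPARTMENTS)


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] {a['day']} {a['user']} ({a['department']}): {a['reason']}")
```

Two design points matter in practice. The absolute floor keeps a user whose normal volume is near zero from alerting on a few megabytes, which a pure standard-deviation test would flag; and a user with no history is compared against the floor alone and marked "no baseline" rather than ignored, since a new account is exactly where a baseline is missing.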
Or consider the case of a disgruntled employee who loads malicious software in the environment to wreak havoc and steal data. EventTracker recognizes that no changes involving EXE, DLL or INI files should be taking place on production servers without proper change-control procedures being followed. EventTracker maintains detailed snapshots of the system state for the files and registry, and its WhatChanged module identifies that there has been a change in the baseline and generates the appropriate alerts.
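The file side of that snapshot-and-compare approach, as an added Python example (illustration code, not EventTracker's WhatChanged module; registry snapshots are not covered here): a baseline snapshot maps every file under a directory to a content hash, a later snapshot is diffed against it, and changes to executable and configuration files that fall outside an approved change window are raised as alerts. The directory tree, the change window and the timestamps are constructed, built in a temporary directory so the example runs offline.

```python
"""Baseline snapshot of files and detection of changes outside a change window.

Added example for illustration; not EventTracker's WhatChanged module. It
covers files only (registry snapshots are out of scope here). demo() builds a
constructed temporary directory tree so the example runs offline.
"""
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

MONITORED_SUFFIXES = {".exe", ".dll", ".ini"}


def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified


def evaluate(before, after, observed_at, approved_windows):
    """Alert on monitored-file changes observed outside every approved window.

    A change inside a window is still visible through diff_snapshots(); it is
    only not raised as an alert, so the record of what changed is never lost.
    """
    in_window = any(start <= observed_at <= end for start, end in approved_windows)
    alerts = []
    for kind, paths in zip(("added", "removed", "modified"), diff_snapshots(before, after)):
        for p in paths:
            if Path(p).suffix.lower() in MONITORED_SUFFIXES and not in_window:
                alerts.append((kind, p))
    return alerts


def demo():
    """Constructed scenario: a binary is replaced and a DLL dropped at 14:00,
    well outside the approved 22:00 to 02:00 change window."""
    window = [(datetime(2008, 6, 1, 22, 0), datetime(2008, 6, 2, 2, 0))]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "logs").mkdir()
        (root / "app" / "service.exe").write_bytes(b"MZ original build")
        (root / "app" / "config.ini").write_text("[db]\nhost=db01\n")
        (root / "logs" / "app.log").write_text("started\n")
        before = snapshot(root)

        (root / "app" / "service.exe").write_bytes(b"MZ trojaned build")   # modified
        (root / "app" / "evil.dll").write_bytes(b"MZ dropped payload")       # added
        with open(root / "logs" / "app.log", "a") as f:                      # churn, not monitored
            f.write("request handled\n")
        after = snapshot(root)

        return evaluate(before, after, datetime(2008, 6, 3, 14, 0), window)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

The log file changes between snapshots as well, but its suffix is not monitored, so it shows up in the diff without generating an alert; the replaced service.exe and the new evil.dll do.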
LogRhythm is another product that straddles log management and security-event management (SEM). SEM products generally focus on real-time security activity, while log-management products store logs for review or historical reporting; LogRhythm does both. LogRhythm collects log data and metadata from databases and applications, correlates the data, performs real-time anomaly detection, creates data visualization for long-term trending, and provides data mining for forensic analysis.
Because LogRhythm has extended metadata fields that can capture data such as quantities, amounts, sessions, bytes in and bytes out, and file sizes, and because it can collect and analyze database and application-level log data, anomalies that previously would have gone undetected can now form the basis of an early warning of potential insider wrongdoing.
When LogRhythm correlates that metadata with contextual information -- for example, the asset value of the affected host or application, the time of day an event occurred, or the IP range of the originating host -- anomalies within applications, databases and network activity can be identified and alerted on in real time. LogRhythm can be used to pinpoint specific exceptions, such as a transaction greater than a certain dollar amount in a financial application, including when it occurred, who was responsible and which account was modified. Such events can automatically trigger an alert to designated individuals via e-mail, pager, existing management applications or the LogRhythm console.
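The metadata-plus-context correlation described in the two paragraphs above, as an added Python example (illustration code, not LogRhythm's): constructed key=value application log lines are parsed into records with typed extended fields (amount, account, bytes_out), each record is enriched with the host's asset value, a business-hours flag and whether the source address falls in the expected range, and two rules then fire on transactions in a high-value application. The log lines, the asset-value table, the expected address range and the dollar limit are all assumptions made for the example.

```python
"""Extended-metadata extraction and context-enriched alerting.

Added example for illustration; not LogRhythm's code. The log format, the
asset-value table, the expected source range and the dollar limit are all
constructed for the example.
"""
import ipaddress
from datetime import datetime

ASSET_VALUE = {"corebank-01": "high", "intranet-03": "low"}    # constructed asset register
EXPECTED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]        # constructed: branch LAN
BUSINESS_HOURS = (8, 18)                                        # 08:00 to 18:00 local

# Constructed application log lines: ISO timestamp followed by key=value fields.
LOG_LINES = [
    "2008-06-03T10:15:02 host=corebank-01 app=ledger user=teller.alice src=10.20.4.17 "
    "action=transfer account=ACC-4471 amount=2500.00",
    "2008-06-03T10:42:11 host=corebank-01 app=ledger user=teller.bob src=10.20.4.18 "
    "action=transfer account=ACC-9932 amount=48000.00",
    "2008-06-03T23:05:40 host=corebank-01 app=ledger user=ops.carol src=192.168.77.5 "
    "action=transfer account=ACC-1010 amount=900.00",
    "2008-06-03T11:00:00 host=intranet-03 app=wiki user=teller.bob src=10.20.4.18 "
    "action=view bytes_out=3240",
]

# Extended metadata fields that must be typed, not left as strings, so rules can compare them.
NUMERIC = {"amount": float, "bytes_out": int}


def parse(line):
    """Turn one key=value log line into a record with typed metadata fields."""
    ts, _, rest = line.partition(" ")
    rec = {"time": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = NUMERIC.get(key, str)(value)
    return rec


def enrich(rec):
    """Attach context: asset value of the host, time of day, origin of the source address."""
    ip = ipaddress.ip_address(rec["src"])
    rec["asset_value"] = ASSET_VALUE.get(rec["host"], "unknown")
    rec["business_hours"] = BUSINESS_HOURS[0] <= rec["time"].hour < BUSINESS_HOURS[1]
    rec["expected_range"] = any(ip in net for net in EXPECTED_RANGES)
    return rec


def evaluate(records, amount_limit=10_000.0):
    """Rules over enriched records; each alert names who, which account and how much."""
    alerts = []
    for r in records:
        if r.get("action") != "transfer" or r["asset_value"] != "high":
            continue
        if r["amount"] > amount_limit:
            alerts.append(("large_transaction", r["user"], r["account"], r["amount"]))
        if not r["business_hours"] or not r["expected_range"]:
            alerts.append(("off_context_transaction", r["user"], r["account"], r["amount"]))
    return alerts


def run(lines=LOG_LINES):
    return evaluate([enrich(parse(line)) for line in lines])


if __name__ == "__main__":
    for rule, user, account, amount in run():
        print(f"{rule}: {user} on {account} for {amount:,.2f}")
```

Of the constructed lines, teller.bob's 48,000 transfer exceeds the limit, and ops.carol's small transfer is flagged only because of its context: 23:05 and a source address outside the branch range. The wiki view on the low-value host never reaches the rules, which is the point of weighting by asset value.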
It's a sad state of affairs when a company can't trust its own employees, but as the old saying goes, it's better to be safe than sorry. With malicious insider activities on the rise and causing significant losses, it's time to apply technology to keep the good guys honest and the bad guys from getting away with anything.