Skip Links

Products to help detect insider threats

3 products that are well suited to detecting insider threats

IT Best Practices Alert By Linda Musthaler and Brian Musthaler, Network World
July 07, 2008 12:07 AM ET
Sign up for this newsletter now!

The CIO-level business angle on the latest tech

Network World - While insider threats aren’t as prevalent as attacks from outside a network, insiders' malicious activity tends to have far greater consequences. Insiders know precisely where to go to access the most sensitive information, and they often have ready means to carry out malicious actions. One way to detect and protect against such threats is to log, monitor and audit employee online actions. Today we'll look at three products that are well suited to detecting insider threats. (Compare Data Leak Protection products)

In April 2008, PacketMotion released its new PacketSentry 3.0 product. PacketSentry provides a thorough level of detail about what each user is doing on the network, and it presents that information in language business people can understand. Because the data is real-time, it’s possible to identify improper actions and respond immediately.

PacketSentry connects directly to Active Directory so that network activity can be traced to specific users instead of to IP addresses. A probe captures network traffic and merges it with the Active Directory information, creating "user-action records." Rules can be applied to the user-action records to define which activities are out of bounds in a business context. When a rule is being violated, an alert prompts an appropriate response.

For example, suppose a bank teller has full privileges to view customer account balances as part of her job. It would be unusual, however, for the teller to view the balances of hundreds of accounts in one day. This type of activity might indicate she is looking for a target account from which to siphon funds. An administrator can establish a rule to create an alert or other action if the teller views too many accounts in a period of time. PacketMotion calls this "actionable intelligence."

The PacketMotion product comprises two appliance components: the PacketSentry Manager and the PacketSentry Probe. A third component, the PacketSentry Branch Probe, is available for remote-site coverage. The probe component gathers user-activity records, and detects and can enforce policy. The manager component administers policy and collects the user activity data, and generates alerts for analysis. All user activity is captured, analyzed and controlled in real-time.

Along with its comprehensive reporting tools, PacketMotion has a simple, Google-like search feature that provides very quick access to all the records needed to tell what a person did during a particular time frame.

The PacketMotion product allows network security to be managed from a business and identity perspective, rather than by packets and ports. The result provides IT and security organizations comprehensive visibility and control of users and assets.

Prism Microsystems offers a product called EventTracker that focuses on security and compliance via a marriage of traditional log management and change tracking and control. EventTracker's log management has real-time correlation of security threats, as well as alerting and forensic analysis. Change monitoring enables companies to monitor file and registry changes on their critical systems. Together, these capabilities help to prevent losses to both internal and external threats.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News