Top 5 Technologies That Detect Insider Threats

Technology Associated With Education

Every security expert at solution providers serious about maintaining a lengthy relationship with their clients told CRN that technology alone will not adequately mitigate threats. Deploying a security appliance or software without understanding the data assets being protected may give executives peace of mind, but it's not going to prevent an attacker from gaining access to systems containing sensitive data, said J.J. Thompson, managing director and CEO of Rook Security. "The channel may not like to say it, but the key to organic growth is not by selling more appliances," said Thompson, whose business specializes in security risk assessments and managed security services.

Reducing internal threats begins with creating a culture of security, say Thompson and other security experts. It takes a sustained security awareness program. It takes a consistent message from executive leadership that it values data security and that employees must adopt strong security practices for long-term success.

CRN has brought together five technology areas that should be coupled with security training and data identification and classification projects.

5. Database Activity Monitoring

Database activity monitoring is a mature technology that audits database activity logs, tracking the queries and the changes to data, schemas and privileges that could signal a security incident, and in some deployments blocking unauthorized activity outright. Most deployments have been driven by compliance mandates, but organizations are increasingly using database activity monitoring software to reduce the risks posed by internal threats.

Security experts warn that the software requires tuning and proper configuration before it performs its monitoring functions efficiently. Rules can be added to alert on issues unique to the company, but complex rules can bog down performance.

4. Whitelisting

Whitelisting technology works to ensure that only authorized executable code can run on endpoint systems. The software gives system administrators more control over which applications users can install and run.

Some security experts say that maintaining whitelists of authorized programs is difficult to manage, but security vendors point out that the technology has improved, giving administrators the ability to approve the most popular software based on the organization's risk profile.

At a high level, the software can alert on every executable that arrives on an endpoint and bar it from running until it is approved. Security experts say this blocks the payloads that malware drops even when it arrives through an unpatched software vulnerability, although it does not stop code that executes entirely inside an already-approved program or scripting interpreter. The technology also can monitor the underlying system processes for suspicious activity. The latest systems are integrated with network security appliances that have file analysis capabilities to examine suspicious file behavior.

3. Network Flow Analysis

Technologies that monitor network traffic to alert on suspicious activity can help detect internal threats and are increasingly being marketed to help uncover advanced threats. They give network security professionals a view of the corporate data flowing through routers and switches, usually from exported flow records or mirrored traffic rather than from an in-line device. Tools can capture communication between an infected PC and a botnet command-and-control server.

Applying analytics to network traffic also can help detect threats. RSA's NetWitness platform pulls in network data and adds external threat intelligence feeds and analytics to gain insight into network behavior. It competes head on with Solera Networks, acquired this year by Blue Coat Systems, which uses a different engine for data analysis. Both platforms have long been favorites of computer forensics investigators tracing the scope of a security incident during a breach investigation. But the appliances increasingly are being used for near-real-time detection of threats.
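The command-and-control traffic mentioned above is what flow analysis tools look for as beaconing: many small connections from one host to the same destination at nearly regular intervals with nearly constant sizes. The following is an added example written for this article, not code from RSA, Solera or any other product named here; the flow records are constructed, and the thresholds are assumptions that a real deployment would baseline against the network's normal traffic.

```python
"""Beacon detection over flow records (added example, not vendor code).

Flow records below are constructed. Thresholds are assumptions to be
tuned against a baseline of the network's normal traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flows: start time, src, dst, dst port, bytes sent by src.
# 10.1.2.50 checks in roughly every 300 s with ~600-byte requests;
# 10.1.2.51 is ordinary browsing to one site: irregular times, irregular sizes.
FLOWS = """\
2013-06-10T10:00:00,10.1.2.50,203.0.113.77,443,612
2013-06-10T10:05:03,10.1.2.50,203.0.113.77,443,598
2013-06-10T10:09:58,10.1.2.50,203.0.113.77,443,605
2013-06-10T10:15:01,10.1.2.50,203.0.113.77,443,611
2013-06-10T10:20:00,10.1.2.50,203.0.113.77,443,603
2013-06-10T10:24:59,10.1.2.50,203.0.113.77,443,607
2013-06-10T10:00:12,10.1.2.51,198.51.100.20,443,14220
2013-06-10T10:00:40,10.1.2.51,198.51.100.20,443,3380
2013-06-10T10:07:05,10.1.2.51,198.51.100.20,443,90112
2013-06-10T10:19:33,10.1.2.51,198.51.100.20,443,1260
2013-06-10T10:21:02,10.1.2.51,198.51.100.20,443,55090
2013-06-10T10:48:10,10.1.2.51,198.51.100.20,443,7700
"""

MIN_FLOWS = 5           # assumption: need enough samples to judge periodicity
MAX_INTERVAL_CV = 0.10  # assumption: beacons are regular, people are not
MAX_SIZE_CV = 0.20      # assumption: check-ins carry near-constant payloads


def parse_flows(text):
    """Group (timestamp, bytes) records by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def cv(values):
    """Coefficient of variation: population stdev divided by the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows):
    """Return (src, dst, port, period_s, interval_cv, size_cv) for each
    source/destination pair whose timing and sizes are both too regular."""
    hits = []
    for (src, dst, port), records in flows.items():
        if len(records) < MIN_FLOWS:
            continue
        records.sort()
        times = [r[0] for r in records]
        sizes = [r[1] for r in records]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        icv, scv = cv(intervals), cv(sizes)
        if icv <= MAX_INTERVAL_CV and scv <= MAX_SIZE_CV:
            hits.append((src, dst, port, round(mean(intervals)), round(icv, 3), round(scv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(FLOWS)):
        print("possible beacon: %s -> %s:%d every ~%ds (interval cv %.3f, size cv %.3f)" % hit)
```

Attackers add jitter and pad payloads precisely to defeat this kind of test, so the two thresholds trade detection against false positives and should be set from a baseline rather than guessed. The size check is what separates a check-in from a user hammering one site: browsing produces irregular timing and widely varying transfer sizes, while an implant's heartbeat varies in neither.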

2. Security Information Management, Log Analysis

The annual Verizon Data Breach Investigations Report, which analyzes more than 600 data breaches, has consistently advocated that companies not only deploy security information and event management (SIEM) systems but proactively monitor them. The firm's research analysts say that proactive monitoring of system logs could have recognized the vast majority of the threats behind breaches, helping incident responders contain them before data is stolen.

SIEM systems are no magic bullet but, if proactively monitored, they can spot problems much more quickly than relying on a single appliance to spot an intrusion, say solution providers. SIEM systems are designed to pull in log data from a variety of network devices and security software and correlate events across those sources. Some systems combine threat intelligence data with the analytics engine to help spot suspicious activity. By ingesting vulnerability scanner and configuration audit data, a SIEM system also can identify the vulnerabilities and configuration weaknesses that attackers often target.
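As an added illustration of the proactive log monitoring described here, and of the custom rules the database activity monitoring section mentions, the example below normalizes two constructed log sources, a VPN authentication log and a database audit log, and correlates them the way a SIEM rule would. It is example code written for this article, not any vendor's engine; the log formats, the sensitive table names, the business hours and the thresholds are all assumptions.

```python
"""Toy SIEM: normalize two log sources and correlate across them.

Added example, not any product's code. The log lines are constructed;
field layouts, table names, hours and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (syslog-like).
VPN_LOG = """\
2013-06-10T02:11:05 vpn-gw auth user=dsmith result=FAIL src=203.0.113.7
2013-06-10T02:11:19 vpn-gw auth user=dsmith result=FAIL src=203.0.113.7
2013-06-10T02:11:40 vpn-gw auth user=dsmith result=OK src=203.0.113.7
2013-06-10T09:02:13 vpn-gw auth user=ajones result=OK src=198.51.100.4
"""

# Constructed database audit log (CSV: time,user,statement,table,rows).
DB_AUDIT = """\
2013-06-10T02:14:02,dsmith,SELECT,customers,48213
2013-06-10T09:05:44,ajones,SELECT,customers,12
2013-06-10T09:06:10,ajones,UPDATE,orders,1
"""

SENSITIVE_TABLES = {"customers", "payroll"}   # assumption: from data classification
BULK_ROWS = 10000                             # assumption: tuned per environment
BUSINESS_HOURS = range(8, 19)                 # assumption: 08:00-18:59 local
CORRELATION_WINDOW = timedelta(minutes=30)
FAIL_WINDOW = timedelta(minutes=5)

VPN_RE = re.compile(r"^(\S+) vpn-gw auth user=(\w+) result=(OK|FAIL) src=(\S+)$")


def parse_vpn(text):
    """Normalize VPN lines into dicts sharing a schema with the DB events."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # a real SIEM would count and report unparsed lines
        ts, user, result, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": "vpn", "user": user,
                       "action": "login", "result": result, "ip": src})
    return events


def parse_db(text):
    """Normalize database audit rows into the same schema."""
    events = []
    for line in text.splitlines():
        ts, user, stmt, table, rows = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": "db", "user": user,
                       "action": stmt, "table": table, "rows": int(rows)})
    return events


def correlate(events):
    """Apply two rules over the merged, time-ordered stream; return alerts."""
    alerts = []
    recent_fail = defaultdict(list)   # user -> timestamps of recent failures
    off_hours_login = {}              # user -> time of last off-hours success
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] == "vpn":
            if e["result"] == "FAIL":
                recent_fail[e["user"]].append(e["ts"])
                continue
            # Rule 1: success preceded by two or more failures within FAIL_WINDOW.
            fails = [t for t in recent_fail[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(fails) >= 2:
                alerts.append(("MEDIUM", e["user"], "success after %d failed logins" % len(fails)))
            recent_fail[e["user"]].clear()
            if e["ts"].hour not in BUSINESS_HOURS:
                off_hours_login[e["user"]] = e["ts"]
        elif e["src"] == "db" and e["table"] in SENSITIVE_TABLES and e["rows"] >= BULK_ROWS:
            # Rule 2: bulk read of a sensitive table shortly after an off-hours login.
            login = off_hours_login.get(e["user"])
            if login and e["ts"] - login <= CORRELATION_WINDOW:
                alerts.append(("HIGH", e["user"], "bulk read of %s (%d rows) %s after off-hours VPN login"
                               % (e["table"], e["rows"], e["ts"] - login)))
            else:
                alerts.append(("LOW", e["user"], "bulk read of %s (%d rows)" % (e["table"], e["rows"])))
    return alerts


def run():
    return correlate(parse_vpn(VPN_LOG) + parse_db(DB_AUDIT))


if __name__ == "__main__":
    for sev, user, msg in run():
        print(sev, user, msg)
```

Neither event is alarming on its own: an off-hours login may be a traveling employee, and a large query is routine for some accounts. The cross-source correlation is what raises the severity, and it is only possible if both logs are collected into one place and actually watched, which is the report's point.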

1. Data Loss Prevention

Data loss prevention software helps organizations enforce data handling policies and ensure employees handle data securely at the endpoint. It also can discover confidential data and identify its owners, so that exposed data can be secured and leaks stopped.

The software also automates the management of data loss policies. It can monitor outbound email and be set to block messages that potentially contain sensitive data. In addition to personally identifiable information, DLP systems can be tuned to alert on the potential exposure of intellectual property and trade secrets. The software also can prevent employees from copying data onto a flash drive. Cloud-based DLP systems can ensure that data uploaded to authorized Web-based services used by employees is encrypted before it leaves the corporate network.

Security experts recommend that businesses implement DLP in small, incremental stages to avoid disrupting end users. Businesses can start with a single egress point, such as email, running in monitor-only mode before any blocking is turned on, and policies should be kept to a minimum to avoid a flood of alerts.
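The content-inspection rules behind the kind of email policy described above, as an added example written for this article rather than any DLP product's code: the outbound message is constructed, and the patterns, validation rules and block threshold are assumptions that a real deployment would tune during the monitor-only phase.

```python
"""Outbound-mail DLP content inspection (added example, not vendor code).

The message is constructed; patterns and thresholds are assumptions.
"""
import re

# Constructed outbound message with customer records pasted into the body.
OUTBOUND_MSG = """\
From: dsmith@example.com
To: personal.mailbox@example.net
Subject: FW: customer export

Here is the list you asked for.
Alice Example, SSN 219-09-9999, card 4111 1111 1111 1111
Bob Example, SSN 078-05-1120, card 5500-0000-0000-0004
Order ref 123-45-6789X is not a real SSN match (trailing letter).
"""

# Candidate patterns; both are deliberately loose and validated afterwards.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?![\dA-Za-z])")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs so formatted IDs don't trip the rule."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits):
    """Luhn checksum: filters phone numbers and order IDs out of card candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return (type, redacted_value) findings; values are redacted before logging
    so the DLP alert log does not itself become a copy of the sensitive data."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# One policy for one egress point, following the incremental-rollout advice.
ALERT_THRESHOLD = 1   # assumption: any PII leaving by mail is at least logged
BLOCK_THRESHOLD = 3   # assumption: several records at once looks like an export


def decide(findings):
    """Map findings to the policy action for this message."""
    n = len(findings)
    if n >= BLOCK_THRESHOLD:
        return "BLOCK"
    if n >= ALERT_THRESHOLD:
        return "ALERT"
    return "ALLOW"


if __name__ == "__main__":
    found = scan_message(OUTBOUND_MSG)
    for kind, value in found:
        print(kind, value)
    print("action:", decide(found))
```

Validating every candidate match, with structural rules for SSNs and the Luhn check for card numbers, is what keeps a single policy from producing the alert flood the experts warn about; a bare nine-digit pattern would have flagged the order reference too. Blocking only above a count threshold lets one customer's details in a support reply through with an alert while stopping a pasted export.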