2020-12-17T10:14:00Z

Looking for recommendations and a pros/cons template for software to detect insider threats

KK

5 Answers

XS
Real User
Top 20 Leaderboard
2020-12-23T11:19:16Z
Dec 23, 2020

I would suggest statistical methods (including machine learning): First, outlier detection. Then, approaches like “Association rules” (=not statistics to explain all the variance in a dataset but to find out tiny observations): for instance, they are useful for DNA prediction of diseases (one or two SNPs among millions of them), a forensic task.


When fraudsters know a tool (a template, a program), the solution is no longer valid. Research is the answer (research software rather than “production” software like in accountability). I mean, research as a step beyond production (only useful in the short term).

GJ
MSP
Top 10
2020-12-23T13:11:29Z
Dec 23, 2020

This is an inside-out --- outside-in --- inside-in question, as an insider can be an outsider as well. There is no short answer other than a blend of a PAM tool with Behavioral Analytics and Endpoint Management, to protect credentials, govern activities, and detect abnormal activities.


I have about 40 questions I would ask before spitting out a single solution. Without knowing more about your environment I would be slow to start throwing possible solutions, as this will take you days to sort out the differing capabilities and features. You can start by looking at the Gartner Quadrants for PAM tools like BeyondTrust, CyberArk, Centrify, Thycotic, MicroFocus and others. If you spear your specific requirements you may miss bigger threats in your circumference, so use a net, and remedy the surrounding threats in this process.

KS
Real User
2020-12-26T18:22:20Z
Dec 26, 2020

You'd need to break out better what you consider to be the types of insider threats. There is fraud, which is very different in an application system from insider activity that may be simply malicious or that results in data loss. You need to identify a baseline of normal activity for each user across files, network, user behavior and the endpoint; correlate abnormal behaviour and lean false positives; that is what your software and/or the CyOps team supporting you must do.


Doing that begins to give you some use cases that you can then test to determine if they are important to you and can be supported by your choice(s) of solutions. There may not be one, there may be layers needed, but depending on your choice you may be able to get more in one than with other options. Feel free to contact me off list (LinkedIn) if you'd like a matrix that could be used in a product comparison.
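As an added example that is not code from any of the answers above, the approach Xavier describes (statistical outlier detection) and the one KS describes (a baseline of normal activity per user, then correlating abnormal behaviour) can be prototyped as a per-user baseline scored with a robust z-score. The user names, the daily file-access counts and the 3.5 cutoff are constructed assumptions for the demonstration; the scoring uses a median/MAD modified z-score rather than mean/stdev so a single extreme day cannot inflate its own baseline.

```python
"""Per-user activity baseline with robust outlier scoring.

Added example (not from the original thread): builds a per-user baseline of
daily file-access counts from a training window, then scores later days with a
MAD-based modified z-score, so one extreme day does not distort the baseline
the way a mean/stdev baseline would.
"""
from statistics import mean, median

# Constructed sample audit summaries (assumption): daily file-access counts
# per user. Days 1-10 form the training window; the OBSERVED rows are the
# days being checked against that baseline.
TRAINING = {
    "alice": [20, 22, 19, 21, 20, 23, 18, 22, 20, 21],
    "bob":   [5, 6, 5, 7, 5, 6, 5, 6, 5, 6],
    "carol": [0] * 10,  # service account that never touches files
}
OBSERVED = [
    ("alice", 11, 24),   # slightly busy day, should not fire
    ("alice", 12, 400),  # mass file access, should fire
    ("bob",   11, 6),    # ordinary day
    ("carol", 11, 3),    # any activity from a zero-baseline account is notable
]

THRESHOLD = 3.5  # conventional cutoff for modified z-scores (Iglewicz & Hoaglin)


def build_baseline(values):
    """Return (median, MAD) for one user's training values."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def robust_z(x, med, mad, values):
    """Modified z-score of x against a (median, MAD) baseline.

    0.6745 rescales MAD to a stdev-equivalent for normally distributed data.
    Edge case: when more than half the training values are identical MAD is 0,
    so fall back to the mean absolute deviation (scaled by 1.253314); if that
    is also 0 the user never varied at all, and any deviation from the median
    is unprecedented, which we score as infinite.
    """
    if mad > 0:
        return 0.6745 * (x - med) / mad
    mean_ad = mean(abs(v - med) for v in values)
    if mean_ad > 0:
        return (x - med) / (1.253314 * mean_ad)
    return 0.0 if x == med else float("inf")


def detect_outliers(training, observed, threshold=THRESHOLD):
    """Return [(user, day, value, score)] for observed days beyond the threshold."""
    baselines = {user: build_baseline(vals) for user, vals in training.items()}
    flagged = []
    for user, day, value in observed:
        if user not in baselines:
            # No history at all: surface it for triage rather than skip silently.
            flagged.append((user, day, value, float("inf")))
            continue
        med, mad = baselines[user]
        score = robust_z(value, med, mad, training[user])
        if abs(score) > threshold:
            flagged.append((user, day, value, round(score, 2)))
    return flagged


if __name__ == "__main__":
    for row in detect_outliers(TRAINING, OBSERVED):
        print("ALERT user=%s day=%d files=%d score=%s" % row)
```

Run as a script it prints one alert for alice on day 12 and one for carol on day 11; alice's day-11 count of 24 scores about 2.4 against her median of 20.5 and MAD of 1.0, so it stays quiet. The carol case shows why the MAD-zero fallback matters: a mean/stdev baseline would divide by zero, and silently dropping such accounts would hide exactly the low-activity service identities that KS's "baseline per user" point is meant to cover.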

NF
Real User
Top 20
2020-12-30T18:03:49Z
Dec 30, 2020

Hello All,

I hope you had a merry Christmas.

In this case it is as simple as it is.
Just take Proofpoint ObserveIT - many companies in the public and financial sector have been using it for years.
By the way, it has GDPR conformity, that's especially interesting if you want to go for the EU or California.
It's easy to install, easy to administer, and comes with a huge number of use cases. So the need for customizing is reduced to minimum. It prevents, detects, alerts and tracks all inputs with a minimum of storage needed.

A few steps:
Phase 1: define the architecture and monitor all high-privileged users with the default setup. Then work with Proofpoint or local support to define gaps and customize use cases (only a few days).

Phase 2: roll out to the next group of users, and so on.

I apologize for this non-technical answer, but sometimes it really is this simple.
You don't need to invent the wheel a second time :)

Would like to wish everyone here a Happy New Year this way.
Please stay healthy


Best Regards


Norman

JF
Real User
2020-12-25T17:22:57Z
Dec 25, 2020

In addition to responses from Xavier Suriol and reviewer1324719, also consider ObserveIT from Proofpoint.
