icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Insider Threat Report

by David Schwalenberg
November 8, 2016

Insiders are those users – be they employees, contractors, or partners – that already have access to the organization's network and resources. The threat is that these insiders may either accidentally or intentionally do something to harm the network, compromise resources, or leak private data. Insider threats are different from external security threats in that they come from what would normally be considered a "trusted source". Organizations trying to detect these threats face the challenge not only of differentiating attacks from "normal" traffic, but also of ensuring that security analysts and system administrators are not inundated with false positives from users performing legitimate tasks.

Identifying and combating the insider threat is difficult to do solely through technical means. Much of current network security is focused on keeping attackers out, not dealing with the people already inside making mistakes or acting maliciously. For example, perimeter defenses such as firewalls and intrusion detection systems will not stop malicious insiders already inside the network. The best an organization can usually do is to train their employees in security, keep them happy, and monitor for suspicious and anomalous activity.

This report brings together passive listening and host analysis to assist with monitoring users on the network. Potential suspicious activity is noted, as well as the top users engaging in activity of interest. Login activity by user and users per host is also presented. In these latter two cases, potentially suspicious activity is included on a per user and per host basis, in order to assist an analyst in connecting users to questionable activity and thus identifying insider threats.

Note that this report does not provide definite detections of insider threats, but only potential indicators and information that will need to be manually reviewed. The analyst can use this information to combat insider threats by verifying whether users are authorized to have a presence on the systems they are on, and whether they are authorized to access the resources and perform the actions that they are doing. This report can be modified as necessary to accurately reflect organizational requirements.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring.

The report requirements are:

  • SecurityCenter 5.4
  • Nessus 6.9.0
  • PVS 5.1.0
  • LCE 4.8.1
  • Tenable Network Monitor
  • Tenable NetFlow Monitor

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution, and can assist an organization in knowing, managing, and securing the network. Active scanning periodically examines devices to determine vulnerabilities and compliance concerns. Agent scanning enables detection and scanning of transient devices. Passive listening collects data to continuously detect devices and monitor network connections and activity. Host data and data from other security investments is collected and analyzed to monitor activity, identify new assets, and detect anomalies and malicious behavior. SecurityCenter CV provides an organization with the most comprehensive view of the network, and the intelligence needed to safeguard critical assets and sensitive data.

Chapters

Executive Summary - This report assists with monitoring users on the network and combating the insider threat. The executive summary gives a brief overview of the information presented in the report.

Suspicious Activity - This chapter presents information on activity that has occurred on the network that may indicate an insider threat. This activity includes suspicious login attempts, spikes in logins or access events, intrusion events, and data leakage events. The information can alert analysts to potentially suspicious insider activity that should be further investigated.

Top Users - This chapter presents several lists of top users in various event categories that may assist in detecting insider activity. This includes users that are most active, users with the most file access and access denied events, and users doing potentially suspicious things. Analysts can use this information to determine if unauthorized users are on the network, or if any users are performing unauthorized activity.

Activity by User - This chapter presents recent login activity for each user detected on the network. Additional information presented per user includes recent file access and access denied events, and other events of interest. Analysts can use this information to determine if detected user logins and other user activity is authorized.

Users Discovered per IP Address - This chapter presents the users discovered per host IP address. Additional information presented for each host includes vulnerability detections of interest and detections of internal and external host connections. Analysts can use this information to verify that only authorized users are accessing machines and whether users may have the ability to inappropriately transfer data using the machines.