
Insider Threat Report

by David Schwalenberg
November 8, 2016


Insiders are those users – be they employees, contractors, or partners – who already have access to the organization's network and resources. The threat is that these insiders may, either accidentally or intentionally, harm the network, compromise resources, or leak private data. Insider threats differ from external threats in that they come from what would normally be considered a "trusted source". Organizations trying to detect these threats face the challenge not only of differentiating attacks from "normal" traffic, but also of ensuring that security analysts and system administrators are not inundated with false positives from users performing legitimate tasks.

Identifying and combating the insider threat is difficult to do solely through technical means. Much of current network security is focused on keeping attackers out, not on dealing with the people already inside who make mistakes or act maliciously. For example, perimeter defenses such as firewalls and intrusion detection systems will not stop malicious insiders who are already inside the network. The best an organization can usually do is to train its employees in security, keep them happy, and monitor for suspicious and anomalous activity.

This report brings together passive listening and host analysis to assist with monitoring users on the network. Potentially suspicious activity is noted, as well as the top users engaging in activity of interest. Login activity by user and users per host are also presented. In these latter two cases, potentially suspicious activity is included on a per-user and per-host basis, to assist an analyst in connecting users to questionable activity and thus identifying insider threats.

Note that this report does not provide definitive detections of insider threats, only potential indicators and information that will need to be manually reviewed. The analyst can use this information to combat insider threats by verifying whether users are authorized to have a presence on the systems they are on, and whether they are authorized to access the resources and perform the actions that they are doing. This report can be modified as necessary to accurately reflect organizational requirements.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring.

The report requirements are:

  • SecurityCenter 5.4
  • Nessus 6.9.0
  • PVS 5.1.0
  • LCE 4.8.1
  • Tenable Network Monitor
  • Tenable NetFlow Monitor

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution, and can assist an organization in knowing, managing, and securing the network. Active scanning periodically examines devices to determine vulnerabilities and compliance concerns. Agent scanning enables detection and scanning of transient devices. Passive listening collects data to continuously detect devices and monitor network connections and activity. Host data and data from other security investments are collected and analyzed to monitor activity, identify new assets, and detect anomalies and malicious behavior. SecurityCenter CV provides an organization with the most comprehensive view of the network, and the intelligence needed to safeguard critical assets and sensitive data.

Chapters

Executive Summary - This report assists with monitoring users on the network and combating the insider threat. The executive summary gives a brief overview of the information presented in the report.

Suspicious Activity - This chapter presents information on activity that has occurred on the network that may indicate an insider threat. This activity includes suspicious login attempts, spikes in logins or access events, intrusion events, and data leakage events. The information can alert analysts to potentially suspicious insider activity that should be further investigated.

Top Users - This chapter presents several lists of top users in various event categories that may assist in detecting insider activity. This includes users that are most active, users with the most file access and access denied events, and users doing potentially suspicious things. Analysts can use this information to determine if unauthorized users are on the network, or if any users are performing unauthorized activity.

Activity by User - This chapter presents recent login activity for each user detected on the network. Additional information presented per user includes recent file access and access denied events, and other events of interest. Analysts can use this information to determine if detected user logins and other user activity are authorized.

Users Discovered per IP Address - This chapter presents the users discovered per host IP address. Additional information presented for each host includes vulnerability detections of interest and detections of internal and external host connections. Analysts can use this information to verify that only authorized users are accessing machines and whether users may have the ability to inappropriately transfer data using the machines.
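The correlation these chapters describe (spikes in logins or access events, top users per event category, users seen per host) can be sketched in a few dozen lines. The following is an added example written for this page, not code from Tenable or from the report itself. It runs over a handful of constructed log lines in an assumed "timestamp host user event" format (LCE normalizes events differently), flags per-user hourly spikes against that user's own baseline, lists the top users for each event type, and maps users to the hosts they were seen on. The thresholds (`factor`, `min_count`) and the event names are assumptions that would need tuning against real event volumes.

```python
"""Insider-threat triage over constructed login and file-access events.

Added example for this page, not Tenable's code: the real report is built
from LCE event data, while this script works over constructed log lines in
an assumed "timestamp host user event" format so that the correlation steps
(spikes, top users, users per host) can be followed end to end.  Thresholds
are assumptions and need tuning to real volumes.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events (not real data).  carol works normally in the
# morning, then at 12:00 fails to log in five times, gets in, hits three
# access-denied errors and touches eight files in a minute; alice, who
# normally only uses fs01, also appears on db02.
SAMPLE_LOG = """\
2016-11-08T09:00:00 fs01 alice login_success
2016-11-08T09:01:00 fs01 alice file_access
2016-11-08T09:02:00 fs01 alice file_access
2016-11-08T09:05:00 db02 bob login_success
2016-11-08T09:06:00 db02 bob file_access
2016-11-08T09:07:00 db02 bob access_denied
2016-11-08T09:30:00 db02 carol login_success
2016-11-08T09:31:00 db02 carol file_access
2016-11-08T10:01:00 fs01 alice file_access
2016-11-08T10:30:00 db02 carol file_access
2016-11-08T11:02:00 fs01 alice file_access
2016-11-08T12:00:00 db02 carol login_failure
2016-11-08T12:00:05 db02 carol login_failure
2016-11-08T12:00:10 db02 carol login_failure
2016-11-08T12:00:15 db02 carol login_failure
2016-11-08T12:00:20 db02 carol login_failure
2016-11-08T12:00:25 db02 carol login_success
2016-11-08T12:01:00 db02 carol access_denied
2016-11-08T12:01:30 db02 carol access_denied
2016-11-08T12:02:00 db02 carol access_denied
2016-11-08T12:03:00 db02 carol file_access
2016-11-08T12:03:10 db02 carol file_access
2016-11-08T12:03:20 db02 carol file_access
2016-11-08T12:03:30 db02 carol file_access
2016-11-08T12:03:40 db02 carol file_access
2016-11-08T12:03:50 db02 carol file_access
2016-11-08T12:04:00 db02 carol file_access
2016-11-08T12:04:10 db02 carol file_access
2016-11-08T12:30:00 db02 alice login_success
"""


def parse_events(text):
    """Parse 'timestamp host user event' lines (assumed format) into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "host": host, "user": user, "event": event})
    return events


def top_users(events, event_type, n=5):
    """Top n users by count of one event type, as (user, count) pairs."""
    counts = Counter(e["user"] for e in events if e["event"] == event_type)
    return counts.most_common(n)


def users_per_host(events):
    """Sorted list of distinct users seen on each host."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["user"])
    return {host: sorted(users) for host, users in sorted(seen.items())}


def hourly_spikes(events, event_type, factor=3.0, min_count=5):
    """Flag (user, hour, count, baseline) where a user's hourly count of
    event_type reaches min_count and exceeds factor times that user's mean
    count over the other hours they were active.  A user with no other
    active hours has no baseline (0.0), so any hour reaching min_count is
    flagged; that is the first-burst case analysts must review by hand."""
    per_user = defaultdict(Counter)
    for e in events:
        if e["event"] == event_type:
            per_user[e["user"]][e["ts"].strftime("%Y-%m-%dT%H")] += 1
    spikes = []
    for user, hours in per_user.items():
        for hour, count in hours.items():
            others = [c for h, c in hours.items() if h != hour]
            baseline = float(mean(others)) if others else 0.0
            if count >= min_count and (not others or count > factor * baseline):
                spikes.append((user, hour, count, baseline))
    return sorted(spikes)


def triage(log_text):
    """Assemble the sections an analyst would review, in report order."""
    events = parse_events(log_text)
    return {
        "login_failure_spikes": hourly_spikes(events, "login_failure"),
        "file_access_spikes": hourly_spikes(events, "file_access"),
        "top_file_access": top_users(events, "file_access", 3),
        "top_access_denied": top_users(events, "access_denied", 3),
        "users_per_host": users_per_host(events),
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(section, rows)
```

Two design points carry over to the real report. The spike check compares a user against their own history rather than a global threshold, which is what keeps a heavy but consistent user (alice here) out of the findings; a user with no history, or a burst of an event type the user has never generated before, has no baseline and is flagged on count alone, and that case is the main source of the false positives the introduction warns about, so `min_count` should be set from observed volumes. The users-per-host view is deliberately a plain inventory with no scoring: whether alice belongs on db02 is an authorization question only the organization can answer, which is why the report presents it for manual review.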
