How to Spot Insider Threats Before They Wreak Havoc
Attackers are already inside, whether you know it or not. In fact,
according to the Cyber Security Intelligence Index, insider threats
represent 60 percent of all attacks. How quickly can you spot and block
an employee or contractor who is misusing their privileges? What about
an intruder using compromised credentials gleaned from a phishing
attack? Or ransomware that’s steadily encrypting your valuable files? As
the minutes tick by, your risk of a costly data breach skyrockets. How
costly? Well, the Ponemon 2017 Cost of Data Breach Study pegs the
average cost of a breach at a whopping $3.62 million.
There are many solutions on the market that claim to help. But most of
them follow a simple rule-based approach that drowns you in a flood
of (mostly false) alarms that you have no hope of investigating. For
example, in an effort to spot brute-force attacks, they’ll alert you every
time any user enters an incorrect password seven times in a row, even
though most of those incidents are insufficiently caffeinated (or overly
caffeinated) employees making typing errors or folks just back from
vacation and unable to remember their credentials. To home in on the
true threats, a solution needs to take into account the broader context of
a user’s normal behavior and the current sequence of actions, not just an
isolated event.
Change Auditor Threat Detection
Change Auditor Threat Detection is different. It uses machine learning and
user and entity behavioral analytics (UEBA) to pluck out the activity truly
indicative of a rogue user or compromised account from the vast sea of audit
data. Then it shows you the most suspicious users and alerts so you can
respond quickly and efficiently. Specifically, the solution establishes a
baseline of each user’s normal behavior — their usual logon times, what
folders and files they typically access, the types of changes they make to
Active Directory (AD), and so on. Then it uses unsupervised machine learning,
user behavior analytics, SMART correlation and an array of predefined threat
indicators to analyze subsequent user activity in real time and spot the
true threats.
For example, in one actual 7,000-user environment, over a 45-day period, the
solution distilled 46 million raw events down into just 42 risky users (see
Figure 1).
This ebook describes nine of the most important patterns of suspicious
behavior that Change Auditor Threat Detection can alert you to:
1. Abnormal AD activity
2. Brute-force attack
3. Snooping user
4. Data exfiltration or destruction
5. Privilege elevation
6. Scripted use of privileged account
7. Abnormal system access
8. Malware
9. Lateral movement
Figure 1. Change Auditor Threat Detection distills the vast sea of audit data
down to a manageable number of SMART alerts and highlights the riskiest users
in your environment.
46 million raw events -> 443 threat indicators -> 55 SMART alerts -> 42 risky users
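The contrast the text draws between a fixed "seven failures in a row" rule and a check that weighs the same burst against the user's own baseline (usual logon hours, typical failure rate), worked through in Python as an added example. This is not Change Auditor code: the audit-event shape, the thresholds, the two users and their histories are all constructed assumptions for the illustration.

```python
"""Added example: threshold rule versus baseline-aware check for failed-logon
bursts. Not Change Auditor code; log format, thresholds and data are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 7  # assumed: the "seven in a row" rule from the text
BURST_MULTIPLIER = 3   # assumed: how far above a user's own worst day is abnormal


def build_history():
    """Constructed 20-day history of (timestamp, user, outcome) logon events."""
    events = []
    start = datetime(2017, 10, 2)  # a Monday
    for day in range(20):
        date = start + timedelta(days=day)
        if date.weekday() >= 5:  # skip weekends
            continue
        # alice works 08:00-18:00 and mistypes her password four times a day
        for hour in range(8, 19):
            events.append((date.replace(hour=hour), "alice", "success"))
        for _ in range(4):
            events.append((date.replace(hour=8, minute=5), "alice", "failure"))
        # bob works 09:00-17:00 and mistypes roughly once a week
        for hour in range(9, 18):
            events.append((date.replace(hour=hour), "bob", "success"))
        if day % 7 == 0:
            events.append((date.replace(hour=9, minute=1), "bob", "failure"))
    return events


def build_baseline(history):
    """Per-user baseline: hours the user normally logs on, and the most
    failed logons seen on any single day of their history."""
    hours = defaultdict(set)
    daily_failures = defaultdict(lambda: defaultdict(int))
    for ts, user, outcome in history:
        if outcome == "success":
            hours[user].add(ts.hour)
        else:
            daily_failures[user][ts.date()] += 1
    baseline = {}
    for user in set(hours) | set(daily_failures):
        worst_day = max(daily_failures[user].values(), default=0)
        baseline[user] = {"hours": hours[user], "max_daily_failures": worst_day}
    return baseline


def find_bursts(events, threshold=FAILURE_THRESHOLD):
    """Runs of consecutive failed logons per user that reach the threshold.
    Returns (user, start_time, length) for each run."""
    per_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        per_user[user].append((ts, outcome))
    bursts = []
    for user, seq in per_user.items():
        start, length = None, 0
        for ts, outcome in seq + [(None, "success")]:  # sentinel closes a run
            if outcome == "failure":
                start = start or ts
                length += 1
            else:
                if length >= threshold:
                    bursts.append((user, start, length))
                start, length = None, 0
    return bursts


def naive_alerts(events):
    """Rule-based approach: every burst over the threshold is an alert."""
    return [user for user, _, _ in find_bursts(events)]


def contextual_alerts(events, baseline):
    """Alert only when the burst is abnormal for that user: outside the hours
    they normally log on, or far above their own worst day. A user with no
    baseline always alerts, since nothing says the burst is normal for them."""
    alerts = []
    for user, start, length in find_bursts(events):
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if start.hour not in profile["hours"]:
                reasons.append(f"burst at {start.hour:02d}:00 outside usual logon hours")
            if length > BURST_MULTIPLIER * max(profile["max_daily_failures"], 1):
                reasons.append(f"{length} failures vs worst day of {profile['max_daily_failures']}")
        if reasons:
            alerts.append((user, reasons))
    return alerts


def sample_events():
    """Constructed events for the day under analysis (not real audit data)."""
    day = datetime(2017, 10, 30)
    events = []
    # alice, back from vacation, fails seven times at 09:00 and then gets in
    for m in range(7):
        events.append((day.replace(hour=9, minute=m), "alice", "failure"))
    events.append((day.replace(hour=9, minute=8), "alice", "success"))
    # bob's account: seven failures at 02:30, then a success
    for m in range(30, 37):
        events.append((day.replace(hour=2, minute=m), "bob", "failure"))
    events.append((day.replace(hour=2, minute=40), "bob", "success"))
    return events


if __name__ == "__main__":
    baseline = build_baseline(build_history())
    print("naive:", naive_alerts(sample_events()))
    print("contextual:", contextual_alerts(sample_events(), baseline))
```

Both users trip the naive rule; only bob's burst trips the contextual check, because it falls outside his usual hours and far exceeds his own worst day, while alice's seven typos at 09:00 look like her ordinary Monday. The two reasons attached to bob's alert are the kind of context an analyst needs to triage quickly.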
Change Auditor Threat Detection identifies suspicious
activity indicative of rogue users or compromised accounts —
without drowning you in a sea of alerts.