This e-book describes a new – and important – way
of looking at the greatest source of IT risk in your organization.
According to The 2015 Insider Threat Spotlight Report, 62 percent
of security professionals say insider threats have become more
frequent in the last 12 months (June, 2015). Insider threats are
greater than ever before, and must be evaluated – and
mitigated – by looking at the intersection of three
business-critical elements found in every organization:
people, activities and applications.
The People Threat
Users can make mistakes, be targeted by hackers and even deliberately cause
harm. Because they are granted access to sensitive data and systems, people
represent the greatest insider threat. It is critical to understand the various
types of users within your organization and the risk profiles of each.
Organizations should consider three categories of people:
External vendors – Many of the high-profile breaches of the past
year (including Home Depot and Target) were perpetrated using a
third party’s stolen login credentials.
Privileged users – The crippling cyber-attack at Sony has been traced
to the stolen credentials of a systems administrator.
Application users – A 30-year-old rookie financial advisor at Morgan
Stanley abused his access privileges to steal data on 350,000 Morgan
Stanley wealth management clients and post some of it to the
Internet.
Perhaps surprisingly, regular business users, not administrators, pose
the greatest data breach risk to most organizations. Recent research shows
this empirically; for example, the 2014 IBM/Ponemon Cost of Data Breach
report indicates that 84% of internal data breaches come from regular
business user accounts with no administrator privileges. The most important
factor explaining this reality is the fact that business users outnumber IT
administrators by 20:1 in the average large organization (source: Gartner 2013
Key IT Metrics Report). The sheer number of business users, their volume of
activity and their necessary access to critical/sensitive applications and data
combine to form a far greater overall risk to the organization.
Clearly, it is vital to profile the risk presented by each category of user, and
to implement solutions to mitigate these risks.
“Regular business users, not administrators, pose the greatest data breach risk to most organizations.”
The Activity Threat
Human activity is the most common threat vector; whether by negligence, carelessness or malicious intent,
employees and contractors alike can do things that threaten a company’s data and systems. It is extremely difficult
to identify unauthorized activity among authorized users, given the large number of actions performed every day
by all types of users. However, when organizations fail to notice abnormal activity patterns in the context of IT and
business user actions, both hackers and internal malicious users are able to steal, leak or destroy valuable data.
Examples of IT administrator activities that can affect the security of an organization include:
Making changes to configuration files that can cause systems to fail
Creating unauthorized local or remote access accounts (e.g., VPN or SSH)
Escalating privileges on Unix/Linux machines using sudo
Changing the administrator or root password
Using admin credentials on one machine to “leapfrog” to a more restricted machine
Installing “backdoors” to enable later penetration
Running malicious code that causes denial of service (DoS) to critical services
Tampering with data by intentionally modifying data or code
Examples of business user activities that can lead to insider threats:
Running a report in an application that exports a huge amount of sensitive data
“Innocently” uploading sensitive data to a third-party cloud application, exposing it in various ways
Deliberately sharing sensitive data with others via email, cloud application, thumb drive, etc.
Installing a remote desktop application to work from home, thus opening a remote back door into the network
Responding to a phishing email, thus granting network access to a hacker
Visiting unauthorized websites that could install malware on the network
The Application Threat
“Many mission-critical business applications also present significant data breach risk.”
The applications used by employees and contractors are, themselves, a great
source of risk. While most applications are necessary for business functions, some
have no place in the organization and can lead to insider threats. Examples of
applications which may not be required include consumer cloud sharing, screen
capture, desktop sharing, file transfer (FTP), and peer-to-peer
file sharing (torrents).
However, many of the mission-critical business applications in use also
present significant data breach risk. Examples of these include financial/billing,
point-of-sale, patient records, CRM, call center, claims processing and portfolio
management systems. While obviously necessary for conducting business, business
users can potentially abuse these applications (accidentally or intentionally) to
expose huge amounts of sensitive data.
Here are examples of specific mission-critical applications (other than email),
common in many organizations, which may represent significant risk to the
organization:
CONTACT/CALL CENTER: Avaya, Siebel (Oracle), Pegasystems, Amdocs, Unify
FINANCIAL SYSTEMS: NetSuite, Hyperion (Oracle), Intacct
WORKFORCE MANAGEMENT: Workforce Central (Kronos), Workday, PeopleSoft
CRM: Salesforce.com, Microsoft Dynamics, SAP, Siebel (Oracle), IBM
ERP: SAP, Microsoft Dynamics, E-Business Suite (Oracle), Epicor
DAM (digital asset management): NetXposure, Canto, FotoWare, Adgistics, SDL
Industry-specific mission-critical applications include:
INSURANCE. Products: Stone River, Guidewire, Duck Creek. Application types: Claims Processing, Broker Management, Quote Generation, Online Quoting
INVESTMENT MANAGEMENT. Products: Bloomberg Chat, ICAP, Reuters. Application types: Investment Management, Portfolio Management, FX Trading Platform
RETAIL BANKING. Application types: Internet Banking, Branch Banking, Loan Origination, Cash Management, Electronic Funds Transfer (EFT), Branch Management, Fraud Management
TELCO. Products: Amdocs, Documentum, Ericsson, Comverse. Application types: Billing, Provisioning, Service, Order Management, Customer Management, Content Management
ENERGY. Products: Maximo (IBM), Ventyx, Invensys (Schneider Electric), IFS, Gilbarco. Application types: Metering, Billing, Repair & Operations, Process Control, Quick Quote
HEALTHCARE. Products: Cerner, EPIC, Meditech, Allscripts. Application types: Patient Administration (Transfer, Discharge), Electronic Medical Records (EMR), Call Center
MEDIA. Products: Documentum, Fatwire (Oracle), Vignette (OpenText), MediaSilo, Filecamp. Application types: Billing, Content Management, Streaming
TECHNOLOGY/SERVICES. Application types: Customer Support & Service, SaaS Offerings
MANUFACTURING/SUPPLIERS. Products: SAP, Microsoft Dynamics, Oracle (E-Business Suite), JDA, Ariba, Manhattan Associates, OpenText. Application types: Supply Chain Management, Inventory, Billing, Digital Asset Management, Enterprise Resource Planning (ERP), Manufacturing Execution System (MES)
RETAIL. Products: Hybris (SAP), Demandware, JDA, MICROS, Verifone. Application types: Point-of-Sale (POS), eCommerce, Supply Chain Management, Store Management, Inventory Management, Order Management, Billing
LEGAL/LAW FIRMS. Products: CounselLink, Advologix, Clio. Application types: Practice & Case Management
[Figure: Contractors, IT Users and Business Users; Firewall, IDS, IAM and SIEM; Apps, Systems and Data]
Why are Organizations so Vulnerable?
Organizations have spent years implementing systems designed to secure their back-end servers and
databases, including firewalls, virtual private networks (VPN), intrusion detection systems (IDS), identity and
access management (IAM) and database activity monitoring (DAM). These solutions collect a vast quantity of
system and infrastructure log data in order to monitor the systems and report on what is going on. In most
cases, the data coming from all these systems is fed into a security information and event management (SIEM)
solution which correlates it all and tries to identify situations in which everything may not be safe and
secure.
The big problem with this current state of affairs is that the users – IT administrators,
external contractors and everyday business users alike – have direct access to the
organization’s most valuable digital assets via the applications they use. Of course
they do – they need to do their jobs! These users and applications are already inside
the security perimeter, rendering firewalls, IDS and SIEM systems effectively useless if
the authorized users (or unauthorized users who have stolen account credentials) end up
stealing data, vandalizing systems or even leaking data unintentionally.
In other words: while IT security teams spend most or all of their IT security budgets
on securing their back-end servers and databases, they are ignoring the dangers
inherent with what users are doing via the front ends of the applications to which
they have access.
The key point is this: Once users log in to the business-critical applications that grant
access to the company’s sensitive data, most organizations have no idea what users
are actually doing. This is a massive gap in the security posture of most organizations.
“Once users log in to the business-critical applications that grant access to the company’s sensitive data, most organizations have no idea what users are actually doing.”
The Solution: User Activity Monitoring
In order to fully protect their organizations, those responsible for IT security must
immediately begin shifting a significant percentage of their budgets to securing the
potentially toxic user-activity-application combination. The best way to do this is to
monitor the front ends of the applications being used, and the user activity
performed within them.
User Activity Monitoring is a comprehensive, user-focused security solution
that provides the required insight into exactly what every user is doing on the
organization’s network. This type of solution enables security administrators to
immediately detect dangerous, unauthorized and out-of-policy user activity – and
to stop it in its tracks. These solutions also give administrators the ability to quickly
and accurately determine, after the fact, exactly who did what, when and how with
sensitive data, systems and applications.
User Behavior Analytics
The most powerful way that User Activity Monitoring solutions help to secure
a company’s data and systems is by automatically and continuously profiling
the behavior of every user. After initially profiling the typical, expected behavior
of each type of user (and even individual users), these systems are able to
automatically detect behavioral anomalies that may indicate negligent or
fraudulent activities. This is not unlike the financial fraud detection systems
in place at most financial institutions.
For example, if a hacker gains access to a login account, the behavior will look
very different from that of the real business or IT user who normally logs in with that
account. Another example is a user who is suddenly accessing new resources for
the first time, or running unusually large reports. There are numerous types of
behavior anomalies that may trigger detection. Examples include:
running unusual applications
accessing unusual systems, files or other resources
performing unusual types of operations or running rarely-used commands
generating larger-than-usual reports
executing a larger number of actions than usual within a given time frame
accessing systems from unusual client machines
logging in outside normal/expected hours of the day or days of the week
User Behavior Analytics detect these behavioral irregularities and alert IT security
staff in real time. The security administrator can then observe the suspicious user
session via a streaming video broadcast of the user’s desktop, or review the user
activity logs generated by the current session (and past sessions). If deemed
necessary, administrators can instant-message the user via the desktop or
even shut down the session from within the same interface.
For lower-severity incidents, such as non-critical out-of-policy behaviors,
administrators can later review session transcripts and/or videos to determine
if irresponsible or dangerous activities had taken place.
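As an added illustration (not code from the e-book or from any product it describes), the following Python sketch builds a per-user baseline from constructed session records and checks a new session against it for several of the anomaly types listed above: a login outside expected hours, a new system or client machine, a larger-than-usual report and an unusual volume of actions. The field names, the tolerance factor and the sample records are assumptions.

```python
from collections import defaultdict

# Constructed sample of past sessions for one business user (not real data); each record
# carries the fields the anomaly types above depend on: hour of login, system accessed,
# client machine, rows in the largest report run, and number of actions performed.
HISTORY = [
    {"user": "alice", "hour": 9,  "host": "crm-app01", "client": "ws-alice", "rows": 1200, "actions": 40},
    {"user": "alice", "hour": 10, "host": "crm-app01", "client": "ws-alice", "rows": 900,  "actions": 55},
    {"user": "alice", "hour": 14, "host": "crm-app01", "client": "ws-alice", "rows": 1500, "actions": 48},
    {"user": "alice", "hour": 17, "host": "crm-app02", "client": "ws-alice", "rows": 1100, "actions": 37},
]


def build_profiles(history):
    """Summarise each user's observed login hours, systems, client machines and activity volume."""
    by_user = defaultdict(list)
    for rec in history:
        by_user[rec["user"]].append(rec)
    profiles = {}
    for user, recs in by_user.items():
        profiles[user] = {
            "hour_range": (min(r["hour"] for r in recs), max(r["hour"] for r in recs)),
            "hosts": {r["host"] for r in recs},
            "clients": {r["client"] for r in recs},
            "max_rows": max(r["rows"] for r in recs),
            "max_actions": max(r["actions"] for r in recs),
        }
    return profiles


def detect_anomalies(profiles, session, factor=2.0):
    """Return the anomaly types a session triggers against its user's profile (factor is an assumed tolerance)."""
    profile = profiles.get(session["user"])
    if profile is None:  # nothing to compare against: report that rather than stay silent
        return ["no baseline for user"]
    findings = []
    lo, hi = profile["hour_range"]
    if not lo <= session["hour"] <= hi:
        findings.append("login outside expected hours")
    if session["host"] not in profile["hosts"]:
        findings.append("access to unusual system")
    if session["client"] not in profile["clients"]:
        findings.append("access from unusual client machine")
    if session["rows"] > factor * profile["max_rows"]:
        findings.append("larger-than-usual report")
    if session["actions"] > factor * profile["max_actions"]:
        findings.append("more actions than usual in the session")
    return findings
```

A session that resembles the stolen-credential case in the text (2 a.m. login from an unknown laptop to a new server, exporting fifty thousand rows) trips every check, while a session inside the observed pattern returns no findings.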
“These systems are able to automatically detect behavioral anomalies that may indicate negligent or fraudulent activities.”
Configurable Real-time Alerts
Additionally, security administrators can manually define any number of simple or complex “alert rules” to generate
real-time alerts about particular user activities that they want to know about, whenever they occur. Examples of such
alerts might include:
any time a user connects remotely outside of regular business hours
any time a remote contractor logs in to a sensitive server
any time a user opens a particular file
any time a user runs a particular application on a particular computer
any time a business user manually modifies a Registry entry
any time an IT administrator edits a critical configuration file
any time an IT administrator changes a system password
any time a user escalates permissions using sudo
any time a user runs a particular SQL query against a production database
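As an added example, not taken from the e-book or from any product it describes, here is how several of the alert rules above can be expressed as predicates over user activity events and evaluated over a batch of constructed sample events. The event fields, the policy values (business hours, sensitive hosts, critical files, the watched query) and the events themselves are assumptions.

```python
# Constructed alert rules and sample events (not real data); each rule is a name plus a
# predicate over one event, mirroring the rule examples listed above. The policy values
# (business hours, sensitive hosts, critical files, watched query) are assumptions.
BUSINESS_HOURS = range(8, 19)                      # 08:00-18:59
SENSITIVE_HOSTS = {"hr-db01", "pay-app01"}
CRITICAL_FILES = {"/etc/ssh/sshd_config", "/etc/sudoers"}
WATCHED_QUERY = "SELECT * FROM customers"

RULES = [
    ("remote connection outside business hours",
     lambda e: e["action"] == "login" and e["remote"] and e["hour"] not in BUSINESS_HOURS),
    ("contractor login to sensitive server",
     lambda e: e["action"] == "login" and e["role"] == "contractor" and e["host"] in SENSITIVE_HOSTS),
    ("business user modified a Registry entry",
     lambda e: e["action"] == "registry_write" and e["role"] == "business"),
    ("administrator edited a critical configuration file",
     lambda e: e["action"] == "file_edit" and e["role"] == "admin" and e["target"] in CRITICAL_FILES),
    ("administrator changed a system password",
     lambda e: e["action"] == "password_change" and e["role"] == "admin"),
    ("privilege escalation using sudo",
     lambda e: e["action"] == "sudo"),
    ("watched SQL query run against a production database",
     lambda e: e["action"] == "sql" and e["host"].startswith("prod-") and e["target"] == WATCHED_QUERY),
]

# Constructed event records: user, role, action, host, hour of day, remote flag, action target.
EVENTS = [
    {"user": "bob", "role": "contractor", "action": "login", "host": "hr-db01", "hour": 22, "remote": True, "target": ""},
    {"user": "carol", "role": "business", "action": "registry_write", "host": "ws-carol", "hour": 10, "remote": False, "target": r"HKLM\SOFTWARE\Example"},
    {"user": "dave", "role": "admin", "action": "file_edit", "host": "web01", "hour": 11, "remote": False, "target": "/etc/sudoers"},
    {"user": "erin", "role": "admin", "action": "sudo", "host": "db01", "hour": 15, "remote": False, "target": "systemctl restart postgresql"},
    {"user": "frank", "role": "business", "action": "sql", "host": "prod-db01", "hour": 12, "remote": False, "target": WATCHED_QUERY},
    {"user": "alice", "role": "business", "action": "login", "host": "crm-app01", "hour": 9, "remote": True, "target": ""},
]


def evaluate(events, rules=RULES):
    """Return one (rule name, user, host) tuple per matching rule, in event order."""
    alerts = []
    for e in events:
        for name, matches in rules:
            if matches(e):
                alerts.append((name, e["user"], e["host"]))
    return alerts
```

Note that one event can satisfy several rules (the contractor's late remote login to a sensitive server raises two alerts), and an in-policy event such as a business user's daytime login raises none.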
When user-based attacks occur, every second counts. The longer a threat goes undetected, the more damage a
company will incur in terms of both financial costs and brand reputation. Without the ability to monitor user activity in
real time, companies will continue to suffer from undetected user-based breaches, significantly increasing the scope
and costs of those breaches.
Bullet-proof IT Forensics
Another advantage enjoyed by IT administrators after deploying a User Activity Monitoring solution is fast, easy and
incontrovertible IT forensics. Keyword-searchable user activity logs and session screen recordings are invaluable for
IT troubleshooting, root cause analysis and incident investigations. If user actions are responsible for a system failure,
data leak or any other incident, administrators will be able to quickly discover exactly who did what, where, when
and how.
The Deterrence Factor
Finally, User Activity Monitoring has an effect similar to “speed cams” on the highway: because users are informed
upon every login that their actions are being monitored and recorded, instances of unsanctioned and reckless activity
fall dramatically. This is not theoretical; system and security administrators consistently report that, after deploying
User Activity Monitoring, employees and contractors alike exhibit much more cautious behavior when accessing
sensitive data and systems.
Conclusion
The intersection of people, activities and applications represents the greatest IT
security risk to organizations today. While privileged IT users present a significant
threat to every organization, the sheer number of business users, their volume of
activity and their necessary access to critical/sensitive applications and data
combine to form a far greater overall risk to the organization.
Most organizations do a satisfactory job of securing and monitoring their back-end
servers and databases from external attacks. However, because the company’s
employees, administrators and contractors are authorized to operate inside the
security perimeter, traditional security mechanisms are nearly useless when it
comes to user-based risk. It is the activities of authorized users (or outsiders who
manage to gain access to authorized user accounts) within applications that pose
the greatest IT security risk. Both industry research and the rapidly-growing list of
incidents in the news confirm this unfortunate reality.
User Activity Monitoring specifically mitigates these risks: by providing
comprehensive monitoring, behavioral analytics, incident alerting, audit
reporting and IT forensics capabilities for the activities of users in the front ends
of applications, User Activity Monitoring closes the largest security gap found in
organizations today. This type of solution enables security administrators to
immediately detect dangerous, unauthorized and out-of-policy
user activity – and to stop it in its tracks.
“Traditional security mechanisms are nearly useless when it comes to user-based risk.”