Insider Threat Detection
Any employee using privileged credentials inside a network to collect and exfiltrate valuable data is an insider threat. It is much harder to detect malicious data theft by someone with legitimate credentials in your systems, since they don’t have to install malware or probe your network’s perimeter for weaknesses the way hackers do.
An insider’s behavior looks nearly identical to an outside threat, but they’re much more likely to conduct their activities from a single machine, rather than hopping around laterally to mask their actions. They still need to find high-value assets and determine how to exfiltrate them. The most effective way to spot an authorized user doing bad things is by tracking their behavior across the adversary campaign lifecycle, just as you would with an APT.
An Insider Threat’s behavior in your environment is nearly identical to that of an outside hacker or APT. They have a mission to complete, which generally involves finding important data (recon), bringing it together (collection), and removing it from the network (exfiltration). Detecting and connecting these behaviors is the most effective way to curb insider threats.
How Versive Detects Insider Threats
The Versive Security Engine uses adaptive machine learning on your data, automatically customizing itself to your unique environment to detect patterns of adversarial behavior that are usually masked in the noise of everyday operations. When a legitimate user’s behavior changes in a meaningful way, the Engine will notice. Whether they start communicating with hosts they never have before, or move large chunks of data into and out of odd storage locations, the Engine compares that behavior to what’s normal in your environment, and starts building a Threat Case to visualize the progress of the threat over time so that you can act.
A few examples of suspicious behaviors the VSE detects include the following:
1. Change in Internal File Transfer Volume: If a user that typically only moves 10 megabytes of data per day suddenly starts moving 100, that’s detected and added to a Threat Case.
2. Communication Between Unusual Hosts: If a host starts communicating at unusual levels with machines it has never previously talked to, that’s flagged.
3. Change in External File Transfer Properties: If a host starts pushing data to unusual sites, or transfers more data than usual to known domains, that’s flagged.