You log into your workstation to start your day, when you discover the bad news. Your organization is the latest to be hit by a data leak caused by an insider threat. Vital information is now streaming out to whoever wants it, and you have no idea what happened.
Common Questions To Ask Yourself:
- What was leaked?
- When did it go out?
- Who did it, and why?
- What is the extent of the damage?
- Can anything be done to mitigate the risk of further problems?
- Where can you go for answers?
These are all valid questions, and security professionals know better than anyone: investigating a potential insider threat incident can be a time-consuming (and stressful) endeavor. Without the right security tools, processes, and people, the window from mean time to detect (MTTD) to mean time to resolve (MTTR) can be extensive.
Most security teams need to pull data and logs from multiple systems and locations to try to analyze what actually happened, and piece together irrefutable evidence of who did what, why, when, and how. They’re, as the saying goes, “under the gun.” Management expects answers, and right away, which can be a big problem.
You know you can’t answer with an “I don’t know,” “I’m not sure,” or “I’ll get back to you in a few days.” So, what can you do?
How to Speed Up Insider Threat Investigations
Obtain Video Playback
When people talk about insider threats, they talk about three core principles: detection, investigation, and prevention. To do any of the three, a security team first needs visibility into user activity.
Insider threat management tools like Proofpoint ITM deliver this much-needed visibility to teams by collecting “click-by-click” user activity data on individual endpoints (desktops, laptops, servers). The data collection process takes snapshots of each action that can be played back in the event a potential insider threat incident has been detected, giving you step-by-step visual proof of what actually occurred.
Detect Insider Threats in Real Time
Once you have visibility into user activity on an endpoint, it is possible to configure real-time alerts that warn the appropriate parties when a potential insider threat incident has been detected.
Proofpoint’s insider threat detection tools are fully customizable, enabling security teams to identify who did what, on which computer, when, and from which client, and then send alerts based on the triggers that you find most useful. (It is even possible to pop up notifications, block applications, or close processes on the user side!)
Generate User Activity Logs for Applications that Don’t Have Them
Not all applications have the ability to capture user activity data via log files.
Consider eliminating a huge security blind spot by generating user activity logs for applications without their own logs, including cloud, custom and legacy applications. Correlate human behavior logs with system logs in a SIEM – this will give you a 360-degree view of every event.
Require Secondary Authentication
Once you have the tools and processes in place to increase your visibility into user activity, being able to identify individual users is a must!
With Proofpoint, you can require individual identification for administrators and remote vendors logging in via a shared account (e.g., administrator, root). This will allow you to later search and review user activity monitoring session summaries and recordings by individual user, regardless of the initial login account used.
Know Who is Logging in to Your Servers – and Why
Prevent users from logging in to a server without first entering a valid ticket number (from an external ticketing system), to ensure that every login is connected with a specific, pre-approved purpose.
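The correlation described above (human-behavior logs joined with system logs in a SIEM, shared-account logins tied back to an identified person, and a ticket required for every server login), as an added example that is not Proofpoint's code: it parses constructed sshd auth-log lines, joins them to constructed secondary-identification records (a hypothetical format carrying host, shared account, named user, ticket and time), attributes each shared-account login to a person, and flags logins with no identification or no ticket.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (sshd style): the "system logs" side of the correlation.
AUTH_LOG = """\
2024-01-12T09:14:03 db01 sshd[2211]: Accepted publickey for root from 10.0.0.5 port 51012 ssh2
2024-01-12T09:40:10 db01 sshd[2290]: Accepted password for root from 10.0.0.9 port 50233 ssh2
2024-01-12T11:02:45 web02 sshd[1187]: Accepted publickey for administrator from 10.0.0.5 port 51100 ssh2
2024-01-12T11:03:01 web02 sshd[1188]: Failed password for root from 10.0.0.9 port 50251 ssh2
"""

# Constructed secondary-identification records (hypothetical format): what a monitoring tool
# records when a person names themselves, and enters a ticket, after a shared-account login.
SESSIONS = [
    {"host": "db01", "account": "root", "user": "alice",
     "ticket": "CHG-1042", "time": "2024-01-12T09:14:05"},
    {"host": "web02", "account": "administrator", "user": "vendor_bob",
     "ticket": None, "time": "2024-01-12T11:02:50"},
]

LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
WINDOW = timedelta(seconds=60)  # max gap between the login and the identification prompt


def parse_logins(text):
    """Extract successful logins from the auth log; failed attempts are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, host, account, src = m.groups()
            logins.append({"time": datetime.fromisoformat(ts), "host": host,
                           "account": account, "src": src})
    return logins


def attribute_logins(logins, sessions):
    """Join each shared-account login to the person who identified themselves on the same
    host and account within WINDOW after it. Logins with no match are UNATTRIBUTED (the
    blind spot); matched logins with no ticket are flagged NO_TICKET."""
    results = []
    for login in logins:
        match = next((s for s in sessions
                      if s["host"] == login["host"] and s["account"] == login["account"]
                      and timedelta(0) <= datetime.fromisoformat(s["time"]) - login["time"] <= WINDOW),
                     None)
        status = "UNATTRIBUTED" if match is None else ("NO_TICKET" if not match["ticket"] else "ok")
        results.append({**login, "user": match["user"] if match else None,
                        "ticket": match["ticket"] if match else None, "status": status})
    return results
```

Run against the constructed data, the second root login on db01 comes back UNATTRIBUTED (nobody identified themselves) and the vendor's administrator login on web02 comes back NO_TICKET, which is exactly the pair of findings an investigator needs surfaced first.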
Be Mindful of Third-Party Vendors or Contractors
Oftentimes the biggest problem with managing remote vendor security is a lack of visibility, just like with your employees. But vendors are potential insider threats as well, with access to vital systems and data. Tools like Proofpoint ITM help you obtain visibility into vendor user activity as well as that of your own employees!
Without the right security tools, processes, and people in place, it can be near impossible to shorten the window from mean time to detect (MTTD) to mean time to resolve (MTTR).