TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT

Transcription

1 TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT Would you rather know the presumed status of the henhouse or have in-the-moment snapshots of the fox? If you prefer to use a traditional security system that monitors network infrastructure, you might as well let the fox run away with data. That s because contrary to popular belief, threats to data aren t all external. The fastest growing IT security risk actually comes from within: your employees and third-party users. Staff, privileged users in IT and management, and contractors all need access to applications, systems and data to properly do their jobs. But the conventional means of monitoring their digital actions through security information and event management (SIEM) doesn t offer a view of what s actually occurring in their user sessions. As insiders with access increasingly work offsite and after hours and use applications outside your company s firewall, they represent one of the biggest risks to your data. Of course, not every user is a threat, but at some point someone will carelessly click on a malicious link or unwittingly sensitive data to an unauthorized user. Moreover, odds are that someone with authorized access will indeed attempt to steal or manipulate data, and you can t afford to learn about it months later. Unfortunately, most organizations still rely on SIEM to provide insight into insiders activities, thinking they are standing watch over the henhouse, when in reality, they re not even close to protecting data from insider threat. SIEM focuses on infrastructure and fails to look at the actual user. If your organization is serious about security, that dynamic has to change. You need to know exactly what your users are doing with company systems and data. Adding User Activity Monitoring to your organization s existing security ecosystem closes this critical cyber-security gap and dramatically reduces the time it takes to identify and respond to suspicious user activity and data breaches. You ll know just what the foxes are doing and how and when they did it.

2 TRY AS IT MAY, SIEM CAN T SEE USER-BASED RISKS SIEM attempts to give a holistic view of an organization s security efforts. Security data is produced in multiple spots, so coalescing that information quickly is essential to getting real-time insight on insider threats. But even though SIEM tries to show what users are doing, it doesn t provide a true understanding of what they are really doing. As a result, organizations are deceived. They believe they can see everything with SIEM but in reality have a major security blind spot. That s why they never notice data breaches. SIEM processes information from the logs of infrastructure and devices. And there lies the rub: nowadays, many employees and third-party users rely on cloud applications that don t provide the insight organizations need to protect data. Cloud applications have greatly improved the ability to do work, as they allow employees to share files amongst themselves and clients and perform tasks that previously were limited to costly, on-site programs. SIEM which depends on logs for analysis doesn t mesh with this new way of work. SIEM fails to provide full insight on not just application use but insider actions within all devices and systems. Here are three reasons why: 1. Logging data is not always available from these apps or the devices they re used on. Many critical user actions do not generate any logs at all, so there is no data to analyze. 2. Available log data was designed mostly for debugging and tracking system changes. The data is not designed for determining user behavior and intent. At best, the data can tell administrators that something happened at a system or infrastructure level, but it offers absolutely no insight into actual user activity.

3 3. Logs can contain hundreds or thousands of discrete events in obscure technical language, making it just about impossible for anyone but a security expert with lots of time and a narrow purpose to determine what a user actually did to generate those log events. Indeed, tracking activities on the many apps and devices that employees use is difficult and resource intensive. Significant staff time is needed to correlate and review access and usage logs, but again that s only if those records are even available. With SIEM tools, organizations cannot quickly or easily answer what employees, privileged users or outside contractors are doing. It shouldn t be any surprise, then, that costly data breaches are on the rise across nearly every industry. A Verizon study found that 69 percent of information security incidents are attributed to inside threat. Yet, according to a 2015 SANS survey, 70 percent of internal audits and investments reveal that businesses have big deficiencies in monitoring insider threats, and, as a result, 75 percent of all insider threats go unnoticed. SIEM IS NOT UP FOR TODAY S CHALLENGES Aside from the widespread use of cloud applications, there are other ways that employees put data at risk. Here are some examples of how SIEM fails to recognize when insiders negligently and maliciously fail to keep information secure: MANY INSIDERS HANDLE CUSTOMER AND PATIENT INFORMATION Users with access to sensitive customer and patient records have little deterrent to leaking data to third parties or changing information. System logs from cloud apps such as SAP and Salesforce don t record user actions and provide no insight into how insiders handled information that must stay in-house. It s impossible to discover or audit who accessed, copied or modified this sensitive data. THE RECORD DOESN T REFLECT ALL IIS WEBSERVER CONFIGURATION FILE CHANGES Changing the IIS webserver configuration file can affect server operations in many different ways, potentially exposing the server to security risks. During the 20 seconds it takes a user to make a change, Windows will log 6,000 system events. Log entries, though, will only indicate that this file was changed with one log entry indicating that "web.config" was added to the "Recent Files" list in Windows. Talk about the law of diminished returns. GRANTING SUDO RIGHTS TO A NON-AUTHORIZED UNIX/LINUX USER Giving sudo rights to an account allows a user to access sensitive commands, services and data. Yet, when using auditctl and ausearch to get system event logs for actions, you will only see that the visudo command was run. Unless you re a pro, this logging is too technical: You can see the working directory from which it was launched, its process ID, and the fact that it finished with a success return value. However, there is no indication of what rights were granted or what the user did once those rights were assigned. USER ACTIVITY MONITORING PROVIDES 20/20 INSIGHT Don t worry. Your organization no longer has to rely on SIEM. You can get real-time, valuable insight into insider actions and stop data breaches before they cripple your business.

4 Adding User Activity Monitoring to your security ecosystem will greatly improve your organization s ability to rapidly detect and respond to security incidents. You ll no longer have to worry about the shortcomings of SIEM. With User Activity Monitoring, IT administrators and security staff get a clear, easy-to-understand picture of exactly what happened. Your organization will have the proper information to respond to an alert or piece together insider actions during an investigation. User Activity Monitoring uses screen-recording and analysis technology to capture all user activity regardless of environment or access method (local or remote) and to generate alerts for suspicious activity. Beyond providing video playback of all user activity, User Activity Monitoring leverages visual interpretation technology to turn the screen capture recordings into plain-english user activity logs that can be easily searched, analyzed, prioritized, audited and acted upon. This enables security teams to rapidly detect and respond to the threats of account hijacking, stolen passwords, remote vendor access, and insider actions from either negligent or malicious users.

5 Instead of inferring user actions from infrastructure data as SIEM does User Activity Monitoring focuses on actual user activity. The ability to track and understand user activity lets organizations benefit from an open business environment while protecting intellectual property and customer data. SIEM DOESN T PROTECT DATA; USER ACTIVITY MONITORING DOES Considering the deficiencies of SIEM and traditional infrastructure logging, it is crucial that organizations improve their data security measures and consider a solution that knows exactly what users are doing and sees the security risks their actions can cause. User-based threats are a major security concern that requires a new, user-centric monitoring approach. A usercentric approach is important not only for rapid response to breaches, but is also a proven way to proactively identify underlying behaviors that lead to data breaches. Surely, SIEM has its place in security monitoring, but, alone, it can t discover the user-based threats with the most potential to damage your company. Organizations need to bring user-focused security monitoring to the front and center of their security and risk management strategy by adding User Activity Monitoring to their existing security architecture.

6 ABOUT OBSERVEIT ObserveIT is an Insider Threat Solution. With ObserveIT, security and compliance teams can detect and respond to authorized users doing unauthorized things. ObserveIT protects enterprises from data loss, fraud and IP theft across third-parties, privileged users, and business users while maintaining privacy. ObserveIT analyzes exactly what the user does during a session using our proprietary metadata and contextual screen captures to assign the most accurate risk score to users and eliminate false positives from normal activity. We provide immediate notification and real-time calculation of users risk. When a risky action is performed such as exporting confidential customer information or accessing resources they shouldn t be accessing the user gets a score based on the severity of the activity. Our user behavior analytics and risk scoring will prioritize internal investigation so security teams can focus on which users are actually putting your business at risk on an enterprise-scale. ObserveIT is trusted by over 1,200 customers in 70 countries across all verticals. For more information on ObserveIT, visit or find us on TRUSTED BY CUSTOMERS OBSERVEIT IDENTIFY AND MANAGE USER-BASED RISK Start monitoring in minutes, free: