Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Library:The Enemy Inside the Gates: Utilizing SIEM Technology is the Best Way to Detect and Prevent Insider Attacks

From Aanval Wiki


The Enemy Inside the Gates: Utilizing SIEM Technology is the Best Way to Detect and Prevent Insider Attacks.
According to the ISSA (Information Systems Security Association), “Insider attacks are one of the least understood and inadequately mitigated security-related risks facing organizations today. Although employees of an organization are unquestionably insiders, an ‘insider’ also applies to consultants, contractors, and third-party business partners. Many believe that anyone who is granted access to an organization’s computing resources and is given an account and password is, hence, an insider.”

Regardless of the definition of what constitutes an “insider,” the SANS Institute believes that “most companies focus their resources and defensive strategies on protecting the perimeter from outsider attacks but often the greatest damage can be done by someone already inside these defenses. It is imperative that companies implement internal controls to monitor, detect, and prevent access to sensitive resources to only those individuals that require it to perform their specific job function.”

Insider attacks are serious and common. According to a recent MSNBC.com report on the 2011 CyberSecurity Watch Survey conducted by CSO Magazine, more attacks are caused by outsiders (58%) than by insiders (21%); however, 33% of respondents considered insider attacks to be the more costly, up from 25% in 2010. Insider attacks include stealing an organization’s intellectual property, hijacking online bank accounts, creating and distributing malware, worms and viruses to other computers, posting confidential business information on the Internet, sabotaging the organization’s IT department, and disrupting the organization’s entire operations. Unlike an external attacker, the intruder is usually someone who has been entrusted with authorized access to the network and has privileged knowledge of the network architecture, server configurations, company policies, critical assets, and filing systems. Along with combating external threats, system administrators therefore also have to keep authorized insiders from misusing that access to manipulate the network or reach data beyond their role. The ISSA has stated in its security journal that the best way to detect insider attacks is to use a capable SIEM (Security Information and Event Management) technology to aggregate log data and then perform event correlation analysis.

Unlike most external attacks, internal attacks are often detected only through the discovery and analysis of small clues or minor incidents, and this is where event correlation provides the most help: it reports the events, relates them to one another to form patterns, and keeps the logged information as evidence. A capable SIEM can identify, log, archive, and report subtle indicators of an insider attack, such as failed log-in and password-cracking attempts within an organization’s network, and track them over time. Insider attacks are harder to detect because they involve authorized users accessing information within the range of expected behaviour: a single failed log-in looks the same whether it is a typo or the first of many guesses, and only the pattern over time (repeated failures against one or many accounts, a burst of failures followed by a success, activity at unusual hours) tells them apart. With SIEM technology, system administrators can separate honest mistakes from actual insider abuse.
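The correlation described above, as an added example that is not part of the original page or of Aanval itself: a small Python script that parses sshd lines in Linux auth.log format and classifies each (user, source address) stream as an isolated mistake, password guessing, or guessing followed by a successful log-in, and separately flags a source that fails against several distinct accounts. The log lines are constructed for the example; the ten-minute window, the failure threshold and the distinct-user threshold are assumptions to be tuned per environment, and the syslog year is supplied by the caller because the timestamp format omits it.

```python
"""Correlate sshd authentication events from syslog lines (added example, not Aanval code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Linux auth.log lines written by sshd; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Assumed thresholds for the example; tune them for the environment being monitored.
WINDOW = timedelta(minutes=10)  # correlation window for related events
GUESS_THRESHOLD = 5             # failures within WINDOW that indicate password guessing
SPRAY_THRESHOLD = 3             # distinct accounts failed from one source within WINDOW


class Event(NamedTuple):
    ts: datetime
    host: str
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse_event(line: str, year: int) -> Optional[Event]:
    """Parse one sshd line; the year is supplied because syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["host"], m["result"], m["user"], m["src"])


def parse_events(lines: Iterable[str], year: int = 2011) -> List[Event]:
    """Parse all recognisable lines and return them in time order."""
    events = [e for e in (parse_event(l, year) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def classify_stream(events: List[Event]) -> str:
    """Classify one (user, src) stream using a sliding window over failures."""
    max_failures = 0          # most failures seen inside any one WINDOW
    guess_then_success = False
    recent: List[datetime] = []  # failure timestamps still inside WINDOW
    for e in events:
        recent = [t for t in recent if e.ts - t <= WINDOW]
        if e.result == "Failed":
            recent.append(e.ts)
            max_failures = max(max_failures, len(recent))
        else:
            # A success right after a burst of failures is the worst case: the guess worked.
            if len(recent) >= GUESS_THRESHOLD:
                guess_then_success = True
            recent = []
    if guess_then_success:
        return "password guessing followed by successful login"
    if max_failures >= GUESS_THRESHOLD:
        return "password guessing"
    if max_failures > 0:
        return "isolated failures (likely mistake)"
    return "normal"


def correlate(lines: Iterable[str], year: int = 2011) -> Dict[Tuple[str, str], str]:
    """Return a classification for every (user, src) pair seen in the log."""
    streams: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in parse_events(lines, year):
        streams[(e.user, e.src)].append(e)
    return {key: classify_stream(evs) for key, evs in streams.items()}


def spray_sources(lines: Iterable[str], year: int = 2011) -> Dict[str, Set[str]]:
    """Flag sources whose failures hit >= SPRAY_THRESHOLD distinct accounts within WINDOW."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in parse_events(lines, year):
        if e.result == "Failed":
            by_src[e.src].append(e)
    flagged: Dict[str, Set[str]] = {}
    for src, evs in by_src.items():
        recent: List[Event] = []
        for e in evs:
            recent = [r for r in recent if e.ts - r.ts <= WINDOW]
            recent.append(e)
            users = {r.user for r in recent}
            if len(users) >= SPRAY_THRESHOLD:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


# Constructed sample log: a typo by alice, a guessing burst against bob that succeeds,
# a late-night sweep over several accounts from the same source, and a normal login.
SAMPLE_LOG = """\
Mar  3 09:12:01 fileserver sshd[2101]: Failed password for alice from 10.0.0.5 port 51234 ssh2
Mar  3 09:12:09 fileserver sshd[2101]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar  3 23:41:02 fileserver sshd[2330]: Failed password for bob from 10.0.0.17 port 40001 ssh2
Mar  3 23:41:05 fileserver sshd[2331]: Failed password for bob from 10.0.0.17 port 40002 ssh2
Mar  3 23:41:08 fileserver sshd[2332]: Failed password for bob from 10.0.0.17 port 40003 ssh2
Mar  3 23:41:11 fileserver sshd[2333]: Failed password for bob from 10.0.0.17 port 40004 ssh2
Mar  3 23:41:14 fileserver sshd[2334]: Failed password for bob from 10.0.0.17 port 40005 ssh2
Mar  3 23:41:20 fileserver sshd[2335]: Accepted password for bob from 10.0.0.17 port 40006 ssh2
Mar  4 02:10:00 fileserver sshd[2400]: Failed password for invalid user admin from 10.0.0.17 port 40100 ssh2
Mar  4 02:10:03 fileserver sshd[2401]: Failed password for invalid user oracle from 10.0.0.17 port 40101 ssh2
Mar  4 02:10:06 fileserver sshd[2402]: Failed password for root from 10.0.0.17 port 40102 ssh2
Mar  4 02:10:09 fileserver sshd[2403]: Failed password for invalid user test from 10.0.0.17 port 40103 ssh2
Mar  4 08:00:12 fileserver sshd[2500]: Accepted password for carol from 10.0.0.9 port 52000 ssh2
"""

if __name__ == "__main__":
    for (user, src), verdict in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{user:8s} {src:12s} {verdict}")
    for src, users in spray_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: failures against {len(users)} accounts: {sorted(users)}")
```

The point of the two views is that the same raw line means different things depending on its neighbours: alice's single failure followed by a success eight seconds later is left as a likely mistake, while bob's five failures in twelve seconds followed by a success from the same address is the pattern that deserves an immediate alert. The per-source view catches the case the per-user view cannot, a sweep that fails only once against each of several accounts.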

In conclusion, the ability to quickly and efficiently detect and identify insider attacks can be achieved with SIEM technology. A SIEM provides visibility into both internal and external security threats and delivers the evidence necessary to prosecute attackers.

To see how Aanval 7 can provide defense against internal and external attacks, please contact (800) 921-2584 or email sales.group [at] tacticalflex.com.