3 top tools to fight insider threats

Lurking inside

We tested three products, each concentrating on a different aspect of the insider threat problem. Fortscale did an amazing job protecting a traditional network. Its machine learning capabilities and its concentration on access and authentication logs give it an extremely high accuracy rate. Cloud-based insider threats can be even harder to detect, yet Avanan uniquely protects against threats related to trusted insiders within the cloud. PFU Systems applies insider threat security to mobile devices with its iNetSec system. (Read the full review.) Here are the individual reviews:

Fortscale: Machine learning right out of the box

Fortscale is nearly complete and ready to go out of the box. It is installed on a network as a single server which is then linked into whatever security information and event management (SIEM) system is already being used. There are no rules to configure or programming to be done by administrators as Fortscale uses machine learning and complex algorithms to find anomalous or dangerous behavior associated with insider threats.

Fortscale’s ‘Followed Users’ dashboard

A neat feature is that certain users can be pinned to the login splash page for extra scrutiny. Called Followed Users, these people are added to the far right column of the dashboard, complete with their pictures, titles and network groups, if such information is available.

There are no set criteria needed to add someone into the Followed Users pool. Perhaps investigators suspect the employee for some reason, or perhaps Fortscale admins are seeing low level anomalies tied to one account. Clicking on a user within the Followed Users group will bring up all the information that Fortscale has collected about them over time.

Fortscale’s printer catch

Where Fortscale’s interface really gets good is when you drill down into alerts. In our testing, the program was able to identify an anomaly where a user first made an “all records” call to the Oracle database and then printed over 350 pages. This could be a case where an employee was preparing to leave the company and wanted to take proprietary information with them using a very low tech way of capturing and stealing the data. But even the low-tech approach was not able to escape the watchful, and insightful, eye of Fortscale.
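The printer catch above is a correlation of two events that look harmless on their own: a bulk database read and a print job that is far larger than the user's normal volume. The script below is an added example of that detection logic, written for this page; it is not Fortscale's code and does not reproduce its machine learning. It reads a constructed, SIEM-style log (invented users and timestamps), builds a per-user print baseline, flags print jobs that fall well outside that baseline, and then pairs each flagged job with any bulk query by the same user in the preceding two hours. The BULK_ROWS threshold, the two-hour window and the three-sigma rule are assumptions chosen for the sample data.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log (not from Fortscale or any real SIEM).
# Each line: timestamp, user, event kind, size (rows returned or pages printed).
SAMPLE_LOG = """\
2016-03-01T09:02 alice db_query 120
2016-03-01T09:05 alice print 3
2016-03-01T09:30 bob print 40
2016-03-02T09:30 bob print 55
2016-03-02T10:11 alice db_query 80
2016-03-02T10:20 alice print 5
2016-03-03T09:30 bob print 48
2016-03-03T14:00 alice print 4
2016-03-04T09:30 bob print 60
2016-03-04T11:30 alice db_query 95
2016-03-04T11:40 alice print 6
2016-03-05T09:30 bob print 52
2016-03-05T16:45 alice db_query 52000
2016-03-05T17:05 alice print 362
"""

BULK_ROWS = 10_000                      # assumed: what counts as an "all records" style read
CORRELATION_WINDOW = timedelta(hours=2)  # assumed: how long after the read a print still counts
MIN_HISTORY = 3                          # prior print jobs needed before judging a new one
SIGMA = 3.0                              # deviation from the user's own baseline that is flagged


def parse_log(text):
    """Turn the whitespace-separated sample log into sorted (ts, user, kind, size) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, kind, size = line.split()
        events.append((datetime.fromisoformat(ts), user, kind, int(size)))
    events.sort(key=lambda e: e[0])
    return events


def print_anomalies(events):
    """Flag print jobs far outside the user's own historical volume.

    Returns (timestamp, user, pages, baseline_mean) for each flagged job.
    The baseline is built only from jobs seen earlier in the stream, so a
    user's first few jobs are learned, not judged.
    """
    history = {}
    flagged = []
    for ts, user, kind, size in events:
        if kind != "print":
            continue
        prior = history.setdefault(user, [])
        if len(prior) >= MIN_HISTORY:
            mu, sd = mean(prior), pstdev(prior)
            # floor the deviation so a very steady user still has a tolerance band
            if size > mu + SIGMA * max(sd, 1.0):
                flagged.append((ts, user, size, mu))
        prior.append(size)
    return flagged


def correlated_exfil_alerts(events):
    """Pair each anomalous print job with a bulk DB read by the same user shortly before."""
    alerts = []
    for ts, user, pages, baseline in print_anomalies(events):
        bulk = [e for e in events
                if e[1] == user and e[2] == "db_query" and e[3] >= BULK_ROWS
                and ts - CORRELATION_WINDOW <= e[0] <= ts]
        if bulk:
            alerts.append({
                "user": user,
                "printed_at": ts.isoformat(),
                "pages": pages,
                "baseline_pages": round(baseline, 1),
                "bulk_query_rows": bulk[-1][3],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlated_exfil_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Bob prints 40 to 60 pages every day, so his jobs never leave his own band; Alice's 362-page job is flagged because her baseline is a handful of pages, and it is promoted to an alert only because the 52,000-row query sits inside the window before it. Keying the baseline on the individual rather than on a fixed page count is what keeps a heavy but consistent printer from generating noise.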

Avanan: Penetrating the cloud

Avanan runs completely in the cloud, so the setup has no physical components. It works with all the biggest cloud providers including Amazon, Google and Microsoft. The setup process for our test cloud only took a few minutes. Many cloud providers retain up to a year or more of data regarding the various actions by users and programs within the cloud. Avanan can tap into that data and begin working right away, even identifying suspect insider threat activity that happened months ago.

Avanan’s added benefit

By itself, Avanan is a powerful tool for protecting against insider threats. However, another strength of the product is that it offers one-click installation of many popular security programs. Avanan does not charge users to install those apps inside the cloud. Users only need to pay whatever the other vendor charges, and their existing license may even cover cloud deployments. In the course of our testing we installed Check Point, Palo Alto and Symantec software into our test cloud. In all cases, we got full cloud functionality.

Avanan identifies Shadow IT

The main Avanan console is basically like a SIEM itself, though it consolidates data from any other SIEM or security program running in the cloud. It also has a robust shadow IT function, which shows applications that have been installed within the cloud, who is using them and what they are doing. Entire applications can be denied and removed from the cloud regardless of the number of users, preventing any program from becoming an insider threat itself, or acting as a vehicle for things like prohibited file transfers or data sharing.

iNetSec Smart Finder: Agentless scanning of mobile devices

PFU Systems, a Fujitsu company, aims to manage the increased potential for insider threats generated by mobility programs with their iNetSec system. The iNetSec Smart Finder system is deployed as a network appliance that generally sits between the LAN segments of a network and the VLAN segments used by mobile users. Once deployed, the iNetSec Smart Finder appliance discovers, classifies and manages all mobile devices in order to enforce network access policies. In addition to device management, it will graph and visualize all application traffic broken down by device to prevent bandwidth abuse and stop high risk applications from operating.

iNetSec: APT protection

While iNetSec is mostly concerned with insider threats, it can also scan internal network traffic to detect the presence of Advanced Persistent Threats (APT) based on behavioral correlation. It is able to do all this without the need to install agents on any mobile device. Once our iNetSec testbed went live, the appliance scanned for every mobile device connected to the network. The appliance was able to find any device with a MAC address, including routers and VoIP phones. It does this in order to monitor traffic moving through the network gateway as well as any lateral movement that might be an indication of an active APT.

iNetSec: Denied

Once each device is approved or rejected, and a policy is put in place to govern any new devices that want to connect, iNetSec begins monitoring what those devices and users are doing. The main dashboard displays every connected device and its current activity. Administrators can choose to permit or prohibit any application’s use on the network. While this would not remove an application from the mobile device, which iNetSec has no direct control over, it would prevent it from being used to transfer files or to interact with a protected network. In cases an administrator considers extreme, the presence of certain programs or malware could trigger a device to be immediately denied network access altogether.
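The workflow in this section has three layers of decision: is the device approved, rejected or new; is the application it is using permitted; and does anything in its traffic warrant cutting it off outright. The following is an added example, written for this page, of how such an agentless, MAC-keyed admission policy can be evaluated at a gateway; it is not iNetSec code. The MAC addresses, application names, the `malware-beacon` signature and the `quarantine` default for unknown devices are all constructed for the sample.

```python
# Constructed policy state, not an iNetSec configuration.
APPROVED = {                       # MAC -> label, set by the administrator
    "aa:bb:cc:00:00:01": "alice-phone",
    "aa:bb:cc:00:00:02": "lobby-voip",
}
REJECTED = {"aa:bb:cc:00:00:03"}   # devices the administrator explicitly refused
NEW_DEVICE_POLICY = "quarantine"   # assumed options: "allow", "quarantine", "deny"
PROHIBITED_APPS = {"p2p-share", "anon-proxy"}   # allowed devices may not use these
CUTOFF_SIGNATURES = {"malware-beacon"}          # seeing this denies the device entirely

# Constructed traffic records as an appliance at the gateway might classify them:
# (device MAC as seen on the wire, application or signature name)
SAMPLE_TRAFFIC = [
    ("AA:BB:CC:00:00:01", "mail"),
    ("aa:bb:cc:00:00:01", "p2p-share"),
    ("aa:bb:cc:00:00:02", "sip"),
    ("aa:bb:cc:00:00:03", "mail"),
    ("aa:bb:cc:00:00:09", "web"),
    ("aa:bb:cc:00:00:01", "malware-beacon"),
    ("aa:bb:cc:00:00:01", "mail"),
]


def normalise_mac(mac):
    """Canonical lower-case, colon-separated form so policy lookups are case-insensitive."""
    return mac.strip().lower().replace("-", ":")


def evaluate_traffic(records, cut_off=None):
    """Decide each record in order and return (decisions, unknown_devices, cut_off).

    Precedence, highest first:
      1. a cut-off signature denies the device and remembers it for later records
      2. previously cut-off or rejected devices are denied
      3. devices not yet approved get the default policy for new devices
      4. approved devices are allowed, except for prohibited applications
    `cut_off` may be passed in to carry denials across calls.
    """
    cut_off = set() if cut_off is None else cut_off
    decisions = []
    unknown = set()
    for raw_mac, app in records:
        mac = normalise_mac(raw_mac)
        if app in CUTOFF_SIGNATURES:
            cut_off.add(mac)
            verdict = "deny_device"
        elif mac in cut_off or mac in REJECTED:
            verdict = "deny_device"
        elif mac not in APPROVED:
            unknown.add(mac)
            verdict = NEW_DEVICE_POLICY
        elif app in PROHIBITED_APPS:
            verdict = "block_app"
        else:
            verdict = "allow"
        decisions.append((mac, app, verdict))
    return decisions, sorted(unknown), cut_off


if __name__ == "__main__":
    decisions, unknown, cut_off = evaluate_traffic(SAMPLE_TRAFFIC)
    for mac, app, verdict in decisions:
        print(f"{mac} {app:15} -> {verdict}")
    print("new devices awaiting review:", unknown)
    print("cut off this run:", sorted(cut_off))
```

Note the last two records: once the approved phone is seen beaconing, the denial sticks for its ordinary mail traffic as well, which is the "denied network access altogether" outcome described above. The unknown device is never silently allowed; it lands in the review list with the default policy applied until an administrator approves or rejects it.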