Users are the greatest single source of risk for data loss within an organisation. Research shows that two out of every three security incidents originate from internal users. These users can be employees or third-party contractors. The data loss is sometimes accidental, but more often now it is deliberate: theft of corporate R&D, customer lists or financial data, to name but a few.
What is an insider threat? It’s the risk of misuse of access privileges to steal, leak or destroy customer, company or employee data. The difficulty is how to detect questionable actions once a user has logged in. In general, server systems generate a vast amount of data through normal user activities, but the lack of visibility into actual user behaviour makes insider-based threats to sensitive data nearly impossible to detect and certainly difficult to track. Insider threats represent a major security blind spot for all organisations, and with the continued growth of applications and cloud-based services, making detection easier is a must for companies, not a ‘nice to have’!
The ObserveIT Insider Threat Platform detects and mitigates the risk of insider threats across all users in an organisation – privileged users, third-party vendors and business users.
ObserveIT is an Insider Threat Solution
ObserveIT allows security, compliance and forensics teams to detect and respond to authorised users doing unauthorised things. ObserveIT protects enterprises from data loss, fraud and IP theft across third parties, privileged users and business users.
• User Behaviour Analytics and Risk Scoring: assesses the risk of every user, analyses and scores user activity to identify any actions that are out of role, suspicious, or in violation of security policies.
• User Activity Monitoring and Alerting: captures all user activity, generates textual audit logs, screen recordings and alerts for risky behaviour on desktops and servers.
• Field-Level Application Logging and Auditing: tracks what is happening within on-premise and cloud apps, including those with no internal logging facilities of their own.
• Live-Session Response and Visual Forensics: provides video replay and analysis of real-time and historic user actions, and provides the ability to actually stop user activity.
The Complete Insider Threat Solution by ObserveIT analyses exactly what the user does during a session using proprietary metadata and contextual screen captures, and assigns the most accurate risk score to hazardous users. Immediate notification and real-time calculation of a user’s risk are provided. When a dangerous action is performed – such as exporting confidential customer information, running SQL queries containing various keywords, or accessing resources that shouldn’t be accessed – the user gets a score based on the severity of the activity. The ObserveIT solution provides built-in detection via a library of stored alert rules that can be used to detect hazardous user activity across applications, systems and users.
These stored-alert rules can be customised to match the unique needs of a company. User behaviour analytics and risk scoring prioritise internal investigations, so that security teams can focus on the users who are actually putting the business at risk. ObserveIT is the only solution that can effectively distinguish abusive behaviour from normal user activity.
ObserveIT offers a new application marking technology, which tracks in-application elements for data exposure and extraction. This new visibility provides the most accurate understanding of one of the biggest sources of insider threats – applications. With ObserveIT, you can select and mark sensitive information within applications – such as SAP – to record, detect and audit when users are inappropriately viewing, changing or exporting sensitive information. This allows security teams to uniquely understand risk at an application field-level and detect abnormal usage.
Example 1: Real-time Drill-down
Upon receiving an alert, the administrator can click a link to observe the suspicious user session, live, via a streaming video broadcast of the user’s screen. The administrator can rewind the video to earlier in the session or immediately review the user activity logs generated by the current session (and past sessions performed by the same user).
Example 2: User Messaging and Session Kill
If necessary, administrators can instant-message a user via the desktop to try to determine whether the suspicious activity may be warranted or, if it is thought critical, instantly shut down the user’s session from within the same interface.
The ObserveIT Insider Threat Solution offers unique visibility to investigate unsafe user behaviour in real time and watch exactly what users are doing to respond to internal security events. With ObserveIT, you can view live screen scrapes of all activity for a user to understand the user’s intent, interact with users who are performing out-of-scope activity, and shut down malicious sessions.
ObserveIT’s Insider Threat solution has proven to accelerate investigations tenfold by showing exactly what users are doing with real-time visual screen-capture technology. There’s no guesswork.