How to spot threats — before you suffer a security breach

Wouldn’t it be great if you could catch insider threats and hackers who have gotten into your network — before they cause an IT security incident? Kind of like the way the psychics (“precogs”) in the movie “Minority Report” enable the police to prevent murders?

Well, advances in technology have a habit of turning science fiction into reality. All you need is information — a deep understanding of what each user tends to do day in and day out, and alerts that notify you right away when anyone strays from their normal patterns. Then you could take action and actually prevent a data security incident before it occurs!

Consider the following scenario.

Joe has been a Windows administrator at the global organisation Acme Solutions for 10 years; he currently manages all the users based in Australia. One day, Joe’s manager calls him into his office. As soon as Joe sees Casey, the team’s Human Resources rep, there, his heart sinks. Yep, there’s bad news: Terry, the IT Director in the U.S. has decided that Joe’s position is being eliminated. He has until the end of the day to clean out his desk and he’ll get six weeks of severance pay to soften the blow.

At first, Joe is disappointed but understanding; after all, the severance terms are standard for the region. Mostly he’s just worried about whether he can get a new job quickly enough to still make his mortgage payments. But when he returns to his desk, his disappointment quickly turns to anger. Ten years of dedicated service to Acme and now someone on the other side of the planet is erasing his job, just like that? Joe doesn’t have a clear objective yet, but he decides to hunt around for information he might be able to use to help himself. He goes into Active Directory and grants himself access to the IT Director’s email account. Maybe he’ll find some dirt on Terry that he can use to keep his job, or at least make him suffer, maybe by sending a few choice emails to customers from Terry’s account. Joe is clearly acting irrationally, but he’s not worried since he thinks no one is checking on him. Who checks the checker? A security incident is quickly unfolding, and Acme’s security team is helpless to even spot it, much less block it.

Or are they? Turns out, the team implemented Quest Change Auditor Threat Detection a year ago. Since then, it has been gathering detailed information about the habits of each user in the environment and building up pictures of their “normal” behavior. As soon as Joe accesses a part of the environment he has never gone into before — before he has even had a chance to do anything malicious — Change Auditor Threat Detection sends an alert to members of the security team, who quickly block his account. With the reports it provides proving his actions, the company requires Joe to leave immediately and might well take legal action against him. Acme has avoided a security incident that could have had severe repercussions.

You can easily imagine similar scenarios — an executive who’s planning to leave for another company and wants to take along some critical IP, or a marketing person who decides to download the entire customer database for their own use. The fact is, everyone is trustworthy and not trustworthy at the same time. Given the right circumstances, anyone is capable of breaking the rules, and with the power of technology and electronic data, the consequences can be more severe than ever. Therefore, monitoring everyone’s adherence to the rules is of paramount importance today.
There is a catch, though. With ordinary cyber security solutions, such as network intrusion prevention systems, organizations average 387 million alerts every 60 days! There’s no way any company can review and investigate that many alerts, so 44% are never checked out. Of course, most of them are false positives, but how many true threats are getting through every day?

To avoid burying true threats in an avalanche of alerts, what you need is artificial intelligence (AI) that’s capable of learning the normal behavior of users and systems on its own, so it can eliminate the false positives and zero in on the truly suspicious actions — like Joe granting himself access to the IT Director’s mailbox, or a hacker who has taken over a user account or created a new account with privileges to access your sensitive data. Change Auditor Threat Detection delivers user behavior analytics that can pinpoint those highly suspicious and threatening actions in the vast sea of user activity data and respond faster than any human could. (And if your organization is subject to any compliance regulations, you’ll have a huge leg up on passing your next cyber security audit or information security audit!)
Get one step ahead by pre-emptively spotting and blocking the true threats in your organization.
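To make the baseline-and-deviation idea above concrete, here is an added illustration in Python (not Quest’s code and not a description of how Change Auditor Threat Detection works internally): it learns each account’s normal (action, target) pairs from a window of constructed audit events, then raises an alert when an account does something outside that profile, or when an account with no history at all acts. User, mailbox and group names are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditEvent:
    day: int      # day index inside the observation window (constructed)
    user: str
    action: str   # e.g. "reset_password", "modify_acl"
    target: str   # the directory object or mailbox acted on

def build_baseline(events, window_days):
    """Learn each user's normal (action, target) pairs from the first window_days."""
    profile = defaultdict(set)
    for ev in events:
        if ev.day < window_days:
            profile[ev.user].add((ev.action, ev.target))
    return profile

def score_event(profile, ev):
    """Return an alert string when ev departs from the user's baseline, else None."""
    known = profile.get(ev.user)
    if not known:
        # No history at all: a newly created or long-dormant account acting
        return f"{ev.user}: no baseline, performed {ev.action} on {ev.target}"
    if (ev.action, ev.target) in known:
        return None
    if ev.action in {a for a, _ in known}:
        return f"{ev.user}: familiar action {ev.action} on new target {ev.target}"
    return f"{ev.user}: never-before-seen action {ev.action} on {ev.target}"

def detect(events, window_days=30):
    """Alerts for every post-baseline event that deviates from the learned profile."""
    profile = build_baseline(events, window_days)
    scored = (score_event(profile, ev) for ev in events if ev.day >= window_days)
    return [alert for alert in scored if alert]

# Constructed sample log: 30 days of Joe's routine Australian user admin work,
# followed by the day of the scenario above (all names are placeholders).
SAMPLE = [AuditEvent(d, "ACME\\joe", "reset_password", f"ACME\\au-user{d % 7}") for d in range(30)]
SAMPLE += [AuditEvent(d, "ACME\\joe", "modify_user", f"ACME\\au-user{d % 7}") for d in range(30)]
SAMPLE += [
    AuditEvent(30, "ACME\\joe", "reset_password", "ACME\\au-user3"),     # routine, no alert
    AuditEvent(30, "ACME\\joe", "modify_acl", "Mailbox:terry"),          # granting himself mailbox access
    AuditEvent(30, "ACME\\svc-new1", "modify_acl", "CN=Domain Admins"),  # account with no history
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("ALERT", alert)
```

In practice the profile must keep learning: an alert a reviewer confirms as benign should be added to that user’s baseline, otherwise a legitimate change of duties generates the same alert every day.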

If you want to know more about state-of-the-art threat detection, check out what’s new at Quest:

Source: Results from using Change Auditor Threat Detection to monitor an 80,600-user AD environment over a 60-day period

Source: Ponemon 2017 Cost of Data Breach Study