Preventing Insider Threat with ObserveIT

ITM On-Prem (ObserveIT) addresses critical requirements of any Insider Threat Program by enabling security administrators to raise the security awareness of their users, dramatically reduce the risk caused by negligent users, easily track user behavior changes, and help to enforce company security policies.

ObserveIT's Insider Threat Intelligence platform is designed to prevent insider threat and increase security awareness by educating employees about out-of-policy behavior, whether malicious or negligent. Through policy notification and enforcement, users can be educated to change their behavior. The ITM On-Prem (ObserveIT) User Risk Dashboard provides Security Analysts and Investigators with an easy way to track users who have received any type of policy notification or enforcement as a result of violating company policy or security rules. Every user notification message triggers an alert that notifies security specialists about the incident and updates the user's risk score. Notifications can be set to trigger when users access a prohibited file, copy data to a USB drive, download programs, print sensitive documents, or perform other activities identified as posing risk to the organization.

User risk can come from insider users, employees, privileged users, and third-party vendors. Current or former employees, contractors, or other business partners who have authorized access to your organizational data pose one of the greatest risks. These users usually have the authority to alter or delete critical organizational data. Identifying and pinpointing who or what is driving a data breach is crucial for successful remediation and recovery. Because most companies have little visibility into what users actually do once they are logged in, this type of security breach can often remain undetected for some time. ObserveIT's insider threat intelligence can detect behavioral irregularities and alert IT security staff in real time.

ITM On-Prem (ObserveIT) provides an extensive library of out-of-the-box detection scenarios that cover the most common risky user activities that might generate alerts. These rules have built-in policy notifications that are designed to increase the security awareness of users and reduce overall company risk. ObserveIT's library of alert rules can be applied on Windows and Unix/Linux machines. The rules are grouped by security category to simplify navigation and management. For details, please refer to the ITM On-Prem (ObserveIT) Insider Threat Library.

ObserveIT's Insider Threat Platform mitigates user risk across enterprises by:

  • Increasing visibility into applications, which are the main vehicle for insider users to access sensitive data.

  • Tracking policy violations and user behavior changes.

  • Deterring and preventing users from violating security rules by posting real-time notifications and blocking users who are acting out of policy or performing malicious activity.

  • Educating employees about what is right or wrong according to a company’s security policy.

  • Detecting data exposure, data theft, and out-of-policy activities that involve specific application field data (In-App elements) across desktop, web-based, and Unix/Linux applications.

  • Detecting potential data leaks when files are copied or USB devices are connected.

  • Scoring users based on their imposed risk.

  • Allowing you to build your own alert rules, or to use built-in canned alert rules, to detect risky user activity by Business users or Administrators on either Windows or Unix/Linux machines.

The following are some examples of risky insider user activities for which you might want to generate real-time alerts, generate reports, and run ad-hoc searches in ObserveIT:

  • Logging-in locally or remotely to unauthorized servers by unauthorized users or from unauthorized clients

  • Sending sensitive documents to a local/network printer during irregular hours

  • Copying files or folders that are either sensitive or located in a sensitive location during irregular hours

  • Connecting a USB storage device (or mobile phone) in order to copy sensitive information

  • Using Cloud storage backup or large file-sending sites that are not allowed by company policy

  • Running unauthorized commands as a non-admin user in command line tools such as CMD, PowerShell, PuTTY and Terminal (Mac)

  • Typing text that contains workplace violence words that should not be used in digital communication

  • Typing text that contains sensitive intellectual property-related words in personal communication tools such as web mail, Chat, IM or Social Media sites

  • Storing passwords in files that can be easily detected by password harvesting tools

  • Clicking links within emails that open Phishing websites

  • Browsing malware-hosting websites with high potential security risk

  • Browsing websites with unauthorized content (gambling, adults, etc.)

  • Being non-productive by wasting time on Social Networks, Chat, Gaming, Shopping sites, and so on

  • Searching the Internet for information on malicious software, such as steganography tools (for hiding text-based information within images)

  • Accessing the Darknet using TOR browsers

  • Performing unauthorized activities on servers, such as running webmail or Instant Messaging services

  • Running malicious tools such as password cracking, port scanning, or hacking tools, or non-standard SETUID programs on Linux/Unix

  • Hiding information and covering tracks by running secured/encrypted email clients, clearing browsing history, zipping files with passwords, or tampering with audit log files

  • Attempting to gain higher user privileges (for example, via the su or sudo commands, running an application as Administrator)

  • Performing copyright infringement by browsing copyright-violating websites or by running P2P tools

  • Changing the root password as a regular user, or searching for directories with WRITE/EXECUTE permissions in preparation for an attack (on Linux/Unix)

  • Performing IT sabotage by deleting local users or files in sensitive directories (on Linux/Unix)

  • Creating backdoors by adding users or groups intended for later misuse

  • Installing questionable or unauthorized software such as hacking/spoofing tools on either desktops or sensitive servers

  • Accessing sensitive administration tools or configurations, such as Registry Editor, Microsoft Management Console, PowerShell, Firewall settings, etc.

  • Adding a new credential in SQL Server Management Studio that can be used later as a backdoor
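The scenarios above all follow the same pattern described earlier on this page: a rule matches a user activity, the match raises an alert, and the alert adds to the user's risk score. The following Python is an added example that is not ObserveIT's code and does not use its rule format or API; it models that pattern with a handful of constructed rules (privilege escalation attempts by non-admins, USB storage connections, copies from sensitive directories and printing during irregular hours) run over constructed activity events. The event fields, rule names, weights and the "irregular hours" window are all assumptions chosen for illustration.

```python
"""Toy insider-risk rule engine: tags activity events against a few of the
scenarios listed above and keeps a per-user risk score.
Added example; event schema, rule names and weights are assumptions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    user: str
    ts: datetime
    kind: str            # assumed kinds: "command", "file_copy", "print", "usb"
    detail: str          # command line, source path, printer name or device id
    is_admin: bool = False


@dataclass
class Finding:
    user: str
    rule: str
    weight: int
    event: Event


# Assumed policy parameters (not ObserveIT's defaults).
SENSITIVE_DIRS = ("/srv/finance/", "/srv/hr/")
PRIV_CMDS = ("sudo ", "su ")


def _irregular_hours(ts: datetime) -> bool:
    """Outside 07:00-20:00 counts as irregular hours (assumed window)."""
    return ts.hour < 7 or ts.hour >= 20


# (rule name, risk weight, predicate over an Event)
RULES = [
    ("privilege_escalation_attempt", 30,
     lambda e: e.kind == "command" and not e.is_admin
     and e.detail.startswith(PRIV_CMDS)),
    ("usb_storage_connected", 20,
     lambda e: e.kind == "usb"),
    ("sensitive_copy_irregular_hours", 40,
     lambda e: e.kind == "file_copy" and e.detail.startswith(SENSITIVE_DIRS)
     and _irregular_hours(e.ts)),
    ("print_irregular_hours", 15,
     lambda e: e.kind == "print" and _irregular_hours(e.ts)),
]


def evaluate(events):
    """Return one Finding per (event, matching rule); an event may hit several rules."""
    findings = []
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                findings.append(Finding(e.user, name, weight, e))
    return findings


def risk_scores(findings):
    """Accumulate rule weights per user, mirroring 'every notification updates the risk score'."""
    scores = {}
    for f in findings:
        scores[f.user] = scores.get(f.user, 0) + f.weight
    return scores


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("alice", datetime(2024, 3, 1, 2, 15), "file_copy", "/srv/finance/q3.xlsx"),
    Event("alice", datetime(2024, 3, 1, 2, 16), "usb", "VID_0781_PID_5583"),
    Event("bob", datetime(2024, 3, 1, 14, 0), "command", "sudo -i"),
    Event("carol", datetime(2024, 3, 1, 14, 30), "command", "sudo -i", is_admin=True),
    Event("dave", datetime(2024, 3, 1, 21, 0), "print", "HR-Printer-2"),
    Event("erin", datetime(2024, 3, 1, 10, 0), "file_copy", "/home/erin/notes.txt"),
]


def run_sample():
    """Evaluate the constructed events; returns (findings, per-user scores)."""
    findings = evaluate(SAMPLE_EVENTS)
    return findings, risk_scores(findings)


if __name__ == "__main__":
    found, scores = run_sample()
    for f in found:
        print(f"{f.event.ts:%H:%M} {f.user:<6} {f.rule} (+{f.weight})")
    print("risk scores:", scores)
```

Note that carol's `sudo -i` produces no finding because the rule excludes administrators, and erin's copy from a home directory matches nothing; only events that both match a rule and fall in the assumed policy window add to a score. The same structure extends to the other scenarios in the list by adding a predicate and a weight to `RULES`.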