Review: New tools to fight insider threats

Previous 1 2 Page 2

When a user violates policy, there are several actions that can be defined in Avanan. Users could simply be notified of the possible security breach, with customized messages explaining why an action is being denied. In this way, users can become educated as to bad or undesirable behavior in the cloud and thereafter be less likely to become accidental insider threats.

Moving up the severity ladder, users can be alerted to the denial, but offered the chance to explain their actions. Perhaps they have a valid business reason for sending confidential data to a colleague. Administrators can then consider that reasoning in their response and can then allow or deny the suspected action. In either case, an audit trail is generated that can be used for any future investigations of that user, process or program. Finally, processes can be outright denied and security teams notified when a policy is broken, with or without tipping off the user.

The main Avanan console is basically like a SIEM itself, though it consolidates data from any other SIEM or security program running in the cloud. It also has a robust shadow IT function, which shows applications that have been installed within the cloud, who is using them and what they are doing. Entire applications can be denied and removed from the cloud regardless of the number of users, preventing any program from becoming an insider threat itself, or acting as a vehicle for things like prohibited file transfers or data sharing.

Avanan doesn’t quite present as neat a picture of individual insider threat activity as Fortscale does for traditional networks, but questionable activity can still be ferreted out with minimal training. In our demo, one user was attempting to access folders where they had rights, but then was trying to perform functions which were prohibited by policy, namely attempting to move files to a less secure area. In that case, the user was likely a true insider threat.

In another example, a user was again accessing legitimate folders, but was doing so from multiple locations around the world, which was shown on a graphical map within Fortscale. In that instance it was likely a case of compromised credentials. In both instances, Avanan prevented the insider threat from taking any detrimental action.

With so much data moving to the cloud, having a program like Avanan is almost a necessity these days. Besides the ability to protect data and files from insider threats, the value of being able to deploy a huge variety of security programs into the cloud with just one click can’t be overstated. And giving full visibility into all the user, program and access actions taking place in the cloud really demystifies it, allowing administrators to manage and protect it more like a traditional network, keeping cloud-based data safe from both outside and insider threats.

iNetSec Smart Finder: Agentless scanning of mobile devices

Mobility adds another wrinkle to security when users are allowed to access their networks using tablets, smartphones and other mobile devices. These mobile devices add more potential liability since they are essentially network clients that routinely leave the office and the control of administrators. In addition to normal insider threat issues, mobility also adds the possibility that a credentialed device could be lost or stolen, giving a potential window into a protected network.

+ RELATED: 5 active mobile threats spoofing enterprise apps +

PFU Systems, a Fujitsu company, aims to manage the increased potential for insider threats generated by mobility programs with their iNetSec system. Everything it does is focused on mobility, so an organization’s need for such a program would be dependent on how much they rely on mobility programs or BYOD deployments.

The iNetSec Smart Finder system is deployed as a network appliance that generally sits between the LAN segments of a network and the VLAN segments used by mobile users. A single iNetSec appliance can support up to 16 VLANs. The iNetSec Smart Finder appliance starts at $8,410 and includes the management software, one year of support and one appliance with a capacity of 1,000 concurrent devices.

Once deployed, the iNetSec Smart Finder appliance discovers, classifies and manages all mobile devices in order to enforce network access policies. In addition to device management, it will graph and visualize all application traffic broken down by device to prevent bandwidth abuse and stop high risk applications from operating.

And while iNetSec is mostly concerned with insider threats, it can also scan internal network traffic to detect the presence of Advanced Persistent Threats (APT) based on behavioral correlation. It is able to do all this without the need to install agents on any mobile device, so users participating in a BYOD program won’t have to allow extra or unwanted software onto their personal devices.

The first step, once our iNetSec testbed went live, was to scan for every mobile device which was connected or had connected to the network. The iNetSec appliance actually was able to find any device with a MAC address, including routers and VoIP phones, and properly identify them in the main console. It does this in order to monitor traffic moving through the network gateway as well as any lateral movement that might be an indication of an active APT.

Pulling mobile devices aside, administrators can go through the process of allowing each one to connect to the network and setting up the circumstances and approvals needed to do so, or they can be denied all together. This can also be done by policy instead of looking at each individual device, which is nice if there are thousands of them on a network. With our smaller testbed, we simply looked at each one and the process went very quickly.

As a bonus, rules can be established regarding certain aspects of security, such as how often a mobile device needs to connect to the network to maintain its valid credentials. So you can set iNetSec to, for example, consider a device to be lost or stolen if it does not check in every seven days. This would help to prevent one insider threat possibility that doesn’t normally occur with non-mobile systems, namely an authorized device falling into the hands of an unauthorized user. Devices that try to connect after the set time limit can be forced to follow a different procedure to regain full network access, perhaps requiring direct approval from security personnel.

Once each device is approved or rejected, and a policy put in place to govern any new devices that want to connect, iNetSec begins monitoring what those devices and users are doing. The main dashboard displays every connected device and its current activity. You can even see, for example, which users are watching YouTube videos or goofing around with their devices. This is important because each application being used is assigned a risk level, even if it is not actively doing anything bad at the time. On our test network a file sharing application based in China shot up to very high concern levels as soon as it came online. Even some seemingly normal programs like Adobe SendNow were given high risk factors based on their potential for abuse.

Administrators can choose to permit or prohibit any application’s use on the network. While this would not remove them from the mobile device, which iNetSec has no direct control over, it would prevent them from being used to transfer files or to interact with a protected network. In cases an administrator considers to be extreme, the presence of certain programs or malware could trigger a device to be immediately denied network access all together.

Ironically, iNetSec uses Address Resolution Protocol (ARP) spoofing to be able to instantly deny mobile devices access to a network in an emergency, and also instantly allow them to rejoin later if needed. ARP spoofing is a technique sometimes used by attackers, so it was interesting to see it used cleverly for good.

In addition to suspect applications, iNetSec also looks at traffic patterns within the network that touches mobile users. So if someone is using their phone to move files or access prohibited areas, iNetSec might flag that behavior. However, without the presence of actual malware or some suspect application involved, a user doing something like that might be able to go for a while without iNetSec flagging them.

In this day and age, few organizations can afford to completely prevent their users from working on mobile devices, and even the most conservative companies have embraced some form of BYOD programs. But there is no denying that adding mobile devices adds security concerns and potential threats coming from those authorized devices once inside the network. The iNetSec appliance can go a long way to patching many of those security holes, giving administrators a clear picture of just what those users and devices are doing, and the ability to instantly respond to any perceived insider threat.

John Breeden is an award winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at jbreeden@techwritersbureau.com.

This story, "Review: New tools to fight insider threats" was originally published by Network World.