Top 10 Guide - A Guide to Selecting a SIM Solution for Insider Threat


  • 8/3/2019 Top 10 Guide - A Guide to Selecting a SIM Solution for Insider Threat



Insider threats are the easiest to perpetrate, hardest to detect and most politically charged to manage. And unfortunately, there is no security panacea for insider threats. There is no piece of software that someone can install, box that can be plugged in, policy that can be written or guru that can be hired that makes an organization 100 percent secure. Managing insider threats is a merger of people, process and technology that requires vigilance and constant awareness. The most secure companies in the world have discovered that the right combination of these variables achieves a strong security posture.

Insiders can take many forms. They may be well-intentioned employees that simply made a mistake that leads to a vulnerability which can be exploited. They may be disgruntled employees or contractors, cleaning crews, or even plants from competitors, foreign governments or terrorist organizations. Some insiders join an organization with surreptitious intent; others typically subscribe to one or more of the following categories for their motivation: greed, power, revenge, politics, fear, boredom or excitement.

Luckily, security information management (SIM) solutions are particularly well suited for addressing insider threats. SIM is typically deployed to look beyond traditional perimeter devices such as firewalls, intrusion detection and network devices, by processing information from the core infrastructure such as critical servers, mainframes, application logs, telephony and physical security devices. This holistic perspective of an organization's security posture allows for advanced correlation, anomaly detection and the identification of malicious patterns.

In addition to the technical capabilities of SIM, it also has many features suitable for working across disparate organizations such as human resources, legal and executive management. These are groups that frequently lack the coordination to manage internal threats. Some features for cross-departmental coordination are: case management, reporting, workflow integration with policies and procedures, access controls for managing access to sensitive information during investigations, and interactive visualization capabilities that allow non-technical departments to easily understand complex attacks. Together, this combination of technical and business-relevant capabilities makes SIM the ideal foundation for any insider threat program.

ArcSight has developed the following list of evaluation best practices to assist organizations in making the right SIM choice for their insider threat needs. This list has been compiled directly from the experiences of customers. These practices should be used as an integral part of your evaluation and selection process.

10. Insider Threats are Different than External Threats

Don't be fooled into thinking that addressing insider threat is like addressing external security threats, but now you're collecting logs from the inside too. Risks associated with internal attacks are only mitigated by incorporating the all-important combination of people, process and technology into a cohesive, extensible and scalable solution. Just as every organization has different people, they also have diverse technologies and processes. The SIM solution should be flexible enough to work with the myriad of solutions you have and plan to have. This doesn't just mean collecting events, but rather transforming that raw event data into useful, actionable information tied directly to the insider threat. Once the information is processed, functionality must exist to make the insider threat-specific scenarios understandable by technical and non-technical people. The SIM solution's alerting, escalation and remediation capabilities should parallel your organization's own policies and procedures. When evaluating SIM vendors, ensure that their solution has specialized, insider threat-specific content that is scalable, works with your data sources, aligns with your workflow and delivers information suitable for detailed, technical analysis and executive-level oversight.

9. Detecting the Insider Threat

From a tactical perspective, the security lifecycle generally falls under three broad categories: incident prevention, incident detection and incident management. While insider threat prevention is critical, it simply isn't self-sustaining or scalable, especially when addressing trusted or semi-trusted users who have more access than an outsider. This is why incident detection and management are needed, and this is why a SIM is required. Based on holistic event collection, the SIM solution should be an early-warning system that is triggered by suspicious actions and automatically escalates threat levels of malicious actions. Insider actions cover the gamut of threats from information leakage through sabotage; thus the solution must be extensible to consider all types. It should also provide out-of-the-box content for insider threats as well as customizable solutions in terms of correlation, anomaly detection and pattern discovery. All of these solutions should be able to work with any event information entering the SIM. For example, correlate OS, application, access control and physical security badge reader logs for causal threat determination. Correlation facilitates the discovery of known behaviors, pattern discovery uncovers patterns based on trends and anomaly detection detects deviations from the norm. This combination of detective capabilities should further leverage a threat model that considers not only the events, but also vulnerability information associated with the targets, and asset information about the target such as geography, logical location, applications, services, operating system, business use, time parameters, sensitivity of content, relationships to regulatory compliance and so forth. Based on all these variables, the SIM should be able to assign a priority score to efficiently identify malicious insider activity.

8. Managing the Insider Threat

A senior employee with twenty years' experience appears to be doing something malicious. What do you do? What you don't want to do is define the policies and procedures after the incident. An insider threat program completely based on technology will fail. Successful insider threat solutions leverage your company's unique policies and procedures. A robust SIM solution will have native case management and integration with third-party solutions. It will have a notion of hierarchy and escalation based on the parameters of the threat. It will also have an integrated knowledge base that can guide the responding individuals through a step-by-step process to ensure that their actions are in line with company policies. The knowledge base is essential because with insider threats there are often major delays between detection and response due to the lack of policies and procedures. Not only can SIM shrink the window of vulnerability by easily integrating with these frameworks, but this integration will yield the ability to define risk based on what is important to your business. Further, you can train employees in effective response and remediation centered in the SIM infrastructure. With this design, events will consistently have the involvement of relevant stakeholders and will help to achieve operational efficiencies through automation, create a repeatable and measurable insider threat mitigation program, decrease investigative inefficiencies and false positives, and ensure that legal protocols are being followed.

7. Providing Intelligent, Insider-Aware Response Capabilities

Historically the automation of response has been a delicate subject with poor controls around change management, authorization, auditing and general change documentation. This was typically because technologies were unable to effectively reduce false positives and accurately detect attacks. With the decreasing vulnerability threat window, automated response is gaining renewed momentum. This is particularly relevant for insider threats since insiders by definition have elevated levels of access and trust, their attacks progress quickly and they are the hardest to prevent. Thus, every insider threat SIM solution needs to provide intelligent, rapid response capabilities that utilize:

  • Human-assisted or completely automatic response based on organizational policy
  • Integrated response verification, escalation, authorization and change rollback
  • Vendor-neutral network quarantining as well as layer-3 and layer-2 blocking
  • Active Directory integration to disable accounts, preventing logical and even physical access
  • Tracking features ensuring that all responses are auditable and documented every time
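The response pipeline the list above describes, as an added illustration that is not ArcSight's code: a policy decides between automatic and human-assisted response, an authorization check gates the manual path, every decision is written to an audit trail, and each change keeps a rollback for the false-positive case. The `ResponsePolicy`, `Responder` and the in-memory `disabled` set standing in for a directory are all hypothetical.

```python
"""Toy policy-driven response pipeline: automatic above a priority threshold,
otherwise gated on an approver role; every step is audited and reversible.
Hypothetical example code, not ArcSight's; the account store is an in-memory set."""
from dataclasses import dataclass, field


@dataclass
class ResponsePolicy:
    auto_threshold: int   # priority at or above which automatic response is allowed
    approvers: set        # roles permitted to authorize a human-assisted response


@dataclass
class Responder:
    policy: ResponsePolicy
    audit: list = field(default_factory=list)    # every decision and action, in order
    disabled: set = field(default_factory=set)   # constructed stand-in for directory accounts
    rollbacks: dict = field(default_factory=dict)  # case id -> account to restore

    def _log(self, case, event, **detail):
        self.audit.append({"case": case, "event": event, **detail})

    def request(self, case, account, priority, requester_role):
        """Decide how to respond: automatic above threshold, else require approval."""
        if priority >= self.policy.auto_threshold:
            self._log(case, "auto_response", account=account, priority=priority)
            return self._disable(case, account)
        if requester_role in self.policy.approvers:
            self._log(case, "approved", by=requester_role, account=account)
            return self._disable(case, account)
        self._log(case, "escalated", account=account, reason="awaiting approval")
        return "pending"

    def _disable(self, case, account):
        """Verify the change is still needed, apply it, and remember how to undo it."""
        if account in self.disabled:
            self._log(case, "verify_failed", account=account, reason="already disabled")
            return "noop"
        self.disabled.add(account)
        self.rollbacks[case] = account
        self._log(case, "account_disabled", account=account)
        return "disabled"

    def rollback(self, case):
        """Undo a response (for example after a false positive) and leave a record."""
        account = self.rollbacks.pop(case, None)
        if account is None:
            return "nothing_to_rollback"
        self.disabled.discard(account)
        self._log(case, "rolled_back", account=account)
        return "restored"
```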

6. Leveraging Real-time and Forensics Analysis to Pinpoint Insiders

When insiders are discovered there is typically a strict set of formal actions that follow. Common questions that lead the investigations are how long has it been going on, what else has been done, who else might be involved and more. Since insider detection occurs both in real time and through historical data, these capabilities are essential for addressing insider threat. Within the SIM, real-time and forensics analysis must work together seamlessly. Any feature that can be applied in real-time analysis needs to also be available for forensic analysis. It shouldn't matter if events are coming in from live feeds or from a database archive. Often, pattern discovery on historical data illustrates trends that are more subtle than real-time analysis, which is why it is critical for the SIM to support a mission-critical, enterprise-level database and data retention/reactivation mechanism.

5. Understanding that Insiders are People

Insiders are people; they're not IP addresses, MAC addresses, laptops or applications. One of the most difficult processes in insider threat identification is getting from a flood of events to the actual malicious insider. Without an enterprise-level SIM and supporting database, relationships may never be discovered, or it may take an inordinately long time to investigate. SIMs must have the ability to keep dynamic lists of relevant information such as: targets, attackers, accounts, attack types and the like. In addition to supporting a wide range of products already discussed, SIMs must also track user-centric information through identity, content and policy management solutions. They should also consider roles, reporting structures, departmental relationships, geographies, time and other metrics that may be important in determining insider threat activity. All this information comes together to allow for more advanced correlation, create baselines, identify outlier anomalies and ultimately connect a face to the suspicious actions.
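The correlation described in sections 9, 6 and 5 above (badge-reader, OS and application logs combined, a priority score driven by asset sensitivity and vulnerability data, the same rules run over a live feed or an archive, and alerts tied to a person rather than an account), as an added example that is not ArcSight's code. The events, identity map, asset model and rule thresholds are all constructed for illustration.

```python
"""Toy SIM correlation over badge-reader, OS and application logs that scores
alerts by asset sensitivity and vulnerability and ties them to a person.
Hypothetical example code, not ArcSight's; all data below is constructed."""
from datetime import datetime

# Constructed events already normalized to one schema (a real SIM parses each
# device's native format first). Badge ids and OS accounts differ on purpose.
EVENTS = [
    {"ts": "2006-08-14 17:55", "src": "badge", "who": "B-1042", "host": "lobby", "action": "exit"},
    {"ts": "2006-08-14 19:10", "src": "os", "who": "jdoe", "host": "hr-db1", "action": "logon"},
    {"ts": "2006-08-14 19:12", "src": "app", "who": "jdoe", "host": "hr-db1", "action": "export"},
    {"ts": "2006-08-14 09:02", "src": "badge", "who": "B-2077", "host": "lobby", "action": "entry"},
    {"ts": "2006-08-14 09:30", "src": "os", "who": "asmith", "host": "wiki", "action": "logon"},
]
# Identity data (constructed): every account or badge id resolves to a person.
IDENTITIES = {"B-1042": "Jane Doe", "jdoe": "Jane Doe",
              "B-2077": "Al Smith", "asmith": "Al Smith"}
# Asset model (constructed): content sensitivity 1-5 and known unpatched vulnerability.
ASSETS = {"hr-db1": {"sensitivity": 5, "vulnerable": True},
          "wiki": {"sensitivity": 1, "vulnerable": False}}
UNKNOWN_ASSET = {"sensitivity": 1, "vulnerable": False}


def priority(base, host):
    """Rule severity raised by target sensitivity and a known vulnerability, capped at 10."""
    asset = ASSETS.get(host, UNKNOWN_ASSET)
    return min(10, base + asset["sensitivity"] + (2 if asset["vulnerable"] else 0))


def correlate(events):
    """Run the same rules over any event iterable, live feed or archive, ordering by
    timestamp first. Flags a logon by a person whose last badge event was an exit,
    and an export from a highly sensitive asset; alerts name the person, not the id."""
    present = {}  # person -> True after a badge entry, False after a badge exit
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")):
        person = IDENTITIES.get(ev["who"], ev["who"])
        sensitivity = ASSETS.get(ev["host"], UNKNOWN_ASSET)["sensitivity"]
        if ev["src"] == "badge":
            present[person] = ev["action"] == "entry"
        elif ev["src"] == "os" and ev["action"] == "logon" and present.get(person) is False:
            alerts.append({"person": person, "rule": "logon_while_badged_out",
                           "host": ev["host"], "priority": priority(3, ev["host"])})
        elif ev["src"] == "app" and ev["action"] == "export" and sensitivity >= 4:
            alerts.append({"person": person, "rule": "export_from_sensitive_asset",
                           "host": ev["host"], "priority": priority(2, ev["host"])})
    return sorted(alerts, key=lambda a: -a["priority"])
```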

4. Converging Insider Threat with IT Governance and Regulatory Compliance

While security and compliance are not identical, when you look at their juxtaposition there is significant overlap, especially as it relates to insider threat. Many of the systems interesting to insiders contain data that would fall under regulatory compliance, such as financial data, healthcare records and personal information. Protecting those systems from insiders with SIM can also address IT governance and regulatory compliance. Some ways that SIM should be able to provide double duty include: use audit trails to track an incident, monitor and log security activity, create incident reports, provide built-in audit capability within the SIM itself and retain the events for later examination.

3. Demanding ROI & ROSI for Your Insider Threat Program

There has been an increasing trend over the last few years: security programs are being evaluated against broader business objectives. Organizations are searching for ways to make security a competitive differentiator, an enabler for business initiatives, a factor in increasing operational efficiencies and an instrument for reducing costs, all while the primary focus remains risk mitigation. There are two principal areas that need to be measured. For ROI, your SIM vendor should be able to help in calculating the dollars based on your custom insider threat needs merged with best practices from a multitude of customers, especially those in your business. Beware of boilerplate templates. Insider threat ROI needs to be an interactive discovery process that your vendor assists you with, not a fill-in-the-blank form. This discovery process should result in quantitative numbers illustrating the insider threat program's impact on cost savings and the overall efficiency of the investment. For ROSI (return on security investment), your SIM vendor should be able to help define more qualitative variables tied to risk reduction that will result from your insider threat solution. As with ROI, this is a discovery process that will yield specific advantages related to areas such as brand image, better analysis capabilities, increased operational efficiencies and faster remediation.

performance and features.

2. Converging Insider Threat with Physical Security

Insider threat has a clear integration path with traditional IT security solutions and compliance. However, one historically overlooked area that is gaining rapid appeal is the convergence of physical and logical security. Insider threat is a leading reason why organizations are going in this direction. A mature SIM solution should have the extensibility of not only integrating with these devices by collecting information from them, but also be able to leverage capabilities such as correlation, visualization, reporting and the like to render useful information. In addition, the SIM's reporting, alerting and case management system should act as a vehicle for improved communication between physical and information security teams. SIM solutions that are simply focused on perimeter security products and network devices lack the maturity and capabilities of scaling to be a truly holistic solution for the ever-expanding security posture of today's organizations.

1. Proving that the Vendor's Insider Threat Claims are Valid

Evaluate your SIM vendor's insider threat solution by looking at their customer base, evaluating third-party reviews, talking with like organizations that have implemented the solution and kicking the tires by going to trial. Ensure that the solution is truly vendor-neutral and can integrate with all the disparate data sources in your environment. Terms like correlation, normalization and anomaly detection are loosely thrown around in the SIM space, so ask to see a demonstration of the capabilities that are most important to you and see how their solution will improve your insider threat program. Finally, ensure that they have specialized insider threat content to truly provide value out-of-the-box, such as integration with insider-relevant data sources, graphical dashboards and reports, as well as visualization, auditing, measurement, escalation, alerting and remediation capabilities that consider insider threat scenarios.

Get Started Today

ArcSight offers an enterprise-class security information management solution that can cost-effectively address a broad range of insider threat requirements. We welcome you to test our family of insider threat products head-to-head against any on the market. Our account executives can provide more details that address your specific criteria, show you a product demo and provide a trial for an in-depth look into our solution. It's no coincidence that leading publications recognize ArcSight ESM for its superior flexibility, functionality, scalability and ease of use. For help with your insider threat needs, contact ArcSight at [email protected], call (408) 864 6150 or visit us online at www.arcsight.com.

ArcSight, Inc.
5 Results Way, Cupertino, CA 95014, USA
Email: [email protected]
Phone: 408 864 2600

© 2006 ArcSight, Inc. All rights reserved. ArcSight and ArcSight ESM are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

08/06

About ArcSight

ArcSight, a leader in Enterprise Security Management, provides solutions that serve as the mission control center for real-time threat management, compliance reporting and automated network response. By comprehensively collecting, analyzing and managing security data, ArcSight solutions centrally manage and mitigate information risk for security, insider threat and compliance. ArcSight's customer base includes leading global enterprises, government agencies and MSSPs.