
An effective method to detect insider threats without rules

Traditional security controls have to predefine 'good' and 'bad' behaviour, and that approach inevitably leaves room for people to slip around the rules, deliberately or otherwise. This is particularly risky when the rules are written for insiders. Too restrictive, and legitimate work is obstructed. Too permissive, and the organization exposes itself to threats that were easily preventable.

For example, to prevent unauthorized RDP connections, inbound or outbound, traditional tools such as firewalls typically predefine which destination ports to permit and which to block. A rule keyed on a port number, however, says nothing about the protocol actually carried on a connection, and RDP can be served on any port. If an employee uses a destination port the firewall does not explicitly restrict, they could in principle exfiltrate data from the network without raising an alert.

Shortly after being deployed on the corporate network of a large manufacturing company, the technology flagged a rogue device making RDP connections to an unusual external host, connections that should have been blocked by the firewall.

The organization's firewall was configured to block outbound RDP connections, but the rule was overly simplistic: it matched on destination port alone. By changing the port in use, the device's connections were allowed to proceed.

No other device on the network had been observed connecting to that host. The activity was a major deviation from the pattern of normal behaviour learned by PacketWorker's (PW) machine-learning algorithms. The connections lasted over ten minutes and involved the download of nearly 10 MB of data.
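The contrast between the port-only firewall rule and the behavioural signals described above (a destination no other device has contacted, an unusually long connection, an unusually large transfer, a device with no prior history) can be shown on a handful of flow records. The following is an added illustration written for this page; it is not PacketWorker's code or algorithm, and the flow records, device names and IP addresses are constructed. It also covers an edge case the article's story implies but does not spell out: a freshly connected rogue device has no baseline of its own, so the check falls back to the network-wide baseline.

```python
"""Port-based rule versus a behavioural baseline over constructed flow records.

Illustration only: not PacketWorker's algorithm. All data below is made up.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str          # internal device (hypothetical hostname)
    dst: str          # external host (documentation-range IP, constructed)
    dport: int        # destination TCP port
    duration_s: int   # connection duration in seconds
    bytes_in: int     # bytes the internal device received


# Constructed history: ordinary outbound traffic from known devices.
HISTORY = [
    Flow("ws-01", "203.0.113.10", 443, 12, 40_000),
    Flow("ws-02", "203.0.113.10", 443, 9, 35_000),
    Flow("ws-03", "203.0.113.10", 443, 15, 52_000),
    Flow("ws-01", "203.0.113.20", 443, 30, 120_000),
    Flow("ws-02", "203.0.113.20", 443, 28, 110_000),
    Flow("ws-04", "203.0.113.30", 80, 5, 8_000),
    Flow("ws-03", "203.0.113.30", 80, 7, 9_000),
]

# Constructed candidate modelled on the article: an unknown device talking to a
# host nobody else uses, on a non-standard port, for ten minutes, pulling ~10 MB.
CANDIDATE = Flow("unknown-7f3a", "198.51.100.77", 3390, 610, 9_800_000)

# The simplistic firewall rule: block RDP by its default destination port only.
BLOCKED_PORTS = {3389}


def port_rule_blocks(flow: Flow, blocked=BLOCKED_PORTS) -> bool:
    """Port-only rule: it cannot see RDP served on any other port."""
    return flow.dport in blocked


def other_devices_seen_with(dst: str, history, exclude_src: str) -> int:
    """How many *other* internal devices have ever contacted this destination."""
    return len({f.src for f in history if f.dst == dst and f.src != exclude_src})


def baseline_for(src: str, history):
    """Median duration and bytes for this device.

    A device with no history (e.g. a rogue device that just joined the network)
    has no 'normal' of its own, so fall back to the whole network's baseline.
    """
    own = [f for f in history if f.src == src]
    ref = own if own else list(history)
    return median(f.duration_s for f in ref), median(f.bytes_in for f in ref)


def anomaly_reasons(flow: Flow, history, factor: int = 5):
    """Collect behavioural deviations; 'factor' is an arbitrary illustrative threshold."""
    reasons = []
    if other_devices_seen_with(flow.dst, history, flow.src) == 0:
        reasons.append("destination never seen from any other device")
    med_dur, med_bytes = baseline_for(flow.src, history)
    if flow.duration_s > factor * med_dur:
        reasons.append(f"duration {flow.duration_s}s > {factor}x baseline {med_dur}s")
    if flow.bytes_in > factor * med_bytes:
        reasons.append(f"bytes_in {flow.bytes_in} > {factor}x baseline {med_bytes}")
    if not any(f.src == flow.src for f in history):
        reasons.append("source device has no history on this network")
    return reasons


def should_quarantine(flow: Flow, history):
    """Require at least two independent deviations before acting, to limit false positives."""
    reasons = anomaly_reasons(flow, history)
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    print("port rule blocks candidate:", port_rule_blocks(CANDIDATE))
    verdict, why = should_quarantine(CANDIDATE, HISTORY)
    print("quarantine:", verdict)
    for r in why:
        print("  -", r)
```

Run as-is, the port rule passes the candidate flow (port 3390 is not 3389), while the behavioural check returns four independent reasons and recommends quarantine. The fallback in `baseline_for` is what makes a never-seen device evaluable at all; without it a rogue device would have no baseline to deviate from.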

PacketWorker judged this threatening enough to warrant an immediate response. Through its integration with a third-party security tool, it triggered an autonomous response that blocked all outgoing traffic from the device for ten minutes, giving the security team time to identify the rogue device and stop the RDP activity.

On investigation, it became clear that an employee had connected a personal device to the corporate network and was attempting to send valuable intellectual property to a foreign party. The external host was associated with a competing manufacturing company.

It might be tempting to conclude that the organization simply needed a better firewall, but that misses the point. A legacy tool, however expensive, still depends on rules, and every rule has an exception. Firewalls remain a fundamental part of modern cybersecurity, but organizations need to accept that cyber-threats will always find a way around these tools.

PW makes no assumptions about what malicious activity looks like. It uses machine-learning algorithms to learn 'normal' for every user and device on the network. When a threatening deviation emerges, PW's third-party integrations deliver an immediate response that quarantines the threat in real time. Some of these anomalies are stopped by firewalls and other rules-based tools, but subtle insider threats like this one frequently go undetected.