Insider Threat Protection with NetFlow by Angela Frechette Cannon

Lancope’s director of security research, Tom Cross, recently spoke at the Emerging Threats and Cyber Defense Symposium on the topic of insider threats. Although external attacks often get more media attention, recent data shows that the threat posed by malicious, negligent or compromised insiders is very real.

According to the 2013 Verizon Data Breach Investigations Report, 14% of breaches were perpetrated by insiders. Additionally, the report states that 76% of the breaches it analyzed used weak or stolen credentials to gain network access, and 29% used social engineering tactics – making insiders a key point of weakness when it comes to network security. And according to The CERT Guide to Insider Threats, IT sabotage, theft and fraud conducted by insiders is costing companies millions.

Network Visibility

While preventative security technologies and best practices such as perimeter defenses, access control, data encryption and user education can help thwart insider threats, these controls are often no match for those who already have privileged access to the internal network and do not need exploits or malware to carry out attacks. Often, the only real way to identify and halt insider threats is to have comprehensive visibility into what is going on inside the network. Obtaining a complete audit trail of network activity allows organizations to quickly pinpoint anomalous behavior that could signify risk.

Various technologies such as firewalls, SIEMs, IDS/IPS, packet capture and NetFlow can log network activity to provide insight into what is going on in the network. There are tradeoffs associated with each method, so it is important to consider the advantages and disadvantages of each approach. (See white paper for further details.)

Benefits of NetFlow

As demonstrated by the slide below, NetFlow provides a very broad, cost-effective and lightweight means of obtaining a comprehensive view of network activity. NetFlow provides a look at all transactions occurring on the network to enable quick detection of suspicious activities such as emails with large attachments being sent to third parties or unusually high traffic to a printer (which could be signs of data theft/exfiltration).
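As an added illustration (not code from the post or from Lancope), here is how those two detections, large email attachments leaving to third parties and unusually heavy traffic to a printer, could be expressed over flow records; the address ranges, ports, thresholds and sample flows are constructed assumptions:

```python
# Added example, not Lancope's code: flag the two insider-threat patterns the post
# names over NetFlow-style records (src, dst, dport, bytes). Ranges, ports,
# thresholds and the sample flows below are constructed assumptions.
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
MAIL_RELAYS = {ip_address("10.0.1.25")}    # assumed outbound mail relay
PRINTERS = {ip_address("10.0.5.20")}       # assumed network printer
LARGE_MAIL_BYTES = 20_000_000              # assumed "large attachment" cutoff
PRINTER_OUTLIER_MULT = 5                   # flag hosts above 5x the median sender

Flow = namedtuple("Flow", "src dst dport bytes")   # the NetFlow fields these checks need

def large_external_mail(flows):
    """Relay-to-external SMTP flows whose byte count suggests a large attachment."""
    return [f for f in flows
            if ip_address(f.src) in MAIL_RELAYS
            and ip_address(f.dst) not in INTERNAL
            and f.dport in (25, 465, 587)
            and f.bytes >= LARGE_MAIL_BYTES]

def printer_outliers(flows):
    """Hosts whose bytes sent to printers exceed PRINTER_OUTLIER_MULT x the median host."""
    per_host = defaultdict(int)
    for f in flows:
        if ip_address(f.dst) in PRINTERS and f.dport in (515, 631, 9100):
            per_host[f.src] += f.bytes
    if len(per_host) < 2:                  # no peer baseline to compare against
        return {}
    totals = sorted(per_host.values())
    median = totals[len(totals) // 2]
    return {h: b for h, b in per_host.items() if b > PRINTER_OUTLIER_MULT * median}

SAMPLE_FLOWS = [                           # constructed records
    Flow("10.0.1.25", "203.0.113.50", 25, 35_000_000),   # big message to external MX
    Flow("10.0.1.25", "203.0.113.51", 25, 80_000),       # ordinary external message
    Flow("10.0.1.25", "10.0.3.7", 25, 50_000_000),       # big, but stays internal
    Flow("10.0.2.11", "10.0.5.20", 9100, 300_000),
    Flow("10.0.2.12", "10.0.5.20", 9100, 450_000),
    Flow("10.0.2.13", "10.0.5.20", 631, 250_000),
    Flow("10.0.2.14", "10.0.5.20", 9100, 90_000_000),    # one host dumping to the printer
]

if __name__ == "__main__":
    print("large external mail:", [f.dst for f in large_external_mail(SAMPLE_FLOWS)])
    print("printer outliers:", printer_outliers(SAMPLE_FLOWS))
```

In practice the thresholds would come from a per-host baseline learned over time rather than fixed constants, which is the kind of context a flow-analysis platform adds on top of raw NetFlow.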

When leveraged with advanced technologies like Lancope’s StealthWatch System, NetFlow-based monitoring can also provide additional layers of context, including device, application and identity awareness, for enhanced forensics and incident response. Lancope also announced new user-centric monitoring functionality today that enables administrators to investigate network behaviors and anomalies based on specific user names, further increasing protection against insider threats.

The best way to detect and prevent insider threats is to have in-depth visibility into the internal environment and a means of filtering and prioritizing the massive amount of data available on the network into concise, actionable intelligence. This is the main goal and premise of StealthWatch.

While technology alone cannot entirely solve the issue of insider threats (it has to be a cross-functional effort involving IT, HR and Legal), NetFlow can provide a key piece of the defense-in-depth strategy needed to successfully curb these types of attacks.

Click here to learn more about leveraging NetFlow to combat insider threats. Additional tips and best practices from Tom Cross for addressing insider threats can be found here.