Thwarting Insider Threats with StealthWatch
Everyone has come to terms with the fact that even the best perimeter defenses are permeable, but where does that leave us? What is going on inside the network? How do you detect data theft or sabotage by malicious insiders? This activity can be difficult to differentiate from legitimate network transactions and is often not detected by signature-based security systems that are designed to identify malware and the use of software exploits.
Insider Threat Detection
Delivering a complete picture of everything going on inside the network, Lancope’s StealthWatch System provides the internal visibility and full audit trail necessary to fill in dangerous network blind spots and detect damaging insider attacks.
By collecting and analyzing NetFlow, IPFIX and other types of flow data, StealthWatch can detect and alarm on suspicious insider behaviors such as unusually large file transfers or attempts to access restricted areas.
Advanced levels of insight including virtual, identity, application and mobile awareness further enhance Lancope’s insider threat detection capabilities, helping to pinpoint exactly which users are conducting anomalous behaviors on the network, and with which devices and technologies.
StealthWatch integrates user information with network traffic statistics to deliver detailed visibility into user activity anywhere across the network. Administrators enter the username(s) or IP address(es) associated with an event, and the StealthWatch Management Console returns the corresponding flow forensics for event investigation.
User-centric monitoring capabilities also allow network and security teams to run flow queries and reports based on actual user names rather than just IP addresses. Administrators can also search on user names, as well as obtain a User Snapshot outlining a specific person’s network activity – including any anomalous behavior or alarms triggered.
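The two insider behaviors named above, an unusually large transfer and access to a restricted area, detected from flow records and attributed back to a user name, with a per-user snapshot. This is an added illustration in Python, not Lancope's code; the flow records, the IP-to-user mapping and the "restricted" subnet are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes). Sample data, not real traffic.
FLOWS = [
    ("10.1.1.10", "10.2.0.5", 445, 120_000),
    ("10.1.1.10", "10.2.0.5", 445, 150_000),
    ("10.1.1.10", "10.2.0.5", 445, 130_000),
    ("10.1.1.10", "203.0.113.9", 443, 4_800_000_000),  # far larger than this user's norm
    ("10.1.1.11", "10.2.0.5", 445, 100_000),
    ("10.1.1.11", "10.9.0.2", 22, 3_000),                # touches a restricted subnet
]
# Constructed identity mapping (a product would populate this from its identity sources).
IP_TO_USER = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
RESTRICTED_NETS = [ip_network("10.9.0.0/24")]  # assumed "restricted area" for the example

def user_for(ip, ip_to_user=IP_TO_USER):
    return ip_to_user.get(ip, f"unknown({ip})")

def detect(flows, ip_to_user=IP_TO_USER, restricted=RESTRICTED_NETS, ratio=10.0):
    """Return alarms as (user, alarm_type, detail): access to a restricted area,
    and a transfer far above the same user's own baseline transfer size."""
    alarms, by_user = [], defaultdict(list)
    for src, dst, port, nbytes in flows:
        user = user_for(src, ip_to_user)
        by_user[user].append(nbytes)
        if any(ip_address(dst) in net for net in restricted):
            alarms.append((user, "restricted_access", f"{src} -> {dst}:{port}"))
    for src, dst, port, nbytes in flows:
        sizes = by_user[user_for(src, ip_to_user)]
        if len(sizes) < 3:          # too little history to call anything unusual
            continue
        baseline = median(sizes)    # median is robust to the outlier being tested
        if nbytes > ratio * baseline:
            alarms.append((user_for(src, ip_to_user), "large_transfer",
                           f"{src} -> {dst}:{port} {nbytes} bytes (baseline {baseline:.0f})"))
    return alarms

def user_snapshot(user, flows, ip_to_user=IP_TO_USER):
    """Per-user view: flow count, total bytes and the alarms attributed to that user."""
    own = [f for f in flows if user_for(f[0], ip_to_user) == user]
    return {"user": user, "flows": len(own), "bytes": sum(f[3] for f in own),
            "alarms": [a for a in detect(flows, ip_to_user) if a[0] == user]}

if __name__ == "__main__":
    for alarm in detect(FLOWS):
        print(alarm)
    print(user_snapshot("alice", FLOWS))
```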
By identifying the user causing an event and other users affected, StealthWatch provides greater accountability and immediate insight into network events or user needs. The system also enables any necessary quarantine or other corrective actions to be taken sooner, and delivers powerful auditing capabilities for regulatory compliance.
Knowing exactly who is on the network and what they are doing, IT administrators can maintain optimum levels of performance and security without inadvertently impacting the experience of high-level users. Identity data can also assist with other efforts including forensic investigations, capacity planning, help desk and human resources.