Review: Hot new tools to fight insider threats

Fortscale protects traditional networks, Avanan works in the cloud, PFU Systems focuses on mobile devices

In the 1979 film When a Stranger Calls, the horror is provided when police tell a young babysitter that the harassing phone calls she has been receiving are coming from inside the house. It was terrifying for viewers because the intruder had already gotten inside, and was presumably free to wreak whatever havoc he wanted, unimpeded by locked doors or other perimeter defenses. In 2016, that same level of fear is being rightfully felt towards a similar danger in cybersecurity: the insider threat.

An entire industry has sprung up to provide a defense against insider threats. We tested products from Fortscale, Avanan, and PFU Systems, with each one concentrating on a different aspect of the problem.

  • Fortscale did an amazing job protecting a traditional network. Its machine learning capabilities and concentration on access and authentication logs give it an extremely high accuracy rate when ferreting out a threat, yet it leaves any actual decisions to humans after providing them with the collected and sorted information. 
  • Avanan has a very good front-end interface and works completely within the cloud. It can even incorporate most other security tools that have been optimized by the company to work within cloud environments. Cloud-based insider threats can be even harder to detect than in traditional networks because of the uncontrolled and widely dispersed nature of the data, yet Avanan uniquely protects it from threats related to trusted insiders. 
  • PFU Systems, a Fujitsu company, applies insider threat security to mobile devices with their iNetSec system. It can help an organization implement a BYOD program without taking on the additional insider risks associated with mobile devices, such as having credentialed smartphones falling into the wrong hands.

All three performed well in our testing, which was conducted over several weeks with some network structures provided by the vendors and some provided by our in-house testbed. (See screen shots of these three products.)

Fortscale: Machine learning to the rescue

Compared to other enterprise security tools we have examined over the past few years, the Fortscale product is nearly complete and ready to go out of the box. It is installed on a network as a single server which is then linked into whatever security information and event management (SIEM) system is already being used. There are no rules to configure or programming to be done by administrators as Fortscale uses machine learning and complex algorithms to find anomalous or dangerous behavior associated with insider threats. And because it concentrates on access and authentication logs, data that most networks keep for at least a month, it is able to begin spotting danger on its first day, though it does get even more accurate over time.


Fortscale is also very economical, with pricing at about $10 per user per year for a midsized enterprise with 20,000 seats. There are discounts for larger licenses and multi-year commitments.

Although the processes that Fortscale goes through to generate an alert are fairly complicated, in a sense it boils down to being able to process information very much like a human. If a user who is working in California in the morning suddenly logs into a protected system from Ukraine at noon, that is something a human could easily recognize as an attack, yet computers have a more difficult time with it, especially when the examples are less obvious.

We found Fortscale to be similar in a sense to IBM's Watson, able to make those connections and elevate problems to human users for mediation. The secret is that Fortscale concentrates on very specific information where threat patterns are already programmed, and which can be learned based on the specific environment it's protecting. Specifically, it looks at OS authentication, VPN access, file access, data from existing security product logs and access to the "crown jewels," the most important and dangerous parts of a network that most attackers try to access.

From the Fortscale interface, a user would never know that so much processing is going on in the background. Events that get elevated to humans for consideration need to have been backed by several of the factors that Fortscale examines. No single event is enough to trip an alert, a fact that keeps false positives to a minimum.

Another neat feature, and one that shows that Fortscale is really built for human users, is the fact that certain users can be pinned to the login splash page for extra scrutiny. Called Followed Users, these people are added to the far right column of the dashboard, complete with their pictures, titles and network groups, if such information is available.

There are no set criteria needed to add someone into the Followed Users pool either. It's totally up to the system administrators. Perhaps investigators in the physical world or auditors suspect the employee for some reason outside of network activity, or perhaps Fortscale admins are seeing low-level anomalies tied to one account and want to mark that user just in case. It could even be a VIP on the network whose activities need to be protected at all costs, or a temporary contractor without security clearance. The reasons really don't matter. Users can be added to the Followed Users group or removed from it at will.

Clicking on a user within the Followed Users group will bring up all the information that Fortscale has collected about them over time, regardless of whether any of it amounts to an actual alert. This is no different from selecting anyone from the user pool. It just calls them out for extra scrutiny and easy access.

Other than the Followed Users area, the main interface looks a lot like a typical security dashboard. The top 10 open alerts are displayed prominently with red, yellow and green color codes. There is also information about the number of alerts being generated from various groups and the fix rate, where administrators close an alert and presumably fix the problem. All of that information can be collected and put into unique, graphical reports to show the overall security picture, down to the factors contained within a single alert to supervisors or auditors. The reports look good enough to be presented to C-level bosses and are fairly easy to understand.

Where Fortscale's interface really gets good is when you drill down into alerts. The program does an excellent job of showing administrators the story behind the alert. Even a low-level or junior analyst could probably make sense of the story of the alert presented. It's broken down by the indicators that caused the alert. In one case, there were seven indicators that went into generating an insider threat alert including a data usage anomaly, a high number of devices per day factor, a geolocation anomaly, a high number of source countries anomaly and a source device problem. In that case, it was easy to surmise that the employee in question was probably not a true insider threat, but instead someone who had their credentials compromised and was thus acting like one, likely without their knowledge.

But Fortscale can also detect events that are not so obvious, and then present its case to administrators to help them understand what is going on. In another example, one user on the protected system was doing a lot of snooping. All of their snooping was technically authorized by network policy, so they would not have triggered an alert. But Fortscale was able to catch them by linking activity time anomalies with a high number of targeted device anomalies and a few failure codes. Looking at the story presented as an alert by Fortscale, a human could get a pretty good idea that an administrator charged with responsibility in one area was logging on after hours to systems they were not responsible for maintaining.

Occasionally they were rejected from a system with a bad or invalid password, generating the error code anomaly, but because they stopped at that point it would not have generated a normal SIEM alert. But Fortscale was able to add that into the picture of what they were doing, information that would otherwise have likely been lost in the huge stream of seemingly unrelated network data.

In the second example, a true insider threat would have been caught even though they were for the most part following the rules. Fortscale does not make any judgments about the user, and thus takes no actions on its own, other than presenting the story of the alert to security personnel. Perhaps the user was helping out a friend in another department, perhaps they were simply curious, or perhaps they were an actual spy or disgruntled employee. It's up to humans to make that determination and take appropriate action, but Fortscale can shine the spotlight on activities which might otherwise fly under the radar.

As a final example, Fortscale was able to flag insider activity that was taking a low-tech approach, in this case by examining printing logs. The program was able to identify an anomaly where a user first made an "all records" call to the Oracle database and then printed over 350 pages. Looking at their previous printer usage, they only sent a few pages to the printer over the past two months, and then suddenly sent a job that was more than 300 pages.

Fortscale took no action other than to alert administrators to the activity and present the whole picture of related events. Again, this might have been job-related, but it also could be a case where an employee was preparing to leave the company and wanted to take proprietary information with them using a very low tech way of capturing and stealing the data. But even the low-tech approach was not able to escape the watchful, and insightful, eye of Fortscale.
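A toy version of the multi-indicator approach the review describes above: several weak per-user indicators (source countries, target device count, after-hours activity, failure codes) are combined before anything is escalated, and the print-volume check from the last example compares a job against the user's own baseline. This is an added illustration, not Fortscale's code; the log records, thresholds and working-hours window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth records for one day: (user, hour, country, target_host, result)
LOGS = [
    ("alice", 9, "US", "fs01", "ok"),
    ("alice", 10, "US", "fs01", "ok"),
    ("alice", 12, "UA", "fs02", "ok"),          # second source country, same day
    ("alice", 12, "UA", "db01", "ok"),
    ("alice", 13, "UA", "vpn01", "ok"),
    ("bob", 22, "US", "hr01", "ok"),            # after hours, outside own area
    ("bob", 23, "US", "hr02", "bad_password"),  # failure code, then stopped
    ("bob", 23, "US", "fin01", "ok"),
    ("bob", 23, "US", "fin02", "ok"),
    ("carol", 9, "US", "fs01", "ok"),
    ("carol", 10, "US", "fs01", "ok"),
]

WORK_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as normal hours
MAX_COUNTRIES = 1          # assumption: more than one source country per day is odd
MAX_DEVICES = 3            # assumption: more than three target hosts per day is odd
MIN_INDICATORS = 2         # no single indicator trips an alert on its own


def indicators_for(records):
    """Return the names of the indicators that fire for one user's records."""
    fired = []
    if len({r[2] for r in records}) > MAX_COUNTRIES:
        fired.append("multiple_source_countries")
    if len({r[3] for r in records}) > MAX_DEVICES:
        fired.append("high_target_device_count")
    if any(r[1] not in WORK_HOURS for r in records):
        fired.append("after_hours_activity")
    if any(r[4] != "ok" for r in records):
        fired.append("auth_failure_codes")
    return fired


def score(logs):
    """Group records by user and alert only when several indicators line up."""
    by_user = defaultdict(list)
    for rec in logs:
        by_user[rec[0]].append(rec)
    alerts = {}
    for user, recs in by_user.items():
        fired = indicators_for(recs)
        if len(fired) >= MIN_INDICATORS:
            alerts[user] = fired  # the "story": which indicators built the alert
    return alerts


def print_volume_anomaly(history, job_pages, factor=10):
    """Flag a print job far above the user's own largest prior job (history = page counts)."""
    baseline = max(history) if history else 1
    return job_pages > factor * max(baseline, 1)
```

Running score(LOGS) escalates alice (two indicators) and bob (three) but not carol, whose single-host daytime logins fire nothing.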

Avanan: Penetrating the cloud

Protecting data inside the cloud, especially from insider threats, is difficult because the data is housed in different places, and is not normally under the direct control of the organization that owns it. While cloud providers will help to keep data safe from external threats, they generally won't do anything if an authorized user suddenly starts sending confidential files offsite. In fact, they may even open up more bandwidth to make that process go more smoothly.


Avanan was formed in 2014 with a focus on cloud security. The system also runs completely in the cloud itself, so the setup has no physical components. It works with all the biggest cloud providers including Amazon, Google and Microsoft. Avanan is also extremely economical, with the base platform starting at $5 per user per month, and less for large deployments. The setup process for our test cloud only took a few minutes.

Because most cloud providers have access to functionally unlimited storage capacity, many keep up to a year or more of data regarding the various actions by users and programs within the cloud. Avanan can tap into that data and begin working right away, even identifying suspect insider threat activity that happened months ago, or linking new cases with a potential pattern going back months or years.

By itself, Avanan is a powerful tool for protecting against insider threats. However, another strength of the product is that it offers one-click installation of many popular security programs, even those that have not previously been optimized for use within the cloud. Avanan does not charge users to install those apps inside the cloud.

Users only need to pay whatever the other vendor charges, and their existing license may even cover cloud deployments. In the course of our testing we installed Check Point, Palo Alto and Symantec software into our test cloud. In all cases, we got full cloud functionality. Each program was also able to report directly into the Avanan main interface, either to add extra indicators to an insider threat investigation or to provide updates on the general security of the cloud, such as malware files stored inside it.

There is no upper limit as to how many additional programs can be running in addition to Avanan. For example, multiple antivirus programs can be running without interfering with each other, and it supports more than 40 choices. It also supports sandboxing like FireEye, and SIEM programs like Splunk and ArcSight.

Once installed, Avanan gives full visibility into everything that is happening within the cloud it's protecting. There is an automated policy engine that can be used to ensure that basic or common sense type user rules are applied. From there, administrators can set up unique rules for how various folders and data can be used, accessed and shared. Because these are file-level rules, they apply to both users and any programs that are installed.

In our test network, when a user with high credentials installed a program that required access to data within a protected area, it was halted even though the user had the proper credentials to install the offending program. This would prevent a user from accidentally installing something, even a commonly used program, that wants to access protected data.
