Data anomalies can help you detect insider threats, both malicious and unintentional. Here are three important user and endpoint activities to monitor to help uncover potential breaches:
Login activity is where you can spot potentially compromised or misused user accounts. Look for users accessing systems they normally wouldn’t, logging on at unusual times, or logging in from unusual geolocations, like a U.S.-based programmer repeatedly logging into the VPN from China. That is how one company caught a U.S. programmer outsourcing his own job to a Chinese developer back in 2013.
The company saw the anomalous activity in its virtual private network (VPN) logs and asked Verizon to investigate, according to PCMag. How was it, Verizon wondered, that the programmer could be sitting at his desk while his VPN connection was live from China? A look at the programmer’s Web history made it apparent that he preferred watching cat videos and browsing Reddit to writing code and fixing defects. He had outsourced his job at one-fifth of his salary (according to the invoice PDFs recovered from his computer) and FedExed his RSA token to his Chinese doppelgänger.
Look for work activity outside normal work hours or outside established patterns of work activity. Here it helps to look at both individual behavior and peer-group behavior (what others in the same role or department do) to rule out false positives. For example, a Marketing employee accessing a confidential financial system might raise a flag, until you see that people from the Marketing department regularly access the same system.
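The login and work-pattern checks described above, as an added example that is not code from the original article or its authors: it builds a per-user baseline of countries, hours and resources from constructed history records, flags events that fall outside it, suppresses an individual anomaly when the department peer set shows the same habit, and separately catches the "sitting at his desk while the VPN is live from China" pattern as one identity active from two countries inside a short window. The user names, departments, resource names, thresholds and every record are assumptions made for the demo.

```python
"""Login and access anomaly checks against a per-user and per-department baseline.

Added example (not from the original article). All records, departments,
resource names and thresholds below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PEER_MIN = 2                        # distinct peers needed before a department habit counts as normal
TRAVEL_WINDOW = timedelta(hours=1)  # two countries for one user inside this window is suspicious

# Constructed baseline: 20 days of ordinary activity at 08:00, 09:00, 13:00 and 17:00.
# Record layout: (user, department, ISO timestamp, source country, resource)
HISTORY = []
for day in range(2, 22):
    for hour in (8, 9, 13, 17):
        stamp = f"2013-01-{day:02d}T{hour:02d}:00:00"
        HISTORY += [
            ("alice", "Engineering", stamp, "US", "vpn"),
            ("alice", "Engineering", stamp, "US", "workstation"),
            ("bob",   "Marketing",   stamp, "US", "finance-db"),
            ("carol", "Marketing",   stamp, "US", "finance-db"),
            ("dave",  "Marketing",   stamp, "US", "crm"),
            ("erin",  "Engineering", stamp, "US", "git"),
        ]

# Constructed events to score against that baseline
NEW_EVENTS = [
    ("alice", "Engineering", "2013-01-22T09:05:00", "CN", "vpn"),         # country never seen for alice
    ("alice", "Engineering", "2013-01-22T09:10:00", "US", "workstation"), # at her desk while the VPN is live from CN
    ("bob",   "Marketing",   "2013-01-22T03:15:00", "US", "finance-db"),  # 03:15, nobody in Marketing works then
    ("dave",  "Marketing",   "2013-01-22T13:00:00", "US", "finance-db"),  # new for dave, routine for his peers
    ("erin",  "Engineering", "2013-01-22T13:00:00", "US", "finance-db"),  # new for erin and for Engineering
]

def parse(rec):
    user, dept, ts, country, resource = rec
    return {"user": user, "dept": dept, "time": datetime.fromisoformat(ts),
            "country": country, "resource": resource}

def build_baseline(records):
    per_user = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    dept_res = defaultdict(lambda: defaultdict(set))    # dept -> resource -> users seen using it
    dept_hour = defaultdict(lambda: defaultdict(set))   # dept -> hour -> users seen active then
    for rec in map(parse, records):
        prof = per_user[rec["user"]]
        prof["countries"].add(rec["country"])
        prof["hours"].add(rec["time"].hour)
        prof["resources"].add(rec["resource"])
        dept_res[rec["dept"]][rec["resource"]].add(rec["user"])
        dept_hour[rec["dept"]][rec["time"].hour].add(rec["user"])
    return {"user": per_user, "dept_res": dept_res, "dept_hour": dept_hour}

def peers_doing(index, dept, key, user):
    """How many *other* people in the department the baseline shows doing `key`."""
    return len(index[dept][key] - {user})

def score_events(records, baseline):
    """Return (user, timestamp, reasons) for every event still anomalous after peer suppression."""
    findings = []
    recent = defaultdict(list)   # user -> [(time, country)] inside the travel window
    for rec in map(parse, records):
        user, dept, hour = rec["user"], rec["dept"], rec["time"].hour
        prof = baseline["user"].get(user)
        reasons = []
        if prof is None:
            reasons.append("unknown_user")
        else:
            if rec["country"] not in prof["countries"]:
                reasons.append(f"new_country:{rec['country']}")
            # Individual anomaly, unless the peer set shows it is normal for that department
            if hour not in prof["hours"] and peers_doing(baseline["dept_hour"], dept, hour, user) < PEER_MIN:
                reasons.append(f"off_hours:{hour:02d}")
            if (rec["resource"] not in prof["resources"]
                    and peers_doing(baseline["dept_res"], dept, rec["resource"], user) < PEER_MIN):
                reasons.append(f"new_resource:{rec['resource']}")
        # One identity active from two countries within the window (the VPN-from-China case)
        window = [(t, c) for t, c in recent[user] if rec["time"] - t <= TRAVEL_WINDOW]
        other = {c for _, c in window if c != rec["country"]}
        if other:
            reasons.append("concurrent_countries:" + ",".join(sorted(other | {rec["country"]})))
        recent[user] = window + [(rec["time"], rec["country"])]
        if reasons:
            findings.append((user, rec["time"].isoformat(), reasons))
    return findings

def run_demo():
    return score_events(NEW_EVENTS, build_baseline(HISTORY))

if __name__ == "__main__":
    for user, when, reasons in run_demo():
        print(f"{when} {user:6} {', '.join(reasons)}")
```

Run as-is it reports alice twice (a new country, then the two-country overlap five minutes later), bob's 03:15 query, and erin's first touch of the finance database; dave's identical first touch is silent because two Marketing peers already use that system every day. In production the baseline window, `PEER_MIN` and the travel window would be tuned per environment, and the hour check would usually allow a tolerance around the observed hours rather than an exact set.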
Your network is full of clues to suspicious activity. For example, if you see a user installing unknown software, it could be a backdoor for transmitting sensitive data outside the network. Here are other possible triggers:
- Network activity at unusual times or with unusual regularity
- Downloading large volumes of information
- Extraordinarily high number of database queries
- Unusual devices communicating with a given workstation
Had the Infosec team at Korea Credit Bureau been monitoring for anomalous device connections, they might have noticed the unusual USB activity of a consultant who copied credit card numbers, social security numbers and personal data from more than 105 million accounts over 11 months. They might have even been able to catch him before he sold the data.
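The network and endpoint triggers listed above, as an added example that is not code from the original article or its authors: a robust z-score (median and MAD, so yesterday's outlier does not inflate today's baseline) over per-user daily download bytes and database query counts, a check for a device never before attached to a given workstation (the removable-drive pattern in the Korea Credit Bureau case), and a regularity test that flags outbound connections spaced too evenly to be a human. The user names, workstation names, device identifiers, thresholds and all counters and timestamps are constructed for the demo.

```python
"""Endpoint and network trigger checks over constructed sample telemetry.

Added example, not from the original article. Record layouts, thresholds
and device identifiers are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

Z_THRESHOLD = 6.0        # robust z-score above which a daily counter is an outlier (assumption)
MAD_SCALE = 1.4826       # scales MAD to a standard deviation for normally distributed data
BEACON_MAX_CV = 0.1      # interval coefficient of variation below this looks machine-driven
BEACON_MIN_EVENTS = 10   # do not judge regularity on fewer events than this

# --- 1. Volume outliers: downloaded bytes and database queries per user per day ---------
# Constructed counters (not real telemetry): (user, day, bytes_downloaded, db_queries)
DAILY = []
for day in range(1, 21):
    DAILY.append(("kim", f"2013-06-{day:02d}", 40_000_000 + (day % 5) * 2_000_000, 300 + (day % 7) * 10))
    DAILY.append(("lee", f"2013-06-{day:02d}", 25_000_000 + (day % 3) * 1_000_000, 150 + (day % 4) * 5))
TODAY = [
    ("kim", "2013-06-21", 1_900_000_000, 12_000),   # roughly 40x the usual bytes and queries
    ("lee", "2013-06-21", 26_000_000, 160),         # an ordinary day
]

def robust_z(value, history):
    """(value - median) / scaled MAD; unlike mean/stdev it is not dragged by the outliers we hunt."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0   # flat history: avoid division by zero
    return (value - med) / (MAD_SCALE * mad)

def volume_outliers(history, today, z_threshold=Z_THRESHOLD):
    """Return (user, day, metric, value) for each of today's counters far above the user's norm."""
    per_user = defaultdict(lambda: {"bytes_downloaded": [], "db_queries": []})
    for user, _, nbytes, queries in history:
        per_user[user]["bytes_downloaded"].append(nbytes)
        per_user[user]["db_queries"].append(queries)
    findings = []
    for user, day, nbytes, queries in today:
        for metric, value in (("bytes_downloaded", nbytes), ("db_queries", queries)):
            hist = per_user[user][metric]
            if len(hist) >= 5 and robust_z(value, hist) > z_threshold:
                findings.append((user, day, metric, value))
    return findings

# --- 2. Devices never before seen on a workstation (the removable-drive copy) ------------
# Constructed attach events: (workstation, device_class, device_id); the IDs are made up
DEVICE_HISTORY = [
    ("ws-kim", "hid", "dev-0001"),
    ("ws-kim", "hid", "dev-0001"),
    ("ws-lee", "hid", "dev-0002"),
    ("ws-lee", "mass_storage", "dev-0003"),
]
DEVICE_TODAY = [
    ("ws-kim", "mass_storage", "dev-0004"),   # first removable drive ever attached to this host
    ("ws-lee", "mass_storage", "dev-0003"),   # lee's usual drive, already in the baseline
    ("ws-kim", "hid", "dev-0001"),
]

def unknown_devices(history, today):
    """Pairs (workstation, device) that have no prior attach record."""
    seen = {(ws, dev) for ws, _, dev in history}
    return [(ws, cls, dev) for ws, cls, dev in today if (ws, dev) not in seen]

# --- 3. Connections with unusual regularity (beacon-like outbound traffic) ---------------
start = datetime(2013, 6, 21, 9, 0)
# Constructed: one host contacted exactly every 10 minutes, versus ordinary irregular browsing
BEACON_TIMES = [start + timedelta(minutes=10 * i) for i in range(20)]
BROWSING_TIMES = [start + timedelta(seconds=s) for s in
                  (0, 40, 55, 300, 1200, 1230, 1235, 3000, 3600, 3610, 7200, 7205, 9000)]

def interval_cv(times):
    """Coefficient of variation of the gaps between consecutive events (0 = perfectly periodic)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else float("inf")

def looks_like_beacon(times, max_cv=BEACON_MAX_CV, min_events=BEACON_MIN_EVENTS):
    return len(times) >= min_events and interval_cv(sorted(times)) <= max_cv

if __name__ == "__main__":
    for finding in volume_outliers(DAILY, TODAY):
        print("volume outlier:", finding)
    for finding in unknown_devices(DEVICE_HISTORY, DEVICE_TODAY):
        print("unknown device:", finding)
    print("beacon-like:", looks_like_beacon(BEACON_TIMES), looks_like_beacon(BROWSING_TIMES))
```

The volume check deliberately uses median and MAD rather than mean and standard deviation: an insider who has already exfiltrated for weeks would otherwise raise the mean and hide inside it. The device check keys on the (workstation, device) pair, so a drive that is normal on one desk is still new on another; real deployments would source the identifiers from the OS's device events and add a stricter rule for any mass-storage class device.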
Download the executive brief, Protecting Data in the Age of Employee Churn, to learn more about how endpoint backup can mitigate the risks associated with insider threat.