Dealing with insider threats requires a different strategy from other security challenges because of their very nature. Insiders have a significant advantage. They are aware of the organization’s policies, procedures, technology and vulnerabilities. They often have access to important systems, business IP and sensitive data. As such, they can cause a business the most damage compared to external attackers such as hackers.
Companies have adopted various solutions to manage insider threats. Some use log analytics and SIEM (Security Information and Event Management) software to look for abnormalities in their IT systems and networks. For example, privilege escalation, sensitive file transfers and access to new network zones are all early signs of potential insider activity. Others have been adopting more nimble, purpose-built solutions such as user activity monitoring, user behavior analytics and data loss prevention (DLP) technologies to identify and prevent insider threats.
We looked at a dozen or so solutions and identified the top five with a mix of technologies and use cases such as user activity monitoring, advanced analytics, auditing systems and log aggregators. In our assessment, this will make the list suitable for any business, either an SMB or a large enterprise.
The review below is written by us using publicly available information from the respective vendor sites, demos, trials, documentation and online reviews. If any product has changed or you notice any inaccuracies, please let us know and we will correct them.
Teramind UAM
Within only a few years of its foundation, Teramind has made a name for itself in the industry with its unique user activity monitoring, insider threat detection, forensics and compliance solutions. Teramind’s insider threat detection solution uses real-time user activity monitoring to detect early signs of insider threats. Its behavior-based rules engine provides active defense against all kinds of malicious insider activity, such as data leaks and exfiltration, IP theft, fraud, industrial espionage, sabotage and other risks.
Teramind UAM lets you conduct threat analysis, forensic investigation and auditing using its unique Session Mining feature, which records video and audio of user sessions together with complete metadata. Alerts, keylogging, incident tagging and other powerful features not only identify rule-violation incidents but help your team build a proper threat response plan. Finally, it can be extended with built-in integrations for Active Directory, SSO, SIEM, PM and log analytics systems, or through its rich set of RESTful APIs.
Pros:
- Screen and audio capture with live view and history playback.
- OCR, fingerprinting, tagging capabilities.
- Smart policy & rules engine with hundreds of pre-built templates.
- Powerful business intelligence (BI) dashboard.
Cons:
- Not as powerful as its Teramind DLP solution.
- No monitoring support for mobile devices.
- Mac support is somewhat limited.
- Project management features not very powerful.
Forcepoint Insider Threat
Owned by US defense contractor Raytheon, Forcepoint has a long history of developing cybersecurity, firewall and cross-domain IT security products. The central premise of the solution is to help security analysts gather forensic data and build a case to identify risky users. It is part of a bundle of security solutions under Forcepoint CASB platform designed specifically for enterprises using cloud applications such as Office 365, Salesforce, Google Apps etc.
To get the most out of Forcepoint Insider Threat, customers will need to purchase multiple SKUs and manage add-on modules available on Forcepoint’s marketplace. For example, Forcepoint DLP Discovery is needed for auto discovery and classification of sensitive data. Similarly, Forcepoint DLP Network provides visibility and control for data in motion via the web and email.
Pros:
- Simple, case-centric insider threat investigation.
- Granular control over data collection to protect users’ privacy.
- Tightly integrated with other Forcepoint security solutions.
- Distributed architecture suitable for large deployments.
Cons:
- Management dashboard looks dated and is not very user-friendly.
- Not very capable by itself without other Forcepoint products.
- No productivity analysis features.
- Limited deployment options, e.g. no private-cloud support.
Exabeam Advanced Analytics
A known name in the security industry, Exabeam claims to have the world’s most-deployed UEBA (User & Entity Behavior Analytics) security solution. Its Advanced Analytics product works by collecting data from various sources such as Active Directory, SIEM, DLP and log analytics solutions and aggregating them to identify insider threats and security risks.
The software can identify compromised users, suspicious employees or malicious insiders by correlating disparate activities (for example, privilege escalation, abnormal job searches and remote logins) through its Stateful User Tracking system, which assigns a risk score to each activity. The events are tracked across networks and assets and then combined into a session timeline. A security analyst can then investigate the timeline for potential insiders and drill down to analyze their activities further.
Pros:
- Intuitive, easy-to-use dashboard.
- Support for MITRE ATT&CK Framework.
- Unique session model that automates analyst investigation and the tracking of lateral threat movement.
- Tight integration with other Exabeam products such as its SIEM and SOAR solutions.
Cons:
- Missing common features such as screen recording, activity blocking etc.
- Very specialized software that is dependent on other solutions to deliver its value.
- Deployment can be complex. No hosted cloud deployment (available as VM only).
- Relatively expensive.
Netwrix Auditor
Netwrix Auditor is primarily designed as a tool to help IT managers keep track of what is going on across their network environment. By detecting aberrant behavior, network sniffing and other nefarious attacks such as ransomware, it can identify both insider and outsider threats to an organization.
It works with Active Directory, file servers, database servers, SharePoint and network infrastructure systems. Similar to Exabeam’s solution, Netwrix Auditor collects event and Syslog data to audit user activity such as service calls, user logons, remote sessions, credential changes etc. It can then raise alerts by comparing observed activity against a predefined list or against patterns supplied by the user.
Pros:
- Comprehensive auditing capabilities with support for major IT analytics and SIEM solutions.
- Can detect ransomware penetration.
- Out-of-the-box compliance reports for GDPR, NERC, GLBA etc.
- Non-intrusive architecture.
Cons:
- Primarily an audit tool repurposed for insider threat detection.
- Sensitive data discovery and protection requires additional software.
- Requires expert resources to make use of its advanced queries feature.
- Can cause network performance issues as the number of users grows.
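The detection approach described above for Exabeam and Netwrix (score each audited event, track it per user as a session timeline, and alert when the accumulated risk passes a threshold, using indicators like privilege escalation, sensitive file transfers and new network zones) as an added, vendor-independent illustration; this is not code from any product reviewed here. The log format, risk weights, off-hours window and threshold are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit events (not from any product): "timestamp user event detail"
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice logon workstation
2024-03-04T09:12:44 alice file_read share/finance/q1.xlsx
2024-03-04T22:31:02 bob logon workstation
2024-03-04T22:33:15 bob priv_escalation sudo_root
2024-03-04T22:40:51 bob net_access zone=db-subnet
2024-03-04T22:52:07 bob file_transfer share/finance/payroll.csv->usb
"""

# Assumed per-activity risk weights, modelled on the early indicators the review
# names: privilege escalation, sensitive file transfers, access to new network zones.
RISK_RULES = {
    "priv_escalation": 40,
    "file_transfer": 30,
    "net_access": 20,
    "logon": 5,
    "file_read": 5,
}
OFF_HOURS_BONUS = 10     # assumed: extra weight for activity between 20:00 and 06:00
SESSION_THRESHOLD = 70   # assumed: flag a user session at or above this score

LINE_RE = re.compile(r"^(\S+T(\d{2}):\S+) (\S+) (\S+) (\S+)$")

def score_event(event, hour):
    """Risk score for one event; unknown event types score 0 (no off-hours bonus)."""
    base = RISK_RULES.get(event, 0)
    off_hours = hour >= 20 or hour < 6
    return base + (OFF_HOURS_BONUS if base and off_hours else 0)

def build_sessions(log_text):
    """Stateful tracking: group scored events into a per-user timeline and total."""
    sessions = defaultdict(lambda: {"score": 0, "timeline": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        ts, hour, user, event, detail = m.groups()
        s = score_event(event, int(hour))
        sessions[user]["score"] += s
        sessions[user]["timeline"].append((ts, event, detail, s))
    return sessions

def flag_risky(sessions, threshold=SESSION_THRESHOLD):
    """Users whose session risk crosses the threshold, for analyst drill-down."""
    return sorted(u for u, s in sessions.items() if s["score"] >= threshold)
```

A real deployment would learn per-user baselines (e.g. which network zones a user normally touches) instead of the static weights used here.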
ObserveIT Insider Threat Management
Established in 2006 in Israel, ObserveIT originally focused on providing remote vendor monitoring software but later moved into the insider threat detection, employee monitoring and data loss prevention market. One of ObserveIT’s unique features is the ‘Investigate’ module, which lets an administrator explore the chain of events behind an alert caused by a user.
Another interesting feature of ObserveIT Insider Threat Management is its support for Unix/Linux-based workstations. This might be useful for customers such as telecom providers, banks and governments that need to monitor server systems. While the software is one of the most capable user activity monitoring solutions out there, many of its powerful features, such as activity blocking and locking out users, are only available under Linux.
Pros:
- Supports a wide range of platforms including Windows, Mac, Linux and Unix.
- Investigate feature to identify the chain of incident-related events.
- Risk analysis features.
- Hundreds of pre-configured indicators and alerts.
Cons:
- No advanced capabilities such as data classification or OCR.
- Some of the rule-violation actions are limited to Linux/Unix only.
- No private-cloud support.
- Very limited productivity reporting capability.
There are quite a few solutions we liked but could not include on our list due to space limitations. Some worth mentioning are Veriato Cerebral, Varonis, Egnyte and Erkan. You can check them out if you have the time.