Collect, Detect, and Respond to Insider Threats with DFLabs and Securonix | DFLabs

Free community edition

Request a demo

Collect, Detect, and Respond to Insider Threats with DFLabs and Securonix

Back to all articles

insider threats

Insider threats continue to be the cause of some of the most high-profile and costly breaches reported today. Whether it is an employee clicking on a phishing link or sensitive data being accidentally exposed, these events can prove to be fatal to an organization’s security defences. With such unpredictable circumstances how can organizations ensure that they can quickly detect and respond to an insider incident once it occurs?

The Problem

Data breaches caused by an insider threat are among the costliest and hardest to detect of all data breaches. Many organizations focus heavily on preventing external threat actors from circumventing their security defences, but threats from inside of the organization pose an even greater risk.

Not all insider threats are criminal in nature. Although there is a risk of an employee going rogue, most breaches caused by an employee or contractor are due to negligence and human error. These lapses in judgement and oversight are nearly impossible to predict so organizations must be able to quickly detect and respond to an insider incident before the maximum amount of damage can be done.

Security operations managers need to be able to tackle this and often are faced with these common questions, seeking a solution to help overcome their challenges.

  • How can my organization reduce the risk from an insider threat?

  • How can we quickly and efficiently respond to a threat from inside of our organization?

  • How can we better detect an insider threat?

DFLabs and Securonix Solution

The DFLabs and Securonix solution provides organizations with the intelligence and extra manpower necessary to combat an incident involving an insider threat. Securonix utilizes real-time enrichment procedures to collect internal intelligence data and develops threat chains and risk scoring to detect these advanced threats.

With the power of automation and orchestration brought by DFLabs’ IncMan SOAR platform, organizations can quickly respond to an insider threat by enlisting their complete security stack to isolate and contain a user and their activities. This ability to quickly identify and contain a potential insider incident within seconds lends a much needed helping hand to our security teams when time is of the essence.

About Securonix

Securonix Next-Gen SIEM is a cloud- based software as a service (SaaS) solution which combines log management, user and entity behavior analytics (UEBA), and security incident response into a complete, end-to-end security operations platform. It collects massive volumes of data in real-time, uses patented machine learning algorithms to detect advanced threats, and provides artificial intelligence-based security incident response capabilities for fast remediation.

Use Case

Now let’s look at a simple use case in action.

An alert is received indicating that a large data transfer has been observed from an organization’s web server to an internal host. This activity automatically executes the Suspicious User Activity R3 Rapid Response Runbook within IncMan which begins to gather information on the destination host and its associated user account.

The IP address is checked through Securonix to determine the affected hostname and user information is pulled from Active Directory. The user information is fed back into Securonix to determine the suspected user account’s current risk score. If the user’s risk score is considered to be either medium or high, the incident priority is upgraded and Securonix is queried for additional alerts and events involving either the destination host or the associated username.

If the user’s risk score is low the incident priority stays the same, until the same query is issued to Securonix to determine if there have been any other alerts or events associated with the destination or its user. If the result of either of these queries find that additional alerts or events have been observed, the priority is adjusted to critical from the medium to high user risk score or elevated to high for the low risk score user. Once the priorities are adjusted, the R3 Rapid Response Runbook begins to take containment actions towards the observed activity.

For the users whose risk score is medium to high and additional alerts and events were observed, IncMan automatically quarantines the host to prevent it from any further communication on the network, disables the user’s account, and creates a new ticket in the organization’s ticketing system to be immediately followed-up by the security team. For the alerts which have been adjusted to high priority, the R3 Rapid Response Runbook disables the user’s account and creates a new ticket in the organization’s ticket system for additional follow-up.

Any alert that involves a user with a low risk score and has not been observed in any additional security alerts or events, IncMan will issue a user choice statement which temporarily pauses the Runbook and generates an email to the security team to let the team know that a large data transfer has been made and allows the analyst to decide based on the information provided whether they would like to execute containment activities against the user and its host. If the analyst determines the alert to be false positive, the R3 Rapid Response Runbook exits, and the incident is closed.

xnEacnT0d1GUc_8kltSx5LrPBXOWX597bJabP-rUERY7SKDJ5WGuIrDZxoUxhDaF9GZilVfPOoxZ2YdZbShsVsZEqZgrtjif3g9RcWgpWtqRUxtwdkWRZ506AzMIzyU7d1o4LpWA

Summary

The DFLabs integration with Securonix looks to assist organizations with levelling the playing field when it comes to insider threat detection and response. Through the use of Securonix Next-Generation SIEM platform and DFLabs IncMan SOAR solution, organizations can quickly operationalize the internal threat intelligence data provided by Securonix to identify high-risk users and their behaviors to drive automated and orchestrated responses to quickly contain the threat minimizing the impact.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo