Insider threats are one of the most important concerns for institutional security. Traditional methods of handling general security threats, such as signature matching and correlation rules, are not enough to detect insider threats. Among the most challenging threats in cyber space, insider threats generally cause critical losses in institutions. They also cause the loss of intellectual property, leakage of sensitive data, and damage to an institution's reputation. Logsign SIEM enables insider threat indicators to be discovered via identity-based and network-based analysis and allows security teams to identify and reduce attacks.
With identity-based behavior analytics, Logsign SIEM detects suspicious remote accesses, extraordinary log-in activities, and accesses to unusual data and systems at unusual hours.
Logsign SIEM records at what time and from which IP an authorized user gains access, and sends alerts on suspicious behavior. Logsign SIEM also identifies users who change or increase privileges on critical systems and detects a privilege increase for a current or new user at abnormal hours.
By enriching user behavior analytics data with detections from DLP software, Logsign SIEM analyzes all suspicious activities. These include situations such as confidential data being copied to USB devices, unauthorized cloud storage activity, and data being transferred externally via e-mail. Logsign SIEM raises alerts for these and other abnormal activities.
Logsign SIEM detects when remote users access systems at different hours and from different locations, monitors VPN accounts used from different regions, and raises alerts when it detects possibly suspicious activity.
During an attack, the attacker may try to access systems holding sensitive data from different machines and IPs. Even if the user has access permission, Logsign SIEM detects access attempts to data the user has not previously accessed or to systems the user has no permission to access.
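An added illustration of the identity-based baseline checks described above (unusual hour, new source IP or region, off-hours privilege change, first access to a system), written for this page in Python and not Logsign's own code; the events, the 07:00-19:59 business window and the field names are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real logs): user, ISO timestamp, source IP, geo region, action, resource.
def ev(user, ts, ip, region, action, resource=None):
    return {"user": user, "ts": ts, "ip": ip, "region": region, "action": action, "resource": resource}

# Known-good history for the user, used to build the behavioral baseline.
BASELINE = [
    ev("alice", "2024-03-04T09:12:00", "10.0.5.21", "DE", "login"),
    ev("alice", "2024-03-04T10:30:00", "10.0.5.21", "DE", "file_access", "hr-share"),
    ev("alice", "2024-03-05T14:05:00", "10.0.5.21", "DE", "file_access", "hr-share"),
]
# Events to evaluate: a night-time login from an unseen IP/region, then a privilege change and a first access to a new system.
NEW_EVENTS = [
    ev("alice", "2024-03-09T02:40:00", "203.0.113.7", "BR", "login"),
    ev("alice", "2024-03-09T02:45:00", "203.0.113.7", "BR", "privilege_change", "finance-db"),
    ev("alice", "2024-03-09T02:50:00", "203.0.113.7", "BR", "file_access", "finance-db"),
    ev("alice", "2024-03-11T09:05:00", "10.0.5.21", "DE", "file_access", "hr-share"),
]
WORK_HOURS = range(7, 20)  # assumed business window, 07:00-19:59

def build_profiles(events):
    """Per-user baseline: hours of day, source IPs, regions and resources seen in normal activity."""
    profiles = defaultdict(lambda: {"hours": set(), "ips": set(), "regions": set(), "resources": set()})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        p["ips"].add(e["ip"])
        p["regions"].add(e["region"])
        if e["resource"]:
            p["resources"].add(e["resource"])
    return profiles

def score_event(e, profiles):
    """Indicators this event triggers for its user; a user with no history (new account) gets an empty profile, so every check fires."""
    p, hour = profiles[e["user"]], datetime.fromisoformat(e["ts"]).hour
    checks = [
        ("unusual_hour", hour not in WORK_HOURS and hour not in p["hours"]),
        ("new_source_ip", e["ip"] not in p["ips"]),
        ("new_region", e["region"] not in p["regions"]),
        ("off_hours_privilege_change", e["action"] == "privilege_change" and hour not in WORK_HOURS),
        ("first_access_to_resource", bool(e["resource"]) and e["resource"] not in p["resources"]),
    ]
    return [name for name, hit in checks if hit]

def detect(baseline, events):
    """Evaluate events against the baseline; returns (timestamp, action, indicators) for each flagged event."""
    profiles = build_profiles(baseline)
    alerts = []
    for e in events:
        hits = score_event(e, profiles)
        if hits:
            alerts.append((e["ts"], e["action"], hits))
    return alerts
```

In a real deployment the baseline would be rebuilt continuously from accepted events and the indicators weighted into a risk score rather than alerted on individually.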