Insider Threat Detection

What are Insider Threats?

Insider threats are one of the most important concerns for institutional security. Traditional methods for handling general security threats, such as signature matching and correlation rules, are not enough to detect them. Among the most challenging threats in cyber space, insider threats generally cause critical losses for institutions, including the loss of intellectual property, leakage of sensitive data, and damage to an institution's reputation. Logsign SIEM enables indications of insider threats to be discovered through identity-based and network-based analysis and allows security teams to identify and reduce attacks.

Detecting Compromised Users

With identity-based behavior analytics, Logsign SIEM detects suspicious remote accesses, unusual log-in activity, and access to unusual data and systems at unusual hours.

Managing the Privileged Accounts

Logsign SIEM records when and from which IP address a privileged user accesses systems and sends alerts for suspicious behavior. It also identifies users who change or escalate privileges on critical systems and detects privilege increases for an existing or new user at abnormal hours.

Data Exfiltration

By enriching user behavior analytics data with detections from DLP software, Logsign SIEM analyzes all suspicious activities. These include confidential data being copied to USB devices, unauthorized cloud storage activity, and data being transferred externally via e-mail. Logsign SIEM raises alerts for these and other abnormal activities.

Suspicious Activity Detection

Logsign SIEM detects remote users connecting at unusual hours or from unusual locations, monitors VPN accounts used from different regions, and raises alerts when it identifies possibly suspicious activity.

Lateral Movement Detection

During an attack, the attacker may try to reach systems holding sensitive data from different machines and IP addresses. Even when the user has access permission, Logsign SIEM detects access attempts to data the user has not accessed before or to systems the user is not permitted to access.
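The behavior-based checks described in the sections above (access at unusual hours, first-time access to a system, privilege changes at abnormal hours) as an added illustration, not Logsign's own code: a per-user baseline is learned from constructed sample events and later events are flagged when they deviate from it. The business-hours window and the one-hour tolerance around the learned working window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: (user, ISO timestamp, host, action).
BASELINE_EVENTS = [
    ("alice", "2024-03-04T09:12:00", "fileserver-01", "read"),
    ("alice", "2024-03-05T10:40:00", "fileserver-01", "read"),
    ("alice", "2024-03-06T14:05:00", "crm-app", "read"),
    ("bob", "2024-03-04T08:55:00", "build-01", "read"),
    ("bob", "2024-03-05T17:30:00", "build-01", "read"),
]
NEW_EVENTS = [
    ("alice", "2024-03-11T10:02:00", "fileserver-01", "read"),        # normal
    ("alice", "2024-03-12T02:47:00", "fileserver-01", "read"),        # unusual hour
    ("alice", "2024-03-12T02:49:00", "hr-db", "read"),                # never-accessed system
    ("bob", "2024-03-12T23:10:00", "build-01", "privilege_grant"),    # privilege change at night
    ("bob", "2024-03-13T09:00:00", "build-01", "privilege_grant"),    # privilege change in hours
    ("carol", "2024-03-12T11:00:00", "crm-app", "read"),              # user never seen before
]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; assumed site policy


def build_baseline(events):
    """Per-user profile of the hours and hosts observed during the learning window."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, ts, host, _action in events:
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profile[user]["hosts"].add(host)
    return profile


def detect(events, baseline):
    """Return (user, timestamp, [reasons]) for every event that deviates from the baseline."""
    findings = []
    for user, ts, host, action in events:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if user not in baseline:
            reasons.append("no behavioural baseline for user")
        else:
            hours = baseline[user]["hours"]
            # Allow one hour of slack either side of the observed working window.
            if not (min(hours) - 1 <= hour <= max(hours) + 1):
                reasons.append("access hour outside baseline")
            if host not in baseline[user]["hosts"]:
                reasons.append("first access to host")
        if action == "privilege_grant" and hour not in BUSINESS_HOURS:
            reasons.append("privilege change outside business hours")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for finding in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```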