An effective method to detect insider threat without rules

Security controls normally have to predefine 'good' and 'bad' behavior, yet that approach leaves room for people to dodge the rules, deliberately or otherwise. This is particularly risky when writing rules for insiders: make them too restrictive and legitimate work is hindered; make them too permissive and the organization is exposed to threats that could easily have been prevented.

For example, to prevent unusual RDP connections, inbound or outbound, traditional security tools such as firewalls typically predefine which destination ports to permit and which to block. If an employee uses a destination port that the firewall does not explicitly restrict, they could exfiltrate data from the network without raising any alert.

After being deployed on the corporate network of a large manufacturing company, our technology spotted a rogue device making RDP connections to an uncommon external host, connections that the firewall should have blocked.

The organization's firewall was configured to block outbound RDP connections, but the rule was overly simplistic: it matched only on the destination port. By changing the port in use, the connections were allowed to proceed.
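To make the weakness concrete, here is an added example (not code from the article or from PacketWorker) that places a destination-port rule beside a protocol-aware check. The check recognises the opening of an RDP session by its TPKT header and X.224 Connection Request, which look the same on any port; the flow records, payload bytes and port numbers are constructed for illustration.

```python
# Added example (not from the original article): a destination-port firewall rule
# beside a protocol-aware check that recognises an RDP handshake on any port.
# Flow records and payload bytes below are constructed for illustration.
from dataclasses import dataclass

RDP_DEFAULT_PORT = 3389


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first client payload bytes, as a network sensor would capture them


def port_rule_blocks(flow: Flow) -> bool:
    """Legacy rule: block outbound traffic only when the destination port is 3389."""
    return flow.dst_port == RDP_DEFAULT_PORT


def looks_like_rdp(payload: bytes) -> bool:
    """Protocol-aware check. An RDP session opens with a TPKT header (version 3,
    reserved byte 0, 16-bit length) carrying an X.224 Connection Request TPDU,
    whose code byte is 0xE0. None of that depends on the port number."""
    if len(payload) < 11:  # shortest possible TPKT + X.224 Connection Request
        return False
    tpkt_version_ok = payload[0] == 0x03 and payload[1] == 0x00
    tpkt_len = int.from_bytes(payload[2:4], "big")
    x224_cr = payload[5] == 0xE0  # payload[4] is the X.224 length indicator
    return tpkt_version_ok and tpkt_len >= 11 and x224_cr


def protocol_rule_blocks(flow: Flow) -> bool:
    """Hardened rule: block outbound RDP identified by its handshake, not by its port."""
    return looks_like_rdp(flow.first_bytes) or flow.dst_port == RDP_DEFAULT_PORT


# Constructed minimal X.224 Connection Request inside a TPKT frame (11 bytes).
RDP_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")
# Constructed start of a TLS ClientHello record, for contrast.
TLS_CLIENT_HELLO_START = bytes.fromhex("160301009c010000980303")

SAMPLE_FLOWS = [
    Flow("10.0.5.23", "203.0.113.7", 3389, RDP_CONNECTION_REQUEST),  # caught by both rules
    Flow("10.0.5.23", "203.0.113.7", 8443, RDP_CONNECTION_REQUEST),  # same handshake, other port
    Flow("10.0.5.23", "203.0.113.7", 443, TLS_CLIENT_HELLO_START),   # ordinary HTTPS
]


def compare_rules(flows):
    """Return (dst_port, blocked_by_port_rule, blocked_by_protocol_rule) per flow."""
    return [(f.dst_port, port_rule_blocks(f), protocol_rule_blocks(f)) for f in flows]


if __name__ == "__main__":
    for port, by_port, by_proto in compare_rules(SAMPLE_FLOWS):
        print(f"port {port:>5}: port rule blocks={by_port}, protocol rule blocks={by_proto}")
```

The second flow is the case the article describes: the same handshake on a port the port-based rule never mentions passes the legacy rule and is caught only by the check that inspects the traffic itself. A real deployment would combine such protocol identification with the behavioral baseline discussed later, since a determined insider can also tunnel RDP inside another protocol.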

No other devices in the network had been observed connecting to that host. The activity represented a major deviation from the pattern of normality built by the PW (PacketWorker) ML algorithms. The connections lasted over ten minutes and involved the download of nearly 10MB of data.

On investigation, it became clear that an employee had connected a personal device to the corporate network and was attempting to send valuable intellectual property to a foreign party. The external host turned out to belong to a competing manufacturing company.

It may be tempting to conclude that the organization simply needed a better firewall, but that misses the point. A legacy tool, however costly, still depends on rules, and every rule has an exception. Firewalls remain a basic part of modern cybersecurity, but organizations need to accept that cyber-threats will always find a way around such tools.

PW makes no assumptions about what malicious activity looks like. It uses ML algorithms to learn 'normal' for every user and device on a network. When a threatening deviation emerges, PW integrates with third-party tools to send an immediate response that quarantines the threat in real time. While some of these anomalies are stopped by firewalls and other rules-based tools, subtle insider threats like this one frequently go undetected.
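The following added example is not PacketWorker code and says nothing about how its algorithms work; it is a minimal illustration of the idea in the paragraph above and in the incident description: learn, per device and across the network, which external hosts are contacted and how long and how large sessions normally are, then score a new connection by how far it departs from that history rather than by which port it uses. The log format, weights and alert threshold are constructed for the example.

```python
# Added example (not PacketWorker code): a minimal behavioural baseline that learns
# which external hosts each device talks to and how long / how much, then scores a
# new connection by how far it departs from that history. Log lines, weights and
# the alert threshold are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

ALERT_THRESHOLD = 5  # constructed: total score at which a connection is flagged


@dataclass(frozen=True)
class Conn:
    device: str
    dst_host: str
    dst_port: int
    duration_s: int
    bytes_in: int  # bytes transferred to the internal device


def parse_log(text: str):
    """Parse 'device dst_host dst_port duration_s bytes_in' lines (constructed format)."""
    conns = []
    for line in text.strip().splitlines():
        device, host, port, dur, nbytes = line.split()
        conns.append(Conn(device, host, int(port), int(dur), int(nbytes)))
    return conns


class Baseline:
    """Pattern of normal per device and across the whole network."""

    def __init__(self):
        self.device_hosts = defaultdict(set)   # device -> hosts it has contacted
        self.host_devices = defaultdict(set)   # host -> devices that contacted it
        self.max_duration = defaultdict(int)   # device -> longest session seen
        self.max_bytes = defaultdict(int)      # device -> largest transfer seen

    def learn(self, conns):
        for c in conns:
            self.device_hosts[c.device].add(c.dst_host)
            self.host_devices[c.dst_host].add(c.device)
            self.max_duration[c.device] = max(self.max_duration[c.device], c.duration_s)
            self.max_bytes[c.device] = max(self.max_bytes[c.device], c.bytes_in)

    def score(self, c: Conn):
        """Return (score, reasons). No factor depends on the destination port."""
        score, reasons = 0, []
        if c.device not in self.device_hosts:
            score += 2
            reasons.append("device has no history on this network")
        if c.dst_host not in self.host_devices:
            score += 3
            reasons.append("no device has ever contacted this host")
        elif c.dst_host not in self.device_hosts.get(c.device, set()):
            score += 1
            reasons.append("host is new for this device")
        # Compare against the device's own history, or the network's if it has none.
        ref_dur = self.max_duration.get(c.device) or max(self.max_duration.values(), default=0)
        ref_bytes = self.max_bytes.get(c.device) or max(self.max_bytes.values(), default=0)
        if c.duration_s > 2 * ref_dur:
            score += 1
            reasons.append(f"session {c.duration_s}s exceeds twice the reference {ref_dur}s")
        if c.bytes_in > 2 * ref_bytes:
            score += 2
            reasons.append(f"transfer {c.bytes_in}B exceeds twice the reference {ref_bytes}B")
        return score, reasons

    def is_anomalous(self, c: Conn) -> bool:
        return self.score(c)[0] >= ALERT_THRESHOLD


# Constructed learning period: device, destination host, port, seconds, bytes.
TRAINING_LOG = """
ws-eng-01 203.0.113.50 443 30 250000
ws-eng-01 198.51.100.10 443 45 800000
ws-eng-02 203.0.113.50 443 20 120000
ws-eng-02 198.51.100.10 443 60 1500000
fs-01     203.0.113.50 443 15 90000
"""

# Constructed candidates: an ordinary session, and one resembling the incident in the
# article (unknown device, unseen host, non-standard port, long session, large download).
NORMAL_CONN = Conn("ws-eng-01", "203.0.113.50", 443, 25, 200000)
ROGUE_CONN = Conn("unknown-7c2a", "192.0.2.99", 8443, 640, 9800000)


def build_baseline() -> Baseline:
    b = Baseline()
    b.learn(parse_log(TRAINING_LOG))
    return b


if __name__ == "__main__":
    baseline = build_baseline()
    for conn in (NORMAL_CONN, ROGUE_CONN):
        s, why = baseline.score(conn)
        print(f"{conn.device} -> {conn.dst_host}:{conn.dst_port} score={s} alert={s >= ALERT_THRESHOLD}")
        for r in why:
            print("   ", r)
```

The rogue connection is flagged for four independent reasons, none of which mention a port; a per-device maximum is a deliberately crude stand-in for the statistical models a product would use, but it is enough to show why a connection that every rule allows can still stand out as abnormal.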

Binita Kalpit has been a freelance writer for over a year, with a deep interest in data centers and cloud computing. She is one of those who like to share her knowledge with everyone to spread awareness. In her free time she likes to write songs.