Using behavioral analytics and HP ArcSight ESM to detect malicious insiders

Kerry_Matre ‎08-13-2013 03:18 PM - edited ‎06-11-2015 09:14 AM

Malicious insiders do not walk around the office wearing masks and logging on to systems with user IDs like BadGuy1. They sit among us. They have access to the same buildings and systems that we do. So what chance do we have of identifying them before it is too late and our trade secrets are in the wrong hands?


Behavioral analytics is an approach HP has deployed successfully to monitor for out-of-the-ordinary user behavior and alert investigators before it is too late.


Traditional insider threat programs monitor a defined set of high-risk users (new employees, contractors, employees who have given notice, executives) for specific, pre-defined behaviors. These behaviors can include:

  • Downloading and printing sensitive data
  • Exporting data to known malicious or unsanctioned external sites
  • Logging on to systems during off-hours

These rules are useful, but because each one only fires on a behavior someone anticipated in advance, they have limited effectiveness against a determined insider who stays within the patterns the rules expect.


Behavioral analytics combines traditional signature-based insider threat monitoring with human intelligence (HUMINT) about which users are at elevated risk. Using HP ArcSight ESM, a baseline of normal behavior is built for each user. Once that baseline has been established, ArcSight ESM can trigger on behavior that departs from it and send an alert.
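The following is an added example, not code from the post or from ArcSight ESM, showing in plain Python the two layers the post describes: the signature-style rules listed above (off-hours logon, export to a known bad site) and a per-user baseline that flags deviation from that user's own history, with an HR-supplied high-risk list lowering the alert threshold. The audit log lines, user names, destination hosts and the high-risk list are all constructed for the example.

```python
"""Per-user behavioral baseline plus signature rules for insider alerts.

Added illustration, not HP/ArcSight code. Every log line, user, host and
risk category below is constructed for the example.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log: "<ISO timestamp> <user> <action> <detail>".
# detail is a file count for download, a destination host for export,
# and "-" for logon.
BASELINE_LOG = """\
2013-07-01T08:55:00 alice logon -
2013-07-01T10:10:00 alice download 2
2013-07-02T09:05:00 alice logon -
2013-07-02T14:20:00 alice download 4
2013-07-03T08:50:00 alice logon -
2013-07-03T11:00:00 alice download 3
2013-07-01T09:30:00 bob logon -
2013-07-01T11:45:00 bob download 40
2013-07-02T09:20:00 bob logon -
2013-07-02T13:00:00 bob download 38
2013-07-03T09:40:00 bob logon -
2013-07-03T10:15:00 bob download 42
"""

# Day under review (constructed).
REVIEW_LOG = """\
2013-07-05T02:10:00 alice logon -
2013-07-05T02:30:00 alice download 25
2013-07-05T02:45:00 alice export files.example-paste.net
2013-07-05T09:15:00 bob logon -
2013-07-05T11:00:00 bob download 39
2013-07-05T14:00:00 bob export share.corp.example
"""

# HUMINT / HR context (constructed): a high-risk user trips the volume
# rule at a lower z-score than everyone else.
HIGH_RISK_USERS = {"alice": "notice-given"}
KNOWN_BAD_DESTINATIONS = {"files.example-paste.net"}   # signature list
SANCTIONED_DESTINATIONS = {"share.corp.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (logon|download|export) (\S+)$")


def parse_events(text):
    """Parse log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, detail = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "detail": detail})
    return events


def build_baselines(events):
    """Per user: hours at which logons normally occur, and mean/stdev of
    files downloaded per day over the baseline window."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "logon":
            hours[e["user"]].add(e["ts"].hour)
        elif e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += int(e["detail"])
    baselines = {}
    for user in set(hours) | set(daily):
        counts = list(daily[user].values()) or [0]
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        baselines[user] = {"hours": hours[user], "mean": mean,
                           "std": math.sqrt(var)}
    return baselines


def score_day(events, baselines, z_threshold=3.0, high_risk_z=2.0):
    """Return (user, rule, evidence) tuples for the day's events."""
    alerts, daily = [], defaultdict(int)
    for e in events:
        user, b = e["user"], baselines.get(e["user"])
        if b is None:
            alerts.append((user, "no baseline for user", e["action"]))
            continue
        if e["action"] == "logon":
            # Off-hours relative to this user's own history, not a fixed window.
            if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
                alerts.append((user, "logon outside baseline hours",
                               e["ts"].strftime("%H:%M")))
        elif e["action"] == "download":
            daily[user] += int(e["detail"])
        elif e["detail"] in KNOWN_BAD_DESTINATIONS:
            alerts.append((user, "export to known bad destination", e["detail"]))
        elif e["detail"] not in SANCTIONED_DESTINATIONS:
            alerts.append((user, "export to unsanctioned destination", e["detail"]))
    for user, total in daily.items():
        b = baselines[user]
        z = (total - b["mean"]) / max(b["std"], 1.0)  # floor std: regular users
        limit = high_risk_z if user in HIGH_RISK_USERS else z_threshold
        if z > limit:
            alerts.append((user, "download volume above baseline",
                           f"{total} files, z={z:.1f}"))
    return alerts


def run():
    return score_day(parse_events(REVIEW_LOG),
                     build_baselines(parse_events(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The baseline is deliberately per user: bob's 39 downloads are normal for bob, while alice's 25 are far outside her history, and her 02:10 logon is flagged against her own usual hours rather than a company-wide 9-to-5 assumption. A real deployment would build the baseline over weeks, not three days, and would treat a user with no baseline (new hire, contractor) as a reason to route to the high-risk list rather than to stay silent.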


This adaptation of existing technologies has proven very effective in current implementations. You can learn more about how HP has deployed its Behavioral Analytics Security Intelligence Cell (BASIC) at this year's HP Protect conference in Washington, DC.





Veerendra Y on ‎08-29-2013 12:01 AM

Could you bring me up to speed on the current version of ESM? E.g. Corr engine - Conditions - AGG - Actions - Threshold. I understand this in v3.5:
most restrictive condition first to reduce engine CPU usage, etc.
Current Corr metrics?

How is it dealt with now?

Is SmartAgent/FlexAgent the same as SmartConnector and FlexConnector?

What are actors? Is there any such thing as an actor?

Have assets been modified?

Pattern Discovery: any changes?
