Using behavioral analytics and HP ArcSight ESM to detect malicious insiders

08-13-2013 03:18 PM - edited 06-11-2015 09:14 AM

Malicious insiders do not run around the office wearing masks and logging onto systems with user IDs like BadGuy1. They sit among us. They have access to the same buildings and systems that we do. So what chance do we have of identifying them before it is too late and our trade secrets are in the hands of the wrong people?


Behavioral analytics is a tactic that HP has successfully deployed to monitor for out-of-the-ordinary behavior and alert officials before it is too late.


Traditional insider threat systems will monitor high risk users (new employees, contractors, notice-given employees, executives) for specific behavior.  This behavior can include:  

  • Downloading and printing sensitive data
  • Exporting data to known malicious sites
  • Logging on to systems during off-hours 

These tactics are useful but can have limited effectiveness against those bent on doing harm.


Behavioral analytics combines traditional signature-based Insider Threat Monitoring with Human Intelligence (HUMINT). Using HP ArcSight ESM, a baseline of normal behavior can be built for each user. Once these baselines have been established, ArcSight ESM can trigger on behavior that deviates from the baseline and send an alert.
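The two detection layers described here, fixed signature rules (off-hours logon, large download) from the list above and per-user baseline deviation from this paragraph, can be illustrated in a few lines of Python. This is an added example written for this post, not HP code and not how ArcSight ESM implements its rules or baselines internally; the event format, the 14-day baseline window, the rule thresholds and the z-score cut-off are all assumptions, and the event data is constructed.

```python
"""Constructed example: signature rules plus per-user behavioral baselines.

Added illustration, not ArcSight ESM content or HP code. Event format,
thresholds and the user activity below are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, logon_hour, mb_downloaded).
# 14 days of routine activity for two users, then one more day.
EVENTS = []
for day in range(1, 15):
    EVENTS.append(("alice", day, 9 + (day % 2), 40 + (day % 3) * 5))
    EVENTS.append(("bob", day, 8 + (day % 3), 120 + (day % 4) * 10))
# Day 15: alice logs on at 02:00 and pulls 900 MB; bob looks like any other day.
EVENTS.append(("alice", 15, 2, 900))
EVENTS.append(("bob", 15, 9, 130))

BASELINE_DAYS = 14          # assumed learning window
Z_THRESHOLD = 3.0           # assumed deviation cut-off

# Layer 1: signature rules of the kind listed in the post (fixed thresholds).
SIGNATURE_RULES = {
    "off_hours_logon": lambda ev: ev[2] < 6 or ev[2] > 20,
    "large_download": lambda ev: ev[3] > 500,      # MB, assumed limit
}


def build_baselines(events, baseline_days=BASELINE_DAYS):
    """Per-user mean and population std dev of logon hour and daily MB."""
    per_user = defaultdict(lambda: {"hour": [], "mb": []})
    for user, day, hour, mb in events:
        if day <= baseline_days:
            per_user[user]["hour"].append(hour)
            per_user[user]["mb"].append(mb)
    return {
        user: {k: (mean(v), pstdev(v)) for k, v in cols.items()}
        for user, cols in per_user.items()
    }


def zscore(value, mu, sigma):
    """Standard score; a zero-variance baseline treats any change as extreme."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def evaluate(events, baselines, baseline_days=BASELINE_DAYS,
             z_threshold=Z_THRESHOLD):
    """Layer 2: flag post-baseline events that break a rule or deviate."""
    alerts = []
    for ev in events:
        user, day, hour, mb = ev
        if day <= baseline_days:
            continue                       # learning period, not scored
        reasons = [name for name, rule in SIGNATURE_RULES.items() if rule(ev)]
        base = baselines.get(user)
        if base is None:
            reasons.append("no_baseline")  # unknown user: escalate, don't skip
        else:
            zh = zscore(hour, *base["hour"])
            zm = zscore(mb, *base["mb"])
            if abs(zh) > z_threshold:
                reasons.append(f"logon_hour_deviation(z={zh:.1f})")
            if abs(zm) > z_threshold:
                reasons.append(f"download_volume_deviation(z={zm:.1f})")
        if reasons:
            alerts.append((user, day, reasons))
    return alerts


if __name__ == "__main__":
    for user, day, reasons in evaluate(EVENTS, build_baselines(EVENTS)):
        print(f"ALERT user={user} day={day} reasons={reasons}")
```

Run as a script it reports a single alert for alice on day 15, carrying both signature hits and both deviation reasons, while bob's day 15 produces nothing because it sits inside his own baseline. Two design points worth noting: a user with no baseline is escalated rather than silently ignored, and the baseline window must be chosen so that it does not already contain the behavior you are trying to catch, or the deviation layer learns it as normal.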


This adaptation of existing technologies has proven very effective with current implementations. Now you have the opportunity to learn more about how HP has deployed Behavioral Analytics Security Intelligence Cell (BASIC) at this year's HP Protect conference in Washington DC.




Veerendra Y
on 08-29-2013 12:01 AM

Could you bring me up to speed on the current version of the ESM? E.g. Corr engine - Conditions - AGG - Actions - Threshold; I understand this in v3.5
(most restrictive condition first to reduce engine CPU usage, etc.).
Current Corr metrics?

How is it dealt with now?

Is SmartAgent / FlexAgent the same as SmartConnector and FlexConnector?

What are actors? Is there any such thing as an actor?

Have assets been modified?

Pattern disc: any changes?
