Protect Your Assets
Using behavioral analytics and HP ArcSight ESM to detect malicious insiders

08-13-2013 03:18 PM - edited 06-11-2015 09:14 AM

Malicious insiders do not run around the office wearing masks and logging on to systems with user IDs like BadGuy1. They sit among us. They have access to the same buildings and systems that we do. So what chance do we have of identifying them before it is too late and our trade secrets are in the hands of the wrong people?


Behavioral analytics is a tactic that HP has successfully deployed to monitor for out-of-the-ordinary user behavior and alert the security team before it is too late.


Traditional insider threat systems monitor high-risk users (new employees, contractors, employees who have given notice, executives) for specific, predefined behavior. This behavior can include:

  • Downloading and printing sensitive data
  • Exporting data to known malicious sites
  • Logging on to systems during off-hours 

These tactics are useful, but they have limited effectiveness against someone bent on doing harm: each rule describes one known-bad action, so an insider who keeps business hours, uses approved systems and avoids flagged destinations never trips them.


Behavioral analytics combines the traditional signature-based insider threat monitoring with human intelligence (HUMINT). Using HP ArcSight ESM, a baseline of normal behavior can be created for each user. Once these baselines have been established, ArcSight ESM can trigger on out-of-the-ordinary behavior, meaning activity that deviates from that user's own baseline rather than from a fixed rule, and send an alert.
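The following is an added illustration, not code from the post and not ArcSight ESM rule content: a small Python script that runs the three static rules listed above and then a per-user baseline over a constructed set of events. It shows the case the post is describing, a user who sends thirty times their usual volume during business hours to a destination they use every day, which no static rule catches but the baseline does. The event format, the destination names, the business-hours window and the "mean plus three sigma (with a 10 percent floor)" threshold are all assumptions made for the example.

```python
"""Static insider-threat rules versus a per-user behavioral baseline.

Added example over constructed events; not ArcSight ESM rule syntax.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (user, ISO timestamp, action, destination, bytes).
# The first eight lines are a training window of ordinary activity; the rest
# is the window we want to alert on.
EVENTS = [
    ("alice", "2013-08-05T09:10:00", "upload", "crm.example.com", 20_000),
    ("alice", "2013-08-06T10:05:00", "upload", "crm.example.com", 24_000),
    ("alice", "2013-08-07T11:30:00", "upload", "crm.example.com", 18_000),
    ("alice", "2013-08-08T14:00:00", "upload", "crm.example.com", 22_000),
    ("dana", "2013-08-05T09:20:00", "upload", "share.example.com", 50_000),
    ("dana", "2013-08-06T13:45:00", "upload", "share.example.com", 55_000),
    ("dana", "2013-08-07T10:15:00", "upload", "share.example.com", 48_000),
    ("dana", "2013-08-08T16:10:00", "upload", "share.example.com", 52_000),
    # Detection window.
    ("alice", "2013-08-12T23:30:00", "login", "vpn.example.com", 0),          # off-hours login
    ("dana", "2013-08-12T15:00:00", "upload", "share.example.com", 1_500_000),  # 30x usual, usual site, 3pm
    ("eve", "2013-08-12T10:00:00", "upload", "share.example.com", 10_000),      # new user, no history
]

KNOWN_BAD_SITES = {"paste.evil.example"}   # assumed blocklist for the "known malicious sites" rule
BUSINESS_HOURS = range(7, 20)              # assumed: 07:00-19:59 is normal


def split_events(events, cutoff="2013-08-11"):
    """Training window (before cutoff) versus detection window. ISO strings sort lexically."""
    return [e for e in events if e[1] < cutoff], [e for e in events if e[1] >= cutoff]


def static_rule_alerts(events):
    """The three traditional, signature-style rules from the post."""
    alerts = []
    for user, ts, action, dest, _ in events:
        hour = datetime.fromisoformat(ts).hour
        if action == "login" and hour not in BUSINESS_HOURS:
            alerts.append((user, ts, "off-hours login"))
        if action == "upload" and dest in KNOWN_BAD_SITES:
            alerts.append((user, ts, "export to known malicious site"))
        if action == "print_sensitive":  # sample flattens the document classification into the action
            alerts.append((user, ts, "printed sensitive data"))
    return alerts


def build_baselines(training):
    """Per-user baseline: daily upload volume (mean, stdev) and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for user, ts, action, dest, nbytes in training:
        if action == "upload":
            daily[user][ts[:10]] += nbytes
            dests[user].add(dest)
    return {
        user: {"mean": mean(days.values()), "std": pstdev(days.values()), "dests": dests[user]}
        for user, days in daily.items()
    }


def baseline_alerts(baselines, events, sigma=3.0):
    """Alert when a user departs from their own baseline rather than from a fixed rule."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, action, dest, nbytes in events:
        if action != "upload":
            continue
        base = baselines.get(user)
        if base is None:
            # No history yet (new hire, contractor): fall back to high-risk-user monitoring.
            alerts.append((user, ts, "no baseline for user"))
            continue
        if dest not in base["dests"]:
            alerts.append((user, ts, f"new destination {dest}"))
        daily[user][ts[:10]] += nbytes
    for user, days in daily.items():
        base = baselines[user]
        # Floor the spread at 10% of the mean so a very regular user does not alert on noise.
        threshold = base["mean"] + sigma * max(base["std"], 0.1 * base["mean"])
        for day, volume in days.items():
            if volume > threshold:
                alerts.append((user, day, f"daily upload {volume} exceeds baseline threshold {threshold:.0f}"))
    return alerts


def run_detection(events=EVENTS):
    """Return both alert lists for the detection window, so the gap between them is visible."""
    training, window = split_events(events)
    return {
        "static": static_rule_alerts(window),
        "baseline": baseline_alerts(build_baselines(training), window),
    }


if __name__ == "__main__":
    for kind, alerts in run_detection().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

Running it, the static rules fire only on alice's late-night VPN login, while the baseline pass flags dana's 1.5 MB day against a learned threshold of roughly 67 KB and routes eve, who has no history, back to the traditional high-risk-user watch list. The baseline here is a simple mean and standard deviation of daily volume; a production deployment would also baseline hours of activity, hosts touched and peer-group behavior, but the structure of "learn per user, then alert on the user's own deviation" is the same.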


This adaptation of existing technologies has proven very effective in current implementations. You can learn more about how HP has deployed its Behavioral Analytics Security Intelligence Cell (BASIC) at this year's HP Protect conference in Washington DC.


About the Author

Kerry_Matre

Comments
Veerendra Y
on 08-29-2013 12:01 AM

Could you bring me up to speed on the current version of ESM? E.g. Corr engine - Conditions - AGG - Actions - Threshold. I understand this in v3.5:
most restrictive condition first to reduce engine CPU usage, etc.
Current Corr metrics?

How is it dealt with now?

Is smartagent flexagent the same as smartconnector and flex connector?

What are actors ? Is there any thing as actor?

Have assets been modified?

Pattern disc: any changes?
