Posted in Incident Response

How Incident Response Teams Leverage ObserveIT to Speed Up Insider Threat Investigations


TL;DR: This post walks through how incident response teams can use ObserveIT’s new cloud-based Insider Threat Management Platform to quickly investigate incidents and collaborate with stakeholders.

In case you missed it, Proofpoint recently announced the next generation of our ObserveIT Insider Threat Management (ITM) Platform on top of our new cloud-based architecture. With unique context on the insider and their activity, investigators and incident response teams can decrease the time to respond to potential incidents. Faster response times decrease the cost of insider threats.

Today, piecing together the story of what happened and why is more complicated than ever. Employees, third-party contractors, and customers are constantly collaborating, and they are using more and more applications. With this myriad of applications, the usual security and endpoint logs are incomplete or non-existent. What’s more, an insider may use many different tools to exfiltrate data, whether accidentally or maliciously. Identifying the user common to the events leading up to an incident can often be tedious and manual.

How ObserveIT ITM supports you

  • Context into all insider activity on endpoints, files, data, applications and servers
  • Insider-specific detection of risky behavior
  • Easy to understand, user-level visibility

Often, an insider threat investigation within our platform starts with an alert that flags risky behavior. Teams can fine-tune these alerts to adapt them to their environment. Out of the box, we provide insider threat-specific scenarios based on research with the CERT Institute at Carnegie Mellon, the NITTF, and NIST standards. These cover:

  • Data exfiltration
  • Accidental data movement
  • Privilege abuse
  • Application and server misuse
  • Unauthorized endpoint activity
  • Anomalous system access

A walkthrough of how incident responders accelerate their investigations

  1. Start with a lead: As IR professionals and investigators, we’re coming in with a lead around an incident in our environment. Often with insider threats, we have the name of a misused asset or a user in question (for example, when an employee or contractor leaves the organization). In this case, we are investigating user ‘kdonovan,’ as they’ve suddenly left the firm and there is suspicion of data exfiltration.
  2. Immediate context with insider threat alerts: Through ObserveIT’s integration with the enterprise identity provider (often Active Directory), we correlate the user with their role in the organization. In this case, ‘kdonovan’ is a sales director. Based on conversations with HR, we expect that a competitor has poached this user. A key piece of evidence in any investigation is visual proof of the activity. In this case, we have a screenshot of the user uploading the file to a USB device. This context increases our suspicions of potential data loss to our competitor.
     [Screenshot: Insider Threat Alerts]
  3. File activity context: When investigating data loss, we want to know as much as possible about the data in question, as well as the user’s activity timeline. In the above screenshot, we see that the file ‘vacation.pdf’ has an interesting and suspicious history. It was downloaded from our CRM system, renamed, and then exfiltrated through two unsanctioned channels: USB and personal Gmail. Let’s investigate within the timeline view for ‘kdonovan’.
  4. Irrefutable evidence in a timeline: By reviewing all their actions in one place, we get a sense of any anomalous behavior among the normal, job-related activity in a user’s day. From a file standpoint, we track the entire lifecycle: origin, movement, renaming, and eventual exfiltration. In the screenshot below, you can read that the user researched how to get past our organization’s security filters before downloading and exfiltrating sensitive customer information. With the timeline, we know the order of events and the date and time at which each event occurred. On top of this, we provide screen captures of the user’s endpoint as irrefutable evidence of intent. We don’t need to manually correlate logs from various sources.
  5. Collaborate easily with other teams: Insider threat investigations are a team sport involving HR, legal, compliance, cybersecurity, and other business units. ObserveIT replaces cybersecurity jargon with timelines of events and pictures to help these teams determine whether legal or other action is to be taken. Often, teams will export the incidents related to ‘kdonovan’ as a PDF to share with the other teams. However, we can also share this programmatically in CSV and JSON formats.
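The walkthrough above, reduced to its data problem: order a user’s endpoint events into a timeline, follow renames back to a file’s origin, flag copies or uploads to channels the organization has not sanctioned, and export the flagged events for non-technical teams. The script below is an added example written for this post; it is not ObserveIT code, and the event field names, the sample events, and the sanctioned-channel list are all constructed assumptions.

```python
"""Added example (not ObserveIT's implementation): build a per-user
activity timeline from constructed endpoint events, recover a file's
lineage through renames, flag exfiltration to unsanctioned channels,
and export the result as JSON or CSV for HR/legal stakeholders."""
import csv
import io
import json
from datetime import datetime

# Constructed sample events (not real telemetry); the field names are an assumption.
EVENTS = [
    {"ts": "2020-05-04T09:02:00", "user": "kdonovan", "action": "web_search",
     "detail": "how to get past corporate security filters"},
    {"ts": "2020-05-04T09:10:00", "user": "kdonovan", "action": "download",
     "file": "customer_list.xlsx", "source": "crm.example.com"},
    {"ts": "2020-05-04T09:11:00", "user": "kdonovan", "action": "rename",
     "file": "customer_list.xlsx", "new_name": "vacation.pdf"},
    {"ts": "2020-05-04T09:15:00", "user": "kdonovan", "action": "copy",
     "file": "vacation.pdf", "destination": "usb"},
    {"ts": "2020-05-04T09:20:00", "user": "kdonovan", "action": "upload",
     "file": "vacation.pdf", "destination": "mail.google.com"},
    {"ts": "2020-05-04T09:30:00", "user": "jsmith", "action": "upload",
     "file": "q2_forecast.xlsx", "destination": "sharepoint.example.com"},
]

# Channels the organization allows for file movement (assumed policy).
SANCTIONED = {"sharepoint.example.com", "crm.example.com"}


def user_timeline(events, user):
    """Return one user's events in chronological order (the 'timeline view')."""
    own = [e for e in events if e["user"] == user]
    return sorted(own, key=lambda e: datetime.fromisoformat(e["ts"]))


def file_lineage(events, user, final_name):
    """Walk rename events backwards from final_name to every earlier name.

    Returns (names oldest-first, origin) where origin is the download source
    of the earliest name, or None if the file was not seen being downloaded.
    A seen-set guards against rename cycles in malformed data."""
    names = [final_name]
    seen = {final_name}
    timeline = user_timeline(events, user)
    while True:
        prev = next((e["file"] for e in timeline
                     if e["action"] == "rename" and e.get("new_name") == names[0]), None)
        if prev is None or prev in seen:
            break
        seen.add(prev)
        names.insert(0, prev)
    origin = next((e["source"] for e in timeline
                   if e["action"] == "download" and e["file"] == names[0]), None)
    return names, origin


def flag_exfiltration(events, user, sanctioned):
    """Flag copy/upload events whose destination is outside the sanctioned set."""
    return [e for e in user_timeline(events, user)
            if e["action"] in ("copy", "upload")
            and e.get("destination") not in sanctioned]


def export_json(events):
    """Serialize events for programmatic sharing."""
    return json.dumps(events, indent=2)


def export_csv(events):
    """Serialize events as CSV with a stable, sorted header."""
    fields = sorted({k for e in events for k in e})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    flagged = flag_exfiltration(EVENTS, "kdonovan", SANCTIONED)
    names, origin = file_lineage(EVENTS, "kdonovan", "vacation.pdf")
    print("lineage:", " -> ".join(names), "(origin:", origin, ")")
    print(export_csv(flagged))
```

The lineage walk is what turns an innocuous-looking ‘vacation.pdf’ back into ‘customer_list.xlsx’ downloaded from the CRM; without it, a rule that only inspects the final filename never fires. The CSV export deliberately sorts its header so repeated exports diff cleanly when shared across teams.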

Evaluate user risk based on context

As the example above shows, a user’s risk level can’t be tied to a single activity. It is when one activity coincides with other activities on the same file that it becomes an indication of risky behavior. ObserveIT helps SOC analysts visualize user activities within this broader context to investigate incidents. In our next post, we’ll focus on how ObserveIT can be used for proactive threat hunting.

Want to see the new, cloud-based ObserveIT in action? Get the demo