Insider Threat Investigation with ObserveIT and QRadar

Employees are the lifeblood of your business, and they need access to critical systems and data to succeed. Such critical systems and data range from your product roadmaps and intellectual property (IP) through sales forecasts to customer databases and key manufacturing systems. McKinsey found that 50% of all data breaches were insider related. Unfortunately, due to varied human motivations and poor security knowledge, employees, third-party vendors, contractors and partners can negatively impact the organization’s sensitive data and critical systems. 

Yet most security tools only analyze computer, network, or system data, and they are usually focused on external threats. ObserveIT monitors user and data activity at the endpoint, providing granular visibility into all user and data activities. The ObserveIT app for QRadar brings the power of user activity monitoring and insider threat investigation to your SIEM. By correlating ObserveIT user and data activity with the other data sources in your SIEM, customers regularly tell us they have reduced insider threat investigation time by 10x or more. Let’s explore how the ObserveIT integration into QRadar supports your business processes.

Establish User Attribution

Cyberattacks can have serious consequences for your organization. Alerting from most systems only gives you the “what” part of the story: what malware was installed, what data was exfiltrated, and so on. But how do you know whether a user directly caused the behavior or some process running on their workstation did? ObserveIT fills in the critical “who.” By correlating security alerts from other systems with ObserveIT’s user context and visual activity replay, you know who accessed or manipulated the critical system or data, and all of that context is available alongside the alert.

Establish Intent

ObserveIT data will be your most valuable resource for forensic investigations. Suppose you get an alert that a user has violated policy on an endpoint: sensitive data has been improperly shared, web traffic to a suspicious site has been detected, or unauthorized infrastructure changes have been made. Is the event intentional, unintentional, or just an unusual but necessary action? Does someone simply need a policy reminder, or is something more nefarious going on? ObserveIT’s user activity monitoring fills in the human element of the story with granular user context and visual activity replay, accessible through your SIEM. Protecting the organization also involves improved security awareness: in many of our larger deployments, customers configure real-time warning messages and application blocking so that accidental policy violations are avoided in the first place.

Insider Threat Investigation Walkthrough

Let’s say you have a Data Loss Prevention (DLP) solution in place at your organization with alerts feeding into QRadar. If you are like most organizations, you are understaffed and struggling to investigate a large volume of alerts, most of which turn out to be false positives. You need to triage and investigate these alerts quickly so that security operations and incident response teams can resolve them efficiently. But they are tough to investigate. You know a file was uploaded, but why? Was it done by the user directly, or by an automated file sync process? Was the violation intentional? Accidental? Malicious?

By correlating in the ObserveIT activity data from the endpoint, we can very quickly see that yes, it was the user deliberately uploading the sensitive file to the cloud service. A single click from the log details brings us into the ObserveIT player where we can see a visual activity replay of the user’s entire session, including the file upload in question. You’ve cut the insider threat investigation time from days and weeks to hours by gathering all the necessary and irrefutable evidence within minutes. This DLP event is attributed to a user, the action was clearly intentional, and you have the forensic evidence needed to escalate this event.
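The walkthrough above is, at its core, a correlation step: join a DLP alert to the endpoint user-activity records on the same host around the same time, then decide whether the upload came from a person at the keyboard or from a background sync agent. The following is an added example of that triage logic, not code from ObserveIT, QRadar, or the original post. The alert and activity record layouts, the field names, the sample events, and the list of sync agents are all constructed for illustration and do not reflect either product's real event schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record layouts (assumed for this example; not a real product schema).
@dataclass
class DlpAlert:
    alert_id: str
    ts: datetime
    host: str
    filename: str
    destination: str

@dataclass
class EndpointActivity:
    ts: datetime
    host: str
    user: str
    session_id: str
    process: str
    action: str   # "file_open", "key_input", "file_upload"
    target: str   # file name or URL the action touched, if any

# Assumed list of processes that move files with no human at the keyboard.
AUTOMATED_PROCESSES = {"OneDrive.exe", "Dropbox.exe", "GoogleDriveFS.exe", "rclone"}

def correlate(alert, activities, window=timedelta(minutes=5)):
    """Endpoint activity on the alert's host within +/- window of the alert time."""
    lo, hi = alert.ts - window, alert.ts + window
    return [a for a in activities if a.host == alert.host and lo <= a.ts <= hi]

def attribute(alert, activities):
    """Attach a user, a session and a verdict to a DLP alert.

    Verdicts: interactive_user_action (a person drove the uploading process),
    automated_sync (a known sync agent did it), process_without_input (an
    unknown process uploaded with no keyboard activity), unattributed (no
    matching upload found on the endpoint).
    """
    related = correlate(alert, activities)
    uploads = [a for a in related
               if a.action == "file_upload" and a.target == alert.filename]
    if not uploads:
        return {"verdict": "unattributed", "user": None,
                "session_id": None, "evidence": []}
    upload = min(uploads, key=lambda a: abs(a.ts - alert.ts))  # closest in time
    session = [a for a in related if a.session_id == upload.session_id]
    if upload.process in AUTOMATED_PROCESSES:
        verdict = "automated_sync"
    elif any(a.action == "key_input" and a.process == upload.process
             for a in session):
        verdict = "interactive_user_action"
    else:
        verdict = "process_without_input"
    # Session timeline an analyst would review before escalating.
    evidence = [f"{a.ts:%H:%M:%S} {a.user} {a.process} {a.action} {a.target}"
                for a in sorted(session, key=lambda a: a.ts)]
    return {"verdict": verdict, "user": upload.user,
            "session_id": upload.session_id, "evidence": evidence}

# Constructed sample data: one interactive browser upload, one sync-agent upload.
T = datetime(2019, 8, 2, 10, 0, 0)
SAMPLE_ACTIVITY = [
    EndpointActivity(T + timedelta(seconds=10), "WS-1234", "jdoe", "S-77",
                     "chrome.exe", "file_open", "Q3_forecast.xlsx"),
    EndpointActivity(T + timedelta(seconds=65), "WS-1234", "jdoe", "S-77",
                     "chrome.exe", "key_input", "upload.personal-cloud.example"),
    EndpointActivity(T + timedelta(seconds=140), "WS-1234", "jdoe", "S-77",
                     "chrome.exe", "file_upload", "Q3_forecast.xlsx"),
    EndpointActivity(T + timedelta(seconds=200), "WS-1234", "jdoe", "S-77",
                     "OneDrive.exe", "file_upload", "notes.docx"),
]
SAMPLE_ALERTS = [
    DlpAlert("dlp-1001", T + timedelta(seconds=150), "WS-1234",
             "Q3_forecast.xlsx", "upload.personal-cloud.example"),
    DlpAlert("dlp-1002", T + timedelta(seconds=205), "WS-1234",
             "notes.docx", "onedrive.example"),
]

def triage_samples():
    """Attribute every constructed alert; keyed by alert id."""
    return {a.alert_id: attribute(a, SAMPLE_ACTIVITY) for a in SAMPLE_ALERTS}

if __name__ == "__main__":
    for alert_id, result in triage_samples().items():
        print(alert_id, result["verdict"], result["user"], result["session_id"])
        for line in result["evidence"]:
            print("   ", line)
```

The design point is that the verdict is derived from the endpoint session, not from the DLP event alone: the same file upload is classified differently depending on whether the uploading process is a known sync agent and whether the session shows keyboard input to that process. In practice the time window and the automated-process list are the two knobs an analyst tunes, and the evidence list is what gets attached to the escalated case.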

Ready to learn more? The No-Nonsense Guide to Insider Threat Management is intended to help get you up to speed on all things insider threat – fast.

Article originally posted on IBM Security Community on August 2, 2019