Using behavioral analytics and HP ArcSight ESM to detect malicious insiders

Malicious insiders do not run around the office wearing masks and logging onto systems with user IDs like BadGuy1.  They sit among us.  They have access to the same buildings and systems that we do.  So what chance do we have of identifying them before it is too late and our trade secrets are in the hands of the wrong people?
Behavioral analytics is a tactic that HP has successfully deployed to monitor for out-of-the-ordinary behavior and alert officials before it is too late.
Traditional insider threat systems monitor high-risk users (new employees, contractors, employees who have given notice, executives) for specific, pre-defined behavior.  This behavior can include:

  • Downloading and printing sensitive data
  • Exporting data to known malicious sites
  • Logging on to systems during off-hours

These tactics are useful, but they have limited effectiveness against someone bent on doing harm: a determined insider who is not on the watch list, or who avoids the specific actions it looks for, never trips a rule.
Behavioral analytics combines traditional signature-based insider threat monitoring with human intelligence (HUMINT). Using HP ArcSight ESM, a baseline of normal behavior is built for each user from their own history.  Once the baselines have been established, ArcSight ESM can trigger on out-of-the-ordinary behavior and send an alert.  A baseline is only as good as the period it was learned from, so the learning window has to be reviewed: a user who was already misbehaving while the baseline was built will look normal afterwards.
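To make the contrast between the two layers concrete, here is an added illustration of both the watch-list rules from the list above and a per-user baseline with a deviation trigger, run over a constructed sample log. This is my own Python, not ArcSight ESM rule content and not HP's BASIC code; the user names, thresholds, blocklist, CSV format and the 3-sigma trigger are all assumptions chosen for the example.

```python
"""Added illustration: watch-list rules vs. per-user behavioral baseline.
Not ArcSight ESM content; all names, thresholds and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev


@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # logon | download | print | upload
    nbytes: int
    dest: str     # destination host for uploads, otherwise empty


def parse_line(line: str) -> Event:
    """Assumed CSV layout: timestamp,user,action,bytes,dest"""
    ts, user, action, nbytes, dest = line.split(",")
    return Event(datetime.fromisoformat(ts), user, action, int(nbytes), dest)


# --- traditional monitoring: fixed rules, high-risk users only (assumed lists) ---
HIGH_RISK_USERS = {"alice"}               # e.g. a contractor who has given notice
KNOWN_BAD_SITES = {"paste.example.net"}   # hypothetical blocklist
OFF_HOURS = range(0, 6)                   # 00:00-05:59
BULK_BYTES = 50_000_000                   # 50 MB in a single download/print


def signature_alerts(events):
    alerts = []
    for e in events:
        if e.user not in HIGH_RISK_USERS:
            continue                      # unwatched users are never examined
        if e.action == "logon" and e.ts.hour in OFF_HOURS:
            alerts.append((e.user, "off-hours logon"))
        elif e.action == "upload" and e.dest in KNOWN_BAD_SITES:
            alerts.append((e.user, "export to known malicious site"))
        elif e.action in ("download", "print") and e.nbytes >= BULK_BYTES:
            alerts.append((e.user, f"bulk {e.action}"))
    return alerts


# --- behavioral baseline: learned per user, applied to every user ---
MIN_SD = 1_000_000   # floor so a perfectly regular user does not yield sd = 0


def build_baselines(events, cutoff: date):
    """Mean/sd of daily bytes moved and the set of upload hosts, from events before cutoff."""
    daily, hosts = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for e in events:
        if e.ts.date() >= cutoff:
            continue
        daily[e.user][e.ts.date()] += e.nbytes
        if e.action == "upload":
            hosts[e.user].add(e.dest)
    return {u: {"mean": mean(d.values()), "sd": max(pstdev(d.values()), MIN_SD),
                "hosts": hosts[u]} for u, d in daily.items()}


def baseline_alerts(events, baselines, day: date, z_threshold=3.0):
    """Flag users whose activity on `day` deviates from their own history."""
    alerts, moved = [], defaultdict(int)
    for e in events:
        if e.ts.date() != day:
            continue
        moved[e.user] += e.nbytes
        b = baselines.get(e.user)
        if b and e.action == "upload" and e.dest not in b["hosts"]:
            alerts.append((e.user, f"first upload to {e.dest}"))
    for user, total in moved.items():
        b = baselines.get(user)
        if b is None:                     # new account: nothing to compare against
            alerts.append((user, "no baseline"))
            continue
        z = (total - b["mean"]) / b["sd"]
        if z > z_threshold:
            alerts.append((user, f"daily volume z={z:.0f}"))
    return alerts


def constructed_sample_log():
    """Constructed events, not real logs: one baseline week, then Monday 2013-08-26."""
    lines, bob_mb = [], [8, 10, 12, 10, 10]
    for i, d in enumerate(range(19, 24)):             # Mon-Fri baseline week
        lines += [f"2013-08-{d}T09:00:00,alice,logon,0,",
                  f"2013-08-{d}T11:00:00,alice,download,5000000,",
                  f"2013-08-{d}T09:10:00,bob,logon,0,",
                  f"2013-08-{d}T14:00:00,bob,download,{bob_mb[i] * 1_000_000},"]
    lines += ["2013-08-26T02:30:00,alice,logon,0,",              # watched user, odd hour
              "2013-08-26T02:45:00,alice,download,5000000,",     # but her usual volume
              "2013-08-26T09:05:00,bob,logon,0,",
              "2013-08-26T10:00:00,bob,download,500000000,",    # unwatched user, 50x normal
              "2013-08-26T10:20:00,bob,upload,500000000,drive.example.org"]
    return lines


def run():
    events = [parse_line(l) for l in constructed_sample_log()]
    day = date(2013, 8, 26)
    return signature_alerts(events), baseline_alerts(events, build_baselines(events, day), day)


if __name__ == "__main__":
    sig, base = run()
    print("signature:", sig)
    print("baseline: ", base)
```

On this data the watch-list rules see only alice's 02:30 logon, which is her normal 5 MB of activity at an odd hour, while bob, who is on no watch list, quietly moves a gigabyte to a host he has never used; only the baseline layer reports him. The floor on the standard deviation is the edge case worth noting: a user with identical activity every day has sd = 0, and without the floor any change at all would divide by zero or score as infinitely anomalous.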
This adaptation of existing technologies has proven very effective in current implementations. You can learn more about how HP has deployed the Behavioral Analytics Security Intelligence Cell (BASIC) at this year's HP Protect conference in Washington DC.


Labels: ArcSight
Comments
Veerendra Y (anon) | 08-29-2013 12:01 AM

Could you bring me up to speed on the current version of the ESM? E.g. Corr engine - Conditions - AGG - Actions - Threshold; I understand this in v 3.5
(most restrictive condition first to reduce engine CPU usage, etc.).
Current Corr metrics?

How is it dealt with now?

Is SmartAgent / FlexAgent the same as SmartConnector and FlexConnector?

What are actors? Is there anything such as an actor?

Have assets been modified?

Pattern disc: any changes?
