INSIDER THREAT DETECTION
Detecting a conspiracy: PERSONAM detected a conspiracy to steal client data from an overseas office of an international IP law firm. The four employees involved in the activity included one of the senior partners of the firm. Download the Case Study
Passive Network Monitoring
Human & Device Behavior Profiling
Signature-less Threat Detection
What it is
Personam’s advanced insider threat detection technology is a powerful and cost-effective solution for identifying malicious activity on your network. In a world where insider attacks are growing more frequent, bolder, and more successful, insider threat monitoring and detection must be part of a comprehensive security plan. Personam’s solution provides a continuous defensive posture internally, complementing the perimeter defenses.
How it works
Personam is addressing this widespread vulnerability with an entirely different approach, one specifically designed to detect an insider threat on a computer network. The key is to understand the behaviors of all the actors on a network (e.g. employees, contractors, automated processes, network-enabled devices, etc.), and identify the actors that are working outside the organizational norms. We do this by applying advanced machine learning techniques that use the network data to learn the behavior patterns of the actors and of the organization. Our technology can identify a threat even if the actor is using an unknown attack method, or is exfiltrating the data “low and slow” to avoid tripping traditional monitoring controls.
Advanced, patent-pending machine learning algorithms and big-data analytics methods are used to find even the most subtle attack activities hidden in the noisy environments of enterprise networks.
Personam is not an endpoint solution, and does not require the deployment and management of thousands of software agents to desktops, laptops, tablets and other devices. Behaviors are learned as identities access the organization’s centrally controlled IT resources. This provides a cleaner, more efficient deployment package without impacting operational networks.
Can Be Deployed Rapidly
Personam’s appliances are rack servers easily installed in your data center. They use simple port-spanning packet collection, and don’t require any configuration, data entry, document tagging, or re-calibration over time. The system learns everything it needs to know from the network data itself. When you need an operational solution quickly, Personam is your best bet.
Behavior profiles are developed based on how individuals use network resources, not on the things they write in emails, chat sessions, documents or any other communications. Because the content of network traffic is not inspected, employee privacy can be respected.
Personam does not use event data as a source, in the way that other analytics-based technologies do, so we don’t require you to have SIEM products installed. Using packet data instead, we have a much larger data source (the more data we have, the better we can detect the subtle threat behaviors), and we’re not blind to any activities that don’t generate pre-defined, pre-configured events.
Continuous and Real-time
Behavior profiles and cohort groups are continuously updated with each new packet of data observed by the insider threat detection appliance.
Can Detect Pre-Existing Attack Activity
Typical signature-less technologies look at historic baselines to detect abnormal changes in recent behaviors. If that is all we did, we would miss the threats that are already active when the system is deployed (i.e. the threatening behavior is part of the baseline). But we don’t limit our monitoring to past baselines – we also compare current behavior to the behaviors in the cohort group. This allows us to detect a pre-existing threat.
Works in encrypted environments
Even if the network packets are encrypted, threats can be detected because the Personam behavior profiles are based on packet headers, not the contents of potentially encrypted payloads.
Uses Signature-less Threat Detection
Threats, whether internal or external, have proven that they can innovate new attack approaches faster than rules can be produced. Rule and signature libraries are finite, and can only include the items their authors thought of in advance. Personam doesn’t use rules or signatures of any kind; the technology identifies outliers that can represent threats.
Personam technology is not a simple anomaly detector. Network environments, and the people that use them, generate enormous numbers of anomalies every day. Personam technology evaluates not just the routine behaviors, but also the numbers and types of anomalies each identity typically generates, and folds these anomaly meta-patterns into a more robust behavior profile. Alerts are generated when an identity’s profile changes (the routines and the anomalies). This makes the system extraordinarily accurate, and far less time and effort is spent chasing false positives.
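Two of the ideas above, comparing an identity against its cohort as well as against its own history (so a threat that was already active when monitoring began is still visible) and treating an identity's typical anomaly rate as part of its profile rather than alerting on each anomaly, shown as an added illustration that is not Personam's code and does not reflect its actual features or models. The per-identity daily summaries (outbound volume, distinct destinations, count of individually anomalous flows) are constructed and assume only header-derived flow metadata; the z-score threshold is an assumption for the example.

```python
from statistics import mean, pstdev

# Constructed per-identity daily summaries built only from flow headers:
# (outbound MB, distinct external destinations, count of individually
# anomalous flows). "alice" was already exfiltrating before monitoring began,
# so her own history contains the behaviour; "dave" is normal until today.
FEATURES = ("bytes_out_mb", "distinct_destinations", "anomalous_flows")
HISTORY = {
    "alice": [(880, 13, 3), (920, 15, 3), (900, 14, 2), (910, 14, 3),
              (890, 13, 3), (905, 15, 3), (895, 14, 3)],
    "bob":   [(120, 4, 0), (130, 5, 0), (110, 4, 1), (125, 5, 0),
              (115, 4, 0), (140, 6, 0), (120, 5, 0)],
    "carol": [(100, 3, 0), (90, 3, 0), (105, 4, 0), (95, 3, 0),
              (110, 4, 1), (100, 3, 0), (98, 3, 0)],
    "dave":  [(130, 5, 0), (135, 5, 0), (125, 4, 0), (140, 6, 0),
              (130, 5, 0), (128, 5, 1), (132, 5, 0)],
}
TODAY = {"alice": (910, 14, 3), "bob": (125, 5, 0),
         "carol": (102, 3, 0), "dave": (131, 5, 7)}
THRESHOLD = 3.0  # assumed |z| above which a feature counts as a profile change


def zscore(value, samples):
    """Standard score of value against samples (0 when samples never vary)."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def self_baseline_scores(identity):
    """Today's features against the identity's own history (classic baseline)."""
    columns = zip(*HISTORY[identity])
    return [zscore(v, col) for v, col in zip(TODAY[identity], columns)]


def cohort_scores(identity):
    """Today's features against what the rest of the cohort did today."""
    columns = zip(*[TODAY[p] for p in TODAY if p != identity])
    return [zscore(v, col) for v, col in zip(TODAY[identity], columns)]


def alerts(threshold=THRESHOLD):
    """Map identity -> [(feature, method)] for every feature that moved."""
    found = {}
    for identity in TODAY:
        hits = []
        for method, scores in (("self", self_baseline_scores(identity)),
                               ("cohort", cohort_scores(identity))):
            hits += [(f, method) for f, z in zip(FEATURES, scores)
                     if abs(z) > threshold]
        if hits:
            found[identity] = hits
    return found
```

Running `alerts()` flags alice only through the cohort comparison (her own baseline absorbs the exfiltration), while dave is flagged because his anomaly count moved away from the rate his profile expects, not because any single flow was anomalous.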