Internal fraud continues to be a leading cause of data loss, and presents one of the most difficult challenges in risk mitigation. While many indications of fraud can be detected through careful analysis of host, application, and systems logs, there are many data loss vectors that remain difficult to monitor.
There are several options for protecting against insider threats, including:
While the use of SIEM is much more cost-effective, log data alone provides only limited information about insider activity, and even less about how applications might be used to leak sensitive data. The ideal solution is to use a content-aware SIEM that looks beyond log files and provides insight into how data is being accessed and how it is being used. To adequately detect and prevent fraud using a SIEM, in-depth monitoring of applications, databases and protocols must be correlated against logs, events and network activity.
For example: fraudulent activity from an authorized user, accessing sensitive information in a legitimate manner, is difficult to detect. Is data being stolen? How? Unless that user does something out of the ordinary, such as running an unexpectedly large report, their activity seems benign. If that user also violated application usage policies — such as using peer-to-peer file sharing — that might be seen within logs and raise a red flag on the suspect activity. However, if deep inspection of application activity shows the presence of credit card information within an email or chat session, the fraudulent activity becomes obvious.
Detecting fraud is therefore dependent upon collecting, correlating, and analyzing the right data. This means having a comprehensive monitoring solution with visibility into data access, applications, and even protocols such as file transfer and printer protocols. It also means that the SIEM must be capable of collecting and analyzing much more information than usual, because the added visibility into application content and protocol activity will add significant load to the already overwhelming volume of security event and log information.
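The scenario in the two paragraphs above, as an added example that is not part of the original article and not any vendor's product code: a small correlation routine in Python that takes normalised events from three sources (application logs, proxy logs, and chat content), tags each one with an indicator, and only raises a user when payload inspection finds a Luhn-valid card number alongside at least one behavioural indicator. The sample events, the 100,000-row threshold for a "large report", and the set of disallowed application uses are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample events (not taken from the original article). Three sources
# that a content-aware SIEM would normalise into one stream. 4111 1111 1111 1111
# is the well-known Visa test number; 1234567890123456 is a ticket id that
# happens to be 16 digits but fails the Luhn checksum.
SAMPLE_EVENTS = [
    {"source": "app",   "user": "jdoe",   "action": "run_report", "rows": 400},
    {"source": "app",   "user": "jdoe",   "action": "run_report", "rows": 250000},
    {"source": "proxy", "user": "jdoe",   "action": "p2p_session"},
    {"source": "chat",  "user": "jdoe",   "action": "message",
     "payload": "invoice ref 4111 1111 1111 1111 send asap"},
    {"source": "chat",  "user": "asmith", "action": "message",
     "payload": "ticket 1234567890123456 is closed"},
    {"source": "app",   "user": "asmith", "action": "run_report", "rows": 300},
]

LARGE_REPORT_ROWS = 100_000           # assumed threshold for an "unexpectedly large report"
POLICY_VIOLATIONS = {"p2p_session"}   # assumed set of disallowed application uses
# 13-19 digits, optionally separated by single spaces or dashes
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in free text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(event: dict) -> Optional[str]:
    """Map one normalised event to an indicator name, or None if it looks benign."""
    if event["action"] == "run_report" and event.get("rows", 0) >= LARGE_REPORT_ROWS:
        return "large_report"
    if event["action"] in POLICY_VIOLATIONS:
        return "policy_violation"
    if "payload" in event and find_card_numbers(event["payload"]):
        return "card_data_in_content"
    return None


def correlate(events: list[dict]) -> dict[str, list[str]]:
    """Group distinct indicators by user, preserving first-seen order."""
    per_user: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        ind = classify(ev)
        if ind and ind not in per_user[ev["user"]]:
            per_user[ev["user"]].append(ind)
    return dict(per_user)


def flagged_users(events: list[dict]) -> dict[str, list[str]]:
    """Flag a user only when card data in content coincides with at least one
    behavioural indicator; content alone or behaviour alone stays unflagged."""
    result = {}
    for user, inds in correlate(events).items():
        if "card_data_in_content" in inds and len(inds) >= 2:
            result[user] = inds
    return result


if __name__ == "__main__":
    for user, inds in flagged_users(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(inds)}")
```

The point of requiring two independent indicators is the one the article makes: a large report on its own, or a policy violation on its own, is routine noise in most environments, and a 16-digit number in a chat message is only interesting once it passes Luhn and is tied to a user whose other activity is already unusual. In a real deployment the thresholds would come from per-user baselines rather than a constant, and the payload inspection would run on the SIEM's own content parsers rather than a single regular expression.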
It isn't easy. When the limited detail found in database and application-level logs is supplemented with the much broader, in-depth detail obtained through dedicated application monitoring and payload analysis, a SIEM will be put to the test. That's why it's important to support hundreds of thousands of events per second, with the ability to correlate, analyze and report on millions of events per second.