• United States



by John Breeden II

Review: Hot new tools to fight insider threats

May 31, 201619 mins
Cloud SecurityMobile SecuritySecurity

Fortscale protects traditional networks, Avanan works in the cloud, PFU systems focuses on mobile devices

In the 1979 film When a Stranger Calls, the horror is provided when police tell a young babysitter that the harassing phone calls she has been receiving are coming from inside the house. It was terrifying for viewers because the intruder had already gotten inside, and was presumably free to wreak whatever havoc he wanted, unimpeded by locked doors or other perimeter defenses. In 2016, that same level of fear is being rightfully felt towards a similar danger in cybersecurity: the insider threat.

An entire industry has sprung up to provide a defense against insider threats. We tested products from Fortscale, Avanan, and PFU Systems, with each one concentrating on a different aspect of the problem.

  • Fortscale did an amazing job protecting a traditional network. It’s machine learning capabilities and concentration on access and authentication logs gives it an extremely high accuracy rate when ferreting out a threat, yet leaves any actual decisions to humans after providing them with the collected and sorted information. 
  • Avanan has a very good front-end interface and works completely within the cloud. It can even incorporate most other security tools that have been optimized by the company to work within cloud environments. Cloud-based insider threats can be even harder to detect than in traditional networks because of the uncontrolled and widely dispersed nature of the data, yet Avanan uniquely protects it from threats related to trusted insiders. 
  • PFU Systems, a Fujitsu company, applies insider threat security to mobile devices with their iNetSec system. It can help an organization implement a BYOD program without taking on the additional insider risks associated with mobile devices, such as having credentialed smartphones falling into the wrong hands.

All three performed well in our testing, which was conducted over several weeks with some network structures provided by the vendors and some provided by our in-house testbed. (See screen shots of these three products.)

Fortscale: Machine learning to the rescue

Compared to other enterprise security tools we have examined over the past few years, the Fortscale product is nearly complete and ready to go out of the box. It is installed on a network as a single server which is then linked into whatever security information and event management (SIEM) system is already being used. There are no rules to configure or programming to be done by administrators as Fortscale uses machine learning and complex algorithms to find anomalous or dangerous behavior associated with insider threats. And because it concentrates on access and authentication logs, data that most networks keep for at least a month, it is able to begin spotting danger on its first day, though it does get even more accurate over time.

+ RELATED: Fortscale’s user behavioral analytics solution provides full context when truly malicious behavior is detected  +

Fortscale is also very economical, with pricing at about $10 per user per year for a midsized enterprise with 20,000 seats. There are discounts for larger licenses and multi-year commitments.

Although the processes that Fortscale goes through to generate an alert are fairly complicated, in a sense it boils down to being able to process information very much like a human. If a user who is working in California in the morning suddenly logs into a protected system from the Ukraine at noon, that would be something that a human could easily recognize as an attack, yet computers have a more difficult time with it, especially if the examples are less obvious.

We found Fortscale to be similar in a sense to IBM’s Watson, able to make those connections and elevate problems to human users for mediation. The secret is that Fortscale concentrates on very specific information where threat patterns are already programmed, and which can be learned based on the specific environment it’s protecting. Specifically, it looks at OS authentication, VPN access, file access, data from existing security product logs and access to the “crown jewels,” the most important and dangerous parts of a network that most attackers try to access.

From the Fortscale interface, a user would never know that so much processing is going on in the background. Events that get elevated to humans for consideration need to have been backed by several of the factors that Fortscale examines. No single event is enough to trip an alert, a fact that keeps false positives to a minimum.

Another neat feature, and one that shows that Fortscale is really built for human users, is the fact that certain users can be pinned to the login splash page for extra scrutiny. Called Followed Users, these people are added to the far right column of the dashboard, complete with their pictures, titles and network groups, if such information is available.

There are no set criteria needed to add someone into the Followed Users pool either. It’s totally up to the system administrators. Perhaps investigators in the physical world or auditors suspect the employee for some reason outside of network activity, or perhaps Fortscale admins are seeing low-level anomalies tied to one account and want to mark that user just in case. It could even be a VIP on the network whose activities need to be protected at all costs, or a temporary contractor without security clearance. The reasons really don’t matter. Users can be added to the Followed Users group or removed from it at will.

Clicking on a user within the Followed Users group will bring up all the information that Fortscale has collected about them over time, regardless of whether any of it amounts to an actual alert. This is no different from selecting anyone from the user pool. It just calls them out for extra scrutiny and easy access.

Other than the Followed Users area, the main interface looks a lot like a typical security dashboard. The top 10 open alerts are displayed prominently with red, yellow and green color codes. There is also information about the number of alerts being generated from various groups and the fix rate, where administrators close an alert and presumably fix the problem. All of that information can be collected and put into unique, graphical reports to show the overall security picture, down to the factors contained within a single alert to supervisors or auditors. The reports look good enough to be presented to C-level bosses and are fairly easy to understand.

Where Fortscale’s interface really gets good is when you drill down into alerts. The program does an excellent job of showing administrators the story behind the alert. Even a low-level or junior analyst could probably make sense of the story of the alert presented. It’s broken down by the indicators that caused the alert. In one case, there were seven indicators that went into generating an insider threat alert including a data usage anomaly, a high number of devices per day factor, a geolocation anomaly, a high number of source countries anomaly and a source device problem. In that case, it was easy to surmise that the employee in question was probably not a true insider threat, but instead someone who had their credentials compromised and was thus acting like one, likely without their knowledge.

But Fortscale can also detect events that are not so obvious, and then present its case to administrators to help them understand what is going on. In another example, one user on the protected system was doing a lot of snooping. All of their snooping was technically authorized by network policy, so they would not have triggered an alert. But Fortscale was able to catch them by linking activity time anomalies with a high number of targeted device anomalies and a few failure codes. Looking at the story presented as an alert by Fortscale, a human could get a pretty good idea that an administrator charged with responsibility in one area was logging on after hours to systems they were not responsible for maintaining.

Occasionally they were rejected from a system with a bad or invalid password, generating the error code anomaly, but because they stopped at that point it would not have generated a normal SIEM alert. But Fortscale was able to add that into the picture of what they were doing, information that would otherwise have likely been lost in the huge stream of seemingly unrelated network data.

In the second example, a true insider threat would have been caught even though they were for the most part following the rules. Fortscale does not make any judgements about the user, and thus takes no actions on its own, other than presenting the story of the alert to security personnel. Perhaps a user was helping out a friend in another department or perhaps they were simply curious or perhaps they were an actual spy or disgruntled employee. It’s up to humans to make that determination and take appropriate action, but Fortscale can shine the spotlight on their activities which might otherwise fly under the radar.

As a final example, Fortscale was able to flag insider activity that was taking a low-tech approach, in this case by examining printing logs. The program was able to identify an anomaly where a user first made an “all records” call to the Oracle database and then printed over 350 pages. Looking at their previous printer usage, they only sent a few pages to the printer over the past two months, and then suddenly sent a job that was more than 300 pages.

Fortscale took no action other than to alert administrators to the activity and present the whole picture of related events. Again, this might have been job-related, but it also could be a case where an employee was preparing to leave the company and wanted to take proprietary information with them using a very low tech way of capturing and stealing the data. But even the low-tech approach was not able to escape the watchful, and insightful, eye of Fortscale.

Avanan: Penetrating the cloud

Protecting data inside the cloud, especially from insider threats, is difficult because the data is housed in different places, and is not normally under the direct control of the organization that owns it. While cloud providers will help to keep data safe from external threats, they generally won’t do anything if an authorized user suddenly starts sending confidential files offsite. In fact, they may even open up more bandwidth to make that process go more smoothly.

+ ALSO: New cloud access security vendor offers the full security stack, with solutions from 60 leading vendors +

Avanan was formed in 2014 with a focus on cloud security. The system also runs completely in the cloud itself, so the setup has no physical components. It works with all the biggest cloud providers including Amazon, Google and Microsoft. Avanan is also extremely economical, with the base platform starting at $5 per user per month, and less for large deployments. The setup process for our test cloud only took a few minutes.

Because most cloud providers have access to functionally unlimited storage capacity, many keep up to a year or more of data regarding the various actions by users and programs within the cloud. Avanan can tap into that data and begin working right away, even identifying suspect insider threat activity that happened months ago, or linking new cases with a potential pattern going back months or years.

By itself, Avanan is a powerful tool for protecting against insider threats. However, another strength of the product is that it offers one-click installation of many popular security programs, even those that have not previously been optimized for use within the cloud. Avanan does not charge users to install those apps inside the cloud.

Users only need to pay whatever the other vendor charges, and their existing license may even cover cloud deployments. In the course of our testing we installed Check Point, Palo Alto and Symantec software into our test cloud. In all cases, we got full cloud functionality. Each program was also able to report directly into the Avanan main interface to add extra indicators into an insider threat investigation or to provide updates on the general security of the cloud like malware files stored inside.

There is no upper limit as to how many additional programs can be running in addition to Avanan. For example, multiple antivirus programs can be running without interfering with each other, and it supports more than 40 choices. It also supports sandboxing like FireEye, and SIEM programs like Splunk and ArcSight.

Once installed, Avanan gives full visibility into everything that is happening within the cloud it’s protecting. There is an automated policy engine that can be used to ensure that basic or common sense type user rules are applied. From there, administrators can set up unique rules for how various folders and data can be used, accessed and shared. Because these are file-level rules, they apply to both users and any programs that are installed.

In our test network, when a user with high credentials installed a program that required access to data within a protected area, it was halted even though the user had the proper credentials to install the offending program. This would prevent a user from accidentally installing something, even a commonly used program, that wants to access protected data.

When a user violates policy, there are several actions that can be defined in Avanan. Users could simply be notified of the possible security breach, with customized messages explaining why an action is being denied. In this way, users can become educated as to bad or undesirable behavior in the cloud and thereafter be less likely to become accidental insider threats.

Moving up the severity ladder, users can be alerted to the denial, but offered the chance to explain their actions. Perhaps they have a valid business reason for sending confidential data to a colleague. Administrators can then consider that reasoning in their response and can then allow or deny the suspected action. In either case, an audit trail is generated that can be used for any future investigations of that user, process or program. Finally, processes can be outright denied and security teams notified when a policy is broken, with or without tipping off the user.

The main Avanan console is basically like a SIEM itself, though it consolidates data from any other SIEM or security program running in the cloud. It also has a robust shadow IT function, which shows applications that have been installed within the cloud, who is using them and what they are doing. Entire applications can be denied and removed from the cloud regardless of the number of users, preventing any program from becoming an insider threat itself, or acting as a vehicle for things like prohibited file transfers or data sharing.

Avanan doesn’t quite present as neat a picture of individual insider threat activity as Fortscale does for traditional networks, but questionable activity can still be ferreted out with minimal training. In our demo, one user was attempting to access folders where they had rights, but then was trying to perform functions which were prohibited by policy, namely attempting to move files to a less secure area. In that case, the user was likely a true insider threat.

In another example, a user was again accessing legitimate folders, but was doing so from multiple locations around the world, which was shown on a graphical map within Fortscale. In that instance it was likely a case of compromised credentials. In both instances, Avanan prevented the insider threat from taking any detrimental action.

With so much data moving to the cloud, having a program like Avanan is almost a necessity these days. Besides the ability to protect data and files from insider threats, the value of being able to deploy a huge variety of security programs into the cloud with just one click can’t be overstated. And giving full visibility into all the user, program and access actions taking place in the cloud really demystifies it, allowing administrators to manage and protect it more like a traditional network, keeping cloud-based data safe from both outside and insider threats.

iNetSec Smart Finder: Agentless scanning of mobile devices

Mobility adds another wrinkle to security when users are allowed to access their networks using tablets, smartphones and other mobile devices. These mobile devices add more potential liability since they are essentially network clients that routinely leave the office and the control of administrators. In addition to normal insider threat issues, mobility also adds the possibility that a credentialed device could be lost or stolen, giving a potential window into a protected network.

+ RELATED: 5 active mobile threats spoofing enterprise apps +

PFU Systems, a Fujitsu company, aims to manage the increased potential for insider threats generated by mobility programs with their iNetSec system. Everything it does is focused on mobility, so an organization’s need for such a program would be dependent on how much they rely on mobility programs or BYOD deployments.

The iNetSec Smart Finder system is deployed as a network appliance that generally sits between the LAN segments of a network and the VLAN segments used by mobile users. A single iNetSec appliance can support up to 16 VLANs. The iNetSec Smart Finder appliance starts at $8,410 and includes the management software, one year of support and one appliance with a capacity of 1,000 concurrent devices.

Once deployed, the iNetSec Smart Finder appliance discovers, classifies and manages all mobile devices in order to enforce network access policies. In addition to device management, it will graph and visualize all application traffic broken down by device to prevent bandwidth abuse and stop high risk applications from operating.

And while iNetSec is mostly concerned with insider threats, it can also scan internal network traffic to detect the presence of Advanced Persistent Threats (APT) based on behavioral correlation. It is able to do all this without the need to install agents on any mobile device, so users participating in a BYOD program won’t have to allow extra or unwanted software onto their personal devices.

The first step, once our iNetSec testbed went live, was to scan for every mobile device which was connected or had connected to the network. The iNetSec appliance actually was able to find any device with a MAC address, including routers and VoIP phones, and properly identify them in the main console. It does this in order to monitor traffic moving through the network gateway as well as any lateral movement that might be an indication of an active APT.

Pulling mobile devices aside, administrators can go through the process of allowing each one to connect to the network and setting up the circumstances and approvals needed to do so, or they can be denied all together. This can also be done by policy instead of looking at each individual device, which is nice if there are thousands of them on a network. With our smaller testbed, we simply looked at each one and the process went very quickly.

As a bonus, rules can be established regarding certain aspects of security, such as how often a mobile device needs to connect to the network to maintain its valid credentials. So you can set iNetSec to, for example, consider a device to be lost or stolen if it does not check in every seven days. This would help to prevent one insider threat possibility that doesn’t normally occur with non-mobile systems, namely an authorized device falling into the hands of an unauthorized user. Devices that try to connect after the set time limit can be forced to follow a different procedure to regain full network access, perhaps requiring direct approval from security personnel.

Once each device is approved or rejected, and a policy put in place to govern any new devices that want to connect, iNetSec begins monitoring what those devices and users are doing. The main dashboard displays every connected device and its current activity. You can even see, for example, which users are watching YouTube videos or goofing around with their devices. This is important because each application being used is assigned a risk level, even if it is not actively doing anything bad at the time. On our test network a file sharing application based in China shot up to very high concern levels as soon as it came online. Even some seemingly normal programs like Adobe SendNow were given high risk factors based on their potential for abuse.

Administrators can choose to permit or prohibit any application’s use on the network. While this would not remove them from the mobile device, which iNetSec has no direct control over, it would prevent them from being used to transfer files or to interact with a protected network. In cases an administrator considers to be extreme, the presence of certain programs or malware could trigger a device to be immediately denied network access all together.

Ironically, iNetSec uses Address Resolution Protocol (ARP) spoofing to be able to instantly deny mobile devices access to a network in an emergency, and also instantly allow them to rejoin later if needed. ARP spoofing is a technique sometimes used by attackers, so it was interesting to see it used cleverly for good.

In addition to suspect applications, iNetSec also looks at traffic patterns within the network that touches mobile users. So if someone is using their phone to move files or access prohibited areas, iNetSec might flag that behavior. However, without the presence of actual malware or some suspect application involved, a user doing something like that might be able to go for a while without iNetSec flagging them.

In this day and age, few organizations can afford to completely prevent their users from working on mobile devices, and even the most conservative companies have embraced some form of BYOD programs. But there is no denying that adding mobile devices adds security concerns and potential threats coming from those authorized devices once inside the network. The iNetSec appliance can go a long way to patching many of those security holes, giving administrators a clear picture of just what those users and devices are doing, and the ability to instantly respond to any perceived insider threat.

John Breeden is an award winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at