Within the enterprise, insiders occasionally use their legitimate access for wrongdoing, such as stealing sensitive data, committing theft or fraud, or misusing information systems. This security risk is known as the insider threat. In other cases, external attackers obtain legitimate credentials, often through phishing, and then impersonate real users. Although the attacker is outside the organization, the activity shows up inside it as a compromised account, so identity theft through phishing is a second internal security problem.
To address these insider risks, computer systems must be continuously monitored for suspicious user activity. Anomalous behavior is often an indicator of a possible security breach. An effective internal security solution should detect and contain fraudulent insiders. Shalom meets these requirements by combining real-time anomaly detection with intelligent authentication to detect and stop fraudulent insiders.
Nowell Shalom addresses the insider security threat. Shalom is constantly on the lookout for highly suspicious user behavior, authenticates and reports suspicious insiders, and denies access to anyone operating under a phished identity. Shalom focuses on securing each computer account. It first learns how each user behaves over time, building a model of their computer behavior (applications used, time of use, day type, accessed network shares, physical location, etc.) while they use their computers. This is called user profiling or behavioral modeling.
Shalom also interviews each user, collecting personal information (e.g. year of birth), and uses it to verify the user's identity if they later behave very suspiciously. During this interview, Shalom records specifics about the user's personality, background, and anything else the user wishes to share, so the authentication information collected varies from user to user. Because details such as a year of birth are often discoverable, this step is only as strong as the answers an impostor could not look up.
Suspicious user behavior is a key indicator of a possible insider security breach. Shalom watches each user and host-system account for anomalies in the processes and applications executed, time of use, day type, geolocation, network activity, and other host-specific variables. Any behavior that deviates strongly from the normal behavior of the real account owner is treated as suspicious (anomaly detection).
If Shalom detects suspicious user activity, it first reports it, then authenticates the user by asking questions drawn from the authentication information collected at interview. If the user passes the questioning, Shalom grants continued access but still reports the unusual activity to administrators, who can review the report for possible unauthorized insider activity.
Each report states the exact anomaly, including the time of the incident, applications used, geolocation of the activity, networks and ports accessed, protocols used, and the corrective action taken (pass, fail, or lock out). At the end of each report, Shalom also justifies the verdict by showing the calculated risk probabilities together with a plain-language explanation.
Shalom also adapts to triggered suspicious activity that turns out to be legitimate, using a "moving-window" method: older behavior is eventually dropped from the profile and only the more recent normal behavior is retained for anomaly detection. This continuous, adaptive profiling improves Shalom's accuracy over time, even when users change their computing habits. Optionally, Shalom can be configured only to report suspicious insider activity, without any interview or authentication.
If the user fails the questioning, Shalom denies further access to the system. Intruders and impostors using hijacked accounts or spoofed identities will likely fail the random questioning and are prevented from further access.
Access to a compromised account stays denied until the user authenticates successfully or a system administrator clears the account using the Shalom security tool. Shalom reports the suspicious user activity, the actions taken, and the result of the authentication, all in real time.
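The profile, score, challenge and adapt cycle described above (behavioral features, per-feature probabilities as the explanation, lock-out on a failed challenge, and the moving window that forgets old behavior) can be shown end to end in a small model. This is an added illustration, not Shalom's code or a description of its internals: the feature set, the Laplace-smoothed independent-feature scoring, the 10-bit threshold, the 40-event window and every event below are constructed for the example, and the `authenticate` callback stands in for the interview questions.

```python
"""Added illustration (not Shalom's code) of per-account behavioral profiling
with a challenge step and a moving window. All values are constructed."""
import math
from collections import Counter, deque

FEATURES = ("app", "hour_bucket", "day_type", "location")
THRESHOLD_BITS = 10.0   # constructed cut-off; a real deployment would tune this


def hour_bucket(hour):
    """Coarse time-of-use feature so 09:00 and 10:00 count as the same habit."""
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 23:
        return "evening"
    return "night"


def make_event(app, hour, day_type, location):
    return {"app": app, "hour_bucket": hour_bucket(hour),
            "day_type": day_type, "location": location}


class AccountProfile:
    """Feature counts over a moving window of the account's most recent events."""

    def __init__(self, window=40):
        self.window = window
        self.events = deque()
        self.counts = {f: Counter() for f in FEATURES}

    def observe(self, event):
        self.events.append(event)
        for f in FEATURES:
            self.counts[f][event[f]] += 1
        if len(self.events) > self.window:      # forget the oldest behavior
            old = self.events.popleft()
            for f in FEATURES:
                self.counts[f][old[f]] -= 1
                if self.counts[f][old[f]] == 0:
                    del self.counts[f][old[f]]

    def feature_prob(self, f, value, alpha=1.0):
        # Laplace smoothing with one extra pseudo-bucket for never-seen values,
        # so an unseen application or location is rare but not impossible.
        n = len(self.events)
        k = len(self.counts[f]) + 1
        return (self.counts[f][value] + alpha) / (n + alpha * k)

    def score(self, event):
        """Surprise in bits (-log2 P) treating features as independent, plus the
        per-feature probabilities that serve as the report's explanation."""
        explanation = {f: self.feature_prob(f, event[f]) for f in FEATURES}
        surprise = sum(-math.log2(p) for p in explanation.values())
        return surprise, explanation


def process(profile, event, authenticate):
    """Score the event, challenge on anomaly, adapt only if the user passes.
    Returns a report whose action is 'pass', 'challenged' or 'lock out'."""
    surprise, why = profile.score(event)
    if surprise <= THRESHOLD_BITS:
        profile.observe(event)
        return {"action": "pass", "surprise": surprise, "why": why}
    if authenticate():              # stands in for the interview questions
        profile.observe(event)      # legitimate change: fold it into the profile
        return {"action": "challenged", "surprise": surprise, "why": why}
    return {"action": "lock out", "surprise": surprise, "why": why}


def run_example():
    p = AccountProfile(window=40)
    # Constructed baseline: weekday office work from HQ.
    for _ in range(20):
        p.observe(make_event("outlook", 9, "weekday", "HQ"))
        p.observe(make_event("excel", 14, "weekday", "HQ"))
    normal = process(p, make_event("outlook", 10, "weekday", "HQ"), lambda: True)
    # Hijacked account: admin tool at 02:00 on a weekend from a new location,
    # and the impostor fails the questions.
    intruder = process(p, make_event("psexec", 2, "weekend", "remote_vpn"),
                       lambda: False)
    # Genuine move to a night shift over VPN: flagged once, then learned.
    shift = make_event("outlook", 1, "weekday", "home_vpn")
    first = process(p, shift, lambda: True)
    for _ in range(40):
        process(p, shift, lambda: True)
    adapted = process(p, shift, lambda: True)
    # The window has rolled over, so the old daytime pattern is now unusual.
    forgotten = process(p, make_event("outlook", 10, "weekday", "HQ"),
                        lambda: True)
    return {"normal": normal, "intruder": intruder, "first_shift": first,
            "adapted": adapted, "forgotten": forgotten}


if __name__ == "__main__":
    for name, report in run_example().items():
        print(f"{name:12s} {report['action']:10s} {report['surprise']:5.1f} bits "
              f"{ {k: round(v, 3) for k, v in report['why'].items()} }")
```

The `why` dictionary is what a report would print as its "simple explanation": the intruder event is improbable on all four features, while the first night-shift login is improbable only on time and location, which is why a successful challenge is enough to accept it and start learning the new habit.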
Sometimes attackers create phony backdoor accounts and give them elevated privileges. Backdoor accounts are popular with attackers because they belong to no real person and are therefore harder to trace back to an individual.
If Shalom detects a newly created backdoor account, it flags the account for verification and reports how it entered the network, from which host, and at exactly what time. Shalom also keeps a history of all commands and processes executed by the backdoor account.
Lastly, for Windows servers, a feature called System Anomaly Reporting enables Shalom to detect and report suspicious processes and network data transfers initiated by the highly privileged SYSTEM account. Shalom also monitors all other user-level and system-level accounts (UNIX daemons, Windows services) for anomalous activity.
While intruders are kept locked out, administrators can use the Shalom Admin Tool to look up security reports, identify compromised and high-risk accounts, release users, and review reports for malicious insider activity.
The graphical tool also shows exactly who is logged on at any given location at any given time, so administrators always have a bird's-eye view of which computer accounts are compromised or abused, anywhere in the network. With Shalom, insider thieves are caught and intruders are kept locked out across the network.