Within the enterprise, insiders occasionally misuse their access to information, for example by stealing sensitive data, committing theft or fraud, or misusing information systems. This security risk is known as the insider risk or insider threat. In other cases, external hackers access information using stolen identities, impersonating legitimate users through a technique called phishing. This is another internal security problem, called identity theft or phishing.
To address these insider risks, all computer systems must be continuously monitored for suspicious user activity. Anomalous behavior is often an indicator of a possible security breach. An effective internal security solution should detect and contain fraudulent insiders. Shalom cloud security service software meets these requirements by using real-time anomaly detection and intelligent authentication technology to detect and prevent fraudulent insiders. Also, as we migrate to the cloud, it is important that we monitor and follow the data as it flows to different areas and manage risk effectively.
Nowell Shalom addresses the insider security threat. Shalom service is constantly on the lookout for highly suspicious user behavior, authenticates and reports suspicious insiders, and denies access to identity phishers. Shalom service focuses on securing each computer account. It first learns how each user behaves over time, mastering their computer behavior (applications used, time of use, day type, accessed network shares, physical location, etc.) while they use their computers. This is called user profiling or behavioral modeling.
Shalom also interviews each user, collecting personal information (e.g. year of birth), and uses this information to verify the user's identity if they behave very suspiciously. During this interview, Shalom learns multiple specifics about the user's personality, background, and anything the user wishes to share. The authentication information collected varies from user to user.
Suspicious user behavior is always a key indicator of a possible insider security breach. Shalom watches each user and host-system account for anomalies with respect to their processes and applications executed, time of use, day-type, geo-location, network activity, cloud applications, and other hardware-specific variables. Any behavior that is highly deviant from the normal user behavior of the real account owner is considered suspicious (anomaly detection).
[Figure: Anomaly detection for each identity in real time. Behaviors toward the outer circles (yellow, orange, red) are often suspicious and of higher risk; green and blue represent lesser risk. Graphical illustration of the statistical adaptive algorithm: the software learns and adapts to normal user behavior, then detects anomalies or deviations from the norm.]
If Shalom detects suspicious user activity, it first reports it, then authenticates the user by asking questions based on the authentication information collected. If the user passes the questioning, Shalom grants continued access to the user, but still reports the unusual activity to administrators. These reports can then be reviewed to check for possible unauthorized activity by insiders.
Each report states the attacker's exact anomaly, including the time of the incident, desktop/cloud applications used, geo-location of the attack, networks and ports accessed, protocols used, and corrective actions taken (pass, fail, or lock out). Also, at the end of each report, Shalom proves the anomaly by showing calculated risk-based probabilities and giving simple explanations.
Shalom Security Platform also adapts to the triggered suspicious activity using a "moving-window" method. This continuous, adaptive profiling perfects Shalom's accuracy over time even when users change their computer behavior.
Older user behavior is eventually removed and only the more current normal user behavior is retained for anomaly detection. Optionally, Shalom can be configured to only report suspicious insider activity, without any interview or authentication.
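A minimal sketch of the moving-window profiling described above, added here as an illustration and not Shalom's own algorithm. The class, feature names, rarity score and threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter, deque

# Hypothetical feature names, taken from the attributes the page lists.
FEATURES = ("app", "hour", "day_type", "location")

class MovingWindowProfile:
    """Per-account behavioral profile over the most recent `window` events."""

    def __init__(self, window=200, threshold=0.5):
        self.window, self.threshold = window, threshold
        self.events = deque()
        self.counts = {f: Counter() for f in FEATURES}

    def score(self, event):
        """Mean rarity across features: 0.0 = always seen, 1.0 = never seen."""
        n = len(self.events)
        if n == 0:
            return 0.0  # nothing learned yet, so nothing can be called deviant
        rarity = [1.0 - self.counts[f][event[f]] / n for f in FEATURES]
        return sum(rarity) / len(FEATURES)

    def observe(self, event):
        """Score against the current window, then learn the event.

        Learning flagged events too follows the page's statement that the
        profile adapts to triggered activity; a deployment could instead
        learn only events that passed authentication, to resist poisoning.
        """
        s = self.score(event)
        self.events.append(event)
        for f in FEATURES:
            self.counts[f][event[f]] += 1
        if len(self.events) > self.window:  # age out the oldest behavior
            old = self.events.popleft()
            for f in FEATURES:
                self.counts[f][old[f]] -= 1
        return s, s >= self.threshold

def demo():
    """Constructed events: a stable habit, a sudden change, then adaptation."""
    office = {"app": "mail", "hour": 9, "day_type": "weekday", "location": "HQ"}
    changed = {"app": "shell", "hour": 3, "day_type": "weekend", "location": "remote"}
    p = MovingWindowProfile(window=20)
    for _ in range(20):
        p.observe(office)
    first = p.observe(changed)    # every feature unseen: flagged
    for _ in range(19):
        p.observe(changed)        # old behavior ages out of the window
    return first, p.observe(changed)

if __name__ == "__main__":
    print(demo())
```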
On the other hand, if the user fails the questioning, Shalom denies further access to the system. Intruders and impostors with hijacked accounts or spoofed identities will likely fail the random questioning and will be prevented from further access.
Further access to compromised accounts is denied unless the user is able to authenticate successfully or is cleared by system administrators using the Shalom security tool. Shalom reports the suspicious user activity, actions taken, and results of the authentication all in real time.
Sometimes attackers set up phony backdoor accounts and grant them elevated privileges. Backdoor accounts are commonly used because they are fake and cannot be traced back to real users.
If Shalom detects newly created backdoor accounts, it verifies them and reports how they entered the network, from which host and at exactly what time. Shalom also keeps a history of all commands, network cloud access, and processes executed by the backdoor account.
Lastly, for Windows Servers, a feature called System Anomaly Reporting enables Shalom to detect and report suspiciously executing processes and network data transfers initiated by the highly privileged SYSTEM account. Shalom Security Platform also monitors all other user-level and system-level (UNIX daemons, Windows Services) accounts for anomalous activity.
While intruders are kept locked out, administrators can use the Shalom Security Platform Administrator tool to look up security reports, determine compromised and high-risk accounts, release users, and further review reports for malicious insider activity.
This powerful graphical tool also provides information on exactly who is logged on at any given location at any given time. So administrators always have a bird's-eye view of which computer accounts are compromised and which accounts are abused, anywhere, anytime in the network. With Shalom Security Platform, insider thieves are caught and intruders are kept locked out across the network. Also, detailed statistical analysis can be derived from the detailed profiled behavior and exported to external databases for analytical business risk intelligence and analysis.
As you can see from these amazing snapshots of Nowell's Shalom Security Cloud, administrators and information security professionals can enjoy a great deal of visibility and ease of use while managing complex security threats to their business information systems. For the first time, you can get a high degree of real-time cloud security and risk analytical intelligence for your entire business, all from one simple-to-use dashboard.
Languages supported for cloud authentication include: English, Spanish, French, Portuguese, and German. More languages, including Arabic, Mandarin Chinese and Russian, are being planned for our next release - please check back later!
In conclusion, Nowell cloud software helps to reduce the risks of insider threats, identity theft and internal fraud, while managing the complex risk vectors associated with enterprises moving to cloud-hosted enterprise applications.