Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Using Logs to Detect User-Based Threats

Using Logs to Detect User-Based Threats

A common theme at the Splunk user conference is the idea that the users are the greatest threat. Even in a well-regulated enterprise where no one has more privileges than what’s needed to do their job, a typical user has more than enough ability to steal massive amounts of data or cause widespread problems. Fortscale seeks to address this issue by using the data that the company is already collecting.

For various reasons, typical enterprise software generates massive amounts of log data. Normally this data can’t actually be used for anything unless you are willing to manually search it, a task that isn’t done until long after the breach has been detected.

Splunk solves this first step towards making this data useful. By importing and indexing the raw logs, users can quickly search for information on what’s actually happening on their systems. But that is only step one, you still need to know what to search for.

Returning back to Fortscale, the next step is analysis. Using machine-learning techniques, Fortscale reviews the aggregated data and looks for typical and abnormal user patterns. Their algorithms are designed to proactively look for behaviors that appear risky so that operations have a starting place for their reviews.

The next step is profiling. Once patterns are established, the tools actively monitor user behavior against both historical and live data or against their peers. Here is an example from a real financial company that I’ve worked with in the past:

A trader had just left the firm to start his own business. In the financial sector, few things are more important than the client list. Such as list could make or break his new company, while at the same time dramatically reduce sales for the firm he was leaving. And rumor was that he took our client list with him.

As soon as management heard about it, IT was tasked to search through the logs to find out whether or not it was true. Our logs were complete; every action the trader made was carefully recorded in a massive set of files. But still this process took two weeks because we not only had to figure out what he was doing, we also had to figure out whether what he was doing was actually unusual or not.

If Fortscale works like they claim, their tools would have been able to baseline his actions against those of other traders, dropping the research time dramatically. It could have even detected the alleged data theft when it first started, negating the need for a potentially costly lawsuit.

Rate this Article