Internal Threat Detection

No business or organization with a computer network is immune from the threat of data breaches, unauthorized access, and malicious activities performed by trusted individuals inside their network.

While many organizations have policies in place to restrict access, and approve the addition of new devices, users and software, they often lack the tools to monitor and respond to violations.

Let us help you detect internal threats so they can be addressed quickly to minimize damage.

Insider Threats on the Rise

Between 2018 and 2020, there was a 47% increase in the frequency of Insider Threat incidents.

(Cybersecurity Insiders - 2021)

Insiders Responsible

Insiders are responsible for around 22% of security incidents.

(Verizon)

More Difficult to Detect Internal Threats

52% of businesses agree that it’s harder to detect insider threats than external attacks

(Redscan)

Watches for Threats

Agents are installed on your Servers and Workstations and monitor your computers for indicators of threats.

Alerts When Threats Discovered

Daily alerts aggregate the issues that were detected during the past 24 hours allowing you to investigate threats.

Web-based Dashboard

All threats and supporting information are logged and accessible via our web-based dashboard.

Change Reports

Weekly summary of all changes to the network is sent via email and can be stored in your happier IT Report Vault for compliance.

Detection

Notification

Change Reporting

Web Dashboard

Machine Learning

Requirements

The Internal Threat Detection system automatically scans your network daily and sends an alert whenever it detects an unsanctioned change or threat to the network such as:

• Access Control

  • Restrict access to accounting computers to authorized users

  • Restrict access to business owner computers to authorized users

  • Restrict access to IT admin only, restricted computers to IT administrators

  • Restrict access to computers containing electronic protected health information to authorized users

  • Restrict access to systems in the cardholder data environment to authorized users

  • Restrict users that are not authorized to log into multiple computer systems

  • Authorize new devices to be added to restricted networks

  • Restrict IT administrative access to minimum necessary

  • Strictly control the addition of new users to the domain

  • Users should only access authorized systems

  • Strictly control the addition of new local computer administrators

  • Strictly control the addition of new printers to the network

  • Investigate suspicious logons to computers

  • Investigate suspicious logons by users

• Computers

  • Changes to locked down computers should be strictly controlled

  • Restrict Internet access for computers that are not authorized to access the Internet directly

  • Install critical patches for DMZ computers within 30 days

  • Install critical patches on network computers within 30 days

• Network Security

  • Detect network changes to internal wireless networks

  • Detect network changes to internal networks

  • Only connect to authorized wireless networks

The Internal Threat Detection system automatically scans your network daily and sends an alert whenever it detects an unsanctioned change or threat to the network such as:

• New devices added to the network

• Changes to user accounts, hardware and software

• Presence of unauthorized files such as Credit Cards, Social Insurance Numbers, and ePHI

• Latent threats

Change Reporting gives you a quick at-a-glance summary of changes that didn’t trigger an alert but still might be worth a quick review.

Additionally documented change reporting satisfies compliance requirements and can be helpful in forensic investigations.

• Change Reports can be sent weekly, monthly or both

• Change Reports can be emailed to you or any recipient

• Change Reports can be saved to your happier IT Report Vault as evidence of compliance to a wide range of IT security standards.

• Changes included in Change Reports fall into the following categories

  • Wireless Networks

  • Network Devices

  • Domain Users

  • Computers

  • Printers

  • DNS

  • Switch Port Connections

  • Local Users

Simple web-based dashboard makes viewing and alerts threats simple.

• View all alerts and drill into more detail in our web-based dashboard

• Filter alerts by Type (ACT) or Severity

• Search based on text in the threat title

• Keeps a record of the date/time each threat was detected

The Internal Threat Detection system uses ‘smart tags’, a feature that allows it to adapt to your unique environment. Smart tags enrich the detection system by adding information about specific users, assets, and settings. These tags help the system gain intelligence about what it detects. Over time, the tags increase the quality of the alerts by displaying more potential threats and fewer false positives.

Examples of how you might use the smart tags to fine-tune Cyber Hawk’s alerts for a particular client:

• Tag a computer as being “Restricted IT Admin Only.” When any user logs in who hasn’t been tagged as an “IT Admin”, Cyber Hawk will send an alert.

• Tag a computer as “Locked Down,” disabling changes from being made to it. If someone manages to install an application on this machine, Cyber Hawk will sense it and let you know. This is one example of the way tagging removes false positives and increase the relevance of alerts.

• Tag a wireless network as a “Guest Wireless Network,” alerting Cyber Hawk that it doesn’t need to worry about new devices appearing on it. If a new device shows up on a network not tagged for guest access, Cyber Hawk will send an alert so you can determine the threat level.

• One Scanner is required per organization

• The scanner can either be installed on a Windows server (2012 or newer) or as a Linux VM (VMWare or Hyper-V).

  • Virtual Appliance Minimum Requirements

    • 2-core i5 or Xeon processor (4 cores recommended)

    • 4GB RAM (8GB Recommended)