Network Security Gaps: Real-time Detection

Securify CEO Buck French explains how many organizations are leaving themselves vulnerable by not having real-time monitoring devices for their critical business systems.

Hello, my name is Buck French, and I'm the CEO of Securify. And today I'm going to talk to you about the network security gaps that exist within most enterprises, and their ability to have real-time detection of what users are doing with their critical business systems.

In most organizations, they've opened up their networks to a whole host of different user groups - for a great business reason - outsourcers, partners, different employee groups, providing them access to these key business systems, so you can drive efficiencies within your organization.

The challenge, though, is that this creates a security risk for you because most organizations today do not have real-time visibility of what users are doing to those key business systems. They don't have an ability to verify the trust that they're providing those different user groups. The only way they've been able to achieve any level of visibility today is through log analysis. The challenge with log analysis, as many of you know, is that it's extremely time-consuming and costly, and it's always after the fact.

So what I'd like to speak to you about today is this gap that exists. An interesting statistic to help support that this gap exists today is that 78% of inside abuse that happens within an organization today is by an authorized user to a key business system. And in 75% of these instances, the abuse is reported by a non-IT person. So, we know the gap exists, so how do we fill it?

Well, first, it's important to have a real-time monitoring device that monitors the traffic between different user groups and these key business systems. There are three critical components that need to be monitored for within this interaction to ensure that these users are doing the appropriate things. First, you have to understand the relationship between that user and the system. Based on that relationship, you need to understand what services that system can offer. So the second key component is, given the system to that user, what services are allowed? And finally, the third component is, based on that user, to that type of system, with those types of services, what transactions are allowed within those services?

For example, let's say that this is a general intranet user, who then has access to a web server. That, at the highest level, is the relationship. Based on the fact that this is a general intranet user to a web server, that system is allowed to provide HTTP. Based on the fact that it's a general intranet user with a web server, getting HTTP, the service is only allowed to provide Gets and Connects as a transaction for that user. If a user tries to do a WebDAV or a Change command on this web server, or this key business system, you'll be alerted on it. So the core component of understanding and mitigating the risk of insider abuse within your enterprise today is having the ability to have real-time visibility and control of how a user is interacting with those key business systems, all the way up to the application layer.
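
The three-level check described in the talk (relationship, then service, then transaction), written out as an added example that is not part of the transcript and not Securify's code. The address ranges, the `finance-db` system and the event records are constructed; the policy table encodes only the intranet-user-to-web-server case from the talk, and anything not listed is alerted on.

```python
import ipaddress
from typing import NamedTuple

# Constructed address plan: which networks hold which user groups and systems.
USER_GROUPS = {
    "intranet-user": ipaddress.ip_network("10.20.0.0/16"),
    "outsourcer": ipaddress.ip_network("172.16.8.0/24"),
}
SYSTEMS = {
    "web-server": ipaddress.ip_network("10.1.1.0/28"),
    "finance-db": ipaddress.ip_network("10.1.2.0/28"),
}

# Tier 1 key: (user group, system). Tier 2: allowed services.
# Tier 3: allowed transactions within each service.
POLICY = {
    ("intranet-user", "web-server"): {"HTTP": {"GET", "CONNECT"}},
}

class Event(NamedTuple):
    src: str          # source IP seen on the wire
    dst: str          # destination IP seen on the wire
    service: str      # decoded application protocol
    transaction: str  # decoded operation inside that protocol

def classify(addr, table):
    """Map an IP address to the named group whose network contains it."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in table.items() if ip in net), None)

def evaluate(ev):
    """Return 'allow', or the first tier at which the event breaks policy."""
    pair = (classify(ev.src, USER_GROUPS), classify(ev.dst, SYSTEMS))
    services = POLICY.get(pair)
    if services is None:
        return "alert:relationship"   # this user group may not reach this system
    transactions = services.get(ev.service.upper())
    if transactions is None:
        return "alert:service"        # system may not offer this service to them
    if ev.transaction.upper() not in transactions:
        return "alert:transaction"    # operation not permitted in this service
    return "allow"

# Constructed observations, as a monitoring sensor might decode them.
OBSERVED = [
    Event("10.20.4.7", "10.1.1.5", "HTTP", "GET"),
    Event("10.20.4.7", "10.1.1.5", "HTTP", "PROPFIND"),  # a WebDAV method
    Event("10.20.4.7", "10.1.1.5", "SSH", "session"),
    Event("172.16.8.30", "10.1.2.3", "SQL", "SELECT"),
]
```

Running `evaluate` over `OBSERVED` shows one verdict per tier, which tells an analyst whether an alert reflects an unexpected relationship, an unexpected service, or an unexpected operation inside an otherwise permitted service.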