Joyce Teo

7 Common causes of data breach: Safeguarding your digital assets

A data breach is an ever-present threat to enterprises in today’s connected world. Whether you are a small SME or a large multinational, the risk of a data breach, and of the company becoming another headline, is a constant concern for senior management. It is not just the financial loss that worries management but the loss of reputation and customer trust, which can take years to recover from. This article reviews seven key issues that lead to data breaches and what can be done to mitigate these risks.

1. Weak and stolen passwords

Passwords remain the most popular security control and the entryway into applications and platforms in the modern era. While password controls have matured in recent years by incorporating features like password vaults, password managers, and single sign-on technologies, they remain susceptible to attacks. Poor security awareness can cause users to share their passwords, reuse the same password across applications, or simply choose weak ones that are easily cracked, giving attackers an easy way into an environment. The most well-designed cybersecurity framework can be compromised by one password being shared between users.

To mitigate this risk, companies should invest in multi-factor authentication, improve their password guidelines and increase security awareness amongst users.

2. Insider threats

One of the most challenging threats in cybersecurity is the insider threat. The possibility of a trusted individual misusing their approved access can be difficult to identify and mitigate. It is also not always malicious employees that cause a security breach; negligent actions can lead to a security loophole being exploited, for example a staff member not following security policies, misconfiguring system settings, etc.

Insider threats can be mitigated by deploying technologies like User and Entity Behavior Analytics (UEBA), which leverages machine learning to identify anomalies, and Zero Trust Architectures, which operate on the assumption that the network is potentially compromised and every action must be authorized.

3. Misconfigurations

Misconfiguration (due to human mistake or lack of knowledge) is a major source of data breaches. Misconfiguration in infrastructure or software creates vulnerabilities: default passwords left in place, unnecessary open network ports, and similar weaknesses that degrade the company’s security posture. This risk can be amplified in cloud environments, where changes can quickly propagate to production environments via automated pipelines.

To mitigate these risks, companies should regularly review their infrastructure and software configurations, and continuously monitor their infrastructure.

4. Human error

Apart from negligence, genuine human error is another cause of data breaches that is difficult to mitigate. A person accidentally emailing out sensitive information, clicking on malicious links, losing their laptop, etc., are all risks that can cause severe security incidents for an organisation.

Along with awareness, cybersecurity teams should assume human errors will happen and implement controls such as data leakage policies, encryption, anti-phishing technology, etc., that can mitigate the impact of a human error.

5. Malware

Malware has been an ever-present threat since the early days of the Internet and is expected to remain so. Malware attacks continue to increase in sophistication yearly, with cybercriminals leveraging new technologies like AI to improve their attacks further.

To mitigate these risks, a multi-pronged approach is essential: a combination of user awareness, anti-malware controls, email filtering, and hardening the environment against vulnerabilities that would allow malware to gain a foothold. Regular patching is necessary, as unpatched systems are typically how malware gains privileged access within an environment to execute further attacks. Backups can also serve as one defense against attacks like ransomware, and it is important to keep backups separate from the immediate environment to prevent the infection from affecting the backups.

6. Social engineering

Social engineering is older than the Internet but was amplified in the digital era once cybercriminals realized how easy it was to abuse the anonymity the Internet offers. Social engineering refers to tricking people into disclosing sensitive information or carrying out actions that result in security compromises. It abuses human trust, the desire to be helpful, and the fear of getting into trouble.

The most common type of social engineering attack is phishing, which comes in various forms such as email, text messaging, chats, etc. The method is usually the same, i.e. it creates a sense of panic or urgency in the user that makes them divulge information or click on a malicious link or attachment. Awareness of existing and emerging types of social engineering attacks remains the best way to protect against this ever-present risk.

7. Supply chain issues

The Supply Chain can be a significant blind spot in a company’s cybersecurity defenses. Supply chain refers to the partners, vendors, and tools that are involved or connected to the company’s infrastructure. Attackers have realized that compromising the supply chain can give them a foothold in a company’s network far more quickly than attempting a direct compromise.

To mitigate these risks, companies must include their partners and software dependencies within their security risk management scope. Partners and Service providers should be vetted to meet a minimum baseline before connecting to a company’s environment.

Final thoughts

Cybersecurity is an ever-evolving field, and it is essential to be aware of the main threat vectors that can lead to data compromises. Companies can improve their security posture by prioritizing these risks and implementing mitigations against them. Implementing both technical and human-based controls is essential for a comprehensive cybersecurity strategy. Security is an ongoing process, and we can expect new risks to appear in the near future.

How User and Entity Behavior Analytics (UEBA) can help

User and Entity Behavior Analytics (UEBA) plays a crucial role in helping organizations mitigate the risk and impact of data breaches. InsiderSecurity’s Automated UEBA leverages machine learning algorithms to analyze user behaviour, detect anomalies, and identify potential insider threats. By monitoring user activities, InsiderSecurity detects unusual patterns, such as unauthorized access or abnormal data transfers, which may indicate malicious intent or compromised user accounts. InsiderSecurity’s UEBA offers valuable insights into user behaviour, allowing organizations to detect and respond to potential data breach risks effectively.

Join InsiderSecurity at Booth 4K21 during the Singapore Fintech Festival

Complying with MAS-TRM and CCOP 2.0 requirements with InsiderSecurity

How does InsiderSecurity meet MAS-TRM and CCoP 2.0?

InsiderSecurity helps to meet key MAS-TRM and CCoP 2.0 requirements that are challenging and tedious to comply with. As a leader in automated log analytics, InsiderSecurity helps to reduce compliance costs.

InsiderSecurity does the following:

Simplify database security monitoring

Harness the power of AI to monitor your on-premise, hybrid, and cloud environments with ease

Simplify the review of user activity logs

Manual review of user activity logs is tedious and often impractical due to the high volume of log events. With InsiderSecurity’s smart log review, users no longer have to manually review an overwhelming volume of log events or alerts. InsiderSecurity makes sense of the logs and solves the challenge of manual log review.

Monitor for anomalies in user behaviour

InsiderSecurity’s automated user behavior analytics flags out anomalies in behaviour patterns and detects early signs of breach

Built-in workflow to support governance and audit

InsiderSecurity provides a built-in workflow for log review that improves IT governance and supports audits.

Trusted by government agencies

InsiderSecurity’s solutions are deployed and trusted by government agencies and healthcare institutions

IMDA Accreditation

InsiderSecurity is the only company accredited by Singapore’s IMDA in the field of user and entity behavior analytics. Our solutions have been evaluated to meet IMDA’s high standards for deployment in enterprises and government agencies

Key Details of Singapore Fintech Festival 2023

  • Date: 15 – 17 Nov 2023
  • Time: 10:00 am to 6:00 pm
  • Location: Booth 4K21 | Hall 4, Singapore EXPO

Join us at Booth 4K21 during the Singapore Fintech Festival!

Discover how InsiderSecurity’s solutions can help your organization comply with regulatory requirements and enhance its cybersecurity posture. Engage with our team of experts and be sure to attend our enlightening presentation on achieving compliance with MAS-TRM through InsiderSecurity.

Solve the world’s cloud security challenges with Singaporean technology

SINGAPORE, October 13, 2023 – InsiderSecurity, a Singaporean developer of innovative cybersecurity SaaS used by many government agencies and enterprises, is excited to unveil its latest cloud security product codenamed CSX, at Govware 2023. CSX already won an award at CSA Cybersecurity Innovation Day 2022.

CSX is a good example of homegrown cybersecurity products that help position Singapore to be a cybersecurity hub in the digital economy.

Founded by local cyber experts, InsiderSecurity has been building advanced cybersecurity software products for the past 8 years. CSX is the culmination of its expertise in cyber security, user behavior analytics and product development.

CSX is a game-changer in the market as it does one important thing: simplify cloud security.

As more businesses shift to the cloud, attackers are increasingly targeting cloud data and assets. Every now and then, a company appears on the news due to a cyber breach – a cyber breach has become a matter of when, not if. Chief Information Security Officers (CISOs) are held accountable for breaches and some even face criminal charges for lack of oversight.

This brings up the question – how can I be sure that the business’s cloud data and infrastructure are secure and have not been compromised?

Leveraging state-of-the-art analytics and artificial intelligence, CSX offers robust security coverage across the whole cloud stack, encompassing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

CSX flags out anomalous behaviors within cloud environments, providing actionable insights through an intuitive dashboard. CSX empowers businesses to enhance their security posture by minimising the need for extensive security expertise or large security teams. CSX makes cloud security accessible and cost-effective, even for small enterprises.

“We are very excited to release our newest cybersecurity solution for the cloud – CSX,” said Justin Tay, Product Manager at InsiderSecurity. “With CSX, we want to help businesses from Singapore and abroad to get assurance of the security of their cloud products and services.”

One of the standout features of CSX is its simplicity. For example, users can seamlessly onboard their IaaS, PaaS, and SaaS services through the user-friendly dashboard. Adding a new cloud service for monitoring is as easy as clicking “Add” and following the automated steps. This streamlined process simplifies security management and minimizes the time and effort required to ensure the security of cloud products and services.

“I can’t wait to onboard all our products when CSX is released,” said a CEO at an SME. “Recently, one of our employees had their mobile phone compromised and lost access to their mobile banking app. Since they also had our company’s work productivity tool products installed on the same phone, I was extremely worried that our cloud services had also been compromised. At the time, the only way I could be sure there was no major breach was to incur significant costs reviewing each of our security tools – CSX would have made that so much easier and more affordable!”

Put your cloud security worries to rest and secure all your clouds with CSX today. To learn more about InsiderSecurity, please visit InsiderSecurity.

Key details of GovWare Conference & Exhibition 2023

  • Date: October 17 to 19, 2023
  • Time: 9:00 am to 5:30 pm
  • Location: Booth H32 | Sands Expo and Convention Centre

Join us at Booth H32 during GovWare 2023 to experience CSX firsthand! Discover live demonstrations of CSX, engage in in-depth discussions about cloud security challenges and connect with our team of experts. Don’t miss this opportunity to explore the future of cloud security.

About InsiderSecurity:

InsiderSecurity helps organisations to uncover cyber breaches very early, so as to avoid serious data loss. Our products include CSX for simplified cloud security, Database Activity Monitor for database security and Smart Log Review for log review compliance.

Founded in 2015, InsiderSecurity has won several awards for our technology. We are the only organisation to be accredited by Singapore’s IMDA in cybersecurity behavior analytics, having met high standards for deployment in government and enterprises. We are also a two-time winner on CSA’s Cybersecurity Innovation Day.

Today, InsiderSecurity’s products are trusted by many large enterprises, government agencies and SMEs.

How User and Entity Behavior Analytics (UEBA) helps with modern-day attacks

The modern cyber-threat landscape is evolving rapidly, with newer and more sophisticated attacks emerging daily. Enterprises have dealt with these risks by implementing complex cybersecurity frameworks consisting of firewalls, anti-malware, intrusion detection systems, etc. However, these are no longer sufficient in the age of hybrid clouds and remote working. Users can access environments from a variety of devices and locations. Hence, we need a new approach focusing on the user’s behaviour instead of the device or the location. This is where User and Entity Behavior Analytics (UEBA) comes in as an approach that shifts the focus to what the user is doing rather than where they are coming from or what their device is doing.

What is UEBA

UEBA provides an intelligent, context-based approach to securing the modern-day environment by applying Artificial Intelligence and Machine Learning to cybersecurity. By analyzing threat signals from a user’s behaviour and comparing them to their regular activity, UEBA can create a risk profile based on factors such as login patterns, application access, file access, device usage, etc. This risk profile is not static and changes dynamically as users change their behaviour over time. By essentially learning how the user behaves using AI, UEBA provides a smarter, risk-based approach to cybersecurity, instead of the static allow/deny rules that have traditionally been used. When users start deviating from their established behaviour, UEBA can proactively highlight this as a potential threat.

The power of UEBA is apparent when trying to mitigate attacks involving abuse of privileged access or compromised accounts. These attacks are not trivial to detect as the compromised accounts are typically authorised to access the assets. Sophisticated attacks using zero-day exploits, which can evade even the most advanced cybersecurity solutions, can be detected using UEBA as UEBA analyzes subtle context-based signals.

How UEBA works

UEBA leverages the power of machine learning and applies it to the analysis of user behavior within a network. By building a baseline of what is “normal” behavior and what isn’t, UEBA can detect subtle shifts in user behaviour that may indicate malicious activity. These contextual data signals can easily get missed by conventional tools like SIEM solutions or firewalls. A UEBA solution works by analyzing the vast amounts of data within the organization during its learning phase, where it studies data signals such as logins, file access, application and database usage patterns. This telemetry data is fed into its analytics platform, where powerful machine learning algorithms are used to understand and establish a baseline for the users and assets.

Unlike static rules, UEBA algorithms improve their detection as they learn how each environment operates. Simply put, the more data the UEBA gathers, the better it gets at identifying anomalies. The UEBA then continually monitors user behaviour against this normal baseline in real time and flags any deviations. This can be invaluable in identifying complex multi-stage attacks like compromised accounts, privilege abuse, insider attacks, etc.

Common use cases of UEBA

UEBA can help with various security use cases to detect threats that other solutions might miss. Let us take a look at a few of the most important ones:

  1. Compromised Accounts: A UEBA solution can be highly effective at detecting if an account has been compromised, due to its ability to flag activities the account does not normally perform. Even if an attacker has managed to authenticate and authorize themselves successfully, UEBA uses various indicators to determine if the account has been compromised. For instance, if the account is accessed from an unusual location or during odd hours, the UEBA solution promptly detects this unusual activity pattern and triggers an alert.
  2. Malicious Insiders and Privilege Abuse: A user misusing their authorized access can be one of the most challenging actions to detect. This is where UEBA solutions can show their value. Similar to compromised accounts, a UEBA solution does not rely on the authenticated status of the user, but instead analyses the user activity, e.g., checking if users are accessing servers they do not usually access or accessing files in a pattern that deviates from their norm.
  3. Privilege Escalation: An attacker or insider attempting to escalate their privileges can be detected by a UEBA solution. This can be very useful in detecting a compromised account which the attacker is using to stay persistent within the network.
  4. Unauthorized Data Access and Exfiltration: By analyzing file and data transfer attempts and comparing them against a historical baseline, UEBA solutions can proactively detect data exfiltration attempts and unauthorized data access. A user attempting to exfiltrate suspicious amounts of data or accessing data outside of their role will be proactively flagged.

How InsiderSecurity can help

While a UEBA solution is not a silver bullet and should form part of a holistic cybersecurity framework, its ability to detect insider attacks, compromised accounts, data exfiltration, etc., is an essential defense against modern attacks. UEBA allows companies to respond to sophisticated attacks that will fly under the radar of most cybersecurity solutions.

InsiderSecurity’s Automated UEBA solution provides all the abilities mentioned, along with the ability to protect data on-prem and in the cloud. Our solution delivers holistic visibility into data as it is accessed, used, or moved and can detect suspicious user or network-level activity.

Automated UEBA offers the following:

  • Proactive detection of malicious user activity within the network
  • Advanced machine learning and advanced user behaviour analytics to detect user compromises and privilege abuse

By leveraging the power of machine learning and providing actionable insights, Automated UEBA gives your cybersecurity team the ability to respond quickly and mitigate modern cyber threats without compromising user productivity.

InsiderSecurity analysis for Volt Typhoon attacks

InsiderSecurity conducts in-depth research and analysis on emerging cyber threats, so as to equip organizations with the knowledge to proactively protect themselves. In light of recent events, our Insider Lab team has thoroughly examined the methods and exploitation techniques employed in the Volt Typhoon attacks. Furthermore, we delved into early detection strategies and practical measures to counter these threats. Here are the key findings from our investigation:

Volt Typhoon attacks  

On May 24, 2023, Microsoft and the “Five Eyes Alliance” cybersecurity information sharing organization released a joint cybersecurity advisory, which detailed a series of activities related to the Volt Typhoon. According to Microsoft’s blog post, these malicious activities have been ongoing since mid-2021 and have targeted critical infrastructure sectors in Guam and the United States. The sectors affected include communication, manufacturing, utilities, transportation, construction, maritime, government, IT, and education. 

What sets these attackers apart is their extensive utilization of Living-off-the-land techniques (LOLT), which prioritize stealth and obfuscation. Remarkably, the attackers refrained from introducing any discernible malware, custom code, or binaries into the compromised systems. By doing so, they successfully evaded antivirus and endpoint detection and response (EDR) solutions, enabling them to freely navigate the networks and systems. 

In this article, Insider Lab provides valuable insights into detecting such stealthy attackers throughout the various stages of an attack. We focus on the utilization of User and Entity Behavior Analytics (UEBA), a behavioural-based security solution designed specifically to identify threats posed by these lurking attackers within the network. 

Stage 1: Entry and credential access 

During the initial phase of the attack, the intruder managed to gain entry into the enterprise’s intranet by initially infiltrating the router’s management interface (step 1).  

Note: While it is uncommon for the management interface to be exposed directly to the internet, this may be necessary if the device is managed by a third party. 

Subsequently, they discovered credentials stored within the router, allowing them to access the network’s assets (step 2). 

To illustrate this stage, let’s consider a scenario where the attacker stumbled on the credential ‘RouterAdmin1’ stored within the router and utilized it to gain access to the domain servers present within the enterprise’s network. 

Note: The rationale for storing access credentials (to other network assets) within the router is unclear. However, this might be necessary if specific capabilities of the router have been activated. One such example is when the router needs to retrieve specific records from the identity management server, which is typically the Domain controller.

Fig 1. Step 1 and Step 2 of Volt Typhoon Attacks

To detect steps (1) and (2) effectively, behavioural-based algorithms can be leveraged. By monitoring deviations in login behaviour, the following three use cases can trigger alerts when the ‘RouterAdmin1’ account is misused: 

  1. Odd Server Usage 
  2. Unusual Login Time  
  3. First-Time Server Login 

Fig 2. How UEBA can Detect Step 2 of Volt Typhoon Attacks

In the ‘Odd server usage’ use case, advanced behavioural analysis can detect anomalies in the usage patterns of the ‘RouterAdmin1’ account. In the event of lateral movement, if the ‘RouterAdmin1’ account is being used to access servers in a way that deviates significantly from a user’s previous patterns, an anomaly alert will be generated. For example, if an attacker gains access to the ‘File server’ and ‘Mail server’ by utilizing the ‘RouterAdmin1’ account instead of the authorized user’s account, this would trigger an alert. 

In the ‘First-time login into server’ use case, an anomaly alert will be promptly triggered when the account logs into the server for the first time. 

In the ‘Unusual login time’ use case, an anomaly alert will be generated when the account logs into the server at a time that significantly deviates from its established login timing. 

The convergence of these anomalies will increase the risk score associated with the ‘RouterAdmin1’ entity, strongly indicating malicious activities. 
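The following is an added example, not InsiderSecurity’s code, showing how the learning-phase baseline described in “How UEBA works” and the three Stage 1 use cases above can be scored against the ‘RouterAdmin1’ scenario. The login history, the account and server names (DC01, FILE01, MAIL01, alice, bob), the use-case weights and the 5% rarity threshold are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Weights and threshold are hypothetical tuning values, not product settings.
WEIGHTS = {"First-Time Server Login": 25, "Odd Server Usage": 30, "Unusual Login Time": 20}
RARE_FRACTION = 0.05   # below this share of an entity's history, a value counts as unusual


def build_baseline(history):
    """Learning phase: per-account server and login-hour profiles, plus the
    accounts that regularly log into each server. history = (account, server, iso_ts)."""
    acct_servers = defaultdict(Counter)   # account -> Counter(server)
    acct_hours = defaultdict(Counter)     # account -> Counter(hour of day)
    server_accts = defaultdict(Counter)   # server  -> Counter(account)
    for account, server, ts in history:
        hour = datetime.fromisoformat(ts).hour
        acct_servers[account][server] += 1
        acct_hours[account][hour] += 1
        server_accts[server][account] += 1
    return {"acct_servers": acct_servers, "acct_hours": acct_hours, "server_accts": server_accts}


def score_login(baseline, account, server, ts):
    """Apply the three Stage 1 use cases to a single login and return the names
    of the use cases it triggers (empty list = consistent with the baseline)."""
    my_servers = baseline["acct_servers"][account]
    total = sum(my_servers.values())
    if total == 0:
        return ["Unknown account"]          # no history yet: still in the learning phase
    findings = []
    # First-Time Server Login: this account has never logged into this server
    if server not in my_servers:
        findings.append("First-Time Server Login")
    # Odd Server Usage: the server has its own regular accounts and this is not one of them
    regulars = baseline["server_accts"][server]
    if regulars and regulars[account] / sum(regulars.values()) < RARE_FRACTION:
        findings.append("Odd Server Usage")
    # Unusual Login Time: the hour of day is (almost) absent from this account's history
    hour = datetime.fromisoformat(ts).hour
    if baseline["acct_hours"][account][hour] / total < RARE_FRACTION:
        findings.append("Unusual Login Time")
    return findings


def entity_risk(baseline, events):
    """Aggregate findings per entity: converging anomalies push the score up."""
    risk = defaultdict(lambda: {"score": 0, "findings": []})
    for account, server, ts in events:
        found = score_login(baseline, account, server, ts)
        risk[account]["score"] += sum(WEIGHTS.get(f, 0) for f in found)
        if found:
            risk[account]["findings"].append((server, ts, found))
    return dict(risk)


def constructed_history():
    """Constructed sample data: 30 calendar days of routine weekday logins.
    RouterAdmin1 only ever touches the domain controller during office hours."""
    hist, day0 = [], datetime(2023, 4, 3)  # a Monday
    for d in range(30):
        day = day0 + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        stamp = lambda h, m: day.replace(hour=h, minute=m).isoformat()
        hist += [("RouterAdmin1", "DC01", stamp(9, 5)), ("RouterAdmin1", "DC01", stamp(17, 30)),
                 ("alice", "FILE01", stamp(10, 5)), ("alice", "FILE01", stamp(14, 20)),
                 ("bob", "MAIL01", stamp(8, 40)), ("bob", "MAIL01", stamp(13, 0))]
    return hist


# Constructed Stage 1 scenario: the stolen RouterAdmin1 credential is used overnight
# against servers that alice and bob normally use; alice's own login is routine.
ATTACK_EVENTS = [
    ("RouterAdmin1", "FILE01", "2023-05-03T02:40:00"),
    ("RouterAdmin1", "MAIL01", "2023-05-03T03:10:00"),
    ("alice", "FILE01", "2023-05-03T10:30:00"),
]


def run_scenario():
    """Score the attack events against the learned baseline, per entity."""
    return entity_risk(build_baseline(constructed_history()), ATTACK_EVENTS)


if __name__ == "__main__":
    for account, r in run_scenario().items():
        print(f"{account}: risk={r['score']}")
        for server, ts, found in r["findings"]:
            print(f"  {ts} {server}: {', '.join(found)}")
```

Each overnight RouterAdmin1 login trips all three use cases at once, so the entity’s score rises to 150 while alice’s routine login scores 0; that convergence is what separates a real anomaly from a single noisy signal.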

Stage 2:  Command & Control 

During stage 2 of the attack, the attacker uses PSEXEC to execute commands on a remote server. PSEXEC.EXE, a Microsoft Sysinternals tool, enables privileged users to launch processes on a remote server. According to the NSA’s advisory, the attacker launched the NETSH.EXE command on the File server using PSEXEC.EXE from the Domain controller (step 3).

"C:\pstools\psexec.exe" \\{REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999""

The attacker was also observed executing the following command to establish a network connection tunnel (step 4).

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp

Fig 3. Step 3 and Step 4 of Volt Typhoon Attacks

To effectively detect steps 3 and 4, which involve the execution of privileged actions, the following use cases can be leveraged: 

  1. Privileged Network Drive Access 
  2. Creation of New Service 
  3. New Network Service 

Fig 4. How UEBA can Detect Step 3 and Step 4 of Volt Typhoon Attacks

In the privileged network drive access use case, an anomaly alert is triggered when the account accesses a privileged share such as \\SERVER\ADMIN$. This hidden administrative share exists on Windows servers and gives privileged users access to the server’s \Windows\ folder. The \\SERVER\ADMIN$ share is commonly used by tools like PSEXEC to upload binaries to the server.

In the use case of creating a new service, an anomaly alert will be promptly generated when a new system service is created. A specific example of concern is the PSEXEC tool, which creates and launches PSEXESVC.EXE as a new system service after successfully uploading the binary. 

In the use case of a new network service, an anomaly alert will be triggered upon the detection of new network connectivity or services. Specifically, this includes instances where NETSH.EXE is utilized to establish a network proxy that listens on TCP port 9999. Moreover, the network proxy is configured to forward incoming data to TCP port 8443 at the IP address 192.168.100.100. 

The presence of the new network service listening on TCP port 9999, as well as the outgoing connection to 192.168.100.100 on TCP port 8443, can be identified by the network anomaly algorithm.

Stage 3: Reconnaissance and defense evasion

In stage 3 of the attack, the attacker executed a sequence of natively available commands to gather additional information (Step 5). These commands provide various information, including network settings, account details, running processes, and more. Finally, they attempted to clear the security log in order to conceal their tracks (Step 6). 

Fig 5. Step 5 and Step 6 of Volt Typhoon Attacks

To detect steps 5 and 6 effectively, the following use cases can be leveraged: 

  1. Suspicious LOLBIN activity 
  2. Security Log Cleared 

Fig 6. How UEBA can Detect Step 5 and Step 6 of Volt Typhoon Attacks

In the use case of suspicious LOLBin (Living-off-the-Land Binary) activity, an anomaly alert will be generated when a series of native commands are executed in a pattern that closely resembles the activities typically carried out by an attacker during reconnaissance and maintaining access. 

These are the specific LOLBin commands outlined in the advisory released by the NSA pertaining to the campaign:

Fig 7. Specific LOLBin Commands in Volt Typhoon

In the use case of security log clearance, an anomaly alert will be triggered when the account attempts to clear the security event log. This deliberate action poses a significant concern as it obstructs forensic analysis and investigation, especially when the victim lacks access to the audit trail. 

This underscores the importance of forwarding the audit log to a secure and resilient log storage facility to preserve crucial evidence for future analysis. 

Auto triage of security alerts 

In the previous sections, we discussed the use cases for detecting stealthy attackers in a network. While one can try to use a SIEM (Security Information and Event Management) solution to implement some of these use cases, there are significant limitations to consider when using a SIEM solution for such use cases. 

For example, monitoring Event ID 1102 can help detect the clearing of security logs, while Event ID 5145 can identify privileged network drive access. However, enabling these alerts in a SIEM may overwhelm the security team with numerous alerts, including many that are benign or unrelated to malicious activity. 

To address this challenge, UEBA (User and Entity Behavior Analytics) is an effective approach. UEBA continuously triages activity by comparing it against the historical behaviour of each entity. The security team is only notified when behavioural changes linked to relevant use cases are detected, minimizing alert fatigue.

By leveraging UEBA, security alerts are analyzed in the context of an entity’s overall behaviour, allowing for a more accurate and targeted detection of suspicious activities. This approach significantly reduces the number of false positives and focuses attention on the most relevant alerts, improving the efficiency and effectiveness of the security team’s response to potential threats.  
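As an added example (not InsiderSecurity’s code) tying together the Stage 2 and Stage 3 use cases and the triage point just made, the following runs the detections over a constructed stream of parsed Windows events. Event IDs 5145 (share access), 7045 (service installed), 4688 (process creation) and 1102 (audit log cleared) are real Windows event IDs; the flat field layout, the host names, the `backupsvc` account in the ADMIN$ baseline, and the recon category threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Learning-phase knowledge (constructed): accounts that routinely use the ADMIN$
# share of a given server. A plain SIEM rule on Event ID 5145 would fire on these too.
ADMIN_SHARE_BASELINE = {("backupsvc", "FILE01")}

# Native binaries grouped by what they reveal; a burst spanning several groups
# from one account on one host is treated as recon-like. Threshold is hypothetical.
RECON_CATEGORIES = {
    "network": {"ipconfig", "netstat", "arp", "route"},
    "account": {"whoami", "net", "query"},
    "process": {"tasklist", "wmic"},
    "system": {"systeminfo", "hostname"},
}
RECON_MIN_CATEGORIES = 3

# A netsh portproxy 'add' creates a new listener forwarding to another host:port.
PORTPROXY_ADD = re.compile(
    r"netsh\s+interface\s+portproxy\s+add\s+v4tov4\b.*?listenport=(?P<lport>\d+)"
    r".*?connectaddress=(?P<caddr>[\w.\-]+).*?connectport=(?P<cport>\d+)",
    re.IGNORECASE,
)


def _binary_name(cmdline):
    """'C:\\Windows\\System32\\ipconfig.exe /all' -> 'ipconfig'."""
    first = cmdline.strip().split()[0].strip('"').lower().rsplit("\\", 1)[-1]
    return first[:-4] if first.endswith(".exe") else first


def detect(events):
    """Run the Stage 2/3 use cases over parsed events. Each event is a dict with
    'id', 'account', 'host' and the ID-specific fields used below.
    Returns (use_case, account, host, detail) tuples."""
    findings = []
    recon = defaultdict(set)  # (account, host) -> recon categories observed
    for ev in events:
        acct, host, eid = ev["account"], ev["host"], ev["id"]
        if eid == 5145 and ev["share"].upper().endswith("ADMIN$"):
            # Entity-context triage: only a change from the learned baseline is raised
            if (acct, host) not in ADMIN_SHARE_BASELINE:
                findings.append(("Privileged Network Drive Access", acct, host, ev["share"]))
        elif eid == 7045:
            detail = ev["service"]
            if detail.upper().startswith("PSEXESVC"):
                detail += " (PsExec remote-service pattern)"
            findings.append(("Creation of New Service", acct, host, detail))
        elif eid == 4688:
            m = PORTPROXY_ADD.search(ev["cmdline"])
            if m:
                findings.append(("New Network Service", acct, host,
                                 f"listen tcp/{m['lport']} -> {m['caddr']}:{m['cport']}"))
            exe = _binary_name(ev["cmdline"])
            for category, binaries in RECON_CATEGORIES.items():
                if exe in binaries:
                    recon[(acct, host)].add(category)
        elif eid == 1102:
            findings.append(("Security Log Cleared", acct, host, "audit log cleared"))
    # Recon is judged on the whole burst, so it is evaluated after the pass
    for (acct, host), cats in recon.items():
        if len(cats) >= RECON_MIN_CATEGORIES:
            findings.append(("Suspicious LOLBIN activity", acct, host, ", ".join(sorted(cats))))
    return findings


# Constructed event stream mirroring steps 3 to 6 (192.168.100.100 is the page's
# example address; the routine backupsvc access and alice's single command are benign).
EVENTS = [
    {"id": 5145, "account": "backupsvc", "host": "FILE01", "share": r"\\FILE01\ADMIN$"},
    {"id": 5145, "account": "RouterAdmin1", "host": "FILE01", "share": r"\\FILE01\ADMIN$"},
    {"id": 7045, "account": "RouterAdmin1", "host": "FILE01", "service": "PSEXESVC"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE01", "cmdline":
        "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 "
        "connectaddress=192.168.100.100 connectport=8443 protocol=tcp"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE01", "cmdline": "ipconfig /all"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE01", "cmdline": "tasklist /v"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE01", "cmdline": "whoami /all"},
    {"id": 4688, "account": "RouterAdmin1", "host": "FILE01", "cmdline": "systeminfo"},
    {"id": 4688, "account": "alice", "host": "WS07", "cmdline": "ipconfig /all"},
    {"id": 1102, "account": "RouterAdmin1", "host": "FILE01"},
]


if __name__ == "__main__":
    for use_case, acct, host, detail in detect(EVENTS):
        print(f"[{use_case}] {acct}@{host}: {detail}")
```

The routine `backupsvc` ADMIN$ access produces no finding because it matches the entity’s baseline, which is the difference between a raw Event ID 5145 rule and a triaged one; every finding in the run belongs to RouterAdmin1 on FILE01.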


Fig 8. UEBA sends a security ticket to users

Summary and recommendations 

The attacker’s patient execution of the campaign, relying on the operating system’s limited tools and living-off-the-land (LOL) techniques, emphasizes the need for proactive security measures. To safeguard your organization against such threats, we recommend implementing the following measures: 

  • Restrict direct internet access to the router’s management interface 
  • Maintain credentials stored in the router at lower privilege levels 
  • Implement comprehensive authentication and authorization measures for both intranet and internet-facing assets 
  • Establish a secure and centralized location for forwarding and storing audit logs 
  • Take a proactive approach by continuously monitoring audit logs for any abnormalities related to identity, network, and assets. Detecting anomalies early can help mitigate potential threats before they escalate 

How can InsiderSecurity help? 

Fig 9. A timeline chart showcasing the detection at each stage of the Volt Typhoon attack with InsiderSecurity’s Automated UEBA

InsiderSecurity’s Automated UEBA (User and Entity Behavior Analytics) powered by AI and advanced user behaviour analytics provides early detection of various security risks, including hijacked accounts, insider threats, and compromised servers. By leveraging our Automated UEBA, organizations can effectively detect all the above-mentioned attack pathways. 

Through continuous monitoring and analysis of user behaviour, InsiderSecurity identifies suspicious activities, anomalous patterns, and deviations from normal behaviour. This allows for the proactive identification of potential security incidents and timely response to mitigate risks. 

InsiderSecurity’s Automated UEBA goes beyond traditional rule-based approaches, utilizing advanced machine learning algorithms to detect complex and evolving attack techniques. By analyzing user behaviour, account activity, network traffic, and other relevant data sources, our solution provides enhanced visibility into potential threats and helps organizations stay one step ahead of adversaries. 

Elevate your security posture and protect your organization from sophisticated threats. Contact us now to schedule a consultation and discover how our advanced security solutions can help you stay ahead of evolving cyber risks. Don’t wait until it’s too late – act now to secure your future. 

What are the 5 key areas of cloud security?

Concerns of cloud data breaches are a key reason that cloud adoptions hit a roadblock in companies despite an eagerness to go “cloud first”. Despite the promise and flexibility that the cloud offers, security is something that companies cannot compromise on. Cloud security expertise remains high in demand and low in supply, with most CISOs struggling to fill the skills gap in their team.

It is essential to understand the fundamental principles on which cloud security is built before cloud adoption can be implemented properly. One of the biggest mistakes a company can make is to implement a cloud solution without giving much consideration to its cloud security.

Let us take a look at a few of the key areas within cloud security and how they all work together.

Visibility

It is difficult to secure what you do not have visibility on, and nowhere is this more true than cloud security.

Without proper change management, cloud infrastructure can get updated within seconds leading to a security nightmare unless proper security checks are implemented. CISOs and cybersecurity teams must monitor and get visibility on what is happening within their cloud environments before a security breach happens. This is easier said than done, as cloud workloads can be geographically dispersed, managed by different teams, and even spread across different cloud providers like AWS, GCP, and Microsoft Azure. Many companies prefer to go multi-cloud to prevent vendor lock-in, which becomes a major visibility challenge for CISOs.

One solution is to adopt cloud-native tooling such as Cloud Security Posture Management (CSPM) tools, so that threats and misconfigurations can be proactively identified before they lead to a security breach. These solutions may also allow auto-remediation, enabling faster response times than are possible on-premises. In addition to threat mitigation, CISOs implementing such tools gain visibility into their single- or multi-cloud environment, enabling them to make informed decisions about their cloud risk posture. 

Continuous monitoring

Gaining visibility leads to the next key area, which is continuous monitoring for threats. Monitoring also helps companies to maintain compliance with regulatory standards.

The cloud lends itself to automation, and millions of events can be taking place, any one of which could be due to a potential cyber threat. Manual security response is not feasible in such an environment. A high volume of events and alerts leads to alert fatigue and critical alerts being missed.  

It helps to have cloud monitoring solutions powered by machine learning that can make sense of these events and detect suspicious user activity automatically.

Security by design

It is important to include security at the design stage of cloud adoption, and not to bolt on security as an afterthought. For example, companies can make use of Infrastructure as Code (IaC) templates to spin up cloud infrastructure such as compute instances, databases, networks, security groups etc. with certain security controls baked in from the start.
Security by design not only makes life easier for cloud administrators but also lends itself to better security down the road.
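The two ideas above, CSPM-style misconfiguration detection (Visibility) and security controls checked before infrastructure is created (Security by design), can be combined into a pre-deployment lint of an IaC template. The following is an added example and not code from InsiderSecurity or any CSPM product: it walks a CloudFormation-shaped template (real AWS resource and property names, but a constructed template) and flags security groups that expose administrative or database ports to the whole internet and S3 buckets that lack a full public-access block or encryption. The port list and thresholds are assumptions chosen for illustration.

```python
"""Pre-deployment lint of an IaC template for common cloud misconfigurations.

Added example. The resource/property names follow AWS CloudFormation, but the
template, the port list and the policy thresholds are constructed for
illustration and are not taken from any real deployment.
"""
from __future__ import annotations

from typing import Any

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017}   # remote-admin and database ports (assumed policy)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}                  # "anyone on the internet"
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")


def _port_range(rule: dict[str, Any]) -> tuple[int, int]:
    """Return (from, to) for an ingress rule; protocol '-1' means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return (0, 65535)
    return (int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)))


def check_security_group(name: str, props: dict[str, Any]) -> list[str]:
    """Flag world-reachable ingress rules that cover any admin/database port."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        src = rule.get("CidrIp") or rule.get("CidrIpv6")
        if src not in WORLD_CIDRS:
            continue
        lo, hi = _port_range(rule)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{name}: ingress from {src} reaches admin/database port(s) {exposed}")
    return findings


def check_s3_bucket(name: str, props: dict[str, Any]) -> list[str]:
    """Flag buckets whose public-access block is incomplete or that lack encryption."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PUBLIC_ACCESS_KEYS if pab.get(k) is not True]
    if missing:
        findings.append(f"{name}: public access block not fully enabled (missing {missing})")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no server-side encryption configured")
    return findings


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def lint_template(template: dict[str, Any]) -> list[str]:
    """Run every applicable check over the template's Resources section."""
    findings: list[str] = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


# Constructed sample: one bucket done right, one left open, one security group exposing SSH.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_KEYS},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            },
        },
        "ExportsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
        },
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]},
        },
    }
}

if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE):
        print(line)
```

Run as a CI step before `deploy`, a non-empty findings list fails the pipeline, which is what "baked in from the start" means in practice: the open bucket never exists, rather than being discovered by a scanner after the fact.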

Identity Management

One of the most significant changes in cloud security is that the traditional network perimeter decreases in importance, and identity and access management becomes much more important. While network perimeter controls do not vanish entirely, security controls now focus more on validating user and machine identities in the cloud.

Besides strong password policies and multi-factor authentication controls, other data such as location, risk score, device status etc may also be used to establish the identity. This is part of the Zero Trust model, where there is no implicit trust granted to any user or device, whether it resides within or outside the network.
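To show how those extra signals (location, device status, risk score) combine with the password and MFA into a single access decision, here is an added example in the spirit of the Zero Trust model described above. It is not any vendor's policy engine; the signal names, thresholds and the sample sign-in contexts are constructed for illustration.

```python
"""Zero Trust style access decision from several identity signals.

Added example; not a vendor's policy engine. Signal names, thresholds and the
sample contexts are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "require_mfa", "deny"


@dataclass(frozen=True)
class SignInContext:
    user: str
    password_ok: bool            # primary credential verified
    mfa_satisfied: bool          # a strong second factor already completed this session
    location: str                # country/site tag derived from the sign-in source
    usual_locations: frozenset   # locations in this user's historical baseline
    device_compliant: bool       # managed device passing policy (patched, encrypted, ...)
    risk_score: float            # 0.0 (benign) .. 1.0 (very likely compromised)
    resource_sensitivity: str    # "low", "medium" or "high"


def decide(ctx: SignInContext) -> tuple[str, str]:
    """Return (decision, reason); the most restrictive rule that applies wins."""
    if not ctx.password_ok:
        return DENY, "primary credential failed"
    if ctx.risk_score >= 0.8:
        return DENY, "risk engine scores the session as likely compromised"
    if ctx.resource_sensitivity == "high" and not ctx.device_compliant:
        return DENY, "high-sensitivity resource requires a compliant device"
    # No implicit trust: any deviation from the baseline, or any non-trivial
    # resource, requires a strong factor before access is granted.
    needs_mfa = (
        ctx.location not in ctx.usual_locations
        or ctx.risk_score >= 0.4
        or not ctx.device_compliant
        or ctx.resource_sensitivity != "low"
    )
    if needs_mfa and not ctx.mfa_satisfied:
        return STEP_UP, "context deviates from baseline; strong factor required"
    return ALLOW, "signals consistent with baseline"


# Constructed sample contexts covering each branch of the policy.
SAMPLES = {
    "alice_usual_site":      SignInContext("alice", True, False, "SG-HQ", frozenset({"SG-HQ"}), True, 0.1, "low"),
    "alice_new_country":     SignInContext("alice", True, False, "DE", frozenset({"SG-HQ"}), True, 0.1, "low"),
    "alice_new_country_mfa": SignInContext("alice", True, True, "DE", frozenset({"SG-HQ"}), True, 0.1, "low"),
    "bob_unmanaged_device":  SignInContext("bob", True, True, "SG-HQ", frozenset({"SG-HQ"}), False, 0.2, "high"),
    "carol_high_risk":       SignInContext("carol", True, True, "SG-HQ", frozenset({"SG-HQ"}), True, 0.9, "medium"),
    "dave_bad_password":     SignInContext("dave", False, False, "SG-HQ", frozenset({"SG-HQ"}), True, 0.0, "low"),
}


def run_samples() -> dict[str, str]:
    """Evaluate every sample context and return name -> decision."""
    return {name: decide(ctx)[0] for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(f"{name:24s} -> {decide(ctx)}")
```

The point of the ordering is that a correct password and even a completed MFA never override a non-compliant device or a high risk score: each request is judged on all of its signals, whether it originates inside or outside the network.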

Vulnerability Management

Migrating your infrastructure to the cloud does not mean that you can now completely pass the job of vulnerability management to the cloud service provider. Under the shared security responsibility model used by all cloud service providers, the company is responsible for vulnerability management in certain portions of the cloud infrastructure (which portions varies depending on whether you are using IaaS, PaaS or SaaS).

The rapid speed at which cloud environments change, and the complex architectures involved (servers, containers, serverless functions etc) can make vulnerability management in the cloud challenging.

An effective cloud vulnerability management program should recognize the unique nature of cloud workloads but carry over the best practices from an on-prem vulnerability management program. Identification, severity tracking, and tracking to closure are all activities that are needed to ensure the cloud environment is not exposed to any critical vulnerabilities.

A final note: cloud security is not static

Cloud Security does not finish after security controls are implemented. As the threat landscape changes fast, cloud security implementations can fail if they are viewed as a project with a clear start and end date. Instead, companies should regularly review and improve or adjust their cloud security controls.

The areas discussed above should be addressed by security controls and made part of an overall cloud security plan that is reviewed regularly. This eases the cloud adoption process, so that companies can reap the benefits of the cloud.

How can InsiderSecurity help?

InsiderSecurity Cloud Security Monitor detects threats in real time for Microsoft 365 environments. It is a simple-to-use SaaS for enterprises to monitor their data security in Microsoft 365. With its award-winning automated cybersecurity analytics and machine learning, InsiderSecurity CSM makes sense of the millions of events occurring in Microsoft 365, easing the burden on overworked security teams. It provides an easy way to monitor your Microsoft 365 data security.

Lessons from recent cloud data breaches

Cloud Security is an evolving area in which many companies are still finding their footing. Navigating a cloud environment can be challenging for cybersecurity teams who are unfamiliar with how security changes in a cloud environment. Examples of this can be increased automation, a shared security responsibility model, faster change management, and so on.

Cybersecurity teams can learn which areas to focus on by upskilling their cloud knowledge via certifications, adopting cloud-native best practices, and by studying cloud data breaches within the industry. By analyzing these incidents and understanding what vulnerabilities led to these control failures, companies can ensure they are not exposed in a similar way.

Let us look at a few of the most notable cloud data breaches of recent years and what lessons we can learn from them.

Accenture

Accenture, a well-known name in the IT consulting industry, revealed that a popular ransomware group had compromised them in 2017. As a consequence of a cloud misconfiguration, Accenture inadvertently left four of its AWS S3 buckets publicly accessible. As a result, hundreds of gigabytes of sensitive client and company data were exposed. This data included more than 40,000 plaintext passwords, sensitive API data, decryption keys, authentication credentials, user data, and customer information. Hackers released some of this data on the dark web. 

In August of 2021, Accenture again fell prey to an attack via the LockBit ransomware.  Attackers exfiltrated over six terabytes of data and demanded that a $50 million ransom payout be made. The compromise also affected Accenture customers.  

Accenture admitted in its financial report that  
“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.” 

A few of the key lessons that can be taken from this incident are:  

  • Deploy cloud security tools to detect misconfigurations in the cloud environment. These misconfigurations are usually how attackers gain a foothold in an environment.  
  • All major cloud providers like Microsoft Azure, Google, and AWS have guidance on how to protect against ransomware. These should be studied and adopted.  
  • Insider threats are a genuine cause for concern. Employees with access can be targeted and potentially bribed by attackers with million-dollar budgets. 
  • Partners and customers of Accenture were compromised as part of this attack, and hence it is essential to assess the risk of third-party access in a cloud environment.  

Cognyte 

Cognyte, a cybersecurity analytics firm, faced industry scrutiny after a misconfiguration led to over 5 billion user records being exposed over the internet. Even worse, this database contained data about previous security incidents collected as part of Cognyte’s intelligence service. The misconfiguration left the database reachable over the internet without any authentication in place. Fortunately, a security firm discovered the exposure and reported it to Cognyte proactively. 

A few of the critical lessons that can be taken from this incident are:  

  • Misconfigurations remain one of the biggest threats to cloud security. Without controls to detect and remediate such mistakes, a company can face a similar situation to Cognyte.  
  • It is difficult to secure what you have no visibility into. Make use of cloud security tools to identify all cloud resources and their security posture.  
  • Passwords are simply not enough to secure a cloud environment. Implementing multi-factor authentication would have mitigated the impact of this exposure and is something all companies should implement.  

Kaseya

Kaseya, a popular IT management software provider based in the U.S., was compromised in July 2021 by a Russian hacking group. The attack was similar to the supply chain compromise of SolarWinds, in which popular software is compromised and used as a jumping-off point to access more environments. While the company shut down its SaaS servers and notified customers, this was not enough to contain the blast radius of the attack, as customers found themselves receiving ransomware instead of Kaseya’s regular software updates. The situation was severe enough for the FBI and cybersecurity firms such as Mandiant to get involved.  

A few of the critical lessons that can be taken from this incident are:  

  • Supply chain attacks can be highly devastating as many other parties are compromised along with the initial victim. Attackers are smart enough to realize that compromising the software supply chain can be easier and result in higher payoffs than attacking companies head-on.  
  • Patching remains as essential as ever, as the Russian group was able to compromise Kaseya by exploiting unpatched vulnerabilities.  

Raychat

Raychat, a popular Iranian chat application, was compromised in February 2021 due to a misconfigured database, similar to Cognyte. Over 267 million records of its customers’ personal details were accessed and then deleted by a bot. Because of the misconfiguration, no advanced technical skills were needed: the attacker could simply access the database and destroy it without any controls detecting or stopping the malicious activity.  

A few of the critical lessons that can be taken from this incident are:  

  • The common theme of misconfigurations once again shows up in this case. If Raychat had implemented controls to detect and remediate this weakness in time, the entire data breach could have been avoided.  
  • Continuous monitoring of a cloud environment is essential. An attacker accessing a cloud database should be detected due to its suspicious nature. However, the lack of such controls meant Raychat was not aware while the attack was taking place.  

Lessons learned

By analyzing these incidents, we can pick out common themes that appear in nearly all of them. These are the lessons to apply so that our own cloud environments do not contain the same weaknesses:  

  • Misconfigurations are a crucial risk, and it is essential to have controls in place that can detect and mitigate these weaknesses. 
  • Visibility into cloud resources is critical, as cloud environments change rapidly.  
  • Continuous monitoring of cloud resources is needed. Suspicious activities such as logins from unusual locations and data exfiltration should be detected. Cloud Security Monitor provides such automated, continuous monitoring.  
  • Multi-factor authentication is a best practice that should be implemented in both the cloud and on-premise. 
  • Supply chain risk can be a blind spot in cloud environments. It is useful to do a risk assessment of the software supply chain and implement controls to protect against its compromise.  

Top cloud security challenges in 2023

Cloud adoption is speeding up in 2023, with Gartner estimating the worldwide spending on public cloud services to grow by 20% from 2022. This has beaten the initial forecasts of 18% for cloud growth, showing the high demand for public cloud services despite an overall economic slowdown across the globe. Infrastructure as a Service (IaaS) leads this growth, with the other services close behind.
The cloud brings benefits to companies because of its agile and scalable nature. At the same time, however, cloud adoption presents unique security challenges.
We look at the key cloud security challenges in cloud adoption and how to address these challenges.

Insufficient cloud security expertise

The cloud is a different environment from on-premises, and cybersecurity teams that “copy-and-paste” security controls into the cloud will soon find that this approach does not work. The cloud lends itself to automation and speed, hence native cloud security tooling becomes an important requirement. These tools require upskilling the current cybersecurity teams; otherwise, CISOs will find themselves with environments their teams are not equipped to defend! It is essential to implement tools that are optimized for cloud environments and to invest in proper training for the cloud security teams.

Misconfigurations

Misconfigurations are a key reason for most cloud security breaches, as cloud administrators unintentionally end up exposing cloud interfaces and infrastructure over the internet. This is easily picked up by attackers and used as an entry point into the cloud environment. The misconfiguration may also be carried out by an insider threat with malicious intent, and not be detected due to a lack of cloud security tooling. Insider threat is a genuine risk regardless of which environment it is occurring in, and misuse of authorized access can be very difficult to detect without proper tooling.

Lack of visibility

Multi-cloud is a reality today, as most companies do not want to live with the risk of vendor lock-in. Most companies adopting the cloud have hybrid environments with workloads split between on-premises and two or more cloud providers. While this provides flexibility and options, its scattered nature also makes it a nightmare for CISOs to control and secure. Each cloud environment functions differently, and it is important to put in place a cloud security solution that can provide a centralized view of the risk posture of each environment.

Account takeovers

Cloud identities are a key focus point for attackers, given that the traditional network perimeter no longer exists in the cloud. Cloud control planes are the “keys to the kingdom” in most cloud environments, and attackers can target cloud administrators via phishing attacks, malware etc. to compromise their credentials and gain access. This is especially easy if multi-factor authentication (MFA) has not been configured or the password itself is weak and susceptible to brute-force attacks. Even if MFA is enabled, attackers can still compromise the cloud control plane if the administrator’s machine has been compromised.
This attack is not just restricted to user identities but also to services and applications. Users can unintentionally grant access to SaaS applications within their cloud environments, which may be malicious and allow attackers to bypass security controls and gain access to your cloud environment. It is essential to follow a zero-trust model and authenticate every request made. SaaS applications should be reviewed for excessive permissions that grant trusted access to cloud data.

Cloud vulnerabilities

Cloud workloads can be vulnerable to the same weaknesses that are present in any software unless controls are set up within the pipeline. Missing patches, insecure coding, weak communication protocols, excessive permissions etc. are all weaknesses that can be taken advantage of by attackers and used to gain a foothold within a cloud environment. Cloud workload protection mechanisms help to assess the security posture of workloads throughout the lifecycle and can mitigate risks arising in real time.

How Cloud Security monitor can help

Cloud Security Monitor monitors for threats in real-time for Microsoft 365 environments. Its award-winning automated cybersecurity analytics and machine learning makes sense of the millions of events that are occurring in Microsoft 365, easing the burden on overworked security teams. It monitors for insider threats and suspicious data access.
Some of its key features are:
● Discover if an insider threat or hacker is stealing valuable company data from SharePoint or OneDrive
● Monitor for documents shared to the public by accident
● Easy-to-read summary reports instead of alerts
● Monitor your cloud security health with easy-to-read summary reports without the need to manually go through a high volume of events or alerts
● Intelligent algorithms automatically uncover suspicious activities and automatically provide risk grading of the entities
● Get notified when there is a high-risk activity
● With intelligent algorithms making sense of activity events, you only get alerted when there is a high-risk activity, so you do not get swamped by alerts
● Discover if your Microsoft 365 accounts are compromised and whether a hacker is accessing your company data and emails

InsiderSecurity analysis for CVE-2023-23397 Microsoft Outlook vulnerability 

CVE-2023-23397 Threat Overview 

InsiderSecurity carries out research and analysis on the latest cyber threats to help organizations stay ahead. InsiderSecurity analysed the possible exploitation techniques for the recent Outlook vulnerability, as well as methods for early detection of such exploits, both for this specific vulnerability and future similar vulnerabilities. The following are our findings:

Microsoft recently released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. The CVE-2023-23397 vulnerability in Microsoft Outlook has generated significant concern due to its high severity score of CVSS 9.8.  It affects everything from Microsoft 365 apps for enterprise to Outlook 2013 SP1. This exploit has caught the attention of a hacking group linked to Russia’s GRU military intelligence agency that is using it to target some European organizations in government, transportation, energy, and military sectors.  

Companies have to quickly patch their Outlook software and implement measures to detect if they have been compromised. As companies may already be compromised, it is not sufficient to simply block access to port 445 on the internet. 

Stealing the Net-NTLM hash 

CVE-2023-23397 allows the attacker to steal the Net-NTLM hash from the victim, which enables an attacker to assume the victim’s identity and move deeper into the organisation.  
The attacker steals the Net-NTLM hash by tricking the victim into accessing a UNC path \\Attacker_IP_Address. The ‘leaking’ of the Net-NTLM hash through this mechanism is not new, nor is it considered an actual vulnerability by itself, as it is a feature that allows Windows machines to communicate with one another. 

The safer Kerberos authentication is typically used between machines within the same domain. However, when a user connects to a machine belonging to a different domain, or to a machine known only by its IP address, Kerberos authentication cannot be used; the user’s authentication is therefore downgraded from Kerberos to NTLM, and the user’s Net-NTLM hash is automatically sent to the destination. 

For instance, if a user attempts to access either of the following UNC paths, the Net-NTLM hash will be sent (and therefore leaked) to the attacker. 

\\Attacker_IP_address 

\\Attacker_hostname.In_another_domain 
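The Kerberos-to-NTLM downgrade rule above can be turned into a defensive check: given a UNC path, decide whether a Windows client in your domain would fall back to NTLM when opening it, and scan text (mail bodies, scripts, configuration) for such paths. The following is an added example, not part of the advisory or of InsiderSecurity's products. It assumes that an IP-literal host or a host outside a configured list of trusted domains is an NTLM-fallback target and that a single-label name resolves within the local domain; the trusted-domain list and sample paths are constructed for illustration.

```python
"""Classify UNC targets by whether Windows would fall back from Kerberos to NTLM.

Added example; not from the advisory. Assumptions: Kerberos needs a service
principal name in a realm the client trusts, so an IP literal or a host in a
domain outside `trusted_domains` is treated as an NTLM-fallback target, and a
single-label name is assumed to resolve inside the local domain. The trusted
domain list and the sample text are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# \\host\share\path  -> group(1) is the host part
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\.*)?$")
# Finds every UNC reference embedded in free text.
UNC_FIND = re.compile(r"\\\\[A-Za-z0-9._@:\-]+(?:\\[^\s\\]+)*")


@dataclass(frozen=True)
class UncVerdict:
    path: str
    host: str
    reason: str
    ntlm_fallback: bool


def classify_unc(path: str, trusted_domains: set[str]) -> UncVerdict:
    """Decide whether opening `path` would downgrade authentication to NTLM."""
    m = UNC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    host = m.group(1)
    # WebDAV-style UNC paths carry an @SSL or @port suffix (\\host@80\share); strip it.
    host_only = host.split("@", 1)[0].lower()
    try:
        ipaddress.ip_address(host_only.strip("[]"))
        return UncVerdict(path, host, "IP literal: no SPN, Kerberos cannot be used", True)
    except ValueError:
        pass
    if "." not in host_only:
        return UncVerdict(path, host, "single-label name, resolved in the local domain", False)
    for domain in trusted_domains:
        d = domain.lower()
        if host_only == d or host_only.endswith("." + d):
            return UncVerdict(path, host, f"host is in trusted domain {d}", False)
    return UncVerdict(path, host, "host is outside every trusted domain", True)


def find_fallback_targets(text: str, trusted_domains: set[str]) -> list[UncVerdict]:
    """Return every UNC reference in `text` that would trigger an NTLM fallback."""
    verdicts = [classify_unc(m.group(0), trusted_domains) for m in UNC_FIND.finditer(text)]
    return [v for v in verdicts if v.ntlm_fallback]


# Constructed sample text: two internal references, one IP literal, one foreign domain.
SAMPLE_TEXT = r"""
Team share:    \\fileserver01.corp.example\finance\q1
Printer:       \\print02\hr
Vendor upload: \\203.0.113.10\share\alert.wav
Partner vault: \\backup.partner-example.net\vault
"""
TRUSTED = {"corp.example"}

if __name__ == "__main__":
    for v in find_fallback_targets(SAMPLE_TEXT, TRUSTED):
        print(f"NTLM fallback: {v.path}  ({v.reason})")
```

Paths that classify as fallback targets are the ones worth blocking at the egress firewall (ports 445 and 80 outbound, as the detection strategies later in this article describe) and worth alerting on when they appear in inbound mail, since a client following them will hand its Net-NTLM hash to whoever answers.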

How is CVE-2023-23397 exploited? 

The impact of CVE-2023-23397 is equivalent to the impact of a successful Net-NTLM based attack. In all attack paths, the attacker sends a malicious email to the victim, causing the victim’s machine to send their Net-NTLM hash to the attacker. Once the attacker has stolen the Net-NTLM hash from the victim, they could proceed with any of the attack paths described in the slides and summarised below: 

  1. In attack path 1, the attacker could gain highly privileged access to a Windows domain server of interest by relaying the Net-NTLM hash of a privileged user to that server. This is done by targeting a privileged user so that their Net-NTLM hash is sent to a previously compromised machine belonging to an unsuspecting employee within the network. This is also known as an NTLM relay attack. 
  2. In attack path 2, the attacker could attempt to recover the password from the stolen Net-NTLM hash through offline password cracking, allowing the attacker to log in to the company’s network via VPN and move laterally from asset to asset. This can work because the passwords for all the services available to the victim may be synchronised and centrally managed by an identity provider (i.e. a domain controller). Multi-factor authentication (MFA) reduces the likelihood of this attack path.  
  3. In attack path 3, the same password recovery technique described in attack path 2 is used to log in to the victim’s cloud account. The attacker could then search for valuable data or secrets stored in the cloud and perform cloud-based attacks. MFA reduces the likelihood of this attack path too. 

Detection strategies  

There are a number of approaches to detect successful Net-NTLM based exploits resulting from CVE-2023-23397 or similar vulnerabilities. These include: 

1.  Detecting TCP connections made to port 445 (SMB) and port 80 (WebDAV), to both internal (attack path 1) and external (attack paths 2 and 3) IP addresses, especially to new destination IP addresses not observed in the past. 

2.  Successful logins by accounts from a new location, whether in the cloud or on-premises (attack paths 1, 2 and 3). 

3.  Detecting NTLM authentication from accounts that do not usually perform NTLM authentication. Successful Net-NTLM relay attacks have been observed to be chained with NTLM hash dumping, which leads to pass-the-hash attacks. 

4.  Monitoring for changes in server access patterns, where a compromised account is used to access servers in a suspicious manner. 

Behaviour analytics can detect such changes and enable users to detect Net-NTLM exploits, even when the exploit is due to a newly discovered vulnerability. 
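The four strategies above (and the "continuous monitoring" and "logins from unusual locations" points in the cloud security articles earlier on this page) share one shape: learn what is normal for each entity during a baseline window, then alert on deviations. The following is an added example and not InsiderSecurity's product logic; it uses a constructed, simplified event schema (one JSON object per line, standing in for firewall flow logs, Windows logon events and server access logs) and a plain set-membership baseline rather than machine learning, so that the logic of each rule is visible.

```python
"""Baseline-and-deviation checks for the four Net-NTLM detection strategies.

Added example, not a product's detection logic. Event records use a constructed
schema (one JSON object per line); in a real deployment they would be mapped
from firewall/proxy logs, Windows Security events and cloud sign-in logs.
"""
from __future__ import annotations

import json
from collections import defaultdict
from typing import Iterable

SMB_WEBDAV_PORTS = {445, 80}


def build_baseline(lines: Iterable[str]) -> dict:
    """Learn, per entity, what was observed during the baseline window."""
    b = {
        "dst_ips": defaultdict(set),    # host -> destination IPs contacted on 445/80
        "locations": defaultdict(set),  # account -> locations with successful logons
        "ntlm_users": set(),            # accounts that ever authenticated with NTLM
        "servers": defaultdict(set),    # account -> servers accessed
    }
    for ev in map(json.loads, lines):
        if ev["type"] == "netflow" and ev["dst_port"] in SMB_WEBDAV_PORTS:
            b["dst_ips"][ev["src_host"]].add(ev["dst_ip"])
        elif ev["type"] == "logon" and ev["outcome"] == "success":
            b["locations"][ev["account"]].add(ev["location"])
            if ev.get("auth_package") == "NTLM":
                b["ntlm_users"].add(ev["account"])
        elif ev["type"] == "server_access":
            b["servers"][ev["account"]].add(ev["server"])
    return b


def detect(lines: Iterable[str], baseline: dict) -> list[tuple[str, str, str]]:
    """Return (rule_id, entity, detail) for every deviation from the baseline."""
    alerts = []
    for ev in map(json.loads, lines):
        t = ev["type"]
        if t == "netflow" and ev["dst_port"] in SMB_WEBDAV_PORTS:
            # Strategy 1: SMB/WebDAV connection to a never-seen destination.
            if ev["dst_ip"] not in baseline["dst_ips"][ev["src_host"]]:
                alerts.append(("1-new-smb-webdav-dest", ev["src_host"],
                               f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif t == "logon" and ev["outcome"] == "success":
            acct = ev["account"]
            # Strategy 2: successful logon from a location outside the account's baseline.
            if ev["location"] not in baseline["locations"][acct]:
                alerts.append(("2-new-logon-location", acct, ev["location"]))
            # Strategy 3: NTLM used by an account that never used NTLM before.
            if ev.get("auth_package") == "NTLM" and acct not in baseline["ntlm_users"]:
                alerts.append(("3-unusual-ntlm-auth", acct, ev["src_host"]))
        elif t == "server_access":
            # Strategy 4: account reaches a server it has never accessed.
            if ev["server"] not in baseline["servers"][ev["account"]]:
                alerts.append(("4-new-server-access", ev["account"], ev["server"]))
    return alerts


# Constructed sample telemetry (hosts, accounts and addresses are fictitious).
BASELINE_LINES = [
    '{"type":"netflow","src_host":"ws-017","dst_ip":"10.0.5.20","dst_port":445}',
    '{"type":"logon","account":"alice","outcome":"success","location":"SG-HQ","src_host":"ws-017","auth_package":"Kerberos"}',
    '{"type":"logon","account":"svc-backup","outcome":"success","location":"SG-DC","src_host":"bk-01","auth_package":"NTLM"}',
    '{"type":"server_access","account":"alice","server":"fs-finance"}',
]
NEW_LINES = [
    '{"type":"netflow","src_host":"ws-017","dst_ip":"203.0.113.10","dst_port":445}',
    '{"type":"netflow","src_host":"ws-017","dst_ip":"10.0.5.20","dst_port":445}',
    '{"type":"logon","account":"alice","outcome":"success","location":"SG-HQ","src_host":"ws-017","auth_package":"Kerberos"}',
    '{"type":"logon","account":"alice","outcome":"success","location":"DE-VPN","src_host":"vpn-gw","auth_package":"NTLM"}',
    '{"type":"logon","account":"svc-backup","outcome":"success","location":"SG-DC","src_host":"bk-01","auth_package":"NTLM"}',
    '{"type":"server_access","account":"alice","server":"dc-01"}',
]


def run_sample() -> list[tuple[str, str, str]]:
    """Build the baseline from the first batch and evaluate the second."""
    return detect(NEW_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for rule, entity, detail in run_sample():
        print(f"{rule:24s} {entity:12s} {detail}")
```

The sample shows why a vulnerability-agnostic baseline matters: nothing in the rules names CVE-2023-23397, yet one workstation contacting a new external SMB server, followed by the same user appearing from a new location with NTLM and then touching a domain controller, fires all four rules in sequence.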

The above are some of the use cases we have in InsiderSecurity solutions, and we hope these tips are useful for the community. So, gear up and get ready to hunt down these attacks like a pro. And always remember to stay safe out there! 

Avoid Similar Attacks with InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the Cloud Security Monitor for ensuring cloud data security. 

Automated UEBA establishes baselines of data access behaviour and alerts on abnormal activity. It detects insider threats, backdoors and advanced attacks by leveraging machine learning and advanced user behavioral analytics.  

InsiderSecurity protects your critical data wherever it resides—on-premises, in the cloud and the hybrid environment. 

Cybersecurity Code-of-Practice (CCoP) 2.0: Complying with InsiderSecurity

Why choose InsiderSecurity for CCoP 2.0

InsiderSecurity products are built for compliance

  • Ease of use, especially useful for small IT teams
  • Automated review of account activity saves hours in monitoring
  • Built-in workflows that support governance and audits

Do you also know:

  • InsiderSecurity is used and trusted by Singapore CII today
  • InsiderSecurity is IMDA accredited
  • InsiderSecurity is an award-winning Singaporean technology company that has its engineering and technical support teams in Singapore

What is Cybersecurity Code-of-Practice (CCoP) 2.0?

The Cybersecurity Code-of-Practice (CCoP) 2.0 refers to the Cybersecurity Code of Practice for Critical Information Infrastructure 2.0, an updated version of CCoP 1.0, which was released in 2018. CCoP 2.0 was published on 4 July 2022. It specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement to ensure the security and resilience of their IT or OT systems and/or network infrastructure, including physical devices and systems, software platforms, and applications of the CII.

The primary objective of CCoP 2.0 is to enhance the defensive capabilities of organisations against the sophisticated tactics, techniques, and procedures (TTPs) employed by cyber attackers. It seeks to impede the progress of attacks and improve agility in tackling emerging risks in domains such as cloud, AI, and 5G. Additionally, it facilitates coordinated defence between the government and private sectors to promptly identify, discover, and respond to cybersecurity attacks and threats.

Whom will CCoP 2.0 affect?

The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are Government, Energy, Water, Healthcare, Banking & Finance, Transport (encompassing Land, Maritime, and Aviation), Media, Infocomm, and Security & Emergency Services.

How does InsiderSecurity meet CCoP 2.0?

InsiderSecurity helps to meet key CCoP 2.0 requirements that are challenging and tedious to comply with. As a leader in automated analytics, InsiderSecurity’s solutions are especially useful for smaller IT teams. InsiderSecurity solutions are used in Singapore CII today. 

InsiderSecurity meets CCoP 2.0 in the two areas below: 

  • Database security
    InsiderSecurity’s simplified database monitoring flags out data access anomalies. InsiderSecurity saves manpower in monitoring.
  • Monitor for anomalies in user behaviour patterns
    InsiderSecurity’s automated log analysis flags out anomalies in behaviour patterns and detects early signs of breach. With InsiderSecurity, the user does not have to manually review high volume log events or alerts. InsiderSecurity makes sense of the logs and saves manpower in monitoring.

Which CCoP 2.0 requirements are addressed by InsiderSecurity?

Clause | CCoP 2.0 requirement | InsiderSecurity
5.2.1(d) (5.2 Account Management) | Establish mechanisms and processes to monitor the activities of each account, including behavioural patterns, for any anomalies and to trigger an alert for investigation when any anomaly is detected; | Yes
5.13.4 (5.13 Database Security) | The CIIO shall monitor databases in a CII for anomalous activities and trigger an alert for investigation when any anomaly is detected. | Yes
5.13.5 | The CIIO shall monitor for bulk queries that exceed a predetermined threshold of data to be retrieved and trigger an alert for investigation when any such bulk query is detected. | Yes
6.1.1 (6.1 Logging) | The CIIO shall generate, collect and store logs of the following: | Yes
6.1.1(a) | All access and attempts to access the CII and the activities during such access, including application and database activities, and access to data in the CII; | Yes
6.2.1 (6.2 Monitoring and Detection) | The CIIO shall establish and implement mechanisms and processes for the purposes of: | Yes
6.2.1(a) | Monitoring and detecting all cybersecurity events in respect of the CII; | Yes
6.2.1(b) | Collecting and storing records of all such cybersecurity events (including, where available, logs relating to the cybersecurity event); | Yes
6.2.1(c) | Analysing all such cybersecurity events, including correlating between cybersecurity events, and determining whether there is or has been any cybersecurity incident; and | Yes
6.2.2 | For the purposes of monitoring and detecting cybersecurity events, the mechanisms and processes established by the CIIO shall include: | Yes
6.2.2(b) | Establishing the normal day-to-day operational activities and network traffic in the CII, and using this as a baseline against which the CIIO is to monitor for deviations and anomalous activities; and | Yes
6.2.2(c) | Ensuring that alerts for further investigation are triggered for all deviations and anomalous activities that are detected. | Yes

CSA has also provided more clarification via its Responses to Feedback Received dated July 2022. The compliance table below outlines how InsiderSecurity meets the CSA responses on CCoP 2.0:

Clause | CSA response on CCoP 2.0 | InsiderSecurity
11.4 | The CIIO is expected to monitor the behavioural patterns of user accounts within the CII environment and to trigger an alert if a CIIO detects suspicious behaviour patterns or behaviour patterns that deviate from the expected baseline. | Yes
11.12 | The intent of the clause is to facilitate early detection of any unauthorised access and malicious activities performed by the privileged accounts. The CIIO should log privileged account related activities such as login attempts, configuration changes etc. | Yes
11.41 | The CIIO should log and monitor all application access and activities to detect any unauthorised access or malicious activities to the application. Following the feedback, CSA has revised the clause to provide clarity. | Yes
12.15 | Examples of the components of the threat hunting include having data to baseline normal traffic to find outliers, develop hypotheses based on tools and frameworks, and investigate and analyse potential threats to discover any new malicious patterns in the data and uncover threat actors’ TTPs. | Yes

What are the InsiderSecurity products that meet CCoP 2.0?

InsiderSecurity’s Database Activity Monitor (DAM) discovers data access anomalies early before there is serious data loss. Some of its key features are:

  • Easy deployment and reduced operating cost
    By leveraging machine learning and AI, Database Activity Monitor does not require the user to configure complex, error-prone database rules. Database Activity Monitor works practically out of the box.
  • Automated monitoring for suspicious data activity
    Automatically detect suspicious database administrator activities, data theft and unusual network activities in the databases.
  • Save manpower
    With smart algorithms making sense of events 24/7, customers only need to review high-risk accounts and activities instead of long, complex reports.
  • Built for compliance
    Features for IT governance and support for audit.

InsiderSecurity’s Automated UEBA flags out anomalies in behaviour patterns and detects early signs of breach. Some of its key features are:

  • Stop Internal Threats
    Continuous, automated monitoring of all user behaviours to uncover suspicious user activities early, before there is any serious data loss
  • Automated Threat Detection
    Detect automatically and save on manpower.
  • Advanced Sensors
    Provide visibility needed to catch Advanced Persistent Threats (APTs)
  • Built for compliance
    Features for IT governance and support for audit.

About InsiderSecurity

InsiderSecurity is a Singapore-based cybersecurity technology company that has garnered industry recognition and awards. Founded by a team of cybersecurity experts, InsiderSecurity provides cutting-edge user behavior analytics to detect internal cyber threats early.

InsiderSecurity is a two-time winner at CSA Cybersecurity Innovation Day, in 2020 and 2022, and has also been listed in the ASEAN 40 under 40 for its groundbreaking cybersecurity innovations. InsiderSecurity is the only company accredited by the Singapore Government in the area of User and Entity Behavior Analytics. This means that InsiderSecurity has met IMDA’s high standards for deployment in enterprises and government agencies.

InsiderSecurity solutions are used by large enterprises and government agencies today.

CCoP 2.0 compliance with InsiderSecurity

For more information on how InsiderSecurity can help you meet your compliance and security needs, contact InsiderSecurity.