The modern network has all of the tools needed to batten down the hatches on even the most sophisticated of threats. Your perimeter-based security tools are preventing breaches from malicious actors while your endpoint tools are protecting individual devices from compromise. But what happens when threats don’t look like threats? What happens when a threat actor already has a foothold into the network? The IP checks every box? These are called insider threats, and we’ve seen some big-name enterprises fall victim to such attacks in recent years.

There are many different types of insider threats. Often times a rogue insider like a disgruntled employee with legitimate access to the network decides to use his or her knowledge and access with malicious intent. Others involve compromised credentials, allowing threat actors to appear as though they have access to certain systems. Sometimes there are attackers hiding in plain sight. Threat actors target and breach legacy or IoT devices that often have key vulnerabilities and are not monitored as heavily, making them easy targets. These can go totally unnoticed and give attackers a foothold into the network, disguising them in east-west traffic as any other legitimate employee. This can all be devastating for businesses and can result in lost productivity and revenue, or even worse, loss of sensitive or classified data. Perhaps the scariest part is that most security tools cannot identify insider threats since they often provide no clear indicator that the network is at risk.

Insider threats are one of the fastest growing threats in the modern security network and according to the Ponemon 2020 report, the number of insider threat incidents has increased by 47% since 2018. Such incidents also take an average of 77 days to contain. None of the traditional security tools can detect these types of attacks. Cisco Stealthwatch is a Network Detection and Response solution that uses the network itself as a sensor to detect threats based on network behavior. Stealthwatch uses network telemetry or metadata generated by networking devices and analyzes all network traffic to expose suspicious or malicious activities caused by insider threats, making it adept at detecting and responding to these types of attacks.

Let’s take a look at 3 reasons why Cisco Stealthwatch is the #1 security tool for detecting and stopping insider threats:

1.Stealthwatch can immediately alert on any red flags

Stealthwatch is constantly monitoring your network’s behavior to detect threats anywhere on the network. Over time, Stealthwatch sees all network traffic and establishes a baseline for ‘normal’ behavior. This allows Stealthwatch to find various kinds of threats that would otherwise go undetected. If there is a threat originating from within the network, your security solutions in place may not be able to see where this is starting. Network traffic is the one source of truth for any and all suspicious activity and enhances contextual awareness, allowing Stealthwatch to look further than most other solutions. Stealthwatch notifies users when anomalies occur, so if a remote desktop user is doing something out of the ordinary, or attempting to access sensitive material at an unusual time, Stealthwatch will trigger an alert.

2.Stealthwatch excels at monitoring east-west traffic

Because Stealthwatch looks for behavioral anomalies, it is especially great for monitoring lateral movement for insider threats. Most organizations focus on protecting their networks from targeted attacks from external sources and lose sight of threats that start within their networks. Stealthwatch monitors all traffic going to and from all your network devices which provides full visibility into internal traffic. CISO’s can be confident that their teams will not be bogged down with an array of alarms, but rather a handful of key actionable alerts.

The Stealthwatch dashboard provides much more than just alerts. It provides a view into all session traffic with information on top internal/external hosts or devices and how much communication is happening between these devices. It also has the ability to drill down into past events with a variety of search and filtering features for deeper forensic analysis. This is especially useful for both NetOps and SecOps teams looking to sift through east-west traffic with ease.

Stealthwatch is also available as a SaaS-delivered solution, Stealthwatch Cloud, that will monitor and protect both your private network and public cloud resources. Because insider threats have knowledge of the way the network is configured, they are able to take advantage of known vulnerabilities that exist in cloud resources such as a misconfigured web application firewall. Stealthwatch Cloud uses the same analytical techniques and also ingests native cloud telemetry that is generated by major cloud providers like AWS, Azure and GCP, allowing for high-fidelity threat detections in all of your public cloud traffic. It generates alerts like Permissive AWS S3 Access Control List and Geographically Unusual Azure API Usage Description that can identify suspicious internal traffic in your cloud environment.

3.Stealthwatch generates alerts specifically to identify potential insider threats

Stealthwatch can generate over 100 different alert types for all kinds of different activity. Some of these alerts focus specifically on insider threats:

Stealthwatch has the ability to classify every device connected to the network into logical host groups by functions, locations, device types, etc. and it will trigger an alert if any unusual access or activity occurs. For example, if a device in the marketing host group tries to access a server that hosts sensitive employee data (that would normally be only accessed by the HR host group) an alert will be triggered. Organizations can also create their own custom policy violation alerts within Stealthwatch to trigger on things like traffic to blocked countries, connections to an external server, etc. So even if an attacker gains access to the network, or legitimate employees are trying to access sensitive data they don’t shouldn’t be, Stealthwatch will immediately detect this activity and alert users.

Data Hoarding alerts could also be indicative of an insider threat. There are two flavors of this alert category that Stealthwatch will generate: suspect data hoarding, and target data hoarding. 

Suspect data hoarding identifies an inside host, acting as a client, that is downloading data from other hosts. If the client exceeds its set threshold or its expected behavioral norm, it is considered the suspect and will fire this alert. Target Data hoarding is a similar alert that identifies an internal host, but this time the host is acting as a server, delivering data to a host or set of hosts. This device is likely a target of an attack being initiated by one of the other connected devices. Both alerts clearly indicate misuse and suspicious behavior to an extent. Should this activity continue, or more targets/suspects get identified, an additional alert for data exfiltration will fire off, indicating that obvious unwanted data transfer is occurring.

Internal Brute Force attacks are common amongst enterprises and occur when an attacker uses automated tools or manually attempts numerous password combinations to break into a protected system. This attacker could either be the disgruntled employee or an external threat that has infiltrated and compromised your systems and been snooping around unnoticed. If compromised, systems can fall victim to unwanted configuration changes, data theft, or slowdowns that can seriously impact the business. Both of these users would be capable of navigating their way through east-west traffic and breaching a system using an automated tool. Stealthwatch can put these incidents to rest with ease. Users can configure brute force login security events to trigger alerts in these scenarios. Stealthwatch can also detect this as an anomaly if the host is accessing a system that it is not normally in contact with. It also sees an abnormally large volume of login attempts as evidence to support an alert. If a SOC operator gets an alert, a simple firewall rule or host isolation can stop the threat in its tracks, and a look through previous session traffic can identify other devices that this insider threat may have been poking around in.

Additionally, Stealthwatch can detect reconnaissance activity, TOR traffic, C&C traffic, firewall policy violations (the list goes on) and more. An NDR tool like Stealthwatch ties your security portfolio together and provides network level visibility to detect insider threats where your other solutions cannot.

To learn more, visit our webpage and sign up for a 2-week Stealthwatch Visibility Assessment today.


Matt Stauffer

Marketing Specialist

Security Marketing