The following is an excerpt from our recent Industry Perspective, Why You Need Improved Operational Intelligence for Big Data, which you can read and download for free here.
Insider threats present a unique challenge to government agencies, in part because what may be normal activity for one employee could be abnormal for another. In large organizations, this problem only grows in scope, making it very difficult to prevent and stop a potential threat.
What is common across all of these cases is that when an insider threat strikes, there was some kind of anomalous activity: someone was accessing information or conducting activities outside the scope of their work. To help prevent insider threats, Splunk software leverages data from many sources — server logs, files, workstation data, network data, and the entire universe of machine data. Splunk can then use that information to build a baseline of what looks normal within an organization. It can assess each user and every IP address to predict and identify events that are outliers.
By using this technology, agencies can instantly know which activities are abnormal based on historical behavior. The behavior may not be illegal or malicious in itself, but it is clearly different from that individual's normal business activity. With Splunk technology, this process requires no coding and no pre-determined conditions to look for and report on.
The software can provide a unified view across the data and enable the organization to spot abnormalities in behavior, giving managers insights and tools they previously did not have. When abnormal activity occurs, the Splunk system automatically alerts administrators. This keeps agencies’ confidential data more secure and mitigates the impact of insider threats through early detection.
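The passage above describes the approach at a high level: learn each user's normal pattern from historical machine data, then flag days that fall outside it. As an added illustration (this is not Splunk code or anything from the report), the following script builds a per-user baseline from constructed access-log lines and scores a new day against it. The log format, the field names, the three features (distinct objects per day, known source IPs, known hours of activity), the business-hours window and the 3-sigma threshold are all assumptions chosen for this example.

```python
"""Per-user behavioural baseline and outlier scoring over constructed log lines.

Added example, not Splunk code. The log format, features and thresholds are
assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> user=<id> src=<ip> obj=<resource>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) obj=(\S+)$")
BUSINESS_HOURS = range(8, 19)  # assumed 08:00-18:59
Z_THRESHOLD = 3.0              # assumed: flag volume > 3 sigma above the user's own mean
MIN_SPREAD = 1.0               # assumed floor so a very steady user is not flagged for +1 file

# Constructed historical events (the baseline window).
BASELINE_LOGS = """\
2024-03-04T09:12:00 user=alice src=10.1.1.20 obj=/hr/handbook.pdf
2024-03-04T14:40:00 user=alice src=10.1.1.20 obj=/hr/onboarding.docx
2024-03-05T10:05:00 user=alice src=10.1.1.20 obj=/hr/handbook.pdf
2024-03-05T11:30:00 user=alice src=10.1.1.20 obj=/hr/leave-policy.pdf
2024-03-05T16:02:00 user=alice src=10.1.1.20 obj=/hr/onboarding.docx
2024-03-06T09:50:00 user=alice src=10.1.1.20 obj=/hr/handbook.pdf
2024-03-06T15:15:00 user=alice src=10.1.1.20 obj=/hr/benefits.xlsx
2024-03-07T10:20:00 user=alice src=10.1.1.20 obj=/hr/handbook.pdf
2024-03-07T13:45:00 user=alice src=10.1.1.20 obj=/hr/leave-policy.pdf
2024-03-07T17:10:00 user=alice src=10.1.1.20 obj=/hr/benefits.xlsx
2024-03-04T08:55:00 user=bob src=10.1.1.31 obj=/eng/build.log
2024-03-04T09:10:00 user=bob src=10.1.1.31 obj=/eng/src/main.c
2024-03-04T09:40:00 user=bob src=10.1.1.31 obj=/eng/src/util.c
2024-03-04T15:25:00 user=bob src=10.1.1.31 obj=/eng/README.md
2024-03-05T09:05:00 user=bob src=10.1.1.31 obj=/eng/src/main.c
2024-03-05T10:15:00 user=bob src=10.1.1.31 obj=/eng/src/net.c
2024-03-05T11:00:00 user=bob src=10.1.1.31 obj=/eng/build.log
2024-03-05T16:30:00 user=bob src=10.1.1.31 obj=/eng/src/util.c
2024-03-05T17:45:00 user=bob src=10.1.1.31 obj=/eng/README.md
2024-03-06T09:00:00 user=bob src=10.1.1.31 obj=/eng/src/main.c
2024-03-06T09:30:00 user=bob src=10.1.1.31 obj=/eng/src/net.c
2024-03-06T13:10:00 user=bob src=10.1.1.31 obj=/eng/build.log
2024-03-06T14:20:00 user=bob src=10.1.1.31 obj=/eng/src/util.c
"""

# Constructed new day to score: alice pulls many HR and finance files at 02:00 from an unseen IP.
NEW_LOGS = """\
2024-03-11T02:05:00 user=alice src=192.0.2.77 obj=/hr/payroll-2024.xlsx
2024-03-11T02:06:00 user=alice src=192.0.2.77 obj=/hr/salaries.csv
2024-03-11T02:07:00 user=alice src=192.0.2.77 obj=/hr/handbook.pdf
2024-03-11T02:09:00 user=alice src=192.0.2.77 obj=/finance/budget.xlsx
2024-03-11T02:11:00 user=alice src=192.0.2.77 obj=/finance/vendors.csv
2024-03-11T02:12:00 user=alice src=192.0.2.77 obj=/hr/benefits.xlsx
2024-03-11T02:14:00 user=alice src=192.0.2.77 obj=/hr/terminations.docx
2024-03-11T09:05:00 user=bob src=10.1.1.31 obj=/eng/src/main.c
2024-03-11T10:30:00 user=bob src=10.1.1.31 obj=/eng/src/net.c
2024-03-11T13:00:00 user=bob src=10.1.1.31 obj=/eng/build.log
2024-03-11T15:40:00 user=bob src=10.1.1.31 obj=/eng/src/util.c
"""


def parse(log_text):
    """Yield (datetime, user, src_ip, obj); lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, obj = m.groups()
            yield datetime.fromisoformat(ts), user, src, obj


def daily_features(events):
    """Aggregate events into per-(user, date) sets of objects, source IPs and active hours."""
    feats = defaultdict(lambda: {"objs": set(), "ips": set(), "hours": set()})
    for ts, user, src, obj in events:
        f = feats[(user, ts.date())]
        f["objs"].add(obj); f["ips"].add(src); f["hours"].add(ts.hour)
    return feats


def build_baseline(log_text):
    """Per-user profile: distinct-objects-per-day distribution, known IPs and known hours."""
    per_user = defaultdict(lambda: {"counts": [], "ips": set(), "hours": set()})
    for (user, _day), f in daily_features(parse(log_text)).items():
        p = per_user[user]
        p["counts"].append(len(f["objs"])); p["ips"] |= f["ips"]; p["hours"] |= f["hours"]
    return {u: {"mean": mean(p["counts"]), "spread": max(pstdev(p["counts"]), MIN_SPREAD),
                "ips": p["ips"], "hours": p["hours"]} for u, p in per_user.items()}


def score(profiles, log_text):
    """Compare each (user, day) in the new window with that user's own history; return findings."""
    findings = defaultdict(list)
    for (user, day), f in daily_features(parse(log_text)).items():
        p = profiles.get(user)
        if p is None:  # unknown user: nothing to compare against, surface it rather than ignore it
            findings[user].append(f"{day}: no baseline for this user")
            continue
        z = (len(f["objs"]) - p["mean"]) / p["spread"]
        if z > Z_THRESHOLD:
            findings[user].append(f"{day}: {len(f['objs'])} distinct objects, z={z:.1f}")
        for ip in sorted(f["ips"] - p["ips"]):
            findings[user].append(f"{day}: new source ip {ip}")
        off = sorted(h for h in f["hours"] if h not in BUSINESS_HOURS and h not in p["hours"])
        if off:
            findings[user].append(f"{day}: off-hours activity at hours {off}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in score(build_baseline(BASELINE_LOGS), NEW_LOGS).items():
        print(user, *notes, sep="\n  ")
```

Because the comparison is against each user's own history rather than a global rule, seven file reads is an outlier for alice but would be ordinary for bob; that per-entity baseline is the point the excerpt makes. The `MIN_SPREAD` floor is worth keeping in any real implementation: a user whose daily count never varies has a standard deviation of zero, and without a floor a single extra file would produce an infinite z-score.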
“You can only address insider threats through big data, because otherwise you would have a traditional database management system that stores very specific data, and then determine the data needed, identify what is abnormal activity, and have specific rules or signatures or program language to look for certain events. With Splunk you avoid that process, because you look across all sources. Agencies are also looking across historical trends and norms in real time, so you will know right away that something doesn’t look quite right.”
To find out more about operational intelligence and how it can help prevent insider threats, read our full report here.