To be honest, while external hackers can compromise your servers, an insider can cause even more damage, even quicker. That is the reason they are so scary. When I was first working with hosted servers and systems, I worried first about external hackers. Then I realized that any one of the staff members inside could cause damage as well, potentially worse than any external hacker. Have you felt that frustration?
The obvious reason the threat is so dangerous: an external hacker still has to break in, but an insider already has the access needed to:
- Delete files
- Change settings
- Steal data
- Cause the system to break
They may not have meant to do any of those things. I still have clear memories of a junior admin deleting a production database. I can still feel the rubber band of panic having been pulled tight.
Which is also why hosting companies are so diligent about their insider threats!
Tracking Behavior: Watching for “Strange Activity”
Think of it as checking whether a person is acting differently than usual. Here are a couple of examples of “strange” behaviors:
- Logging in late at night
- Downloading terabytes of data at a clip
- Accessing servers that the person has never accessed before
These behaviors can signal that something is wrong. Monitoring behavior helps providers spot “weird” activity early.
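The three “strange” behaviors above can be checked mechanically against a user's own history. The example below is added here and is not from the original post or any product: it parses a constructed, hypothetical access log (timestamp, user, server, bytes transferred), keeps a per-user set of servers already seen, and flags off-hours logins, bulk transfers over a threshold, and first-time access to a server. The work-hours window and the 1 TB threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, hypothetical format: "timestamp user server bytes_out"
SAMPLE_LOG = """\
2024-05-01T09:12:00 alice web-01 120000
2024-05-01T10:45:00 alice web-01 80000
2024-05-02T03:20:00 alice db-03 1500000000000
2024-05-02T11:00:00 bob web-02 50000
2024-05-03T02:10:00 bob web-02 40000
"""

WORK_HOURS = range(7, 20)            # assumption: 07:00-19:59 is normal working time
BULK_THRESHOLD = 1_000_000_000_000   # assumption: 1 TB in a single event is "bulk"


def parse(log_text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, server, bytes_out = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "server": server, "bytes": int(bytes_out)})
    return events


def find_strange_activity(log_text):
    """Return a list of (user, reason) for events that deviate from that user's history."""
    seen_servers = defaultdict(set)   # user -> servers already accessed
    findings = []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["ts"].hour not in WORK_HOURS:
            findings.append((user, f"off-hours login at {ev['ts'].isoformat()}"))
        if ev["bytes"] >= BULK_THRESHOLD:
            findings.append((user, f"bulk transfer of {ev['bytes']} bytes from {ev['server']}"))
        # Only flag "new server" once the user has some history to compare against
        if seen_servers[user] and ev["server"] not in seen_servers[user]:
            findings.append((user, f"first access to {ev['server']}"))
        seen_servers[user].add(ev["server"])
    return findings


if __name__ == "__main__":
    for user, reason in find_strange_activity(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Run as-is, alice's 03:20 event trips all three rules at once (off-hours, 1.5 TB out, and a database server she has never touched), which is exactly the kind of stacked signal worth paging on; bob's late login alone is a weaker, single-rule hit.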
Controlling Access: Granting Just Enough Access
I always say, don’t give everyone the keys to the kingdom. Why? Because the more access, the more risk.
Hosting providers use tools such as the following:
- RBAC (Role-Based Access Control)
- Just-In-Time access
- MFA (Multi-Factor Authentication)
These controls ensure that people can open only what they really need. Nothing more.
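To show how the three controls fit together, here is an added example (not from the post, and not any vendor's API) of a small policy engine: roles map to permissions (RBAC), a Just-In-Time grant adds a role with an expiry, and sensitive permissions are refused unless the caller has passed MFA. Role names, permission strings and the MFA-required set are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Hypothetical role definitions: role -> set of permissions it carries
ROLES = {
    "developer": {"read:logs", "deploy:staging"},
    "dba": {"read:logs", "db:query"},
    "prod-admin": {"db:admin", "server:shell"},
}

# Hypothetical list of permissions that always require a fresh MFA check
MFA_REQUIRED = {"db:query", "db:admin", "server:shell"}


class AccessPolicy:
    """RBAC with time-boxed (JIT) role grants and an MFA gate on sensitive actions."""

    def __init__(self):
        self.standing = {}   # user -> set of permanent roles
        self.jit = {}        # user -> list of (role, expires_at)

    def assign_role(self, user, role):
        self.standing.setdefault(user, set()).add(role)

    def grant_jit(self, user, role, now, minutes):
        """Grant `role` to `user` only until now + minutes (Just-In-Time access)."""
        self.jit.setdefault(user, []).append((role, now + timedelta(minutes=minutes)))

    def effective_roles(self, user, now):
        roles = set(self.standing.get(user, set()))
        roles.update(role for role, exp in self.jit.get(user, []) if exp > now)
        return roles

    def is_allowed(self, user, permission, now, mfa_verified=False):
        perms = set()
        for role in self.effective_roles(user, now):
            perms |= ROLES.get(role, set())
        if permission not in perms:
            return False
        if permission in MFA_REQUIRED and not mfa_verified:
            return False
        return True


if __name__ == "__main__":
    policy = AccessPolicy()
    t0 = datetime(2024, 5, 1, 9, 0)
    policy.assign_role("alice", "developer")
    policy.grant_jit("alice", "prod-admin", t0, minutes=30)
    print("shell, no MFA:", policy.is_allowed("alice", "server:shell", t0))
    print("shell, MFA:   ", policy.is_allowed("alice", "server:shell", t0, mfa_verified=True))
    print("shell, later: ", policy.is_allowed("alice", "server:shell", t0 + timedelta(hours=1), mfa_verified=True))
```

The point of the expiry check in `effective_roles` is that nobody holds production rights as standing access; once the window closes the same request is denied without anyone having to remember to revoke it.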
Monitoring File Integrity: Keeping Watch for File Changes
File Integrity Monitoring (FIM) can be considered a camera that is watching your files. It gives you an alert if:
- The file was modified
- A setting was modified/changed
- New users were added to the system
Some tools that help a lot include OSSEC, Wazuh, and Tripwire. I used OSSEC in a situation to find a script changing SSH keys without authorization. If I had not had FIM, I still would not have been able to identify the issue.
SIEM Systems: All in One Location
SIEM systems collect logs and alerts from across your servers and show them on a single interface/dashboard.
Some tools that are popular include:
SIEM tools help surface patterns that a human might miss, and show them immediately. This can save quite a bit of time and distress.
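What “all in one location” buys you is correlation across sources. As an added example, not from the post and not any SIEM product's format, the block below normalizes two constructed feeds (simplified sshd login lines and FIM change alerts) into one event stream and raises an alert when a login is followed within ten minutes by a file change by the same user on the same host. The log formats, the regexes and the ten-minute window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in a simplified, hypothetical format (not any real product's)
AUTH_LOG = """\
2024-05-02T03:18:02 web-01 sshd: Accepted publickey for alice from 10.0.0.5
2024-05-02T11:02:10 web-02 sshd: Accepted publickey for bob from 10.0.0.9
"""
FIM_ALERTS = """\
2024-05-02T03:21:40 web-01 fim: modified /home/alice/.ssh/authorized_keys user=alice
2024-05-02T15:00:00 web-02 fim: modified /etc/app.conf user=bob
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")
FIM_RE = re.compile(r"^(\S+) (\S+) fim: modified (\S+) user=(\S+)$")


def normalize(auth_text, fim_text):
    """Parse both feeds into one time-ordered list of events with a common schema."""
    events = []
    for line in auth_text.strip().splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "type": "login", "detail": src})
    for line in fim_text.strip().splitlines():
        m = FIM_RE.match(line)
        if m:
            ts, host, path, user = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "type": "file_change", "detail": path})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10)):
    """Alert when a login is followed within `window` by a file change, same user and host."""
    alerts = []
    logins = [e for e in events if e["type"] == "login"]
    for change in (e for e in events if e["type"] == "file_change"):
        for login in logins:
            gap = change["ts"] - login["ts"]
            if (login["user"] == change["user"] and login["host"] == change["host"]
                    and timedelta(0) <= gap <= window):
                alerts.append({"user": change["user"], "host": change["host"],
                               "login": login["ts"], "change": change["detail"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(AUTH_LOG, FIM_ALERTS)):
        print(alert)
```

Neither feed is alarming on its own (a successful login, a changed file), which is why a per-tool view misses it; joined on user, host and time, alice's 03:18 login followed by an `authorized_keys` edit three minutes later stands out, while bob's change hours after his login does not fire.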