
Sept/Oct 2008


"Hot Emerging Technologies"


 

 

The Power Approach to Security: Using Multi-core Tech to Improve Insider Awareness

By Jonathan Gohstand, Vice President-Marketing, PacketMotion

Any analysis of IT security spending reinforces the fact that most organizations follow a traditional approach to IT security—protecting against outside threats with virtual private networks, firewalls, intrusion detection and prevention, anti-spam services, and anti-malware protection. At the same time, nearly all IT and security managers will admit that this classic approach is outdated and flawed. Even when the enterprise is protected by the most effective perimeter security, the network remains vulnerable to insiders.

Not surprisingly, most organizations seek an effective way to monitor what insiders do on the network. In a 2008 Whitney Marketing survey of security and network management personnel at 1,150 companies, almost all reported that they lack the means to have complete insight into how company insiders are using vital resources available from the corporate network. In fact, 94 percent of respondents wanted greater visibility into the actions of internal users. More specifically, the top network security concerns cited in the survey included employees looking at private or sensitive data; vendors, contractors or offshore employees accessing and changing files; and IT staff or other privileged users improperly accessing information and records.

If IT managers are so concerned about insiders, then why do security budgets focus on protecting against outside threats? The longstanding answer has been that deploying effective internal security is too great an obstacle considering the cost, complexity and inherent risk to key applications—unless a compliance mandate forces the issue.

That argument is becoming obsolete when faced with the relentless advance of Moore’s Law. New multi-core processors coupled with innovations in software and database technology now make it possible to create security appliances that can provide deep, broad coverage for monitoring insider behavior, without crippling network or application performance. These appliances can track user behavior with unprecedented detail and then record that activity and share that information with other security information management applications. They also offer the advantage of being easy to deploy and operate, and they can be used to implement control activities for both regulatory compliance and general business risk management.

Certainly these new deep and broad appliance solutions offer new possibilities for monitoring insider activity. That said, there are several best practices to follow as IT organizations deploy them to gain the greatest business and security value. First, managers should use the appliance systems to help them answer the following questions:

· What insider activities present the greatest risks to the organization?

· Where is the sensitive data and who’s accessing it? Focus on the activities of the users to locate the data.

· Who are the highest-risk users? Contractors? Offshore users? Super-users like network or IT administrators? Departing employees? Disgruntled employees? Eager employees who might fall victim to social engineering ploys?

To maximize the investment in any deep and broad network monitoring system, it is also important to consider what other compliance and event management (SIM/SIEM) systems are already in place and what visibility gaps exist, especially with respect to user-centric analysis. As the deployment progresses, continue to evaluate and adjust alerts and reports in the system to ensure important risks are spotted, while redefining what activities are considered safe. Most importantly, seek to partner with the lines of business to develop policies that reflect true business risk, thereby elevating the role of the IT/security team to one more aligned with business objectives. By following these practices, organizations can gain the advantages of the faster and more actionable reporting that is now possible and available, while making sure these systems deliver the right level of value to suit individual enterprise security and compliance requirements.

—Jonathan Gohstand, Vice President of Marketing, PacketMotion


