cybersecurity predittiva

Estimated reading time: 4 minutes

Today, facing an attack in a corporate SOC is very similar to being under attack without knowing which direction the blow is coming from. The threat intelligence can keep you informed of security issues. However, in many cases, this information is only provided when you are already under attack, and is rarely very useful except in retrospect. It would take a different approach to data analysis, and that’s exactly what we propose with predictive cybersecurity .

In cybersecurity, threat intelligence is still relied upon as a fundamental defensive tool. Unfortunately, threat intelligence only covers a subset of threats that have already been found, while attackers constantly innovate . This means that new malware executables, phishing domains and attack strategies are created all the time.

Threat intelligence has a strong value for reactive incident response. It helps when pivoting through an investigation, identifying intent or other useful data, and providing additional investigative assistance. But it has limited value for detection, as threat actors avoid reusing their attack infrastructure from one target to another.

If the clues you see are different from those known from previous attacks, what can you do to move forward with effective detection? A legitimate question, for which predictive cybersecurity perhaps has an answer.

… what if you could know what is going to hit?

SOCaaS: predictive cybersecurity

Eyes on opponents rather than past attacks

The SOCaaS solution offered by SOD brings predictive cybersecurity capabilities to cybersecurity. The solution maps adversaries , instead of threats, and analyzes their actions to predict the behavior and the tools used in their attacks.

The analytical engine translates behavioral patterns into profiles of adversary attack infrastructures , which indicate as ( trojan, phishing or other forms of attack ) and where ( branches, customers, partners, peers, industry and geographies ) < strong> attackers are planning to target your company .

This provides a preemptive attack map, which identifies opponents based on their attack phase and current position within the extended business landscape . But not only that, in fact, information about the opponent, typical attack patterns and possible countermeasures that can be taken in advance are also identified. This way you can cancel the threat before it materializes .

cybersecurity predittiva

Predictive cybersecurity: understand what’s going to happen first

Our SOCaaS provides predictive detection capabilities against internal and external threats with the combination of user, entity and adversary behavior analysis. Our Next-Gen SIEM uses an analytics-driven approach to threat detection. SOC provides visibility in the crucial early stages of an attack. That is when cyber actors are targeting, planning and preparing the infrastructure for an attack.

With this level of predictive visibility, the team can prevent attacks and systematically contain those in progress. Predictive cybersecurity allows defenders to tune their systems against the attack infrastructure. In fact, it is possible to build blacklists that include the IP addresses and the host names of the instances used for the attack . Other measures include fortifying corporate systems against the specific malware that is used to target them, rendering the attack powerless when it occurs.

Opponent Behavior Analysis extends the capabilities of Next-Gen SIEM by continuously providing updated analysis of opponent information and behavior . This encompasses the entire attack infrastructure for dynamic and proactive threat protection.

SOCaaS automatically translates the pre-attack behavior of opponents into actions or countermeasures that can be taken against phishing, compromise of corporate email, ransomware, fraud and many other common threats.

Common use-cases


Correlate breaches from the same adversary / campaign into a cohesive threat, even if different pieces of attack infrastructure are used for each event.

Prevention and preventive defense

Preemptively blocking an opponent’s entire attack infrastructure, such as newly created phishing domains, for preemptive defense.

Strengthen vulnerable resources

Focus and secure the most vulnerable parts of your infrastructure based on information that identifies which areas are possible targets.

predictive cybersecurity

The information provided by SOCaaS is used to add more context to existing threats, as well as provide information on attacks that have not yet been implemented or are in the early stages, such as reconnaissance. This allows for direct action against evolving threats and a more robust defense.


Relying on luck to catch threats is madness, as the recent SolarWinds attack . Make your fortune with SOD’s SOCaaS solution, making sure you see threats before they happen and are “lucky” enough to counter them.

XDR laptop

Estimated reading time: 5 minutes

Just like any other IT field, the cybersecurity market is driven by hype . Currently hype towards XDR, ie eXtended Detection and Response .

XDR is the latest in threat detection and response, a key element of a company’s infrastructure and data defense .

What exactly is XDR?

XDR is an alternative to traditional responsive approaches that only provide layer visibility on attacks . I refer to procedures such as detection and endpoint response (EDR), network traffic analysis (NTA) and SIEM , which we have talked about in many other articles.

The layer visibility implies that various services are adopted, stratified (layers), which each keep under control a specific entity in the infrastructure. This can be problematic. In fact, you need to make sure that layers don’t end up isolated, making it difficult, or nearly impossible to manage and view data. layer visibility provides important information, but can also lead to problems, including :

Collecting too many incomplete and contextless alerts. EDR detects only 26% of initial attack vectors and due to the high volume of security alerts, 54% of professionals security ignores warnings that should be investigated .
Complex and time-consuming investigations requiring specialist expertise . With EDR, the median time to identify a breach has increased to 197 days, and the median time to contain a breach has increased to 69 days.
Tools focused on technology rather than user or business . EDR focuses on technology gaps rather than the operational needs of users and companies. With more than 40 tools used in an average Security Operations Center (SOC), 23% of security teams spend their time maintaining and managing security tools rather than investigating . ( Source )

XDR data collection

For already overloaded security teams, the result can be an endless stream of events , too many tools and information to switch between, longer time frames for detection and security expenses that are beyond budget and are not even fully effective .

What’s new in eXtended Detection Response

XDR implements a proactive approach to threat detection and response . It offers visibility into data across networks, clouds and endpoints, while applying analytics and automation to address today’s increasingly sophisticated threats. The benefits of the XDR approach for security teams are manifold:

Identify hidden, stealth and sophisticated threats proactively and quickly.
Track threats across any source or location within your organization. < br> Increase the productivity of people working with technology.
Get more from their security investments .
Conclude investigations in a way more efficient .

From a business perspective, XDR enables companies to detect cyber threats and stop attacks, as well as simplify and strengthen security processes. As a result, it enables companies to better serve users and accelerate digital transformation initiatives. When users, data and applications are protected, companies can focus on strategic priorities.

Why consider it for your company

The two main reasons why this approach is beneficial are: endpoints do not have visibility into threats in places like cloud services , and it may not be possible to put a < em> software agent on all company endpoints .

But there are other reasons to consider too. The addition of other data sources can provide more context in the EDR results, improving triage and investigation of alerts . Providers are moving not only to provide more and better organized data, but also by delivering analytics platforms to lighten the analytical load on operators. This translates into ease of use and reduced operating costs.

XDR can seem very attractive as a product: Tight integration of parts, highly tuned content (as the provider has total control over the events from the data sources), use of analytics and response automation.

Virtual data XDR

What to pay attention to before adoption

Some providers are positioning their XDR as the ultimate threat detection solution . However, many vendors are unable to offer all the tools needed to get the advantage sold. Some providers offer endpoint and cloud monitoring in the package, others endpoint and network monitoring, but when looking at the comprehensive needs of most organizations, there are often missing details in the overall picture.

And if, once the company engages with a provider and notices a lack in one of the monitored sectors, what are the possible solutions? A situation of vendor lock-in from which to break free means to sever a contract and then open another one, with all the consequent costs.

XDR as an approach, not as a product

Before entering into a contract with a provider that sells a solution as final, it is always good to weigh the benefits and implications analytically.

Tight, two-way integration of multiple threat detection and response capabilities is the first distinguishing feature. But it is not necessary to buy two technology components from the same vendor to achieve good integration. Indeed, many products have the ability to integrate with some solutions from other vendors as one of their main strengths.

The XDR approach must provide a platform that allows the necessary data collection and storage , but also strong analytical skills, to orchestrate and automate response actions provided by the other parts of the solution. A cloud based Next Generation SIEM is a perfect solution.

How to move then?

The interest in XDR products is a clear signal that excessive fragmentation was leading to excessive complexity. A little consolidation is good, but it must be done while protecting flexibility and the ability to follow the best solutions.

In our opinion, a SOCaaS is an optimal solution. Provides next generation SIEM , with strong analytical capabilities. In addition, it also integrates artificial intelligence that helps in time to recognize threats through behavior analysis. A SOCaaS is the future of security operating platforms.

To find out with our services they can help you protect the data of your company and your customers, contact us, we will gladly answer all your questions.

Threat Intelligence Virtual

Estimated reading time: 5 minutes

threat intelligence data provides companies with relevant and timely insights they need to understand, predict, detect and respond to cybersecurity threats . Threat intelligence solutions collect, filter and analyze large volumes of raw data related to existing or emerging sources of threats. The result is threat intelligence feeds and management reports. Data scientists and security teams use these feeds and reports to develop a targeted incident response program for specific attacks .

Everyone from fraud prevention to security operations to risk analysis benefits from threat intelligence . Threat intelligence software provides interactive, real-time views of threat and vulnerability data.

The advantage offered to security analysts and experts is obvious and serves to easily and quickly identify threat actor patterns . Understanding the source and target of attacks helps business leaders put in place effective defenses to mitigate risks and protect themselves from activities that could negatively impact the business.

cyber threat intelligence can be classified as strategic, tactical or operational. Strategic concerns the capabilities and general intent of cyber attacks . Consequently also the development of informed strategies associated with the fight against long-term threats. That Tactic is about the techniques and procedures that attackers might use in day-to-day operations. Finally, threat intelligence Operational provides highly technical forensic information regarding a specific attack campaign.

Threat Intelligence Virtual

The threat intelligence cycle

Threat Intelligence Solutions collect raw data on actors and threats from various sources. This data is then analyzed and filtered to produce feed and management reports that contain information that can be used in automated security control solutions . The main purpose of this type of security is to keep organizations informed about the risks of advanced persistent threats, zero- day and exploits, and how to protect yourself from them.

The Cyber Threat Intelligence Cycle consists of the following stages.

Planning: The data requirements must first be defined.

Collection: Collect large amounts of raw data from internal and external threat intelligence sources.

Processing: Raw data is filtered, categorized and organized.

Analytics: This process transforms raw data into streams of threat intelligence using structured analytics techniques in real time and helps analysts identify Indicators of Compromise (IOC). < / p>

Dissemination: Analysis results are immediately shared with cybersecurity professionals and threat intelligence analysts.

Feedback: If all questions are answered, the cycle is over. If there are new requirements, the cycle starts over from the planning phase.

Common indicators of impairment

Enterprises are under increasing pressure to manage security vulnerabilities, and the threat landscape is ever-changing. threat intelligence feeds can help with this process identifying common indicators of compromise (IOC) . Not only that, they can also recommend the necessary steps to prevent attacks and infections. Some of the more common indicators of compromise include:

IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.

Email addresses, email subject, links and attachments: An example would be a phishing attempt which relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.

Registry keys, file names and hashes of files and DLLs: An example would be an attack from an external host that has already been reported for nefarious behavior or is already infected.

threat intelligence hacker

Which tools for threat intelligence

The growing increase in malware and cyber threats has led to an abundance of threat intelligence tools that provide valuable information to protect businesses.

These tools come in the form of both open source and proprietary platforms. These provide a variety of cyber threat defense capabilities, such as automated risk analysis , private data collection , threat intelligence quick search tools, reporting and sharing this information among multiple users, curated alerts, vulnerability risk analysis, dark web monitoring, automated risk mitigation, threat hunting and much more.

We talked about one of these tools in a other article : the Miter Att & amp; ck . This is a very useful tool for learning about hacker attack techniques and behaviors. This is thanks to the information gathered by threat intelligence and the consequent sharing. A framework like this is very efficient for creating defensive mechanisms that make it possible to secure corporate infrastructures.

Artificial intelligence and threat intelligence

As we saw earlier, gathering information from various sources is just one of the steps. These must then be analyzed and subsequently processed into control protocols, to be really useful for security.

For this type of work of analysis, definition of baseline behaviors and data control, we are increasingly relying on artificial intelligence and deep learning. A Next Generation SIEM , flanked by a UEBA solution are perfect for this type of protection.

The control of the behavior of entities within the perimeter carried out by the UEBA is able to identify any suspicious behavior, based on the information collected and analyzed by the SIEM.


The defenses we have named are the primary value of a corporate security plan. Adopting specific solutions, implementing threat intelligence and therefore an active search for threat indicators, offers a strategic advantage. The company can take a step ahead of criminals, who can only leverage the surprise effect against their victims. Precisely for this general situation, every company should be in a position not to be caught by the off guard. Implementing proactive solutions is now necessary.

The threat intelligence is therefore a defense weapon behind which to protect the most important resources in order to work in peace.

If you want to know how we can help you with our security services, do not hesitate to contact us, we will be happy to answer any questions.

Useful links:

Cyber Threat Intelligence (CTI) – greater effectiveness for IT security

SOAR: coordination for cyber security

shoulder surfing cafeteria

Estimated reading time: 8 minutes

The term shoulder surfing might conjure up images of a little surfer on his shirt collar, but the reality is much more mundane. shoulder surfing is a criminal practice in which thieves steal your personal data by spying on you while using a laptop, ATM, public terminal or other electronic device among other people . This social engineering technique is a security risk that can cause disaster, especially if the stolen credentials are corporate.

The practice long predates smartphones and laptops and dates back to when criminals spied on pay phone users as they entered their calling card numbers to make calls . Many years have passed, but the technique has not been lost. Thieves have evolved to observe their victims typing their ATM PINs, paying at self-service petrol pumps, or even making a purchase in a store.

A similar technique for ATM theft involves a card cloning device superimposed on the card insertion hole and a micro camera to spy on the code. The micro camera performs an act of shoulder surfing . Card cloning is essential because without a physical device the pin is useless, but in the case of account credentials on the network, all you need is user and password.

Shoulder surfing ATM

When does Shoulder Surfing take place?

shoulder surfing can happen whenever you share personal information in a public place. This includes not only ATMs, coffee shops and POS devices in general, but virtually any place where you use a laptop, tablet or smartphone to enter personal data.

Long-time shoulder surfers did not usually loom behind their victims to scrutinize information. Instead, they stood at a safe distance and interpreted finger movements as people typed numbers on the keyboard . Similarly, today’s social engineers often escape attention as they quietly observe others in public places such as airport lounges and shopping malls, bars and restaurants, on trains or subways, or wherever there are people, to tell the truth.

Indeed, today’s most sophisticated criminals are watching from further away, hidden from view. They could use binoculars, micro cameras, or the camera of their phone or tablet to scan your screen or keyboard. Not only that, they may eavesdrop as you read credit card numbers on the phone or provide other sensitive information. Criminals could also take pictures, make a video or audio record of the information and then interpret it later.

Whatever the methodology, it is clear that technology has not only helped us to be more connected and be able to afford to pay for a frappuccino with our mobile phone, but it has also exposed us to security risks. When it comes to sensitive data, especially if there is a corporate account involved that could access other people’s sensitive data, you should never let your guard down , consequences could be very serious .

As shoulder surfing commonly happens

Before suggesting some methods to prevent shoulder surfing to be put into practice immediately, let’s take a closer look at how credential theft could happen with this technique.

At the bar or in the cafeteria

You’re in a busy restaurant bar waiting for a friend. To pass the time, you connect to Instagram. Unfortunately, you don’t notice that the person stuck in line next to you is looking at your password, which happens to be the same one you use for your email and bank account.

At the ATM

You’re taking cash at an ATM. You feel safe because the man after you in line is at least 10 feet away and is even looking at his phone. In fact, he is recording your finger movements on his phone and will later decrypt them to get your PIN number.

To the airport

Your flight is delayed, so grab your laptop and kill your time by reading a couple of work emails to keep up to date. Log in to the company website to read your mail and enter your username and password. You are so calm that you don’t see the woman a few places away as she stares at the screen while you enter data.

shoulder surfing cafeteria

What are the consequences of shoulder surfing?

Using your credit card information to make fraudulent purchases is just one example of the damage you could suffer if you fall victim to shoulder surfing . The more personal information a criminal captures about you, the more serious the consequences can be for your bank account and financial health.

A serious case of shoulder surfing can expose you to identity theft . A criminal could use your personal information, such as your social security number, to open new bank accounts, apply for loans, rent apartments, or apply for a job under your name. An identity thief could get their hands on your tax refund, use your name to get medical treatment, or even apply for government benefits in your name. They could also commit a crime and provide your personal information when questioned by the police, leaving you with a dirty record or arrest warrant.

Of course, if you suspect this has happened, you’ll need to go to the police immediately, block your checking accounts and notify the bank. If fraudulent actions have already been carried out in your name, you may need to prove that you are not involved.

Things get dangerous if the stolen data is from a corporate account. In fact, with the use of valid credentials, anyone could enter the company’s system and perform all kinds of actions, such as collecting additional data, placing malware, running a ransomware , steal customer data and then sell it online.

How to defend yourself from shoulder surfing

Two levels of protection can be identified, the first is proactive and is aimed at preventing credentials from being exposed to malicious people, the second is active and provides software to detect attempts to use stolen credentials.

Shoulder surfing

Defend yourself proactively

If you really can’t avoid entering sensitive data on your laptop, tablet or smartphone in a public place, you should follow the countermeasures listed below.

Tip 1: Before entering any sensitive data, find a safe place . Make sure you sit with your back to the wall. This is the best way to protect yourself from prying eyes. Avoid public transport, the central armchairs of a waiting room and places where there is a lot of people coming and going.

Tip 2: Use a privacy filter. This hardware device is a simple polarized translucent sheet that is placed over the screen. It will make your screen look black to anyone looking at it from any unnatural angle . This will make it much more difficult for unauthorized people to see your information.

Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication components that are independent of each other. Since this type of authentication only passes when both factors are used correctly in combination, the security measure is particularly effective. For example, this method is often used a lot in online banking. There are many services that allow you to use your mobile phone as a second authentication factor . This is done through special apps.

Tip 4: Another solution is to use a password manager . By doing so, you no longer have to enter each password individually on your computer. The password manager will do this for you after you enter your master password . This prevents unauthorized people from using your keyboard to determine the real password, provided that you properly protect your master password .

Actively defend yourself with a SOC and behavior analysis

Now let’s imagine that the corporate account credentials have been stolen. At this point only a behavior control system can trigger an alarm and therefore block the user before there is any damage.

In fact, using correct credentials, a normal traditional SIEM would not trigger any alarms. For an older generation SIEM, access would be legitimate, because the credentials are correct. The attacker would have free undisturbed access to the system and could continue with his attack plan.

With SOD’s SOCaaS service, however, abnormal access would trigger an alarm. The SOC provided is equipped with a Next Generation SIEM and a system UEBA control behavior . This means that any deviation from the user’s usual behavior would be reported.

In the case of credential theft, as happens with shoulder surfing, the access made by the attacker would therefore trigger an alarm because something is wrong . For example, the login could take place at anomalous times, in another country / IP, from a different operating system, etc.


shoulder surfing is a social engineering technique that focuses on user carelessness while entering sensitive data into a system. In the event that a user’s corporate credentials are stolen, the only really efficient thing is to have a system that analyzes user behavior and reports whenever suspicious actions are detected.

If you want to know in detail how a SOC and UEBA system can help your company defend against social engineering attacks, do not hesitate to contact us, we will be happy to answer any questions.

Monitoring SIEM Analisi dati

Estimated reading time: 6 minutes

As the cybersecurity threat landscape becomes increasingly sophisticated, service providers, such as SOD, need to take additional precautions to protect their customers’ networks. An information management system and monitoring SIEM is an excellent choice in this respect.

This system, in fact, helps mitigate cybersecurity threats from two different angles, all from a single interface . The SIEM monitoring system collects information from multiple sources: network data, threat information feeds, compliance regulations, firewalls, etc. Next, uses that data to power features designed to help IT administrators respond to threat events in real time.

SIEM monitoring Data collection

Advantages of SIEM monitoring

In contrast to individual security control systems such as asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from various systems – even very and offering unprecedented visibility into events occurring in the system.

SIEM is not a threat detection system in and of itself, but enhances the security tools already in use by providing real-time insights to work from . In particular, SOD uses a Next Gen SIEM in a SOAR ( Security Orchestration, Automation and Response ) which also includes advanced behavioral analysis tools ( UEBA ).

If you put high-quality log files into a SIEM tool, you receive high-quality insights into network security . This information can help improve network security protocols.

Unfortunately, many administrators treat SIEM implementation as a solution to be set up and then forgotten. To experience the full benefits of managing information and security events , you need to implement a set of best practices to optimize your solution, starting with security logging.

The logs of a SIEM

How does security monitoring fit into SIEM implementation best practices ? If you look at the SIEM in its main components, it is a log management system .

All the information that a SIEM tool collects is in the form of logs, or records of events occurring within an organization’s IT infrastructure and network.

Examples of logs collected by SIEM include, but are not limited to: Firewalls, routers, wireless access points, vulnerability reports, partner information, antivirus and antimalware.

However, as SIEM tools have a very broad reach and constantly collect log data from all parts of the system, can be a bit complicated and impractical to implement . SIEM best practices help avoid pain points along the line of operation. This way you use SIEM as effectively as possible right from the start.

SIEM monitoring Data analysis

Best practice

1. Start calmly

The most common mistake made in implementing SIEM monitoring is trying to do too much too soon . Before you even start looking for a SIEM solution, in fact, it is best to define the scope of your SIEM implementation and think about what you want SIEM to do for your network and infrastructure.

We start by isolating the objectives , taking stock of existing security protocols and brainstorming how these protocols fit into the future SIEM implementation. You can also segment anything you want to monitor into groups and define how you want to monitor them. This helps ensure that you have a clear plan for logging.

Once an initial planning has taken place, the SIEM system does not yet have to be implemented across the entire IT infrastructure. It is better to proceed piecemeal.

You should then test the SIEM monitoring solution on a small section of the system to see how it works. Only then are key security vulnerabilities identified that should be addressed immediately and proceed with implementation in subsequent segments.

Setting up SIEM monitoring step by step, rather than running everything right away, will help ensure that logging works in harmony with the rest of the IT section .

2. Think about the requirements

SIEM monitoring can help the company demonstrate compliance with security regulations and audits, but only by knowing what these standards are in advance . Before committing to a SIEM system, you create a list of HIPAA, GDPR, HITECH and any other IT regulations that you need to comply with. The list is then used to compare the required regulations with the solutions that are put into practice.

Not only does this narrow down the list of standards, it will force you to consider how much log data you actually need. Keeping the correct amount to be compliant, also aligns with best practices of SIEM logging and monitoring .

Obviously, the solutions and protocols to follow are not the same for everyone and need to be adapted according to the position of the individual company. For this particular aspect, SOD can help your company both in gathering the information necessary to identify which standards to follow, and in the standards verification once implemented.

3. Fix the correlations

SIEM correlation streamlines its implementation, allowing you to configure the system according to the specific needs of their customers. SIEM works by collecting data from multiple sources and then filtering, analyzing and correlating it to determine if it deserves to be reported as a security alert.

For this it is essential to correlate the rules and set alarm thresholds based on the type of data and their origin . It is important to remember, in fact, that SIEM is designed to find connections between events that would not otherwise be related to each other.

Setting up a SIEM monitoring system is a delicate but fundamental operation to improve the security system for a particular company.

4. Collect data efficiently

Through a SIEM monitoring system it is possible to collect such an amount of data that it could become complicated to manage. It becomes important to choose in a balanced way which data to use in order to optimize the right amount without losing the advantage of having the entire system under control .

Among the data that it is better not to leave out are: Successful permissions and failed attempts, changes to user privileges, application errors and performance problems, opt-in and in general all the actions made by users with administrative privileges.

The following are excluded: information whose collection is illegal, banking information or credit card data, encryption keys, passwords and personal data .

5. Have a plan in case of a detected threat

Choosing the right SIEM solution and employing logging best practices is only part of the job. You need to have an action plan in case of cyber threat .

For the company that relies on a MSSP as SOD, this means making sure that monitoring is only the first part of the service provided. Ideally, SIEM monitoring is the first piece of a well-designed SOAR that puts in place professional operators, alert notifications and a recovery plan in accordance with the type of data put at risk .

In this respect, the SOC as a Service we offer covers most of the eventualities.

SIEM monitoring Data analysis


Monitoring is a fundamental part of the corporate security system and a SIEM is one of the ways to put it into practice. However, we must not stop at the collection of information, we must know how to treat, enrich and analyze it.

SOD offers comprehensive services that implement SIEM monitoring systems. The implementation obviously implies a “calibration” of the systems and of the correlations between the data in order to always offer the most suitable solution.

If you would like more information about our products, do not hesitate to contact us, we will be happy to answer your questions.

Useful links:

ICT Monitoring Service

Next Generation SIEM: where are we?

Insider Threat, le minacce dall'interno

Insider threats are difficult to spot because they come from within your organization. Employees, contractors and partners require different levels of login credentials in order to perform their work. Attackers can trick these insiders into accessing them or offering them money to knowingly steal valuable information from the company.

Traditional security solutions focus on protecting the organization from external attackers. This strategy overlooks the damage that an internal resource could do to the organization, whether aware or not. With a Nextgen SIEM solution you have the ability to detect and respond to both external and internal threats, with the help of the UEBA in identifying suspicious behavior.

Insider threat - working in team

Insider threat, the reasons

Employees or contractors identified as at risk are linked to 60% of cases of insider threats, increasing the likelihood that such incidents result in the theft of sensitive company data. Insider threats can be divided into two groups: the distracted and the hostile.

The mechanics of an attack change significantly based on the motivations behind it. It is therefore better to fully understand which characteristics are typical of the motivations behind attacks, in order to be able to stop potential threats before they become violations.

Economic gain

It is clear to each employee how much the data that the company holds can be worth. Here, in the event of a crisis, allowing data to be leaked in exchange for money may seem like a reduced risk. This type of motive must be considered above all when, in times like the present one, an external event (the COVID-19 pandemic) still puts the workplace at risk. With the risk of an imminent layoff, the sale of data that you have access to as an employee is a more than attractive escape route.


Non-compliance with security rules is a very real risk and the most common cause of internal threats. Indolence in compliance with the rules costs organizations an average of $ 4.58mln per year. Threats come, specifically, from some security practices that are not respected, such as failure to log out from the system, writing one’s passwords on paper or reusing them. In this category there are also violations in the use of unauthorized software or a failure to protect company data.

The reasons behind these harmful behaviors are often, unfortunately, particularly simple: security is bypassed by an allegedly greater speed, productivity or, worse, laziness.


One type of negligent employee is the distracted one, which is worth treating in isolation because it is more complicated to identify. While the serial behavior of violating the rules is easily identifiable, the distracted, who normally diligently complies with the regulations, is not identified before the only, unfortunate, time when his carelessness does not cost the company an attack that went to successful.

Damage to the company

Among the most subtle insider threats are those of those who have the sole purpose of damaging the company. The motive, in these cases, is usually of a personal nature: an employee who is refused a raise, a disagreement with a superior, etc. The insider then moves to discredit his company, causing damage to its image that results in frightened investors who withdraw their capital or lose customers.

Sabotage and sale of information to third parties

For companies that handle sensitive data, this type of threat is a real risk. Whether the company deals with valuable intellectual property or sensitive data of its customers, there is a high probability that there are those who are interested in having access to that data to use it to their advantage. In this scenario, the actor who wants to get hold of the data recruits an insider to steal it.

Cases that fall under the definition of espionage or media sabotage have been on the rise in recent years. Attacks start from nations such as Russia or North Korea, often involved in this type of trafficking in order to gain political advantages against Western states and organizations.

Defense against insider threats

The defense against attacks that originate from the inside is based on the analysis of the suspicious behavior of those who have access to the systems. The difficulty is found in the non-violent nature of the attacks. It is easy for insiders to not need to breach any security checks, having access from the start.

So how can we immediately catch the threats?

Monitor user access

Insiders with legitimate access choose to abuse their access privileges. Excessive access rights are often granted to reduce the effort that privilege management requires. Avoiding this type of behavior is already a first step in a proactive direction of defense.

Furthermore, with a Nextgen SIEM system it is possible to monitor users with high privilege access to databases, servers and critical applications. At that point it is easier to identify those who abuse their access.

Detect suspicious user behavior

The most sophisticated attacks are based on stealth. To this end, attackers increasingly rely on the compromise of existing internal resources. Once inside the network, they perform lateral movement and steal data under the guise of an internal user.

A system such as that offered by SOD’s SOCaaS allows, among other things, to quickly identify suspicious accounts by detecting abnormal user behavior compared to normal base patterns and the activity of colleagues.

The advantages of a modern system

Shorter response time

Using behavioral analysis it is possible to identify abnormal actions so that we can investigate very quickly.

Advanced behavioral analysis: with the UEBA system (included in SOCaaS), security analysts are able to monitor access and activity of users to the most important resources of the company, allowing to find internal threats with the minimal noise for fast detection and response.

Rapid recognition of users at risk

To enable rapid detection of insider threats, security teams need the ability to link a user’s accounts together to create a universal user profile. This is possible with a Nextgen SIEM system. The analysis of user behavior is also compared to that of a group of peers, to identify anomalous behaviors with greater precision, understanding how a user’s activity is different from that of his colleagues.

The threats that start from within the company perimeter are perhaps the most risky due to their low noise nature. Fortunately, with systems increasingly capable of detecting suspicious behavior and aggregating large amounts of employee data, it is possible to take effective countermeasures to combat this type of attack.

Useful links: