Challenge

While insider threats may not be as common as attacks like phishing or malware, depending on the type of access an insider has, they can be extremely damaging. And while a traditional SOAR can automate parts of the incident response process for responding to and containing an insider threat, it typically depends heavily on third-party tools or on manual investigation by security analysts to detect the insider threat in the first place. This leads to slow detection and response times and additional operating overhead for security operations teams.

Solution

LogicHub’s ability to use machine learning to baseline behavior associated with user, host and network activities allows you to create playbooks that automatically hunt for abnormal actions indicating a potential insider threat. For example, a server hosting critical financial data may have a finite number of regular users, so LogicHub will identify any new user and check a baseline to see if other members of their OU have commonly accessed that data. Even if they have valid permissions, additional investigations can be automatically performed to check for activities tied to insider threats or potentially compromised accounts. This includes investigating where they have sent outbound emails, if they have downloaded unusually large amounts of data, or if they have performed additional suspicious activity like creating new admin accounts. When a possible insider threat is detected, the user account in question can be disabled automatically or with one-click authorization, and the appropriate personnel can be notified to take further action.
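The baseline-and-investigate logic described above, written out as an added illustration rather than LogicHub's own playbook code: a per-host baseline of users and OUs is built from constructed sample access records, a new access is compared against it, and the secondary signals the text lists (outbound email, large downloads, new admin accounts) decide whether the account is a containment candidate. The download threshold is an assumed constant.

```python
from collections import defaultdict

# Assumed threshold for "unusually large" download; a real playbook would derive
# this from the per-user baseline rather than a fixed constant.
DOWNLOAD_THRESHOLD_BYTES = 5 * 1024 ** 3

# Constructed sample baseline: (user, organizational unit, host) access records.
BASELINE_EVENTS = [
    ("alice", "finance", "fin-db-01"),
    ("bob", "finance", "fin-db-01"),
    ("alice", "finance", "fin-db-01"),
    ("carol", "engineering", "build-01"),
]

def build_baseline(events):
    """Return two maps built over the baseline window: host -> users seen, host -> OUs seen."""
    users_by_host, ous_by_host = defaultdict(set), defaultdict(set)
    for user, ou, host in events:
        users_by_host[host].add(user)
        ous_by_host[host].add(ou)
    return users_by_host, ous_by_host

def assess_access(user, ou, host, signals, baseline):
    """Classify one access event against the baseline and follow-up signals.

    signals holds the results of the secondary investigations the playbook runs:
    external_email_recipients, bytes_downloaded, admin_accounts_created.
    Returns (verdict, reasons); "contain" means disable pending authorization.
    """
    users_by_host, ous_by_host = baseline
    if user in users_by_host[host]:
        return "known", []          # a regular user of this host: nothing to do
    reasons = []
    if ou not in ous_by_host[host]:
        reasons.append(f"no member of OU '{ou}' has accessed {host} before")
    if signals.get("external_email_recipients", 0) > 0:
        reasons.append("sent outbound email to external recipients")
    if signals.get("bytes_downloaded", 0) > DOWNLOAD_THRESHOLD_BYTES:
        reasons.append("downloaded an unusually large amount of data")
    if signals.get("admin_accounts_created", 0) > 0:
        reasons.append("created new admin account(s)")
    # A new user whose OU peers routinely use the host and who shows no other
    # indicator is only flagged for monitoring; anything else becomes a containment candidate.
    return ("contain" if reasons else "monitor"), reasons

if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print(assess_access("dave", "finance", "fin-db-01", {"bytes_downloaded": 8 * 1024 ** 3}, base))
```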
