The Internal Security Mindset: Getting Your Head in the Game

IT is still largely unprotected from one area of enterprise risk: the insider threat.

by Bob Pratt

Network security has changed dramatically since the days of the mainframe and dumb terminal, when everything was secure as long as the machine room door was locked.

The rise of the personal computer and local area networks changed everything. Suddenly IT had to worry about programs running on remote computers outside their direct control. In addition, all these remote computers and users were demanding direct access to data previously reserved for the mainframe priests alone. This rise of networked interconnectivity led to entire new classes of security products, including anti-virus scanners, firewalls, URL filtering, proxy servers, and SecureID™ cards, among others.

All these products, though, are essentially focused on securing the corporate network from outside threats. But there is still one area of risk that IT is largely unprotected from. This is the insider threat.

IT organizations today generally have a good handle on how users are authenticated into the network. What they don’t know is what users are doing after they log on. Without this knowledge, it’s impossible to know if users are accessing intellectual property they shouldn’t be, misusing their network privileges, abusing corporate bandwidth or servers, or violating the corporate acceptable-use policies.

Traditionally this has been handled by collecting information from targeted clients and servers. This can be done in two ways, by installing agents on each system or by turning on high levels of logging, retrieving those logs to a central location, and then storing them for extended analysis and record keeping. Each of these methods has limitations that have prevented them from becoming widespread.

Agent-based products, as you’d expect, have a wide range of logistics and compatibility problems associated with them. While an agent-approach may work well for very small, focused deployments, it will generally not scale effectively to large corporate networks.

The log-based approach has its own difficulties as well. First, not all applications or servers offer good logging services, and very few will log all the information regarding user activity. Secondly, consolidating those logs to a central location and storing them for extended periods of time is a serious logistical problem. Finally, finding a method to easily analyze all these disparate logs is very difficult.

Another approach to internal network security has been to redeploy products designed for perimeter security to monitor internal networks. For instance, use firewalls to segment off various portions of the corporate network from each other, or use Intrusion Detection Systems to look for aberrant behavior on the internal network. While this has a certain surface appeal, the fundamental problem is that perimeter security solutions are not designed to solve internal network problems. They will work fine if you want to detect worms originating from machines inside your firewall, or if you have two divisions you want to totally separate from each other, but they won’t help detect a sales person downloading source code from an engineering server, or a customer service person surfing a medical records database for information beyond what they’d normally need for their job.

How to Solve Internal Security Problems

An entirely new class of products is emerging. These products are designed specifically to solve the corporate internal security problem. These products are designed to monitor traffic inside corporate networks, and bind all of it to user IDs. This leverages identity intelligence to provide a complete view of network activity and simple, business level reports on the activity.

These monitor-based products, designed for corporate internal security, avoid many if not all of the limitations associated with legacy approaches to the space. First, these systems are completely passive in terms of deployment. In other words, no agents are required, no modifications to the corporate network or directory are necessary, and all the required data can be collected by monitoring traffic thru span ports on key switches throughout the network. This eliminates the logistical hassles associated with many of the traditional internal security approaches.

Products of this type also provide information about all traffic on the network, not just port/signature-based identification of traffic. This is critical, as solving internal security issues requires much more than simply knowing how many packets a given IP address transmitted on a given port. This deep analysis provides key data associated with each application and its use. If a user is using Microsoft File and Print Services to access a particular server the system will not only record that access, but track what files are being touched and if those files are being read, written, deleted, renamed, printed, etc. This meta-data, as it’s called, is critical to distinguish intentional misuse from mistakes from normal legitimate usage.

The integration of this data with true user identities from the corporate directory is also critical. Without that, the information will be virtually unusable as it will be too cumbersome to manually match each network address to the person that was using the address at any given point in time. With a true directory connection, it’s a single click to generate reports on not just activity for a single user, but activity for an entire business group, such as “Finance” or “Human Resources”, regardless of how many users are in the group or where they may have logged in from at any particular point in time.

Finally, when evaluating internal security solutions it’s vital to ensure that data can be stored for long periods of time. This is another area where the new category of internal security solutions stands out. Because they collect just key information about each transaction rather than the transaction itself, they are generally designed to store data for a minimum of 12-18 months. This makes it easy to answer historical questions that frequently come up in audit/compliance reporting, forensic workups, and other types of inquiries. In addition, having long baselines of internal network usage make it much easier to detect when an individual is doing something out of their ordinary pattern, and to plan for network growth and upgrades.

As with any strategic decision, when evaluating new products for internal security purposes, IT should be mindful of the tradeoffs between the various solutions. For example, while agent-based solutions might be cost and complexity prohibitive for some scenarios, the new generation monitor-based internal security solutions also have limitations. Monitor-based solutions cannot, by their nature, detect what is being done inside a specific client workstation. This means that monitor-based solutions cannot detect or prevent a user from copying files from his or her local hard disk to a local USB drive or burning them to a CD. If detecting this activity is mission critical, then an agent-based solution may be a better fit. A product that’s very cumbersome to deploy, but ultimately secure, may be appropriate for the National Security Agency’s internal network, but would be massive overkill for a typical corporate network.


Internal network security is the top IT security problem today. Legacy approaches are inadequate to solve the problem, due to installation and maintenance challenges, usability issues, logistics, and the lack of a complete view of internal activity.

Assistance is on the way. It’s important for IT administrators, network operations teams, and IT security personnel to be aware that there are now products available which can provide practical, usable solutions without requiring massive new infrastructures or large teams of people to deploy and manage them.

When determining the type of product for the environment, evaluate the tradeoffs of each type of product. Be careful: internal network security is definitely an area where one size does not fit all.

- - -

Bob Pratt is director of product management and marketing at PacketMotion.(, a provider of internal network monitoring and security solutions. Previously, Bob worked for several leading companies in network security and management. He is a frequent speaker and author on topics including public key infrastructure, cryptography, network management, and security. You can contact the author at