Many organizations understand they need network protection from threats outside of their networks. But what happens when the threat comes from inside? In this article, we’ll dive into some of the best insider threat detection tools you can use to protect your assets from rogue internal threats.
Here’s our list of the seven best insider threat detection tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE Gives the best combination of insider threat control and flexibility.
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This data loss prevention system tracks user access to sensitive data in order to spot insider threats on all endpoints. Runs on Windows Server.
- Datadog Security Monitoring Provides excellent pre-configured rules for fast deployment.
- PRTG Monitor Uses a specialized sensor to track user behavior.
- Splunk Uses peer group analytics to track both groups and individuals.
- ActivTrak Offers extensive threat detection paired with efficiency insights.
- Code42 Allows for extensive intellectual property protection and data monitoring.
The best Insider Threat Detection tools
With these selection criteria in mind, we identified some affordable and effective insider threat detection tools.
Our methodology for selecting an insider threat detection tool
We reviewed the market for insider threat detection systems and analyzed tools based on the following criteria:
- A system that uses machine learning to establish a baseline of normal activity
- A package that looks for secondary indicators of a threat before fully flagging an intrusion
- A service that includes alerts to draw the attention of technicians
- Recommendations for access rights management tightening
- Options to feed data through to analysis tools
- A free trial or a demo system for a cost-free assessment
- Good value for money from a tool that offers full-featured intrusion detection at a sensible price
1. SolarWinds Security Event Manager (FREE TRIAL)
SolarWinds Security Event Manager (SEM) is a Windows-based centralized security application that can identify and prevent threats both internally and externally. SEM works by monitoring event logs and pulling that information into its own system for analysis, alerting, and correlation.
Key features:
- Correlation engine.
- Proactive account auditing.
- Automated internal threat response.
The platform features over 700 built-in correlation rules combined with hundreds of automated responses administrators can use to build their own custom security rules. For example, SEM can detect events such as account lockouts and after-hours logins, and it can detect when specific files are accessed. These events can be matched with an action such as disabling a user account, sending an email notification, or quarantining a workstation.
SolarWinds SEM also features activity monitoring and access logging, making it a great tool for insider threat management. Inside you’ll be able to quickly identify user accounts and visualize their permissions within your network. This makes tracking inheritable permissions and access control much easier, especially for larger organizations.
Rather than digging through log files, the access logging feature can highlight who has a privileged account and display an audit of exactly how that account was used within the network. Access can be filtered by user, time, or endpoint. This helps you quickly determine whether an attack is coming from inside or outside your organization.
Through the threat intelligence feed, you can view both live and historical activity logs to identify anomalies or aid in a forensic investigation. Through this trove of data, you can stop threats of access violations, and then create correlation rules to stop these insider attacks from occurring again.
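As an added illustration of the correlation-rule approach described above (not SolarWinds code), the following Python sketch turns single events into indicators, fires a rule only when all of its indicators appear for one user inside a time window, and binds each rule to a response. The event IDs are modelled on Windows Security log IDs; the users, paths and timestamps are constructed sample data.

```python
"""Correlation-rule sketch: single events become indicators, rules fire when
all of a rule's indicators appear for one user inside a time window, and each
rule is bound to a response. Added illustration, not SolarWinds code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log IDs
# (4624 logon, 4740 account lockout, 4663 object access). Not real data.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:13:00", "id": 4624, "user": "jdoe", "detail": ""},
    {"time": "2024-03-04T02:20:00", "id": 4663, "user": "jdoe",
     "detail": r"\\FS-01\finance\payroll.xlsx"},
    {"time": "2024-03-04T09:05:00", "id": 4624, "user": "asmith", "detail": ""},
    {"time": "2024-03-04T09:10:00", "id": 4663, "user": "asmith",
     "detail": r"\\FS-01\public\readme.txt"},
    {"time": "2024-03-04T11:00:00", "id": 4740, "user": "bkim", "detail": ""},
]

BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59 local time
SENSITIVE_PREFIXES = (r"\\fs-01\finance", r"\\fs-01\hr")   # compared lower-case
CORRELATION_WINDOW = timedelta(hours=1)

def indicators_for(event):
    """Return the indicator names one event triggers (possibly none)."""
    ts = datetime.fromisoformat(event["time"])
    found = []
    if event["id"] == 4740:
        found.append("account_lockout")
    if event["id"] == 4624 and ts.hour not in BUSINESS_HOURS:
        found.append("after_hours_login")
    if event["id"] == 4663 and event["detail"].lower().startswith(SENSITIVE_PREFIXES):
        found.append("sensitive_file_access")
    return found

# Each rule: the full set of indicators required, and the response bound to it.
# Requiring two indicators is the "secondary indicator" check that keeps a
# lone after-hours logon from disabling an account on its own.
RULES = [
    ({"after_hours_login", "sensitive_file_access"}, "disable_account"),
    ({"account_lockout"}, "notify_admin"),
]

def correlate(events, window=CORRELATION_WINDOW):
    """Return (user, indicators, action) for every rule satisfied within `window`."""
    per_user = defaultdict(list)              # user -> [(timestamp, indicator)]
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        for ind in indicators_for(ev):
            per_user[ev["user"]].append((ts, ind))
    hits = []
    for user, seen in per_user.items():
        for needed, action in RULES:
            # Slide a window over the user's indicators, oldest first.
            for i, (t0, _) in enumerate(seen):
                in_window = {ind for t, ind in seen[i:] if t - t0 <= window}
                if needed <= in_window:
                    hits.append((user, tuple(sorted(needed)), action))
                    break                     # fire each rule once per user
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

On the sample data, jdoe's after-hours logon followed by a finance share access triggers the disable action, while asmith's daytime access to a public path produces no indicator at all.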
SolarWinds Security Event Manager can be tested completely free through a 30-day trial.
Pros:
- Built with enterprise in mind, can monitor Windows, Linux, Unix, and Mac operating systems
- Supports tools such as Snort, allowing SEM to be part of a larger NIDS strategy
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help reduce the number of ancillary tools you need for your IDS
Cons:
- Feature dense – requires time to fully explore all features
EDITOR’S CHOICE
Outside of just reactionary tools, SolarWinds Security Event Manager makes it easy to search through your Active Directory environment and find inactive accounts, historical access rights, and permission information. This drastically cuts down on the time it takes to run a manual audit on your domain controller and helps close any potential internal weaknesses before they are exploited.
Start 30-day Free Trial: solarwinds.com/security-event-manager
OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
2. ManageEngine Endpoint DLP Plus (FREE TRIAL)
ManageEngine Endpoint DLP Plus implements insider threat detection that focuses its user activity tracking on access to sensitive data. Many insider threat identification systems deploy AI-based user and entity behavior analytics (UEBA) for all user activity, but the ManageEngine package’s strategy is more lightweight because it is limited to file activity.
- Tracks access to data
- Identifies and categorizes sensitive data
- Monitors file movements
The Endpoint DLP Plus software package needs to be installed on one server. All of the other endpoints in the system are monitored over the network. This configuration creates one central console for the entire business. An extension to the standard package can reach out to remote sites, thus allowing a security operations center to track activity at all locations.
The important setup task with any data security system is to create a definition of what is considered to be “sensitive” data. The dashboard of Endpoint DLP Plus includes a library of policy templates that provide preset definitions and controls. There are templates for all of the major data protection standards and it is also possible to create your own.
Applying a template creates a security policy that sets down rules over which user groups can access, modify, or delete different types of sensitive data. These controls extend to the supervision of USB storage devices, email systems, and file transfer services to cloud platforms.
The ManageEngine service performs a sweep of all endpoints to identify sensitive data stores. The tool is able to process document images with OCR and it can spot collections of fields which, by their proximity, create a composite sensitive data record. The DLP then categorizes each instance of data that was identified.
The categorization of sensitive data into different types allows for a finer level of control, because actions that are permitted on one category can be blocked on another. The system also allows you to define trusted applications that generate or process sensitive data. The service will block exports of data from these privileged software packages to unauthorized applications.
The DLP system will raise an alert if suspicious activity has been identified. You can set up rules to let the package automatically deal with these events or leave responses to manual processes.
The software for ManageEngine Endpoint DLP Plus installs on Windows Server. There are two editions available: Free and Professional. The Free edition is limited to monitoring data on 25 endpoints. You can assess the Professional edition on a 30-day free trial.
Pros:
- Free version available
- Automated response rules
- Alerts on the identification of suspicious activity
- Controls over email and USB storage devices
Cons:
- No cloud-based option
ManageEngine Endpoint DLP Plus Download 30-day FREE Trial
3. Datadog Security Monitoring
Datadog Security Monitoring takes a holistic approach to network security by ingesting data from every part of your network, both internally and externally. The platform is extremely flexible, allowing you to hunt threats manually and leverage automation to stop insider threats in their tracks.
- 600+ integrations.
- Simple user interface.
- Dozens of pre-configured detection rules.
While this may sound complex, Datadog does an impressive job at keeping the interface clean and user-friendly. Through a single pane of glass, you can identify and sift through security events across dynamic environments, whether that be in the cloud, on-premises, or a mix of both.
This real-time threat detection combined with Datadog’s out-of-the-box features makes deploying your insider threat management strategy much quicker than on most platforms. Dozens of pre-configured detection rules start working immediately, meaning you get instant insights on attacks and misconfigurations, including attacks that start from behind your firewall.
With over 500 vendor-supported integrations, Datadog has some of the most flexible logging and monitoring abilities of any threat detection tool. For example, you can have integrations for AWS and G Suite, while also having on-premises Windows server and endpoint monitors pushing data to one centralized location.
Partner integrations allow you to pivot and add additional capabilities into new and existing tools. For more incident response features a CrowdStrike integration can be installed to help direct how internal threats are dealt with and give you more control over how a team handles incident responses.
When a possible insider threat is found, a manual investigation can begin to determine its validity and scope. Datadog drastically decreases the time an investigation takes by integrating directly with communication tools as well as assigning events their own severity score.
Assigning an event to a technician or a team can be done through automation or manually. Datadog allows you to quickly share security information dubbed “Signals” with your team. Events can be shared via email, push notification, or through third-party apps like Slack or PagerDuty.
Datadog Security Monitoring starts at $0.20 (£0.15) per gigabyte of analyzed log data per month. To access the out-of-the-box detection rules and enable 15-month log retention the price goes up to $0.30 (£0.22) per gigabyte of ingested data.
Pros:
- Highly scalable cloud-based monitoring that can monitor applications across multiple WANs
- Flexible à la carte pricing and feature options
- A vast number of integrations, great for large networks utilizing numerous third-party applications
- Templates work extremely well out of the box; customization is possible but not always necessary
Cons:
- Could benefit from a longer 30-day trial period
You can try hunting insider threats with Datadog for free through a 14-day trial.
4. Paessler PRTG Monitor
PRTG Network Monitor has been known for its robust and flexible sensor-based monitoring, but it has now expanded into insider threat detection. Paessler and Flowmon Networks have recently partnered up to expand the capabilities of PRTG Monitor to include insider threat detection, in-depth flow analysis, and behavioral analytics.
- AI-powered machine learning.
- Highly scalable.
- Auto grouping and prioritization.
This addition makes the PRTG platform considerably more flexible, especially for companies that are looking for a combination of insider threat detection and network monitoring.
As with all PRTG monitoring, insider threat detection works by combining two custom sensors: an SNMP sensor and a Python script sensor. The SNMP sensor is used to monitor the Flowmon appliance, while the Python script allows the data from Flowmon to be displayed in the PRTG dashboard.
Together these sensors give both deep insights into the network status of a device, as well as contextual security information that can be processed by machine learning. Once processed these security events are grouped together and then assigned a priority depending on their severity before being displayed on the PRTG monitoring dashboard.
The live dashboard puts your entire network into perspective through a series of key insights, charts, and live network maps. All of your key insider threat management information and network monitoring can be displayed and customized through over 300 different graphic objects and visualizations.
On the backend, PRTG allows for flexible alerting based on a combination of conditions, thresholds, and quotas. All alerts are highly configurable which allows you to reduce the number of total alerts your operations center receives. You can choose to be alerted via email, HTTP request, push notification, or from PRTG’s Android and iPhone apps.
Technicians can quickly toggle from PRTG to Flowmon while troubleshooting an event to apply root cause analysis; they can search through other related security events to get a clearer picture of what may be an insider threat. By combining your insider threat management with your network monitoring you simplify the workflow and increase the speed at which IT staff and the network security team can identify and solve issues.
PRTG Monitor is highly flexible and designed to fit companies of virtually any size. Pricing is based on the number of sensors you have deployed. You can test out the full version of PRTG and its insider threat detection system for free through a 30-day trial.
Pros:
- Uses behavioral analysis to identify suspicious or malicious activity
- Built-in root cause analysis helps technicians triage issues faster
- Drag-and-drop editor makes it easy to build custom views and reports
- Supports a wide range of alert mediums such as SMS, email, and third-party integration
- Supports a freeware version
Cons:
- Is a very comprehensive platform with many features and moving parts that require time to learn
- Custom sensors can sometimes be challenging to manually configure
5. Splunk
Splunk markets itself as the “data to everything” platform, making it an extremely flexible tool for threat detection, monitoring, and even business intelligence. For now, we’ll focus on how Splunk can specifically be used for insider threat management.
- Behavioral analytics.
- Data theft prevention.
- Cloud and on-premises options.
Like many of these platforms, Splunk harnesses its power by collecting signals through event logs pulled from endpoints, servers, and applications. These events are brought into the Splunk ecosystem and displayed in a single dashboard. Machine learning and behavioral analysis help highlight key security events a manual review may have missed, and can even apply automatic remediation via scripts.
Splunk excels in insider threat detection primarily through its User Behavior Analytics (UBA) system. This is a form of continuous threat monitoring that combines rules you define with a baseline of how a user regularly behaves. If a rule is broken, or if suspicious behavior is detected, immediate action can be taken to stop the threat.
This combination of behavior baselining and peer group analytics gives a clear window into not just the actions of an internal account, but the intent behind a user’s actions. For example, the actions of a compromised account will look very different from those of an employee who is manually attempting to access parts of the network they are not authorized to.
The data Splunk can process gives you a granular look at these events and puts the tools to deal with them at your disposal. Outside of just unusual account activity, Splunk has the ability to detect data exfiltration, privilege escalation, and privileged account abuse.
Through constant network monitoring the Splunk platform can automatically prevent and alert to data theft. Private or sensitive information can be tagged as confidential, allowing Splunk to stop it from leaving through unsecured channels as well as audit the history of its access.
Splunk has three pricing tiers, starting with a free version allowing for 500MB of daily indexing. Monitoring and alerts are only available through their Standard and Premium versions, but your monthly cost will be closely tied to how much data Splunk processes.
Pros:
- Can utilize behavior analysis to detect threats that aren’t discovered through logs
- An excellent user interface, highly visual with easy customization options
- Easy prioritization of events
- Enterprise focused
- Available for Linux and Windows
Cons:
- Pricing is not transparent, requires a quote from the vendor
- More suited for large enterprises
- Uses Search Processing Language (SPL) for queries, steepening the learning curve
You can test out Splunk through a free download.
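As an added illustration (not Splunk’s code) of the behavior baselining and peer group analytics described in this section: each user’s activity today is compared both with their own seven-day baseline and with the median of their department, so a department-wide surge is downgraded to a weak signal while an individual outlier is raised as an alert. The users, departments and file-access counts are constructed sample data, and the thresholds are assumed values.

```python
"""Behavior baselining with a peer-group check, in the spirit of the UBA
approach described above. Added illustration, not Splunk code."""
from statistics import mean, median, pstdev

# Constructed sample: files opened on a shared drive per user, per day, for
# the previous 7 days (the learning window) plus today's count. Not real data.
HISTORY = {
    "jdoe":   {"dept": "finance", "daily": [12, 15, 11, 14, 13, 12, 16], "today": 140},
    "asmith": {"dept": "finance", "daily": [10, 12, 9, 11, 13, 10, 12],  "today": 11},
    "bkim":   {"dept": "finance", "daily": [14, 13, 15, 12, 14, 16, 13], "today": 15},
    "clee":   {"dept": "eng",     "daily": [80, 95, 70, 88, 91, 85, 79], "today": 300},
    "dpatel": {"dept": "eng",     "daily": [75, 82, 90, 77, 85, 80, 88], "today": 280},
}

def self_zscore(daily, today):
    """How many standard deviations today's count sits above the user's own baseline."""
    mu, sigma = mean(daily), pstdev(daily)
    sigma = max(sigma, 1.0)            # floor avoids divide-by-zero on a flat baseline
    return (today - mu) / sigma

def peer_ratio(user, users):
    """Today's count relative to the median of the user's department peers today
    (same department, excluding the user)."""
    dept = users[user]["dept"]
    peers = [u["today"] for name, u in users.items()
             if u["dept"] == dept and name != user]
    return users[user]["today"] / max(median(peers), 1.0)

def score_users(users, z_threshold=3.0, peer_threshold=4.0):
    """Flag a user only when both the self-baseline and the peer comparison
    deviate; a single anomaly is reported as a weak signal, not an alert.
    Thresholds are assumed values, not Splunk defaults."""
    findings = {}
    for name, rec in users.items():
        z = self_zscore(rec["daily"], rec["today"])
        ratio = peer_ratio(name, users)
        if z > z_threshold and ratio > peer_threshold:
            level = "alert"            # unusual for the user AND for their peers
        elif z > z_threshold:
            level = "weak"             # unusual for the user, but peers moved too
        else:
            level = "normal"
        findings[name] = {"z": round(z, 1), "peer_ratio": round(ratio, 1), "level": level}
    return findings

if __name__ == "__main__":
    for name, finding in score_users(HISTORY).items():
        print(name, finding)
```

In the sample, jdoe’s jump from about 13 to 140 daily file opens stands out against both baselines and is alerted, whereas the two engineering users both spike together and are reported only as weak signals for a human to review.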
6. ActivTrak
ActivTrak is a dedicated platform for employee monitoring, operational efficiency, and security management. Since ActivTrak collects so much information around end-user behavior, it can easily identify insider threats and play a key role as an insider threat management tool.
- In-depth behavioral monitoring.
- Data redaction.
- Employee productivity reports.
Through a series of lightweight sensors living on endpoint devices, ActivTrak can immediately stop insider threats as well as provide an overview of the threat scope on a company-wide level. These sensors can not only identify insider threats but read into the context of the security event on a deeper level.
For example, an employee accidentally opening a malicious email is much different from employees actively installing hacking tools on their machines. Understanding this difference helps shape a custom response that is both appropriate and impactful.
Through these insights, you can view both individuals and specific departments or groups who are engaging in high-risk behavior. Viewing this information on such a high level helps larger organizations track their security posture by department, and even uncover opportunities for further security education or policy changes.
In combination with this high-level behavioral overview, ActivTrak also provides basic malware protection, website restrictions, and automated data redaction.
Outside of security ActivTrak offers additional features such as application usage tracking, employee productivity reports, and workflow monitoring for identifying unbalanced workloads and peak work hours.
ActivTrak is freemium software that offers some of its most basic features completely free. To get access to features such as customized alerts, detailed automation, and remote deployment you’ll need the Advanced plan starting at $7.20 (£5.39) per user per month.
Pros:
- Can monitor employee behavior for security and performance purposes
- Offers highly customizable automated remediation
- Includes basic endpoint security for anti-malware
Cons:
- Designed more for employee monitoring, which can feel invasive depending on company culture
- Add-ons like anti-virus aren’t as effective as standalone AV products
You can view the full pricing chart on the ActivTrak pricing page.
7. Code42
Code42 is a SaaS platform that focuses almost entirely on stopping and preventing insider threats for networks of any size. Whether you’re protecting intellectual property or stopping a rogue employee, Code42 uses a combination of detection, investigation, and response to put an end to malicious activities.
- Flexible risk analysis.
- Intellectual property protection.
- Automated incident response.
The Code42 platform takes a granular look at data protection and applies custom solutions for each scenario. For example, the system uses different techniques to secure data on a cloud platform, such as Google Drive, from those it uses when an employee unexpectedly leaves the company.
By monitoring virtually all file activity, Code42 can get a pulse on violations and identify what should or shouldn’t be considered acceptable by a security policy. This technique can fill the gap where single solutions such as Data Loss Prevention (DLP) or User Activity Monitoring (UAM) fall short.
By seeing security events at such a level, your company is able to identify big-picture security flaws such as data exposure, the highest-risk users, and the most vulnerable third-party platforms.
Using this broad coverage Code42 allows you to quickly take action against threats through both manual review and automated remediation. Administrators can view a pre-prioritized dashboard that highlights the most pressing security matters so they can get to work on what matters most.
There is an entire section dedicated to Security Orchestration Automation and Response (SOAR) which gives security teams the power to create rules based on conditions or thresholds and apply customized responses to each event.
Lastly, Code42 can dive deep into the context of, and changes in, an individual user’s activity. The platform monitors privileged accounts and can watch more closely those users who show signs of becoming an insider threat.
For example, users who fail phishing tests, have expressed job dissatisfaction, or have worked on unsecured networks will all have a higher level of scrutiny applied to their user accounts.
Code42 comes in two pricing structures, Basic and Advanced. The Advanced tier gives you more in-depth investigation tools, file deletion detection, and cloud file monitoring. Pricing is not publicly available, however, a free 30-day trial is offered.
Pros:
- Can automatically restore files to their previous location and state
- Operates more as a SIEM tool, making it a good option for those looking for more advanced coverage and monitoring
- Can audit user access to network files and locations
- Analysis tools can help determine if actions were malicious or accidental
Cons:
- Can be resource-intensive when used at scale
- Has a steeper learning curve than similar IDS software
- Expensive, pricing based per computer
Choosing an Insider Threat Detection Tool
We’ve narrowed down the six best insider threat detection tools, but which is right for you?
If you’re a mid to large-sized organization SolarWinds Security Event Manager provides broad coverage against insider threats at a fair price. SolarWinds SEM allows for insider threat management paired with the ability to scale and monitor other aspects of network security in one easy-to-use platform.
Both Paessler PRTG and Datadog are close runners-up, with their pre-made rule sets, intuitive dashboards, and scalable monitoring solutions.
Do you have a method for tracking insider threats? Be sure to tell us your insider threat experiences in the comments below.
- Configuration analysis – flags communication that doesn’t fit in with the planned architecture of the system
- Modeling – establishes a baseline of normal activity per user and looks for deviations from it
- Indicator – watches for system changes (indicators of compromise) that are known to signal malicious behavior
- Threat behavior – matches known patterns of activity that can chain through to a damaging event