Insider threats are a growing concern for all organizations—one that is increasingly difficult to manage using conventional security technologies. Unlike other types of security threats, insider threats are complicated by the fact that only some are caused by intentional malicious insiders.

“The greatest threat to the security of US companies is no longer the hacker attacking from beyond network walls. Now, it is the insiders already within those walls, and equipped with an all-access pass.”

- The Future of Insider Threats, by Robert N. Rose

Insiders also include contractors, vendors, customers, and others. Frequently they’re authorized to access some part of your network, but too often they aren’t being effectively managed by your security team.

Compounding this situation, the number of unmanaged mobile and personal devices connecting to a typical corporate network is growing.

When you consider all these risks, you can understand why insider threats require a comprehensive cybersecurity strategy.

Consider the statistics:

  • In a 2018 survey by the Ponemon Institute, 59 percent of respondents admitted that their organization had experienced a data breach caused by one of their third parties, such as a vendor. Forty-two percent said that an insider breach had happened within the past 12 months.
  • A 2018 Verizon study showed that within the healthcare industry, insiders were responsible for 58 percent of data breaches. They were attributed to a combination of accidental and malicious insider actions.
  • Based on more than 700 cases in the CERT insider threat database, 59 percent of departing employees will take sensitive information with them.

When you miss an insider threat, the impact can be severe. A 2018 Ponemon Institute study revealed that the average annual cost of insider-related incidents is USD $8.76 million. And it takes an average of 52 days to resolve each insider threat incident.

The risks of using traditional insider threat security strategies

Traditional security measures like using a legacy SIEM typically involve analysts manually examining log files from multiple sources and then trying to make sense of all that data. This usually requires a lot of copying and pasting across multiple files to compile an investigation diary—and you’re unlikely to easily find and mitigate the genuine security incidents.

Many barriers can interfere with your threat identification and mitigation, including:

  • Obtaining required data
    You have nearly a zero chance of success without access to the right data. Do you have full access to all of the data you need to effectively identify insider threats?
  • Making sense of the vast amounts of data that reside in different systems and physical locations
    Many systems and services are connected to your network and are potential targets. Are you able to understand each of their logs?
  • Segregating insiders and their potential and actual threats from other threats
    Can you identify an insider using the tools at your disposal? Are you able to identify that person’s department, location, peer groups, and supervisor and other important information?
  • Accurately identifying the “crown jewels”
    Which assets will an attacker likely pursue? Are these assets safe, or have they already been unknowingly compromised? Has an insider already exfiltrated data?
  • Understanding granular clues without reliable context on good or bad behavior
    What is normal behavior? Can you identify it by looking at log data? Was it permissible for a key asset to be accessed from a VPN connection originating in China for example?
  • Dealing with a large attack surface
    How many employees, vendors, customers, contractors, and others have valid credentials to access your network? How many still have accounts or knowledge on how to access your assets after they leave the organization?
  • Training and awareness
    Do your analysts have the right experience so they can be effective with your current insider threat identification and mitigation solution?

Security teams are faced with overwhelming amounts of log data

Security teams are also tasked with monitoring log data from a multitude of sources, including:

  • Local network connections such as remote offices, users’ homes, and those on the road using a VPN
  • Cloud apps managed by entities outside of your direct control
  • Document management systems containing your company’s sensitive information
  • Distributed printers involved in breaches either electronically, or through the printing of information that is carried out the door
  • Mobile phones, tablets, and other unmanaged personal devices connecting to your wireless access points and company resources
  • Employees receiving and responding to personal emails, visiting social networks, and doing other personal tasks on your network

Traditional insider threat programs

In addition, traditional security approaches like correlation rules can’t automate threat detection. They only detect known threats for which the rules have been written. The risks you really need to detect are often of the unknown variety.

Also, with traditional security solutions you could end up working in reactive mode, handling threats after they’ve become breaches. A lot of sensitive data can leave your organization over the average 52 days it takes to resolve a malicious insider incident.

The smart approach to managing insider threats

Expecting analysts to painstakingly monitor insider threats isn’t a reasonable solution. The smart approach will address the weak points you’ll find in legacy SIEM solutions:

  • Collecting all log data

With a smart SIEM, you can ingest all the log data you need, without being charged for the volume of your data. Instead, all the important data is available to your analysts without having to arbitrarily cherry pick the logs that you’re guessing carry the right clues.

  • Automated and continuous behavior modeling

The best way to identify anomalous behavior is to first understand what constitutes normal behavior. A user and entity behavior analytics (UEBA) solution automatically creates normal behavior baselines, then continuously models behavior going forward.

  • Smart session timeline creation

To surface anomalous behavior, you need to answer the who, what, when, where, and why. A prebuilt, context-rich timeline of every user session can give you this insight.

  • Threat hunting capabilities

To easily detect anomalous behavior, you’ll want a well-designed, all-inclusive user interface where even entry-level analysts can identify evolving insider threats. Ideally, you should be able to search session timelines to reveal clues to threats.

  • Automated response

A complete solution assigns risk scores to behaviors, triggering responses based on risk totals. Depending on the integration within your IT environment, responses can range from simply flagging a user or machine, to running an automated playbook, to mitigating an event without human intervention.

Understanding user behaviors is key

User behaviors often provide critical warnings so that you can mitigate and prevent security threats. To manage insider threats based on behaviors, you need to establish a normal behavior baseline for each user. Figure 1 shows a potential insider threat that was identified by baselining their normal behavior with their anomalous activities, resulting in an elevated risk score.

Figure 1 – A user card showing the trends listing their potentially malicious activities and elevated risk score

Looking at the timeline, you can check if there are other indicators of insider threats. Typically, if you’ve found one indicator, there are other related events that lead to the threat—not just one event—allowing analysts to track down all the security incidents in one timeline.
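The behavior-modeling, risk-scoring, and timeline ideas above (baseline normal activity per user, score anomalies in a session, flag when the total crosses a threshold) can be illustrated with a small script. The following is an added example written for this page; it is not Exabeam's code and does not reproduce any product's model. The log events, the indicator point values, the 50-point threshold, and the "mean plus three standard deviations" volume rule are all constructed assumptions chosen to make the mechanics visible.

```python
"""Toy UEBA-style baselining and risk scoring over constructed log events.

Illustrative only: point values, threshold, and events are assumptions for
this example, not any vendor's detection logic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (user, ISO timestamp, event kind, detail).
# For "logon" the detail is the source country; for "file_read" it is bytes read.
BASELINE_EVENTS = [
    ("alice", "2024-03-04T09:02:00", "logon", "US"),
    ("alice", "2024-03-04T09:30:00", "file_read", 1_200_000),
    ("alice", "2024-03-04T14:10:00", "file_read", 900_000),
    ("alice", "2024-03-05T08:55:00", "logon", "US"),
    ("alice", "2024-03-05T10:05:00", "file_read", 1_500_000),
    ("alice", "2024-03-06T09:10:00", "logon", "US"),
    ("alice", "2024-03-06T11:40:00", "file_read", 1_100_000),
    ("alice", "2024-03-06T16:20:00", "file_read", 800_000),
    ("alice", "2024-03-07T09:00:00", "logon", "US"),
    ("alice", "2024-03-07T13:15:00", "file_read", 1_300_000),
]

# Constructed events from a later week: one anomalous day and one normal day.
NEW_EVENTS = [
    ("alice", "2024-03-11T02:15:00", "logon", "CN"),
    ("alice", "2024-03-11T02:40:00", "file_read", 25_000_000),
    ("alice", "2024-03-11T03:05:00", "file_read", 30_000_000),
    ("alice", "2024-03-12T09:05:00", "logon", "US"),
    ("alice", "2024-03-12T10:00:00", "file_read", 1_000_000),
]

# Assumed risk points per indicator; each indicator counts once per session.
RULES = {"new_country": 40, "unusual_hour": 20, "volume_spike": 30, "no_baseline": 25}


def build_baseline(events):
    """Learn, per user, the countries they log on from, the hours they are
    active, and the mean/stddev of bytes read per day."""
    raw = defaultdict(lambda: {"countries": set(), "hours": set(),
                               "daily_bytes": defaultdict(int)})
    for user, ts, kind, detail in events:
        t = datetime.fromisoformat(ts)
        b = raw[user]
        b["hours"].add(t.hour)
        if kind == "logon":
            b["countries"].add(detail)
        elif kind == "file_read":
            b["daily_bytes"][t.date()] += detail
    baseline = {}
    for user, b in raw.items():
        vols = list(b["daily_bytes"].values()) or [0]
        baseline[user] = {
            "countries": b["countries"],
            "hours": b["hours"],
            "bytes_mean": mean(vols),
            "bytes_std": pstdev(vols),
        }
    return baseline


def score_sessions(events, baseline, threshold=50):
    """Group events into per-user, per-day sessions, attach indicators, and
    sum their points into a session risk score. Returns one dict per session."""
    sessions = defaultdict(lambda: {"indicators": {}, "bytes": 0})
    for user, ts, kind, detail in events:
        t = datetime.fromisoformat(ts)
        s = sessions[(user, t.date().isoformat())]
        b = baseline.get(user)
        if b is None:
            # A user with no learned baseline cannot be judged normal or not.
            s["indicators"]["no_baseline"] = RULES["no_baseline"]
            continue
        if t.hour not in b["hours"]:
            s["indicators"]["unusual_hour"] = RULES["unusual_hour"]
        if kind == "logon" and detail not in b["countries"]:
            s["indicators"]["new_country"] = RULES["new_country"]
        if kind == "file_read":
            s["bytes"] += detail
            if s["bytes"] > b["bytes_mean"] + 3 * b["bytes_std"]:
                s["indicators"]["volume_spike"] = RULES["volume_spike"]
    results = []
    for (user, day), s in sessions.items():
        risk = sum(s["indicators"].values())
        results.append({"user": user, "day": day, "risk": risk,
                        "flagged": risk >= threshold,
                        "indicators": sorted(s["indicators"])})
    return results


if __name__ == "__main__":
    bl = build_baseline(BASELINE_EVENTS)
    for r in score_sessions(NEW_EVENTS, bl):
        print(f"{r['user']} {r['day']} risk={r['risk']} "
              f"flagged={r['flagged']} indicators={r['indicators']}")
```

Each indicator is kept as a named entry on the session rather than a bare number, which is what lets an analyst read the session "timeline" and see that the logon from a new country, the off-hours activity, and the volume spike are three related clues about the same day rather than three unrelated alerts. The normal day on 2024-03-12 scores zero, showing that the baseline, not a static rule, is what separates the two sessions.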

For more information about using a behavior-based approach to manage insider threats, see:

Sr. Principal Product Marketing Manager


If you’d like to see more content like this, subscribe to the Exabeam Blog