4 Requirements for Building a Successful Insider Threat Team
An insider threat is malicious activity against an organization that comes from user credentials with legitimate access to an organization’s network, applications, or databases. These credentials can belong to current employees, former employees, or third parties like partners, contractors, or temporary workers with access to the organization’s physical or digital assets.
Sometimes, having a security operations center (SOC) isn’t enough to address insider threats. Security operations teams already manage massive amounts of data across billions of events from on-premises and cloud environments, but detecting insider threats has special requirements: searching historical data and seeing changes in credential behavior as they happen.
In a recent webinar, Exabeam Director of Product Marketing Jeannie Warner and Sr. Director of Product Management Andy Skrei covered:
- The security risks associated with layoffs, new hires, and M&A
- Why your organization needs both an insider threat team and a SOC
- Four requirements for building a successful insider threat team
The security risks associated with layoffs, new hires, and M&A
With the recent spate of layoffs, organizations should be concerned about let-go employees sending files or information to their personal accounts, which can create risk for the company. As Jeannie explains, “Layoffs can create many unfortunate bad behavior patterns. Employees who just want to keep some of their good designs or templates into their new positions tend to want to keep their emails. They email them their successful docs, their pitches, and their notes. Or, in case of a surprise layoff, they may want to send their customer lists, their financial info, and more.”
New hires also pose a risk to the organization because they will be receiving many new emails requiring them to set up new accounts and logins. Andy says, “They start, and their inbox is filled with emails about installing new applications and updating things, and the employee doesn’t really have an understanding of what is normal for an organization. It’s a great opportunity for attackers to try to phish these employees and start to get access to those credentials. Attackers are smart; they see employees posting on LinkedIn that they just started a new job.”
Additionally, the SOC will not have a baseline of what normal behavior looks like for new employees until a few weeks into the job. “By using Exabeam Advanced Analytics with dynamic peer grouping,” Andy explains, “we’re able to provide visibility into those new hire credentials when they start to deviate from things that their peers do, even if they’re a new employee.”
Mergers and acquisitions (M&A) pose yet another challenge. “Once you start adding additions and buying other companies, this creates security nightmares,” Jeannie says. New organizations create a heterogeneous network in everything from tools and operating systems to security levels and maturity. “We always remember that larger, mature organizations that have a security department acquire smaller groups that may or may not have any security hardening in place,” she continues. “Anytime there’s a merger, so that somebody’s authenticating into your network, that’s an opportunity for some malicious actor.”
Disgruntled employees can blur the line between compromised insiders and malicious insiders. “Everyone has a price,” Andy says. “Oftentimes, buying credentials is fairly affordable.” Initially, people believed that the Lapsus$ attacks came from a sophisticated hacking group. “But that didn’t turn out to be true,” he explains. “It was simply, they were willing to fork over a couple of thousand dollars and employees were willing to hand them their credentials. And likewise, you have disgruntled employees as well that may attempt to perform any sort of sabotage, deleting data, bringing down data centers, or simply trying to leave the organization with IP and funnel that information either to other organizations or take it with them to their next role.”
Why your organization needs both an insider threat team and a SOC
Jeannie has heard many security leaders say that they have a SOC, but they’re also building an insider threat team. So, why would you need both? What needs do they have that are different, and what do they have in common?
“For both, it really is about collecting the right data,” explains Andy. Organizations often believe that they must collect more data, “but they really need to collect the right data. It’s a balance between what is the right data to be able to detect the threats that I care about as well as the data that I need to support those investigations to really understand what’s happening here.”
For insider threat teams, it’s imperative that they know what they’re looking for. “Like any type of security detections, your analysts are often buried in a sea of noise…. And lastly, it’s not just about the detections; it’s about the investigation as well. And manual investigations often lead to incomplete or inconsistent outcomes across the team,” Andy says.
SANS defines security operations as people, process, and technology. “An insider threat team is a combination of people, processes, automation, and technology looking for rogue users, compromised credentials, and evidence of entity misuse in the organization,” Andy explains. “And this is done through ongoing monitoring of normal system and user state, the research and implementation of adversary-aligned defensive capabilities, and automation in response to whatever possible to minimize the damage.”
Insider threat is two sides of the same coin. On one side is the compromised insider, the external attacker gaining credentials. On the other is the malicious insider, the credentialed employee that is trusted within the environment. When you see an alert, how do you understand which side of the coin it is? As Andy explains, “This usually comes down to needing the right context and to do some investigation and triage. You really need to understand the intent behind the behaviors and the alerts themselves to understand what type of threat this really is.”
Four requirements for building a successful insider threat team
How can an insider threat team be successful? Here are four main attributes of a successful insider threat program or the members of an insider threat team:
1. Healthy paranoia
“Prevention alone is not enough,” Andy cautions. While prevention technologies are important, “it’s not just enough to have the technology itself in place. You need to make sure, ‘Is it configured, is it deployed properly? Do I have the full coverage across the organization?’” As we see in breach after breach, prevention methods fail to keep out attackers and don’t stop malicious insiders. “So you do need that fallback of real-time threat detection and response capabilities,” he says.
To combat insider threats, it’s critical to have capabilities to detect credential abuse. “Almost all insider threat detections are going to be focused around some sort of credential or use of credentials,” Andy explains. “We see that offensive posture. We need to focus on that more than just the defensive, and we should look for opportunities to support zero trust initiatives and validation as well.”
2. The ability to see normal and abnormal
It’s necessary to understand what normal looks like in your environment so you’ll know when something is awry. Jeannie illustrated this point with a story about something that happened at a previous employer: “I recall once, back when it was all just IDSs and firewalls, we were monitoring a bank and everything was fine, and then suddenly, out of the blue, on Thursday at two o’clock in the morning, there was this enormous back and forth traffic with Russia, which scared the crap out of me. I had to call them in the middle of the night and say, ‘Oh my gosh, something terrible is going on.’ And the person I had to call who was on their escalation chain woke everybody else up and then had to come back to me and say, ‘Oh, Jeannie, we do have a branch bank in Russia and this is where they do their switch.’ We had no idea of what was normal, so we didn’t know what abnormal was.”
The majority of cyberattacks involve compromised credentials. “So you need something that sees compromised credentials, lateral movement, and privilege escalation,” Jeannie explains. You may already have several tools in your network for this, but they may or may not be in use by your SOC. Jeannie provided another example from a prior role: “In earlier years, we never saw Active Directory within the security operations center. So we were really missing all of the insider threat challenges. All I could do is say, ‘I think something large went out through the firewall because that was a pretty big SNMP bundle that went through.’ So literally it was guessing, checking, double-checking, and it took a long time.”
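To make the “see normal and abnormal” idea in this section concrete, and the earlier point that a new hire with no history can be judged against their peer group instead, here is a small added example (written for this article, not Exabeam’s product logic or anything shown in the webinar). The log records, department names, hosts and the 20-event history threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

MIN_HISTORY = 20  # events a user needs before their own baseline is trusted (constructed threshold)

# Constructed sample history: (user, department, ISO timestamp, destination host)
HISTORY = [
    ("alice", "finance", f"2023-05-{d:02d}T{h:02d}:00:00", "erp-01")
    for d in range(1, 11) for h in (9, 14)            # 20 events: enough for an own baseline
] + [
    ("bob", "finance", f"2023-05-{d:02d}T{h:02d}:00:00", host)
    for d in range(1, 11) for h in (10, 16) for host in ("erp-01", "fileshare")
] + [
    ("carol", "finance", "2023-05-10T11:00:00", "erp-01"),  # new hire: a single event so far
]


def build_baselines(history):
    """Return per-user and per-department baselines: hours and hosts seen, plus event count."""
    users = defaultdict(lambda: {"hours": set(), "hosts": set(), "n": 0})
    peers = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, dept, ts, host in history:
        hour = datetime.fromisoformat(ts).hour
        users[user]["hours"].add(hour)
        users[user]["hosts"].add(host)
        users[user]["n"] += 1
        peers[dept]["hours"].add(hour)   # the department's activity forms the peer-group baseline
        peers[dept]["hosts"].add(host)
    return users, peers


def score_event(event, users, peers):
    """Return a list of anomaly reasons for one event, or [] if it matches the reference baseline."""
    user, dept, ts, host = event
    hour = datetime.fromisoformat(ts).hour
    own = users.get(user)
    if own is None or own["n"] < MIN_HISTORY:
        # Too little personal history: compare against the peer group instead
        ref, basis = peers[dept], f"peer group {dept}"
    else:
        ref, basis = own, f"own baseline ({own['n']} events)"
    reasons = []
    if hour not in ref["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00 vs {basis}")
    if host not in ref["hosts"]:
        reasons.append(f"first access to {host} vs {basis}")
    return reasons


if __name__ == "__main__":
    users, peers = build_baselines(HISTORY)
    # A 2 a.m. login by a user who normally works 9-to-5 hours is flagged against her own history
    print(score_event(("alice", "finance", "2023-05-11T02:00:00", "erp-01"), users, peers))
```

The same check applied to the new hire would pass for a daytime access to a host her finance peers use, and flag a late-night access to a host none of them touch.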
3. Embrace automation
If Jeannie’s team had had automation, that process could have been much shorter. “We need to embrace automation…across the full lifecycle,” Andy asserts. “Let’s leverage the analysts for decision support to make those tough decisions. But those repeatable, consistent tasks that a lot of analysts are doing today are ripe for automation.” 74% of an analyst’s time is spent on triage and investigation, so we should focus on what parts of that role we can automate. One area ripe for automation is creating timelines of events, which can often take hundreds of queries. A great place to start, Andy suggests, is “being able to automatically provide your analysts timelines to kickstart their investigations.”
4. Think like an attacker to communicate risk upward
It’s important to “think like the bad guy and say, ‘What could I do? What can I get at? Where can I go? What does this system that this credential is acting on do? How do I know what’s normal in the network? How do I know what that asset is?’” Jeannie says. Take a website, for example. “Many different applications can be loaded, so, ‘What are they doing? What in particular? What’s on that server? What can they get to? What is that server connected to?’ And we need to be able to respond to all of these the way that a good business responds to market conditions. ‘Do I need to take something offline? Do I need to move in a different direction?’”
In addition, you should have a relationship with your HR team so that they feel comfortable sharing confidential information like when layoffs are going to happen so that your team can heighten its state of alert. “Or maybe, they can help create watch lists or allow/block lists that will help us be more effective and then not wake them up at two in the morning for known bad or good behavior,” suggests Jeannie.
You should also be aware of the things your team needs to know so that you can ensure they receive the right kind of continuing education. Then you can report back to leadership about how your team is doing by showing them, “‘Hey, this is my framework mapping of what we’re looking at and what we can see. I can see these classes of events, therefore I think we are covered and going to reduce your risk,’” she says.
How Exabeam can help
Insider threat initiatives require a new, focused approach: we call it New-Scale SIEM™. Exabeam Fusion, our most comprehensive offering, is the ideal tool for both security operations and insider threat teams. And if you already have a third-party SIEM in place, Security Investigation is the augmentation tool your new program needs.
Learn more about building an insider threat program
Watch the on-demand webinar or read the transcript for more insights from Jeannie and Andy, including use cases and a product demo.