From Anomalies to Action: CISO Insights on Insider Threats and Red Team Thinking
When CISOs get together, interesting conversations happen. In the CISO Q&A — Solving Insider Threats webinar, Michael Moreno, Senior Product Marketing Manager, Exabeam, and Andrew Williams, Principal Product Marketing Manager, Mimecast, were joined by Neil Clauson, Regional CISO, Mimecast, and myself to discuss strategies to combat insider threats, including those stemming from compromised credentials and social engineering attacks like phishing.
As the CISO at Exabeam, I understand that security is about painting a full picture of the threat landscape. In the webinar and this article, security analysts can find tactics to better understand anomalies, analyze behaviors, and identify tactics, techniques, and procedures (TTPs), especially when they originate from within an organization.
Mike kicks off the conversation by posing a question about email-based threats. As many CISOs are well aware, email can be an easy target for threat actors.
“Think of your attack surface like a funnel,” Neil explains. “At the top of that funnel and most exposed are your email and your collaboration tools. So while you can minimize that attack surface as much as possible with multifaceted detections and integrations and security awareness training and all that, your users still have to do work.”
Indeed, security operations centers (SOCs) need tools that can detect and respond to modern cyberthreats, including ransomware, impersonation attacks, credential harvesting, and phishing schemes.
Insider risks versus insider threats
As the conversation evolves, I’m quick to clarify the difference between insider risk and insider threats: “When we talk about insider risk, we’re referring to that potential for an individual or some entity within the organization, whether it be an employee or a contractor, to cause some sort of harm. Whereas the insider threat is really where that potential risk actually materializes and now you have that insider doing something, whether it’s intentional or unintentionally taking actions that could be detrimental to the organization.”
It is essential for security professionals to monitor user behavior, since small deviations from a user's normal activity (a login from a new host or country, activity at an unusual hour, a successful login following a burst of failures) are often the first indicators that an insider risk is turning into an insider threat. Tools like Exabeam apply machine learning to large volumes of telemetry to baseline that normal behavior, flag anomalies, filter out noise, and surface compromised credentials before the intruder can escalate.
As Neil jokes, this kind of threat hunting can be akin to “finding a needle in a stack of needles,” but it is essential work for 21st century SOCs.
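To make the "small indicators" concrete, here is an added example of the kind of per-user behavioral baselining a UEBA-style analytic performs. It is illustrative code written for this article, not Exabeam or Mimecast product code: the log lines, user names, hosts, countries, and the scoring weights and threshold are all constructed assumptions. It builds a profile of each user's usual hosts, countries and login hours from a baseline window, then scores new successful logins, raising the score further when a success follows repeated failures (a classic compromised-credential pattern).

```python
"""Added example (not Exabeam or Mimecast code): a minimal per-user behavioural
baseline that scores login events for compromised-credential indicators.
All log lines, names, weights and thresholds below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication events: timestamp user source_host country outcome
BASELINE_LOGS = """\
2023-10-02T08:12:05 alice ws-alice-01 US success
2023-10-02T09:40:11 alice ws-alice-01 US success
2023-10-03T08:05:44 alice ws-alice-01 US success
2023-10-04T17:55:02 alice ws-alice-01 US success
2023-10-02T08:30:00 bob ws-bob-07 US success
2023-10-03T08:31:12 bob ws-bob-07 US success
2023-10-04T12:01:09 bob vpn-gw-02 US success
"""

# Constructed events to triage: alice's credential is used from a new country after failures.
NEW_LOGS = """\
2023-10-05T03:14:22 alice vpn-gw-02 RO failure
2023-10-05T03:14:40 alice vpn-gw-02 RO failure
2023-10-05T03:15:01 alice vpn-gw-02 RO success
2023-10-05T08:02:13 bob ws-bob-07 US success
"""


def parse(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, country, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "country": country, "outcome": outcome})
    return events


def build_baseline(events):
    """Per-user profile of hosts, countries and login hours seen in successful logins."""
    profile = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": Counter()})
    for e in events:
        if e["outcome"] != "success":
            continue
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["countries"].add(e["country"])
        p["hours"][e["ts"].hour] += 1
    return profile


def score_event(event, profile, recent_failures):
    """Return (score, reasons) for one successful login. Weights are assumptions."""
    p = profile.get(event["user"])
    if p is None:
        return 50, ["no baseline for user"]
    score, reasons = 0, []
    if event["host"] not in p["hosts"]:
        score += 20
        reasons.append(f"new host {event['host']}")
    if event["country"] not in p["countries"]:
        score += 40
        reasons.append(f"new country {event['country']}")
    if p["hours"][event["ts"].hour] == 0:
        score += 15
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    if recent_failures >= 2:
        score += 25
        reasons.append(f"success after {recent_failures} failures")
    return score, reasons


def triage(baseline_events, new_events, threshold=60):
    """Score each successful login in new_events; return alerts at or above threshold.
    Consecutive failures per user are counted and reset on the next success."""
    profile = build_baseline(baseline_events)
    failures = Counter()
    alerts = []
    for e in sorted(new_events, key=lambda x: x["ts"]):
        if e["outcome"] == "failure":
            failures[e["user"]] += 1
            continue
        score, reasons = score_event(e, profile, failures[e["user"]])
        failures[e["user"]] = 0
        if score >= threshold:  # events below threshold are the noise we filter out
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse(BASELINE_LOGS), parse(NEW_LOGS)):
        print(alert)
```

With the constructed data, alice's 03:15 login scores 100 (new host, new country, unusual hour, success after two failures) and is raised as an alert, while bob's routine 08:02 login from his usual workstation scores 0 and is dropped as noise. A production analytic would learn these weights and baselines from far more telemetry, but the shape of the decision is the same: deviation from the individual's own history, not a static rule, is what surfaces the compromised credential.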
Red team thinking
Continuing on, Neil details how the Mimecast team harnesses “red team thinking,” an adversarial mindset that challenges previously held assumptions. He constantly asks: “Are we really as protected as we thought?” Through collaboration, situational awareness, and tabletop exercises, he leads his SOC through OODA loops (observe, orient, decide, act), encouraging his team to make the most appropriate decision in the given context.
“The tools are great,” he concludes. “But the processes around that are really what make the tools effective.”
By combining the two platforms, Mimecast and Exabeam can offer SOCs an enhanced security posture, integrating email telemetry with behavioral analytics. Data is not just stored but analyzed and fed into alert and case management, dynamic alert prioritization, and more.
Explains Andrew, “As Exabeam rolls up new functions and features in their platform, they can take advantage of all Mimecast features and vice versa. And that’s what we want to get is something that is constantly staying up to date, able to protect us against the latest style of threats and to share the right visibility.”
Want to learn more about proactively defending against insider threats?
Watch the on-demand webinar, “CISO Q&A — Solving Insider Threats.”
It’s no secret that insider threats present a significant challenge to organizations of all sizes. If your security team is feeling the pressure to address these threats effectively, this webinar is for you. Join the CISOs from Exabeam and Mimecast as they explore strategies to combat insider threats, including those stemming from compromised credentials and social engineering attacks like phishing.
During this enlightening session, you’ll discover how these industry experts leverage telemetry data to proactively stay ahead of cybersecurity threats. Gain valuable insights into the following topics that are top of mind for today’s CISOs:
- Mitigating compromised credentials and phishing through effective security operations techniques
- Maximizing the value of telemetry data for better threat intelligence
- Accelerating threat detection, investigation, and response (TDIR), even on a limited budget