In this article you will learn:
- Every CISO needs to understand that your biggest asset, people, can also be your most significant risk.
- Insider threats are increasing for enterprises across all industry sectors. Threats can come from anyone with access to sensitive data.
- Be prepared to mitigate your risk with active insider threat detection and prevention.
What is an Insider Threat?
Insider threats are defined as cybersecurity threats that come from within your own company. It may be an employee or a vendor – even ex-employees. Anyone that has valid access to your network can be an insider threat.
Dealing with insider threats isn’t easy since the people you trust with your data and systems are the ones responsible for them.
Types of Insider Threats
There are three types of insider threats: compromised users, careless users, and malicious users.
Compromised Employees or Vendors
Compromised employees or vendors are the most important type of insider threat you’ll face, because neither you nor they know that they are compromised. It can happen when an employee grants access to an attacker by clicking a phishing link in an email. These are the most common types of insider threats.
Careless Employees
Careless employees or vendors can become targets for attackers. Leaving a computer or terminal unlocked for a few minutes can be enough for one to gain access.
Granting DBA permissions to regular users (or worse, using software system accounts) to do IT work is another example of a careless insider threat.
Malicious Insider
Malicious attackers can take any shape or form. They usually have legitimate user access to the system and willfully extract data or Intellectual Property. Since they are involved with the attack, they can also cover up their tracks. That makes detection even more difficult.
Detecting Insider Threats
Most of the security tools used today try to stop legitimate users from being compromised. This includes things like firewalls, endpoint scanning, and anti-phishing tools. Compromised users are also the most common type of breach, so it makes sense that so much effort goes into stopping them.
The other two profiles aren’t as easy to deal with. With careless behavior, knowing whether a given system event was valid is almost impossible. Network and security admins probably don’t know the context behind an application’s behavior, so they won’t notice anything suspicious until it’s too late.
Similarly, malicious attackers know the ins and outs of your company’s security system, giving them a good chance of getting away undetected.
The most significant issues with detecting insider threats are:
1. Legitimate Users
The nature of the threat is what makes it so hard to prevent. With the actor using their authentic login profiles, there’s no immediate warning triggered. Accessing large files or databases infrequently may be a valid part of their day to day job requirements.
2. System and Software Context
For the security team to know that something terrible is happening, they need to know what something bad looks like. This isn’t easy, as business units are usually the experts when it comes to their software. Without the right context, detecting a real insider threat from the security operations center is almost impossible.
3. Post Login Activities
Keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs need to be checked, and each event studied. Even with Machine Learning (ML) tools, this can still be a lot of work. It could also lead to many false positives being reported, adding noise to the problem.
Indicators of Insider Attacks
Detecting attacks is still possible. Some signs are easy to spot and take action on.
Common indicators of insider threats are:
- Unexplained financial gain
- Abuse by service accounts
- Multiple failed logins
- Incorrect software access requests
- Large data or file transfers
Using systems and tools that look for these items can help raise the alarm for an attack, while regular (daily) endpoint scans will ensure workstations stay free of viruses and malware.
Identifying Breaches in the System
Identifying breaches starts with the security team understanding normal behavior.
Normal behavior should be mapped down to the lowest level of access and activity. The logs should include the user’s ID, workstation IP address, the accessed server’s IP, employee department, and the software used.
Additionally, knowing what database was accessed, which schemas and tables read, and what other SQL operations were performed, will help the security team identify breaches.
Detect Insider Threats with Machine Learning
One area where machine learning gives a massive ROI is in network threat detection. Although it isn’t magic, it can highlight where to point your resources.
By providing the system’s state and behavioral information to a machine learning algorithm, unusual and suspect actions can be identified quickly. Information like user and connection types, role access and application rights, working times, and access patterns can promptly be passed to ML applications.
Knowing what falls outside of the above normal system state can be done by mapping the following into the alert process:
- Listing table access rights per app.
- Specifying service account credentials and schemas used.
- Monitoring the usual data storage locations.
Prevent Insider Threats With Threat Scoring
Correlating the above types of information allows you to create threat scores for each user activity. Coupled with the user’s credentials, this lets you alert the security team soon after a breach is found.
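The following is an added example, not code from the article or from any vendor product it mentions. It ties together the indicator list above (failed logins, service account abuse, large transfers), the log fields the article says to collect, the per-app table access rights and service account schemas it says to map into the alert process, and the weighted per-user threat score described here. The log format, sample rows, baseline tables, weights and thresholds are all assumptions constructed for the demonstration.

```python
# Added example (not from the article): score constructed access-log lines
# against the indicators and baseline the article describes. Field layout,
# sample data, weights and thresholds are assumptions for this demo only.
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields follow the ones the article says to log:
# time, user id, workstation IP, server IP, department, application, event, object, bytes
SAMPLE_LOG = """\
2024-03-04T09:12:01,alice,10.0.1.15,10.0.9.2,finance,ledger-app,query,finance.invoices,2048
2024-03-04T09:15:44,alice,10.0.1.15,10.0.9.2,finance,ledger-app,query,finance.invoices,4096
2024-03-04T22:41:09,bob,10.0.1.22,10.0.9.2,sales,crm,query,hr.salaries,512
2024-03-04T22:42:30,bob,10.0.1.22,10.0.9.2,sales,crm,transfer,hr.salaries,734003200
2024-03-04T08:01:10,carol,10.0.1.31,10.0.9.5,it,db-admin,login_fail,-,0
2024-03-04T08:01:25,carol,10.0.1.31,10.0.9.5,it,db-admin,login_fail,-,0
2024-03-04T08:01:40,carol,10.0.1.31,10.0.9.5,it,db-admin,login_fail,-,0
2024-03-04T08:01:55,carol,10.0.1.31,10.0.9.5,it,db-admin,login_fail,-,0
2024-03-04T08:02:10,carol,10.0.1.31,10.0.9.5,it,db-admin,login_ok,-,0
2024-03-04T10:30:00,svc_report,10.0.1.22,10.0.9.2,it,report-batch,query,finance.invoices,8192
"""

# Assumed baseline: table access rights per app, plus the schemas each
# service account may touch and the hosts it normally connects from.
APP_TABLES = {
    "ledger-app": {"finance.invoices", "finance.payments"},
    "crm": {"sales.leads", "sales.accounts"},
    "report-batch": {"finance.invoices"},
    "db-admin": set(),  # admins run raw SQL; not policed by the app-rights rule
}
SERVICE_ACCOUNTS = {"svc_report": {"schemas": {"finance"}, "hosts": {"10.0.9.9"}}}
WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as normal working time
LARGE_TRANSFER_BYTES = 100 * 2**20   # 100 MiB in one event is "large"
FAILED_LOGIN_LIMIT = 3               # consecutive failures before it counts
WEIGHTS = {"failed_logins": 3, "large_transfer": 4, "off_hours": 1,
           "outside_app_rights": 3, "service_account_abuse": 5}
ALERT_THRESHOLD = 5


def parse_log(text):
    """Parse the comma-separated log into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws_ip, srv_ip, dept, app, event, obj, nbytes = line.split(",")
        rows.append({"time": datetime.fromisoformat(ts), "user": user,
                     "ws_ip": ws_ip, "srv_ip": srv_ip, "dept": dept, "app": app,
                     "event": event, "object": obj, "bytes": int(nbytes)})
    return rows


def indicators_for(rows):
    """Return {user: {indicator: hit count}} for the indicators in the article."""
    hits = defaultdict(lambda: defaultdict(int))
    consecutive_fails = defaultdict(int)
    for r in rows:
        u = r["user"]
        if r["event"] == "login_fail":
            consecutive_fails[u] += 1
            if consecutive_fails[u] == FAILED_LOGIN_LIMIT:   # fire once per streak
                hits[u]["failed_logins"] += 1
        elif r["event"] == "login_ok":
            consecutive_fails[u] = 0
        if r["bytes"] >= LARGE_TRANSFER_BYTES:
            hits[u]["large_transfer"] += 1
        if r["time"].hour not in WORK_HOURS:
            hits[u]["off_hours"] += 1
        allowed = APP_TABLES.get(r["app"])
        if allowed and r["object"] != "-" and r["object"] not in allowed:
            hits[u]["outside_app_rights"] += 1       # app touched a table it has no rights to
        svc = SERVICE_ACCOUNTS.get(u)
        if svc:
            schema = r["object"].split(".")[0]
            if schema not in svc["schemas"] or r["ws_ip"] not in svc["hosts"]:
                hits[u]["service_account_abuse"] += 1  # wrong schema or interactive host
    return hits


def threat_scores(rows):
    """Weighted sum of indicator hits per user (users with no hits are absent)."""
    return {u: sum(WEIGHTS[k] * n for k, n in ind.items())
            for u, ind in indicators_for(rows).items()}


def alerts(rows, threshold=ALERT_THRESHOLD):
    """Users whose score reaches the alert threshold, sorted for stable output."""
    return sorted(u for u, s in threat_scores(rows).items() if s >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for user, score in sorted(threat_scores(parsed).items()):
        print(f"{user:12} score={score:3} {dict(indicators_for(parsed)[user])}")
    print("alert:", alerts(parsed))
```

On the constructed data, bob scores highest (off-hours queries and a large transfer against a table the CRM app has no rights to), the service account scores enough to alert because it connected from a workstation rather than its usual host, and carol's short run of failed logins followed by a success stays below the threshold. The weights and the threshold are the tunable part: the per-app and per-service-account tables are the context the article says the security team usually lacks, and the rules are only as good as that mapping.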
Using this type of analytics is new to the industry. Early implementations have been successful in helping companies gain an edge over their rivals.
Vendors are starting to offer custom Security Risk Management solutions that include:
- Behavior analytics
- Threat intelligence
- Anomaly detection
- Predictive alerts
Statistics on Insider Threats
33% of organizations have faced an insider threat incident. (Source: SANS)
Two out of three insider incidents happen from contractor or employee negligence. (Source: Ponemon Institute)
69% of organizations have experienced an attempted or successful threat or corruption of data in the last 12 months. (Source: Accenture)
It takes an average of 72 days to contain an insider threat.
Take a Proactive Approach to Insider Threats
Using historical data can help you quickly build risk profiles for each of your users. Mapping their daily interactions with the data you manage will show you where the high-risk profiles are. This will allow you to proactively engage in the areas where you have the biggest concerns.
Although any point in the network poses a risk, elevated access rights have the highest potential for abuse. Implementing key indicator monitoring on these user profiles with Active Directory policies will reduce the amount of risk you face.
Auditing exiting employees, ensuring their credentials are revoked and that they do not leave with company data, is also vital. Nearly 70% of outgoing employees admit to taking some data with them out the door. If credentials are also left intact, you may as well leave the door open for them. Privileged access management is a great way to manage users.
Although unintended insider threats remain the biggest concern, it’s the malicious ones that can cause the worst disaster.