Don’t Analyse Everything – Analyse the Right Thing to Detect and Respond to Insider Threats

Jeffrey Kok, Director of Pre-Sales, Asia Pacific and Japan

In 2013, organizations worldwide started to take insider threats seriously, thanks to a man named Edward Snowden. Yet, his is just one of many cases of authorized insiders who have caused damage – both intentionally and accidentally – to the organizations that trusted them. From the Sage Group incident in the UK to the case of Harold Martin to, most recently, the IT admin who allegedly held a university’s email system hostage in exchange for $200,000, insider threats are a constant in today’s world. What’s worse, these examples don’t even begin to touch on the 50 percent of breaches each year that are caused by inadvertent human error.

While many organizations have recognized this “threat from within” and bolstered protections accordingly, efforts typically focus on malicious insiders. However, a recent survey[1] of Information Security Forum (ISF) members shows that the vast majority of insider breaches were caused by inadvertent employee behaviour; not by malicious users. To effectively protect against the insider threat, you must first understand who the insiders are. Insider threat actors can be categorized into four main groups: Exploited Insiders, External Insiders, Malicious Insiders and Unintentional Insiders.

The Exploited Insider
Attackers commonly target high-value employees—such as sysadmins, IT help desk teams and executives—with spear phishing emails, and it only takes one victim for an attacker to establish a foothold inside the organization. Once inside a high-value user’s machine, attackers can capture their privileged credentials, further escalate privileges, execute pass-the-hash attacks to move to connected systems, and ultimately gain full domain-level access to—and control over—sensitive data and IT systems.

The External Insider
At least 60 percent of organizations[2] allow third-party vendors to remotely access their internal networks, and just like employees, these external users can turn into exploited, unintentional and malicious insiders. Yet, these users are not managed by your organization, which makes it difficult to secure and control their privileged access to your resources. According to a recent survey by the Ponemon Institute[3], 49 percent of respondents admitted that their organization has already experienced a data breach caused by a third-party vendor, and 73 percent see the problem increasing.

The Malicious Insider
Malicious insiders account for just 26 percent of internal incidents[4], yet they are the most difficult to detect[5] and are the most costly. Malicious insiders—such as disgruntled employees or those in need of financial resources—have knowledge of, and access to, sensitive information and can often legitimately bypass security measures.

The Unintentional Insider
Most employees are not out to steal sensitive information; they’re simply trying to do their jobs. For some, this means storing files in Dropbox or sending information via personal email—actions that may seem harmless, but can unintentionally put data and systems at risk. In a recent survey from PwC, 50% of organizations reported that their single worst breach during the previous year was attributed to inadvertent human error[6].

Insiders, like all attackers, can have a variety of end goals, but they also all have one thing in common: they target the data and systems to which they have access. Any asset that sits between the attacker’s initial point of access and the attacker’s final end goal can be at risk. As such, all data and systems in your organization (especially those that enable lateral movement) are potential targets.

While it’s not easy to predict who will go rogue, research points to some key indicators that can help you identify high-risk users prior to an attack. Seventy percent of malicious insiders had been reprimanded for inappropriate behaviour—missing work, arguing with co-workers or poor performance—prior to carrying out malicious activity[7]. Organizations can benefit from applying increased scrutiny to such employees.

Here’s how automated analysis of privileged session activity can improve your insider threat detection, investigation and response processes:

Identify and define risks. Define the activities that are particularly high-risk in your organization, and customize your solution to alert you when these activities occur. The activities considered “high-risk” will likely differ from organization to organization, but if you’re not quite sure where to start, check out these recommendations as a starting point.

Track everything. When your privileged users access high-value systems, record everything they do. By tracking each and every action they take during privileged sessions, you’ll have a data stream that can be automatically analysed. If something suspicious occurs, you’ll have a full video recording to review exactly what happened.

Automate threat detection. You don’t have the time to manually sift through session recordings to look for suspicious behaviour – nor should you. Automate the review of privileged user sessions to detect high-risk activity as soon as it occurs.

Respond quickly. With the automated review of user activity, you can be alerted to potential insider attacks immediately. Once you see the alert, you can investigate the situation, watch the suspicious session if it’s still in-progress, and terminate the session to stop any further damage from occurring.

Prioritize audit review. Enable your auditors to be more effective. By applying risk indexes to recorded sessions, auditors can easily prioritize sessions for review, complete audits faster and deliver greater value to the business.
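The five steps above, reduced to a minimal scoring pipeline, as an added example that is not code from the original post or from any vendor product: the high-risk rules, their weights, the watchlist of users under increased scrutiny, the alert threshold and the session log lines are all constructed for illustration.

```python
"""Score recorded privileged-session commands, raise alerts and rank sessions
for audit review. All rules, users and log lines are constructed examples."""
import re
from collections import defaultdict

# Constructed high-risk activity rules: (name, command pattern, risk weight).
# Real rule sets depend on the organization (see "Identify and define risks").
HIGH_RISK_RULES = [
    ("credential-store-read", re.compile(r"/etc/shadow|\bntds\.dit\b", re.I), 40),
    ("privilege-escalation", re.compile(r"\bsudo\s+su\b|\bnet\s+user\b.*\s/add", re.I), 30),
    ("log-tampering", re.compile(r"rm\s+-rf\s+/var/log|wevtutil\s+cl", re.I), 50),
    ("external-transfer", re.compile(r"\b(scp|curl|rsync)\b.*\b(dropbox|gmail|@[a-z]+\.com)", re.I), 35),
]
ALERT_THRESHOLD = 60
# Users already flagged for increased scrutiny get a risk multiplier (assumption).
WATCHLIST = {"jdoe": 1.5}

# Constructed session recording, one "session_id user command" per line.
SESSION_LOG = """\
S1 admin01 tail -n 50 /var/log/syslog
S1 admin01 systemctl restart nginx
S2 jdoe sudo su -
S2 jdoe cat /etc/shadow
S3 vendor7 scp /srv/db/backup.tgz upload@dropbox.com:/
S3 vendor7 rm -rf /var/log/auth.log
"""

def score_sessions(log_text):
    """Return {session_id: {"user", "score", "hits"}} for every recorded session."""
    sessions = defaultdict(lambda: {"user": None, "score": 0.0, "hits": []})
    for line in log_text.splitlines():
        sid, user, cmd = line.split(" ", 2)
        session = sessions[sid]
        session["user"] = user
        for name, pattern, weight in HIGH_RISK_RULES:
            if pattern.search(cmd):
                session["score"] += weight * WATCHLIST.get(user, 1.0)
                session["hits"].append(name)
    return dict(sessions)

def alerts(scored):
    """Session ids whose risk index reaches the alert threshold (respond quickly)."""
    return sorted(sid for sid, s in scored.items() if s["score"] >= ALERT_THRESHOLD)

def review_order(scored):
    """Session ids ranked by risk index, highest first (prioritize audit review)."""
    return [sid for sid, _ in sorted(scored.items(), key=lambda kv: -kv[1]["score"])]
```

In practice the session records would come from the session recorder rather than an inline string, and the rules would be tuned against the organization's own definition of high-risk activity.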

When it comes to threat detection, there is a lot of data you can analyse, but to protect your organization’s most sensitive assets, you need to focus on what matters most. By proactively analysing privileged user activity on high-value assets, you can focus your efforts on your most sensitive users and information to gain prioritized, actionable alerts that can help you quickly detect and respond to attackers inside your network.

[1] “Information Security Forum Examines Security Risks of Insider Threats.” Information Security Forum, January 2016
[2] “Global Advanced Threat Landscape Survey.” CyberArk, 2014
[3] “Data Risk in the Third-Party Ecosystem.” Ponemon Institute Research Report, April 2016
[4] “Understand The State Of Data Security And Privacy: 2015 To 2016.” Forrester Research, January 2016
[5] “Verizon 2016 Data Breach Investigations Report.” Verizon, April 2016
[6] “2015 Information Security Breaches Survey.” HM Government, conducted by PwC, June 2015
[7] “Preventing and Profiling Malicious Insider Attacks.” Australian Government Department of Defence, April 2012
