A holistic approach to dealing with risk from within
Insider threats in cyber security are threats posed by individuals from within an organization, such as current or former employees, contractors and partners. These individuals have the potential to misuse access to networks and assets to wittingly or unwittingly disclose, modify and delete sensitive information. Information at risk of being compromised could include details about an organization's security practices, customer and employee data, login credentials and sensitive financial records. The nature of insider threats means that traditional preventative security measures are often ineffective.
Traditional security measures tend to focus on external threats and are not always capable of identifying an internal threat emerging from inside an organization.
Someone who maliciously and intentionally abuses legitimate credentials, typically to steal information for financial or personal incentives. They have an advantage over other attackers because they are familiar with the security policies and procedures of an organization, as well as its vulnerabilities.
An innocent pawn who unknowingly exposes the system to outside threats. This is the most common type of insider threat, resulting from mistakes, such as leaving a device exposed or falling victim to a scam.
Accidental insider threat can be equally risky to the organization and is unfortunately quite common, accounting for 25% of data breaches in 2017. These are employees, vendors and partners with the best of intentions, but may accidentally click a link, forgo company policy, or accidentally leak information outside the organization.
Some cyber security experts believe that negligent and malicious employees are the most common actors in insider attacks. For example, in its 2019 Insider Threat Report [PDF], Verizon placed careless workers and misuse of assets at the top of their threat actors list. At the same time, they didn’t even mention privileged users. However, most of the cyber security community thinks otherwise. Cyber security Insiders surveyed [PDF] security professionals to identify the riskiest types of insiders. Here’s what types of users most of them consider the most dangerous:
These users are particularly threatening since they hold all the keys to the organization’s infrastructure and sensitive data. Because of their high level of access, harmful activity by privileged users is difficult to detect as they don’t break any cyber security rules when accessing sensitive resources.
Regular users are not so dangerous compared to privileged users, but they still can harm an organization. For instance, they can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, become a victim of a phishing attack, etc.to detect as they don’t break any cyber security rules when accessing sensitive resources.
— Vendors, business partners, and temps may not follow cyber security rules and practices implemented in your organization or may violate them unknowingly. Also, hackers can breach a third-party vendor with a low level of security to get inside your protected perimeter.
— C-level executives have access to the most confidential and sensitive information about an organization. This category of users may abuse their knowledge for insider trading, personal gain, or corporate or government infiltration.
Insiders have direct access to data and IT systems, which means they can cause the most damage. According to a 2015 Intel Security study, insider threat actors were responsible for 43% of attacks, split evenly between malicious and unintentional actors. According to the IBM X-Force 2016 Cyber Security Intelligence Index, insider cyber security threats are an even bigger problem. From 2015 to 2016, the percentage of attacks carried out by all insiders grew from 55% to 60% according to the study. Of those, about 73.6% were carried out by malicious insiders — or 44.5% of total attacks. Insider threat mitigation is difficult because the actors are trusted agents, who often have legitimate access to company data. As most legacy tools have failed us, many cyber security experts agree that it is time to move on.
A lot of cyber security companies develop their strategies around preventing external threats. However, sometimes the worst attacks come from within.
Here are a few key benefits to looking into insider threat detection:
Monitoring and Reporting: Depending on the software or cyber security companies you invest in; insider threat detection should have some level of quick monitoring and reporting. As with other cyber security threats, if you are unable to make sense of the threat detections, it will be hard to do much about them.
Identify Patterns: Insider threats often come in patterns. If you have a way to identify and monitor internal breaches, it can help you begin to recognize the patterns within your own organization. This can help you make your company stronger against existing and future vulnerabilities.
User access management program is essential for insider threat detection. A report from the Ponemon Institute revealed that 62% of end users say they have access to company data they shouldn’t see. By following the least privilege model, all of your employees will only have access to information required to perform their jobs – no more and no less. This helps prevent data loss by restricting unauthorized access to sensitive information.
Tools like Machine Learning (ML) applications can help analyze the data stream and prioritize the most relevant alerts. You can use digital forensics and analytics tools like User and Event Behavior Analytics (UEBA) to help detect, analyze, and alert the security team to any potential insider threats. User behavior analytics can establish a baseline for normal data access activity, while database activity monitoring can help identify policy violations.
The bulk of insider threats facing businesses are due to negligence. While the workforce can be trained on cyber security awareness and so on, one cannot rule out possibilities of human error from time to time. Cyber security is about eliminating risks, which includes reducing the attack surface; if a breach does occur, it can be contained easily. In authentication, this can be implemented by using the least privilege principle. Least privilege means that no worker gains access to more data than is needed to perform their tasks at any point. In addition to identity verification, Risk Based Authentication (RBA) collects information about a user’s location, device, time of access, etc. to determine that no breach is being attempted. Avoiding two-factor authentication, RBA estimates a risk score based on login behavior.
You won’t be able to detect insider threats without monitoring your employees. In order to make employee monitoring effective, you should first establish a baseline of normal behavior – their user access level, hours usually worked, files usually opened and downloaded, etc.
Then, look out for signs of abnormal behavior such as:
Once an employee behaves abnormally, immediately intervene and find out why they’re doing what they’re doing before they cause any damage.
And these costs keep rising by the year.
The Ponemon Institute conducted two studies on the cost of insider threats: in 2018 and in 2020. According to their reports, the total average cost of a threat increased by 31% between 2017 and 2019, from $8.76 million to $11.45 million. Companies from North America suffer the most from insider attacks and their consequences: the average cost in this region increased from $11.1 million to $13.3 million. The average total spending on a single insider threat incident (including monitoring, investigation, escalation, incident response, containment, ex-post analysis, and remediation)also went up from $513,000 to $756,760
If you’re looking for a way to improve your security monitoring, our team of experts at Iraje Software can help you make an assessment and come up with a solution. We offer support to all available SIEM solutions out of the box which can help your organization to protect every endpoint device, bypass alerts, and server access within your network in your system or outside your network, and so on. If you want to take your company’s security to the next level, then consult with us today. For more details, kindly reach us at firstname.lastname@example.org