Sometimes the most dangerous security threats come from inside the firewall.
A small minority of employees and other trusted individuals will compromise their organisations, whether by accident or design. Motivations for insider threats include:
These motivations are as old as time. However, because being connected to corporate networks gives individuals access to more network assets than ever, the incident rate of these types of security events has soared. In 2007, a KPMG study reported that only 7% of attacks involved insiders. By 2015, IBM estimated that insiders caused at least 60% of security incidents.
Since the pandemic, insider threat risk has skyrocketed. Incidence rates have grown by almost 50% since 2020. The cost of a typical insider threat incident has also risen by over 30%.
Today, insider threats are common and can be devastating. Many organisations notice an insider threat has occurred long after the fact, such as in the event of intellectual property theft or when sensitive information is leaked online.
According to CISA, insider threats are a “complex and dynamic” security risk. Stopping them means taking a holistic approach to security.
Insider threats succeed when trusted individuals with network access either intentionally (i.e., “malicious insiders”) or negligently (i.e., “non-malicious insiders”) exfiltrate files, damage system assets, or allow third parties to gain network access.
The starting point for an insider threat can be anything from an employee losing a USB key to someone installing ransomware onto a network-connected endpoint in return for a share of the profits.
To spot insider threats before they happen, security teams need to make HR and help desk teams and other employees aware of behavioural risk indicators.
In a concept that CISA describes as using “people as sensors,” stakeholders need awareness training to spot and share potential insider triggers such as:
However, teaching employees how to spot likely insider threat actors is only part of what companies need to do to reduce insider risk.
Organisations also need a tool stack that is capable of:
Insider threat detection tools spot malicious behaviour and activity within an organisation.
They look for common insider threat indicators like unusual login times or file transfers and pick up on suspicious activities that might indicate exfiltration or malware deployment attempts.
Some tools alert cybersecurity teams in real time, while others can automatically take action before threats escalate.
Common insider threat detection tools include:
Security information and event management (SIEM) solutions collect log data from devices and networks across an organisation’s IT environment.
When configured correctly, a SIEM platform can alert security teams to device and user actions that might indicate an insider threat is in progress, like sensitive data exfiltration or sudden excessive permissions for non-privileged users.
The downside of SIEM solutions is that they can create excessive volumes of false-positive alerts. SIEMs often confuse normal user behaviour with malicious activity.
Endpoint detection and response (EDR) solutions collect data from endpoints, analyse it and automatically take a predetermined course of action.
EDRs are useful for stopping insider threats because they can detect unusual usage of user credentials inside a network. For example, an EDR solution can spot incidents when user accounts are accessed from foreign IPs and then take action to stop connections.
To deploy an EDR as an insider threat mitigation tool, it must be carefully configured to assess and triage unusual behaviour without causing disruption.
Log management tools collect device usage logs from endpoints and applications such as user accounts, servers, and printers.
Security teams can configure log management tools to send email alerts when a specific activity, like the use of a printer to print a sensitive document, takes place.
Log management tools can aid incident response and forensic investigation of insider threats.
User and Entity Behaviour Analytics (UEBA), sometimes also known as User Behaviour Analytics (UBA), are monitoring solutions that leverage AI and machine learning to spot and stop user and device behaviour that might signal an insider attack is in progress.
For example, a UEBA tool could spot and disconnect a user who typically downloads only a few megabytes of data in a normal workday but suddenly downloads multiple gigabytes.
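The download-volume baseline described above, as an added example that is not SenseOn's or any vendor's code: it builds a per-user daily baseline from a constructed transfer log and flags a day whose total is far above the median of that user's other days. The log format, the threshold factor and the minimum-history rule are assumptions for illustration.

```python
"""Baseline-deviation check for per-user download volume (constructed example)."""
from collections import defaultdict
from statistics import median

# Constructed sample transfer log: (user, ISO date, bytes downloaded in one event).
# "alice" normally moves a few MB a day, then moves ~3 GB on 2024-03-08.
# "carol" has too little history to baseline, so she is deliberately not flagged.
SAMPLE_LOG = [
    ("alice", "2024-03-01", 1_500_000), ("alice", "2024-03-04", 3_000_000),
    ("alice", "2024-03-05", 2_200_000), ("alice", "2024-03-06", 900_000),
    ("alice", "2024-03-07", 2_700_000),
    ("alice", "2024-03-08", 1_600_000_000), ("alice", "2024-03-08", 1_400_000_000),
    ("bob", "2024-03-04", 50_000_000), ("bob", "2024-03-05", 48_000_000),
    ("bob", "2024-03-06", 55_000_000), ("bob", "2024-03-07", 51_000_000),
    ("carol", "2024-03-07", 1_000_000), ("carol", "2024-03-08", 5_000_000_000),
]


def daily_totals(events):
    """Sum bytes per (user, day) and group the result by user."""
    totals = defaultdict(int)
    for user, day, nbytes in events:
        totals[(user, day)] += nbytes
    per_user = defaultdict(dict)
    for (user, day), total in totals.items():
        per_user[user][day] = total
    return per_user


def flag_outliers(events, factor=20, min_days=3):
    """Return (user, day, total, baseline) where total > factor * baseline.

    The baseline is the median of the user's *other* days, so a single spike
    cannot inflate its own baseline, and the median resists past spikes better
    than a mean would. Users with fewer than min_days of history are skipped
    rather than judged against an unreliable baseline.
    """
    alerts = []
    for user, days in daily_totals(events).items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if len(others) < min_days:
                continue  # not enough history to know what "normal" is
            baseline = median(others)
            if baseline > 0 and total > factor * baseline:
                alerts.append((user, day, total, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, total, baseline in flag_outliers(SAMPLE_LOG):
        print(f"{user} on {day}: {total:,} bytes vs baseline {baseline:,}")
```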
Insider Threat Management (ITM) software is a type of security solution marketed explicitly as a way for companies to manage insider threats.
The functionality of an ITM solution will vary depending on which vendor offers it.
ITM solutions often use some of the same capabilities seen in SIEM, EDR or UEBA solutions but feature a dedicated insider threat dashboard.
Security automation is a technology that allows security teams to automate routine elements of security data collection, analysis, and response. Security automation is a powerful method for detecting and stopping insider threat attack chains early.
Technologies like XDR, SOAR, and self-driving cyber defence use security automation to find and react to potential insider threat activity much faster and more effectively than is possible through manual analysis or predetermined rules.
Security automation can also reduce the number of false-positive alerts that insider threat mitigation activity creates.
99% of the network activity created by trusted insiders is not malicious. Finding the 1% that might be a threat is an incredible challenge. Someone you talk to on Slack, share a building with, or even had a coffee with this morning could become a threat actor due to a multitude of reasons.
In most businesses, network conditions change all the time. No tool will come preset for your network environment or risk tolerance. The tools that your security team configures to a particular rule set will fail when configurations or user behaviour changes.
Without security automation, it is almost impossible for security teams to understand what baseline network behaviour looks like.
SenseOn’s self-driving cyber defence platform overcomes this problem by thinking like a human analyst. Powered by machine learning, SenseOn can learn what “normal” behaviour inside your systems looks like and determine the best way to react to different machine and user activity.
When SenseOn spots deviations from typical device and employee activity on endpoints or servers, it immediately compares the logs it sees to previous cases and its knowledge of MITRE ATT&CK techniques. When activity remains suspicious, SenseOn takes the most efficient action to protect network assets and stop threat movement. Threat cases are then elevated to security teams for further analysis.
To learn more about how SenseOn can help detect and prevent insider threats, schedule a demo today.