Don’t Analyse Everything – Analyse the Right Thing to Detect and Respond to Insider Threats
Jeffrey Kok, Director of Pre-Sales, Asia Pacific and Japan
In 2013,
organizations worldwide started to take insider threats seriously, thanks to a
man named Edward Snowden. Yet, his is just one of many cases of authorized
insiders who have caused damage – both intentionally and accidentally – to the
organizations that trusted them. From the Sage Group incident
in the UK to the case of Harold Martin to, most recently, the IT admin who
allegedly held a university’s email system hostage in exchange for $200,000,
insider threats are a constant in today’s world. What’s worse, these
examples don’t even begin to touch on the 50 percent of breaches each year that are caused by
inadvertent human error.
While many organizations have recognized this
“threat from within” and bolstered protections accordingly, efforts typically
focus on malicious insiders. However, a recent survey[1]
of Information Security Forum (ISF) members shows that the vast majority of
insider breaches were caused by inadvertent employee behaviour; not by
malicious users. To effectively protect against the insider threat, you must
first understand who the insiders are. Insider threat actors can be categorized
into four main groups: Exploited Insiders, External Insiders, Malicious
Insiders and Unintentional Insiders.
The Exploited Insider
Attackers commonly target high-value employees—such as sysadmins, IT help desk
teams and executives—with spear phishing emails, and it only takes one victim
for an attacker to establish a foothold inside the organization. Once inside a
high-value user’s machine, attackers can capture their privileged credentials,
further escalate privileges, execute pass-the-hash attacks to move to connected
systems, and ultimately gain full domain-level access to—and control
over—sensitive data and IT systems.
The External Insider
At least 60 percent of organizations[2]
allow third-party vendors to remotely access their internal networks, and just
like employees, these external users can turn into exploited, unintentional and
malicious insiders. Yet, these users are not managed by your organization,
which makes it difficult to secure and control their privileged access to your
resources. According to a recent survey by the Ponemon Institute[3],
49 percent of respondents admitted that their organization has already
experienced a data breach caused by a third-party vendor, and 73 percent see
the problem increasing.
The Malicious Insider
Malicious
insiders account for just 26 percent of internal incidents[4],
yet they are the most difficult to detect[5]
and are the most costly. Malicious insiders—such as disgruntled employees or
those in need of financial resources—have knowledge of, and access to,
sensitive information and can often legitimately bypass security measures.
The Unintentional Insider
Most
employees are not out to steal sensitive information; they’re simply trying to
do their jobs. For some, this means storing files in Dropbox or sending
information via personal email—actions that may seem harmless, but can
unintentionally put data and systems at risk. In a
recent survey from PwC, 50% of organizations reported that their single worst
breach during the previous year was attributed to inadvertent human error[6].
Insiders,
like all attackers, can have a variety of end goals, but they also all have one
thing in common: they target the data and systems to which they have access.
Any asset that sits between the attacker’s initial point of access and the
attacker’s final end goal can be at risk. As such, all data and systems in your
organization (especially those that enable lateral movement) are potential
targets.
While it’s
not easy to predict who will go rogue, research points to some key indicators
that can help you identify high-risk users prior to an attack. Seventy percent
of malicious insiders had been reprimanded for inappropriate behaviour—missing
work, arguing with co-workers or poor performance—prior to carrying out
malicious activity[7].
Organizations can benefit from applying increased scrutiny to such employees.
Here’s how
you can use this new capability to improve your insider threat detection,
investigation and response processes:
Identify and define risks. Define the activities
that are particularly high-risk in your organization, and customize your
solution to alert you when these activities occur. The activities considered
“high-risk” will likely differ from organization to organization, but if you’re
not quite sure where to start, check out these recommendations as a starting
point.
Track everything. When your privileged
users access high-value systems, record everything they do. By tracking each
and every action they take during privileged sessions, you’ll have a data
stream that can be automatically analysed. If something suspicious occurs,
you’ll have a full video recording to review exactly what happened.
Automate threat detection. You don’t have the time
to manually sift through session recordings to look for suspicious behaviour –
nor should you. Automate the review of privileged user sessions to detect
high-risk activity as soon as it occurs.
Respond quickly. With the automated
review of user activity, you can be alerted to potential insider attacks
immediately. Once you see the alert, you can investigate the situation, watch
the suspicious session if it’s still in-progress, and terminate the session to
stop any further damage from occurring.
Prioritize audit review. Enable your auditors to
be more effective. By applying risk indexes to recorded sessions, auditors can
easily prioritize sessions for review, complete audits faster and deliver
greater value to the business.
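The five steps above describe one pipeline: record every command in a privileged session, score the stream against a locally defined list of high-risk activities, alert the moment a session crosses a threshold so it can be watched or terminated while still in progress, and hand auditors a risk-ranked list of recorded sessions. The following Python is an added example of that pipeline written for this page; it is not CyberArk's code or any vendor's product logic. The record layout, the rule regexes, the weights, the off-hours bump and the alert threshold are all illustrative assumptions, and the session events are constructed sample data.

```python
"""Risk-index privileged session recordings (added example, not vendor code).

Assumes a session-recording system that emits one record per command run in a
privileged session. Record fields, rules, weights and the threshold below are
illustrative assumptions that an organization would replace with its own list
of high-risk activities.
"""
import re
from dataclasses import dataclass, field

# (rule name, weight, pattern over the recorded command line). Weights are assumed.
RULES = [
    ("audit_tampering", 50, re.compile(
        r"\b(auditctl\s+-e\s+0|systemctl\s+(stop|disable)\s+auditd|wevtutil\s+cl)\b")),
    ("log_clearing", 40, re.compile(r"\b(rm|truncate|shred)\b.*(/var/log|\.log\b)")),
    ("privilege_grant", 30, re.compile(
        r"\b(usermod\s+-aG\s+(sudo|wheel)|visudo|net\s+localgroup\s+administrators\b.*/add)")),
    ("bulk_export", 25, re.compile(
        r"\b(tar|zip|scp|rsync|rclone)\b.*(/srv/finance|/srv/hr|customer)")),
    ("credential_access", 35, re.compile(r"(/etc/shadow|ntds\.dit|\blsass\b)")),
]
OFF_HOURS_WEIGHT = 10  # assumed bump for commands run between 22:00 and 06:00
ALERT_THRESHOLD = 60   # assumed risk index at which a live session is surfaced


@dataclass
class SessionRisk:
    session_id: str
    user: str
    host: str
    risk_index: int = 0
    triggered: list = field(default_factory=list)  # (time, rule names, command)
    alerted: bool = False


def score_event(event):
    """Return (points, rule_names) for a single recorded command."""
    points, names = 0, []
    for name, weight, pattern in RULES:
        if pattern.search(event["command"]):
            points += weight
            names.append(name)
    hour = int(event["time"][11:13])  # ISO-8601 timestamp, hour field
    if hour >= 22 or hour < 6:
        points += OFF_HOURS_WEIGHT
        names.append("off_hours")
    return points, names


def process_stream(events):
    """Score events in arrival order; return (sessions, alerts).

    An alert is raised the first time a session's risk index reaches
    ALERT_THRESHOLD, while the session may still be in progress, so a
    responder can watch it or terminate it rather than review it afterwards.
    """
    sessions, alerts = {}, []
    for ev in events:
        s = sessions.setdefault(
            ev["session"], SessionRisk(ev["session"], ev["user"], ev["host"]))
        points, names = score_event(ev)
        if points:
            s.risk_index += points
            s.triggered.append((ev["time"], ",".join(names), ev["command"]))
        if s.risk_index >= ALERT_THRESHOLD and not s.alerted:
            s.alerted = True
            alerts.append((ev["time"], s.session_id, s.user, s.risk_index))
    return sessions, alerts


def prioritize_for_audit(sessions):
    """Order recorded sessions for auditor review, highest risk index first."""
    return sorted(sessions.values(), key=lambda s: (-s.risk_index, s.session_id))


# Constructed sample records; hosts, users and commands are made up for the example.
SAMPLE_EVENTS = [
    {"session": "S-1001", "user": "dba_alice", "host": "db01",
     "time": "2016-09-12T10:02:11", "command": "psql -c 'SELECT count(*) FROM orders'"},
    {"session": "S-1001", "user": "dba_alice", "host": "db01",
     "time": "2016-09-12T10:05:40", "command": "pg_dump orders > /tmp/orders.sql"},
    {"session": "S-1002", "user": "vendor_bob", "host": "fs01",
     "time": "2016-09-12T23:14:02", "command": "systemctl stop auditd"},
    {"session": "S-1002", "user": "vendor_bob", "host": "fs01",
     "time": "2016-09-12T23:15:30", "command": "tar czf /tmp/x.tgz /srv/hr"},
    {"session": "S-1003", "user": "sysadmin_carol", "host": "web01",
     "time": "2016-09-12T14:30:00", "command": "usermod -aG sudo deploy"},
]

if __name__ == "__main__":
    sessions, alerts = process_stream(SAMPLE_EVENTS)
    for when, sid, user, risk in alerts:
        print(f"ALERT {when} session={sid} user={user} risk={risk}")
    for s in prioritize_for_audit(sessions):
        print(f"{s.session_id:8} {s.user:15} {s.host:6} risk={s.risk_index:3} rules={len(s.triggered)}")
```

Two design points matter for the "track everything, analyse the right thing" argument. First, scoring happens per event as it arrives, so the vendor session in the sample is flagged on its first high-risk command (stopping the audit daemon at night) before the bulk copy that follows, which is the window in which terminating the session still prevents damage. Second, the audit ordering uses the cumulative risk index rather than raw volume, so the DBA's ordinary two-command session sinks to the bottom even though it was recorded in full.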
When it
comes to threat detection, there is a lot of data you can analyse, but to protect your
organization’s most sensitive assets, you need to focus on what matters most.
By proactively analysing privileged user activity on high-value assets, you can
focus your efforts on your most sensitive users and information to gain
prioritized, actionable alerts that can help you quickly detect and respond to
attackers inside your network.
[1] “Information Security Forum Examines Security Risks of Insider
Threats.” Information Security Forum, January 2016
[2] “Global Advanced Threat Landscape Survey.” CyberArk, 2014
[3] “Data Risk in the Third-Party Ecosystem.” Ponemon Institute Research
Report, April 2016
[4] “Understand The State Of Data Security And Privacy: 2015 To 2016.”
Forrester Research, January 2016
[5] “Verizon 2016 Data Breach Investigations Report.” Verizon, April 2016
[6] “2015 Information Security Breaches Survey.” HM Government, Conducted
by PwC, June 2015
[7] “Preventing and Profiling Malicious Insider Attacks.” Australian
Government Department of Defence, April 2012