How to improve insider threat detection

What is an insider threat?

Of all the threats facing today’s enterprise networks, insider threats are among the most dangerous. An insider threat is a current or former employee in an organization who has access to part or all of the organization’s sensitive data, and who uses their access to this data negligently or maliciously.

Insiders can operate in various ways, and can be divided into three categories:

1. Negligent insiders are those who disregard policies and engage in risky behavior, such as sharing login credentials, opening suspicious emails or visiting malicious websites.

2. Compromised insiders are those who have had their account credentials compromised. Negligent insiders often become compromised insiders as a result of their actions.

3. Malicious insiders are those who abuse their positions to harm an organization. They may do so for personal gain or to benefit another organization.

According to a recent report from Cybersecurity Insiders, accidental insider-related breaches are just as common as deliberate, malicious incidents. Of the 472 cybersecurity professionals surveyed, 51% were most concerned about accidental incidents, while 47% were most concerned about deliberate insider attacks. Additionally, 90% said that their organizations are at least “slightly vulnerable” to insider threats.

An example of a negligent insider was recently seen in the RSA attack, where an employee opened an attachment named “2011 Recruitment Plan.xls”. The file infected the employee’s desktop computer with a backdoor, which in turn helped the attackers compromise the SecurID two-factor authentication system.

How to detect these threats?

Detecting insider threats can be a challenge. It is difficult to reach and maintain high accuracy when monitoring and analysing the activity of every employee and former employee. As the IT sector grows, more attention is being given to insider threat detection through investment in cybersecurity programs and applications.

Managing and detecting insider threats is a multifaceted task, extending beyond employees to remote vendors and other users involved in the organization. The basic goal of this task is to strengthen and secure your data from theft, fraud and damage.

Who and what is at risk?

While any company may be a victim, research shows that certain companies, such as those in banking and finance, encounter these issues more frequently. In addition, public sector infrastructure, such as networks used by government agencies, is at high risk. The kind of data your organization works with, the region it operates in, and the sector it is part of are the major factors that determine the likelihood of being affected by insider threats.

Protecting any data requires understanding which IT assets are prone to attack. The most important assets are databases, file servers and cloud-based infrastructure that contain employee, customer and financial information. Other assets that have recently been garnering attention are endpoints such as personal mobile phones, laptops, and business applications.

How to combat malicious insiders?

To mitigate these risks and protect systems, insider threats need to be identified quickly and correctly. Malicious insiders may transfer data from one drive to another, attempt to bypass security controls, and access confidential data that isn’t relevant to their work. In some cases, they also install unapproved and unnecessary applications or software. Watch out for these activities to identify a malicious insider easily and implement effective damage control.

Enable context-aware security

Context-aware security restricts access to a network from unauthorized devices, which helps shut out attackers using compromised logins. Simultaneous logins from different devices can also be blocked. Knowing who has access to a network and how that access is being used keeps organizations one step ahead.
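The two controls described above, a device check on every login and a block on simultaneous logins from different devices, can be expressed as detection logic over authentication events. The following is an added example, not code from the original article; the device inventory, the log line format, the ten-minute overlap window and the sample log lines are all constructed assumptions.

```python
"""Context-aware login checks over constructed authentication events.

Added example (not from the original article). Assumes a device inventory
mapping each user to the device IDs they are enrolled to use, and that each
login event is one line of the form "<iso-timestamp> user=<u> device=<d> ip=<ip>".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed device inventory: user -> set of enrolled device ids (assumption).
REGISTERED_DEVICES = {
    "alice": {"LAPTOP-A1"},
    "bob": {"LAPTOP-B1", "PHONE-B2"},
}

# Logins by one user from different devices closer together than this are flagged.
CONCURRENT_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    device: str
    src_ip: str


def parse_event(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(datetime.fromisoformat(ts_str), kv["user"], kv["device"], kv["ip"])


def unregistered_device_alerts(events):
    """Logins from a device not enrolled for that user: a compromised-credential indicator."""
    return [e for e in events if e.device not in REGISTERED_DEVICES.get(e.user, set())]


def concurrent_login_alerts(events):
    """Pairs of logins by the same user from different devices within CONCURRENT_WINDOW."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second.ts - first.ts > CONCURRENT_WINDOW:
                    break  # events are time-sorted, so later ones are further apart
                if first.device != second.device:
                    alerts.append((user, first.device, second.device))
    return alerts


# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-01-15T09:00:00 user=alice device=LAPTOP-A1 ip=10.0.0.5
2024-01-15T09:03:00 user=alice device=UNKNOWN-77 ip=203.0.113.9
2024-01-15T09:10:00 user=bob device=LAPTOP-B1 ip=10.0.0.8
2024-01-15T09:40:00 user=bob device=PHONE-B2 ip=10.0.0.9
"""


def analyse(log_text: str) -> dict:
    """Run both checks over a block of log text and return the findings."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return {
        "unregistered": [(e.user, e.device) for e in unregistered_device_alerts(events)],
        "concurrent": concurrent_login_alerts(events),
    }


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(kind, items)
```

In the sample, alice's second login comes from a device that is not in her inventory and overlaps her laptop session by three minutes, so both checks fire; bob's two logins are from enrolled devices thirty minutes apart and stay silent. In a real deployment the inventory would come from the MDM or directory, and the first check would deny the login rather than just report it.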

Opt for Data Loss Prevention (DLP) mechanisms that ensure end users do not send confidential information via email or file transfer systems. This usually means limiting access to approved websites, and strong filtering and monitoring of emails sent outside the network. Encryption of data - in active use, in transit, and at rest - is another step that ensures information is not easy to read or transfer.
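As an added illustration of the outbound-email filtering just described (this is example code, not the article's or any vendor's DLP product), the check below inspects only mail leaving an allow-list of approved domains, and blocks it if the text carries a Luhn-valid payment card number, a confidentiality marker, or a confidentially labelled attachment. The domain allow-list, the "CONFIDENTIAL" labelling convention and the sample messages are constructed assumptions.

```python
"""Outbound e-mail DLP check over constructed messages.

Added example, not code from the original article. Assumes an allow-list of
approved recipient domains and a "CONFIDENTIAL" marker convention; both are
constructed assumptions, as are the sample messages below.
"""
import re

APPROVED_DOMAINS = {"example.com", "partner.example.net"}   # constructed allow-list
CONFIDENTIAL_MARKER = "CONFIDENTIAL"                        # assumed labelling convention
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings in text that have card-number length and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def is_external(address: str) -> bool:
    """True when the recipient domain is not on the approved list."""
    return address.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS


def classify_outbound(message: dict) -> dict:
    """Verdict for one message: 'allow' or 'block', with the reasons."""
    reasons = []
    # Only mail leaving the approved domains is inspected; internal mail passes.
    if any(is_external(rcpt) for rcpt in message["to"]):
        text = f"{message['subject']}\n{message['body']}"
        cards = find_card_numbers(text)
        if cards:
            reasons.append(f"{len(cards)} payment card number(s) in message")
        if CONFIDENTIAL_MARKER in text.upper():
            reasons.append("confidentiality marker in message")
        for name in message.get("attachments", []):
            if CONFIDENTIAL_MARKER in name.upper():
                reasons.append(f"confidential attachment: {name}")
    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample messages (not real data; 4111... is a standard test number).
SAMPLE_MESSAGES = [
    {"to": ["bob@example.com"], "subject": "Expense refund",
     "body": "Card on file: 4111 1111 1111 1111", "attachments": []},
    {"to": ["someone@mail.invalid"], "subject": "fyi",
     "body": "Card on file: 4111 1111 1111 1111", "attachments": []},
    {"to": ["someone@mail.invalid"], "subject": "Order status",
     "body": "Order 1234 5678 9012 3456 has shipped.", "attachments": []},
    {"to": ["someone@mail.invalid"], "subject": "Q3 numbers",
     "body": "See attached.", "attachments": ["Q3-forecast-CONFIDENTIAL.xlsx"]},
]


def run(messages=SAMPLE_MESSAGES) -> list[str]:
    """Return the verdict for each sample message, in order."""
    return [classify_outbound(m)["action"] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["to"], classify_outbound(m))
```

The third sample shows why the Luhn check matters: a sixteen-digit order number looks like a card number to the regular expression but fails the checksum, so the message is not blocked. The first sample passes because the recipient is internal; a real deployment would also log the allowed internal mail for monitoring.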

Provide training

Training employees about company-specific threats and vulnerabilities makes them aware of the risks, challenges and responsibilities they may face. This training can be tailored to physical and network access levels, account privilege rights and job responsibilities.

Phishing has been identified as the biggest enabler of accidental insider attacks. Phishing is the practice of sending malware over email, via either a fraudulent website link or an attachment, to make the user give away important information such as credit card details and identification. While users can be trained to avoid and report phishing attacks, also implement strict regulations that enforce strong passwords, auto-locking devices and secure Wi-Fi networks.

Use an analytics program

Properly deploying and configuring an advanced analytics program makes it possible to correlate the output from a variety of security tools. The results can, in turn, be used to identify insider threat leads for investigative purposes. Analytics can also shed new light on processes and policies that are missing or need improvement. Analytics platforms grant insight into high-risk behaviors across an organization.
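The correlation described above, combining output from several tools into investigative leads, is shown below as an added example (not the article's code and not any particular analytics product). It scores the malicious-insider indicators listed earlier on the page, namely bulk copying of data, access to confidential data outside the user's role, and installation of unapproved software, together with a resignation notice from HR and a DLP block. The directory, share ownership map, approved-software list, indicator weights, lead threshold and sample events are all constructed assumptions.

```python
"""Cross-tool correlation producing insider-threat investigation leads.

Added example, not from the original article. All reference data, weights and
events below are constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed "HR directory": user -> department.
DIRECTORY = {"alice": "engineering", "bob": "finance", "carol": "sales"}
# Constructed map: file share -> department that legitimately uses it.
SHARE_OWNER = {"finance-share": "finance", "eng-share": "engineering"}
# Constructed allow-list of approved software.
APPROVED_SOFTWARE = {"vscode", "slack"}
# Copying at least this many files from one share in one event counts as a bulk copy.
BULK_COPY_FILES = 100

# Indicator weights and the score at which a user becomes a lead (tuning assumptions).
WEIGHTS = {
    "notice_given": 30,        # HR: employee has resigned / is leaving
    "out_of_role_access": 25,  # file server: share not owned by user's department
    "bulk_copy": 20,           # file server: large transfer in one event
    "unapproved_install": 15,  # endpoint: software outside the allow-list
    "dlp_block": 30,           # DLP: outbound transfer was blocked
}
LEAD_THRESHOLD = 50

# Constructed events, already normalised to dicts with a "source" and a "user".
EVENTS = [
    {"source": "hr", "user": "alice", "event": "resignation_notice"},
    {"source": "fileserver", "user": "alice", "share": "finance-share", "files": 340},
    {"source": "fileserver", "user": "bob", "share": "finance-share", "files": 12},
    {"source": "endpoint", "user": "alice", "action": "install", "software": "torrentclient"},
    {"source": "endpoint", "user": "carol", "action": "install", "software": "slack"},
    {"source": "dlp", "user": "carol", "action": "block"},
]


def indicators_for(event: dict) -> list[str]:
    """Map one normalised event from any tool to zero or more indicator names."""
    src = event["source"]
    if src == "hr" and event.get("event") == "resignation_notice":
        return ["notice_given"]
    if src == "fileserver":
        found = []
        if SHARE_OWNER.get(event["share"]) != DIRECTORY.get(event["user"]):
            found.append("out_of_role_access")
        if event["files"] >= BULK_COPY_FILES:
            found.append("bulk_copy")
        return found
    if src == "endpoint" and event.get("action") == "install" \
            and event["software"] not in APPROVED_SOFTWARE:
        return ["unapproved_install"]
    if src == "dlp" and event.get("action") == "block":
        return ["dlp_block"]
    return []


def score_users(events) -> dict:
    """Per-user (score, sorted indicator list); each indicator counts once per user."""
    hits = defaultdict(set)
    for e in events:
        hits[e["user"]].update(indicators_for(e))
    return {u: (sum(WEIGHTS[i] for i in inds), sorted(inds)) for u, inds in hits.items()}


def investigation_leads(events, threshold: int = LEAD_THRESHOLD) -> list:
    """Users at or above the threshold, highest score first."""
    scored = score_users(events)
    leads = [(u, s, inds) for u, (s, inds) in scored.items() if s >= threshold]
    return sorted(leads, key=lambda t: -t[1])


if __name__ == "__main__":
    for user, score, inds in investigation_leads(EVENTS):
        print(f"{user}: {score} {inds}")
```

Only alice crosses the threshold: no single tool's event is alarming on its own, but a resignation notice, a bulk copy from a share her department does not own and an unapproved install together make a lead. carol's one DLP block stays below the threshold and bob's small read from his own department's share scores nothing, which is the distinction between a correlated lead and an isolated alert.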


Shomiron Dasgupta

Guest Author Shomiron Dasgupta, Founder & CEO, DNIF NextGen SIEM Platform - a renowned name in the tech space, with his extraordinary skillset as an intrusion analyst and immense passion for tech advancements, has been building threat detection systems for close to two decades and has established partners in 14 countries across several industries like healthcare, insurance, transport, banking, and media.
