In the world of cybersecurity today insider threats are a hot topic of conversation,
and for good reason. Research conducted by Crowd Research Partners and Cybersecurity
Insiders found that 90% of organizations feel vulnerable to insider attacks for
multiple reasons that include an ever-changing landscape of technology and devices
as well as excessive access privileges and other factors. Moreover, 53% of companies
confirmed insider attacks against their organization.
In the guide below, we’ll define an insider threat, explain why they’re important, and
offer the best insider threat detection tools to deter an attack or help your
company with insider threat management.
An Insider threat is a person within an organization that presents a threat of being the
root cause or entry point for a data breach. Any person that gives an opportunity for a
malicious individual to gain privileged access to sensitive information held by an
organization using sources within that organization for lateral movement throughout a
company network is considered an insider threat.
Many people have access to an organization’s network including current and former
employees, contractors, vendors and more. This means the sheer number of potential
threats make threat detection incredibly difficult to track and identify before an
attack occurs.
Insider threats can be grouped into three main categories:
The Negligent Insider
This type of insider threat is simply
unaware of the dangers associated with sharing login credentials,
opening suspicious emails, or visiting malicious websites. Negligent insiders
generally have no ill intentions towards the organization, but the everyday
careless activities of these insiders present easy access points for attackers
to begin their onslaught. Oftentimes, negligent insiders end up with a virus or
malware on their computer, which can spread to the company network to conduct an
attack.
The Compromised Insider
This insider is a lot like a negligent insider that has generally done nothing
wrong other than opening the wrong email. A compromised insider is someone that
has in some way had their credentials compromised. This can happen through a
phishing scam, a computer virus, or by sharing their login credentials with the
wrong person. The key differentiator here is that the person working for your
organization is not acting maliciously, but someone else is using their credentials
to make it appear as if that is the case.
The Malicious Insider
This insider is like a double agent — they work within the organization, but have
aspirations to bring harm to the organization or to gain access to the company’s
proprietary information for personal gain.
Common sense might sway you to believe that malicious insiders are the most
dangerous, and therefore the most prominent kind of insider attacks. While this
is true about 47% of the time, negligent and compromised insiders account for
the majority of confirmed insider attacks.
This means employees you trust that show no intentions of assisting in a data
breach actually account for more attacks than those that deliberately intend to
cause harm to an organization.
To put it simply, insider attacks are incredibly expensive. In today’s cybersecurity
landscape insider threats garner a lot of attention from security professionals for
quite a few reasons, including the fact that insider threats are costlier to detect
and contain than external attacks.
Why are insider attacks so costly? Insider attacks are more difficult to detect, and they
usually take longer to resolve, which increases the overall cost of the attack to an
organization.
On average, a malicious insider attack takes 50 days to resolve. The more time an
attacker has access to a network, the likelihood of records being taken or deleted
increases exponentially, which in turn increases the cost of a breach exponentially. The
average cost to resolve a data breach of any kind ranges between $126 and $156 for each
compromised record. Take into account the fact that the global average for the number of
records exposed or compromised during a breach is 24,089, which brings the average total
cost of a single data breach anywhere between $3.0M – 3.6M.
Considering costs at that scale, it’s easy to understand why security professionals
are so concerned about insider threats.
Who is at Risk of an Insider Attack?
The honest answer is that any company can fall victim to an insider attack, but
research shows us that certain organizations seem to be more attractive than others
from the perspective of hackers and attackers. Some factors that increase your
chances of being a target include the kind of data your organization holds, the
sector in which your organization operates, and what region of the world you
reside.
Type of Organization
Research shows that organizations in the financial sector have a higher chance of
being attacked, and when they are attacked it’s the most costly attack on
average across all industry sectors.
Region of the World
Given that financial gain is often a goal for any cybersecurity attack, the power
of your local currency (or the currency of your customers) can have a
significant impact on how often, or how heavily, your organization is targeted.
Malicious or criminal attacks often target Middle East and U.S.
organizations. In a report published by IBM and the Ponemon Institute, it was
found that on average organizations in the Middle East, India specifically, and
the United States have the largest average number of breached records.
Why do Hackers Target These Regions?
The U.S.
There are a couple of reasons for the US being targeted heavily for insider
attacks. First, the US has a powerful currency, so attacks that target
financial or personal data would have a higher yield to an attacker trying to
make a return. The US is also one of the world’s largest economies and houses
around 28 million businesses. The more businesses there are to target, the higher the
likelihood of them being targeted.
India and The Middle East
Attacks in the Middle East are more prevalent largely because they
generally go longer periods of time without being detected, which increases the
number of records compromised and increases the value or cost of the attack. In
other words, attackers have more time to work when they target organizations in
India and the Middle East.
What Organizational Information Increases Risk of Insider Threat?
The goal of an attack is often to obtain secret or confidential information held by an
organization. The type of information your organization houses may increase the chances
of an attack against your company.
Here are the top four categories of information that attackers seem to consider
high-value:
57% of Attacks Targeted Confidential Business Information
Financials, customer data, employee data are by far the most popular pieces of
information targeted by attackers. This information can be used to harm or
defame the company and its employees, or be held for ransom.
52% of Attacks Targeted Privileged Account Information
Gaining access to privileged account information allows an attacker to expose
company secrets, modify existing protocols, or steal and delete valuable
information. This information is useful to an attacker because they can log in
and navigate through company-owned networks and software without being noticed.
They can modify settings to allow something like a back door, or even inject
malicious code designed to bring a network down, and/or hold an organization for
ransom.
49% of Attacks Targeted Sensitive Personal Information
This is Personally Identifiable Information and Protected Health Information.
This information is confidential, and it often involves information of private
individuals that have either done business with an organization or have
previously been employed there.
32% of Attacks Targeted Intellectual Property
Trade secrets, research, and product designs. These pieces of information are often
held for ransom by attackers, as they’re often pivotal to a business.
What Insider Threat Detection Tools Should I Use to Protect my Company?
There are numerous
ways to protect your organization from insider threats. Your options range from
educating employees on phishing emails and other scams via seminars and training to
installing Employee Monitoring, or User Behavior Analytics Software designed to
identify, prevent, and capture attacks before they become costly. These systems can
communicate with your existing tools and automatically trigger your security protocols
without having to lift a finger.
With that said, it’s important to take the proper steps and choose the correct actions
based on your current situation.
Implement Employee Monitoring
Employee Monitoring is often the most low-cost, high-impact way to take a step
towards securing your organization from insider threats. The multi-functionality
included in most employee
monitoring software allows for the needed visibility and control to gain
insight into what insiders at your company are doing with their daily
activities, which makes it easier to recognize suspicious activity when it
arises. Moreover, you get a sort of ‘black box’ that keeps a record of everything
that happens, should a breach occur. This makes it much easier to track where a
vulnerability originated.
Event Auditing
Auditing is the most important piece of any fraud or insider threat detection
and prevention plan. You’ll want to perform audits regularly to make sure you
can spot and prevent any fraudulent activity. There is more than one way to
perform an audit, but the idea is to get an understanding of what the usual
patterns of behavior look like and investigate activity that looks suspicious or
out of the ordinary. Overall, this practice is meant to create a sense of
accountability among your employees.
You can do this manually, or with the help of software.
Manual Audit
The manual process involves evaluating multiple systems within your company,
identifying what actions were performed, and then connecting those actions with
assigned roles, transactions, and other expected outcomes. If you see something
that doesn’t add up or seems out of the ordinary, you This requires incredible
attention to detail.
Automated Audit
With the help of modern technology, emerging software can utilize concepts like
artificial intelligence and machine learning to help us more accurately spot
deviations from standard user behavior, and alert managers when something begins
to look suspicious. User Behavior Analytics software, Employee Monitoring
software, User Activity Monitoring software, Security Information and Event
Management software, and Productivity software all capture data and employ
features that will help make the auditing process much more efficient than a
manual auditing process.
Communication with Key Stakeholders
This stage just involves communicating with key stakeholders at your
organization. Be sure they’re informed and kept in the loop about major events
that are taking place. Direct communication with influential leaders at your
organization is the best way to improve internal communication — it creates a
ripple effect. Those individuals can help disseminate information and alleviate
issues going on within their teams or departments.
Segregation of Duties
You need to have checks and balances in place. Segregate administrative
duties and implement stop points where another administrator, or someone at a
different level of management, needs to approve the action. If one person has the
authority to initiate, authorize, and complete a transaction, fraud and theft
can easily run rampant in a large organization.
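The rule in the section above (no single person may initiate, authorize, and complete a transaction) as an added, runnable illustration; this is example code, not ActivTrak’s or any vendor’s, and the user set, the management levels, and the assumption that the authorizer must outrank the initiator are constructed for the illustration.

```python
# Added example (not ActivTrak's or any vendor's code): enforcing the
# segregation-of-duties rule on a three-step transaction.  Users, management
# levels and the "authorizer must outrank initiator" rule are assumptions.
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when a step would let one person control the whole transaction."""


@dataclass(frozen=True)
class User:
    name: str
    level: int          # management level; higher numbers outrank lower (assumed)


@dataclass
class Transaction:
    amount: int
    steps: dict = field(default_factory=dict)    # step name -> User who did it

    def _require_new_actor(self, step, user):
        # Stop point: nobody may perform two of initiate/authorize/complete.
        for done, actor in self.steps.items():
            if actor.name == user.name:
                raise SoDViolation(f"{user.name} already did '{done}', cannot also '{step}'")

    def initiate(self, user):
        if self.steps:
            raise SoDViolation("transaction already initiated")
        self.steps["initiate"] = user

    def authorize(self, user):
        if "initiate" not in self.steps:
            raise SoDViolation("nothing to authorize yet")
        self._require_new_actor("authorize", user)
        if user.level <= self.steps["initiate"].level:
            raise SoDViolation("authorizer must be at a different, higher management level")
        self.steps["authorize"] = user

    def complete(self, user):
        if "authorize" not in self.steps:
            raise SoDViolation("cannot complete an unauthorized transaction")
        self._require_new_actor("complete", user)
        self.steps["complete"] = user
        return True


def run_scenarios():
    """Exercise the control; returns {scenario: True or the violation message}."""
    clerk, manager, treasurer = User("dana", 1), User("eli", 2), User("fay", 1)
    results = {}
    def attempt(name, fn):
        try:
            results[name] = fn()
        except SoDViolation as e:
            results[name] = str(e)
    # Proper flow: three different people, authorizer outranks initiator.
    t = Transaction(25_000); t.initiate(clerk); t.authorize(manager)
    attempt("proper", lambda: t.complete(treasurer))
    t2 = Transaction(25_000); t2.initiate(clerk)
    attempt("self_approval", lambda: t2.authorize(clerk))      # same person twice
    attempt("same_level", lambda: t2.authorize(treasurer))     # peer, not a superior
    attempt("skip_authorize", lambda: t2.complete(manager))    # no approval step
    return results
```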
Front-line Training
Teaching all employees how to avoid fraud, viruses, and phishing scams is one of
the best ways to protect your company from both internal and external threats.
When employees know what a phishing scam looks like or how to spot a malicious
website, they’re less likely to be one of the negligent insiders that contribute
to 51% of confirmed insider attacks.
What Software Should I Consider for Insider Threat Detection?
There are a number of different software categories that can be used to detect and deter
insider threats; which one fits is very dependent upon your goals and what you currently have running
in your stack. These tools allow organizations to proactively detect and respond to
risky activity in real time.
Insider Threat Detection Software
Software specifically marketed for insider threat detection. These tools are
great, but they’re often costly and generally only perform the duties required
for insider threat detection, and not much else for the expense.
Employee Monitoring and User Activity Monitoring Software
Employee Monitoring
should be a staple for any organization concerned about security. The
software tracks all user activity,
effectively giving you all the information you need to identify and investigate
the unusual activity. These programs are generally intended for investigating
individual users, rather than understanding organizational activity as a whole.
Some, such as ActivTrak, are built for overall trend analysis.
User Behavior Analytics Software
User Behavior Analytics
software can help automate your auditing process. Much like Employee
Monitoring software, UBA software monitors all employee activities over time,
but adds a layer of machine learning to understand what usual behavior looks
like over a given period of time. Once the software can establish a baseline
activity profile for users it will use that information to spot unusual
behavior, then automatically flag the proper administrator to investigate
further.
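The baseline-then-deviation idea described above, as an added example that is not ActivTrak’s or any vendor’s code: each user’s training window of daily activity summaries yields a mean and spread per feature, new days are scored as z-scores against that baseline, and strong deviations (or accounts with no baseline at all) are surfaced for an administrator. The users, the daily summary format, the features and the threshold are all constructed assumptions.

```python
# Added example (not ActivTrak's or any vendor's code): a minimal per-user
# behavioral baseline.  Users, the daily summary format, features and the
# threshold are assumptions constructed for the illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("records_accessed", "login_hour", "usb_events")

@dataclass(frozen=True)
class DaySummary:
    user: str
    day: str              # ISO date (constructed)
    records_accessed: int
    login_hour: int       # hour of first login, 0-23
    usb_events: int       # removable-media connects that day

def build_baselines(history):
    """Per-user (mean, population stdev) of each feature over the training window."""
    by_user = defaultdict(list)
    for rec in history:
        by_user[rec.user].append(rec)
    baselines = {}
    for user, recs in by_user.items():
        baselines[user] = {}
        for f in FEATURES:
            vals = [getattr(r, f) for r in recs]
            baselines[user][f] = (mean(vals), pstdev(vals))
    return baselines

def score_day(rec, baseline, z_threshold=3.0, min_spread=1.0):
    """[(feature, z)] for features at least z_threshold from baseline.  min_spread
    floors the stdev so a perfectly constant history does not give infinite z."""
    hits = []
    for f in FEATURES:
        mu, sigma = baseline[f]
        z = (getattr(rec, f) - mu) / max(sigma, min_spread)
        if abs(z) >= z_threshold:
            hits.append((f, round(z, 1)))
    return hits

def flag_anomalies(history, new_days, z_threshold=3.0):
    """Map user -> [(reason, z)] that an administrator should investigate."""
    baselines = build_baselines(history)
    alerts = defaultdict(list)
    for rec in new_days:
        base = baselines.get(rec.user)
        if base is None:   # account with no history cannot be scored: surface it
            alerts[rec.user].append(("no_baseline", None))
            continue
        alerts[rec.user].extend(score_day(rec, base, z_threshold))
    return {u: hits for u, hits in alerts.items() if hits}

# Constructed training window: five ordinary working days per user.
HISTORY = [DaySummary("alice", f"2024-03-0{d}", n, h, 0)
           for d, n, h in zip(range(4, 9), (190, 210, 205, 195, 200), (9, 9, 8, 9, 9))]
HISTORY += [DaySummary("bob", f"2024-03-0{d}", n, 10, u)
            for d, n, u in zip(range(4, 9), (300, 310, 290, 305, 295), (1, 0, 1, 0, 1))]
# Constructed days to score: alice pulls nine times her usual records late at
# night with a USB device attached, bob looks normal, carol has no history.
NEW_DAYS = [DaySummary("alice", "2024-03-11", 1800, 23, 4),
            DaySummary("bob", "2024-03-11", 320, 10, 1),
            DaySummary("carol", "2024-03-11", 50, 9, 0)]
```

Calling `flag_anomalies(HISTORY, NEW_DAYS)` flags alice on all three features and carol as an unknown account, while bob's slightly busier day stays below the threshold.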
Security Information and Event Management
SIEM tools are a lot like UBA software: they capture events from employee
activities and flag administrators when specified activities or events take
place. New research suggests that companies prefer User Behavior Analytics
software over SIEM tools because SIEM systems tend to create a data lake, which
on its own is essentially as useful as employee
monitoring software. That said, many SIEM providers are beginning to add
UBA capabilities to their products.
Ideally, you’re looking for a software that combines capabilities from every
submarket listed above. The main point here is that you have a lot of options to
choose from. It’s critical to your success to find the tool that fits your needs
most completely.
Insider Threat Management With ActivTrak
ActivTrak's comprehensive approach to insider
threat management ensures that administrators have the information they need to
prevent and detect insider threats.
ActivTrak is an easy-to-install, low-maintenance insider
threat detection solution that just works. It’s continuously tracking and
reacting for you, freeing up your time to focus on securing other areas of your
environment.
Here are a few reasons why ActivTrak is an ideal solution for Insider Threat
Detection:
Alarms trigger automated security alerts and reactions. Terminate an
unauthorized application, send on-screen notifications, capture screenshots, and
watch video playback when the event took place.
Behavioral data is available on the dashboard within moments of installation.
Review reports and screen captures to locate suspicious application usage,
website history, and USB activity.
Gain visibility when a user invokes in-browser Incognito Mode and understand if
the user is attempting to evade detection, and why.
Investigate security breaches and come to a data-supported conclusion about what
happened, when it happened, and who was responsible.
Spot sudden changes in user schedule and passive time, providing additional
context to abnormal usage patterns.
Consult the Risk Level Report to see which users exhibit high-risk behavior and
which suspicious activities occur more frequently.
Check in on your team any time, anywhere from the desktop or our mobile app.
Finding and Implementing the Best Insider Threat Management Solution for your Business
Identify Your Goals
What are you trying to do? Generally track activity? Get notified of unusual
behavior patterns? Both? Either way, you need to have a clear idea of what you
want to be able to do so that when you approach vendors, you don’t waste your
time with a solution that only covers half of your needs with all of your
budget.
Identify Solutions That Meet Your Needs
Research the Market. Look at articles, read expert reviews, and contact a number
of different vendors to evaluate their capabilities and the options available.
Be sure to exhaust at least 4-5 options before moving on to the next phase. This
step is critical to understanding what the realistic capabilities of the
solution are, and the level of customization needed to make them work — if at
all possible.
Create a Shortlist
Compare costs and capabilities. This is where you ask for trials, and kick the
tires on every product to see what it can handle. Try to understand how each
solution fits your needs, and what kind of work it’s going to take on your end
to make it work. Your goal here is to look for solutions that don’t take long to
implement, learn, and begin deriving value from. If it doesn’t fit your needs,
or takes far too much time to set up and configure, you probably don’t need it on
your list. You should have 3 stellar options by the end of this process.
Make a Decision
Crunch time. It can be difficult with so many options, but you should attempt to
make the choice that fits all of your needs best. Consider all factors including
cost, feature requirements, security, time to value, additional benefits, and overall
effectiveness within your organization. Missing on any one of these
points could spell the failure of your program. Be sure to test thoroughly
before making this decision.
Implementation
Meet with your team and let them know you’ll be implementing software to
improve security. Communication is incredibly important here. If you make it
seem like you’re installing spy software to check in on employees, it will have a negative
impact on the team and overall morale. It’s important to clearly communicate
that this is purely for security purposes, and that the information gathered
will only be reviewed in the case of a breach or data-backed inquiry. We
recommend disseminating an internet usage policy and mandating that all
employees sign it if they haven’t already.
Maintain and Improve Security Audits
Continue business as usual. Be sure to conduct your standard security audits and
other best practices explained above to maintain a secure organization.
Recap: Insider Threat Management
You should be concerned about insider threats. They’ve quickly become the easiest
way for attackers to gain access to an organization’s network. Once inside, an attacker
can navigate freely under the alias of an employee that has privileges to find the
information the hacker is interested in finding. This cloak of regularity allows attacks
to go on for longer periods of time without being detected, which dramatically increases
the overall cost of a breach. Be on the lookout for negligent, compromised, and
malicious insiders as you conduct an audit. Anyone can become the target of an insider
attack, but those in the financial services industry and businesses in the US and the
Middle East have the highest likelihood of being hit by an attack due to the potential
financial gain and longevity of attacks. Safeguard your organization by implementing
employee monitoring, auditing events that take place on your network, keeping open lines
of communication with key stakeholders, segregating duties so that one person can’t
request and authorize a transaction, and finally, by training your employees to avoid
the common activities that put their hardware and credentials at risk. The bottom line
here is that you need to invest in emerging and existing technologies to make it easier
for you and your team to spot and prevent
insider attacks.