Insider Threat Detection


Insider threats are a hot topic in cybersecurity today, and for good reason. Research conducted by Crowd Research Partners and Cybersecurity Insiders found that 90% of organizations feel vulnerable to insider attacks, citing reasons that include an ever-changing landscape of technology and devices as well as excessive access privileges. Moreover, 53% of companies confirmed insider attacks against their organization.

With security breaches increasing by an average of 27.4% year over year, the emphasis on insiders is well placed.

In the guide below, we detail what an insider threat is, why insider threats matter, and the best ways to detect and deter one before an attack occurs.

What is an Insider Threat?

An insider threat is a person within an organization who could be the root cause of, or the entry point for, a data breach. Anyone whose access gives a malicious individual an opportunity to gain privileged access to sensitive information held by the organization, or to use that access for lateral movement through the company network, is considered an insider threat.

Many people have access to an organization’s network, including current and former employees, contractors, and vendors. The sheer number of potential insider threats makes them difficult to track and identify before an attack occurs.

Insider threats can be grouped into three main categories:

The Negligent Insider

This type of insider is simply unaware of the dangers of sharing login credentials, opening suspicious emails, or visiting malicious websites. Negligent insiders generally have no ill intentions towards the organization, but their everyday carelessness presents easy entry points for attackers. Often, a negligent insider ends up with a virus or other malware on their computer, which can then spread across the company network.

The Compromised Insider

This insider is much like a negligent insider who has done nothing wrong other than open the wrong email. A compromised insider is someone whose credentials have been compromised in some way, whether through a phishing scam, a computer virus, or by sharing their login credentials with the wrong person. The key differentiator here is that the person working for your organization is not acting maliciously; someone else is using their credentials to appear as if that is the case.

The Malicious Insider

This insider is like a double agent: they work within the organization, but aim to harm it or to take the company’s proprietary information for personal gain.

Common sense might lead you to believe that malicious insiders are the most dangerous, and therefore the most common, kind of insider attack. The first part is true, but malicious insiders account for only about 47% of confirmed insider attacks; negligent and compromised insiders account for the majority.

In other words, trusted employees who have no intention of assisting in a data breach account for more attacks than those who deliberately set out to harm the organization.

Why do Insider Threats get so Much Attention?

To put it simply, insider attacks are expensive. Insider threats draw a lot of attention from security professionals for several reasons, including the fact that insider attacks are costlier to detect and contain than external attacks.

Why so costly? Insider attacks are harder to detect and usually take longer to resolve, and both factors drive up the overall cost to the organization.

On average, a malicious insider attack takes 50 days to resolve. The longer an attacker has access to a network, the more records are likely to be taken or deleted, and the higher the cost of the breach. The average cost to resolve a data breach of any kind ranges between $126 and $156 per compromised record. Multiply that by the global average of 24,089 records exposed or compromised per breach, and the average total cost of a single data breach lands at roughly $3.0M to $3.6M.

Considering costs at that scale, it is easy to understand why security professionals are so concerned about insider threats. Three further trends add to the concern:

  • Attack costs rise with organizational size
  • The financial consequences of cyber attacks are worsening
  • The frequency of attacks is increasing

Who is at risk of an insider attack?


The honest answer is that any company can fall victim to an insider attack, but research shows that certain organizations are more attractive targets than others. Factors that increase your chances of being targeted include the kind of data your organization holds, the sector in which it operates, and the region of the world in which it is based.

Type of Organization

Research shows that organizations in the financial sector are more likely to be attacked, and when they are, the attacks are the most costly on average of any industry sector.

Region of the World

Since financial gain is often the goal of a cyber attack, the strength of your local currency (or the currency of your customers) can have a significant impact on how often, and how heavily, your organization is targeted.

Malicious or criminal attacks often target organizations in the Middle East and the United States. A report published by IBM and the Ponemon Institute found that organizations in the Middle East, India, and the United States have the largest average number of breached records.

Why do Hackers target these regions?

The U.S.

There are a couple of reasons the US is targeted so heavily for insider attacks. First, the US has a strong currency, so attacks on financial or personal data yield more for an attacker seeking a return. The US is also one of the world’s largest economies and is home to around 28 million businesses; the more businesses there are to target, the more of them will be targeted.

India and The Middle East

Attacks against organizations in India and the Middle East tend to go undetected for longer, which increases the number of records compromised and, with it, the value of the attack to the attacker and its cost to the victim. In other words, attackers have more time to work when they target organizations in these regions.

Type of Records Held

The goal of an attack is often to obtain secret or confidential information. The type of information your organization holds can increase the chances of an attack against it.

Here are the top four categories of information that attackers consider high-value:

57% of attacks targeted confidential business information

Financial records, customer data, and employee data are by far the most popular targets. This information can be used to harm or defame the company and its employees, or be held for ransom.

52% of attacks targeted privileged account information

Privileged account credentials let an attacker expose company secrets, change existing controls, or steal and delete valuable information. They are useful because an attacker holding them can log in and move through company-owned networks and software as an apparently legitimate user. They can change settings to open a back door, or inject malicious code designed to bring a network down or hold the organization to ransom.

49% of attacks targeted sensitive personal information

This is personally identifiable information (PII) and protected health information (PHI). It is confidential, and it often concerns private individuals who have done business with the organization or have previously been employed there.

32% of attacks target Intellectual Property

Trade secrets, research, and product designs. Attackers often hold these for ransom, since they are frequently pivotal to the business.

How can I protect my company against insider threats?


There are numerous ways to protect your organization from insider threats. Options range from educating employees about phishing emails and other scams through seminars and training, to installing employee monitoring or user behavior analytics software designed to identify, prevent, and record attacks before they become costly. These systems can integrate with your existing tools and trigger your security protocols automatically.

With that said, it’s important to take the proper steps and choose the correct actions based on your current situation.

Implement Employee Monitoring

Employee monitoring is often the lowest-cost, highest-impact step towards securing your organization against insider threats. The range of functions in most employee monitoring software provides the visibility and control needed to understand what insiders are doing day to day, which makes suspicious activity easier to recognize when it arises. You also get a sort of ‘black box’ that records everything that happened should a breach occur, which makes it much easier to trace where the breach originated.

Event Auditing

Auditing is the most important piece of any fraud or insider threat detection and prevention plan. Perform audits regularly so that you can spot and stop fraudulent activity. There is more than one way to perform an audit, but the idea is to understand what the usual patterns of behavior look like and to investigate activity that looks suspicious or out of the ordinary. The practice also creates a sense of accountability among employees.

You can do this manually, or with the help of software.

Manual Audit

The manual process involves reviewing multiple systems within your company, identifying what actions were performed, and then connecting those actions with assigned roles, transactions, and other expected outcomes. If you see something that doesn’t add up or seems out of the ordinary, you investigate it. This requires incredible attention to detail.

Automated Audit

Emerging software applies artificial intelligence and machine learning to spot deviations from standard user behavior more accurately and to alert managers when something begins to look suspicious. User behavior analytics software, employee monitoring software, user activity monitoring software, security information and event management (SIEM) software, and productivity software all capture data and offer features that make auditing much more efficient than a manual process.

Communication with Key Stakeholders

This stage simply involves keeping key stakeholders informed about major events as they take place. Direct communication with influential leaders is the best way to improve internal communication, because it creates a ripple effect: those individuals can pass information on and resolve issues within their own teams or departments.

Segregation of Duties

You need checks and balances. Segregate administrative duties and build in stop points where another administrator, or someone at a different level of management, must approve an action before it proceeds. If one person has the authority to initiate, authorize, and complete a transaction, fraud and theft can easily run rampant in a large organization.
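One way to enforce those stop points in software, as an added example that is not from the original article: a minimal approval workflow in which no single person can initiate, authorize, and complete the same transaction, and every accepted or refused attempt lands in an audit trail. The user directory, role names, and step names are assumptions for illustration.

```python
# Constructed user directory (an assumption for the example): user -> roles held.
USERS = {
    "carol": {"requester"},
    "dave": {"approver"},
    "erin": {"requester", "approver"},
    "frank": {"treasury"},
}

# The steps of a transaction, in order, with the role each step requires.
WORKFLOW = (
    ("initiate", "requester"),
    ("authorize", "approver"),
    ("complete", "treasury"),
)


class Transaction:
    """A transaction that advances only when each step is taken in order, by a
    user holding the required role, who has not already acted on it."""

    def __init__(self, tx_id, amount):
        self.tx_id = tx_id
        self.amount = amount
        self.done = []    # (step, user) pairs in the order they were performed
        self.audit = []   # append-only trail of every attempt, accepted or refused

    def _record(self, step, user, outcome):
        self.audit.append((self.tx_id, step, user, outcome))

    def perform(self, step, user):
        """Attempt a step. Returns True if accepted; refusals are logged and
        return False so the trail shows who tried to do what."""
        index = len(self.done)
        if index >= len(WORKFLOW) or WORKFLOW[index][0] != step:
            self._record(step, user, "refused: out of order")
            return False
        required_role = WORKFLOW[index][1]
        if required_role not in USERS.get(user, set()):
            self._record(step, user, f"refused: lacks role {required_role}")
            return False
        # The separation-of-duties check proper: holding a valid role is not
        # enough if the same person already took an earlier step.
        if any(user == prior for _, prior in self.done):
            self._record(step, user, "refused: already acted on this transaction")
            return False
        self.done.append((step, user))
        self._record(step, user, "ok")
        return True

    @property
    def finished(self):
        return len(self.done) == len(WORKFLOW)


def demo():
    """Erin holds both the requester and approver roles, so without the check
    she could initiate and authorize a payment on her own; the workflow
    refuses the second step and requires a distinct approver."""
    tx = Transaction("TX-1001", 25000)
    tx.perform("initiate", "erin")
    tx.perform("authorize", "erin")   # refused: erin already initiated
    tx.perform("authorize", "dave")   # accepted: distinct approver
    tx.perform("complete", "frank")   # accepted: distinct treasury user
    return tx


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The refusal is recorded rather than silently dropped; repeated refusals for one user on many transactions are themselves a signal worth reviewing in the audit step.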

Front-line Training

Teaching all employees how to avoid fraud, viruses, and phishing scams is one of the best ways to protect your company from both internal and external threats. When employees know what a phishing scam looks like or how to spot a malicious website, they are less likely to become one of the negligent insiders that contribute to 51% of confirmed insider attacks.

What Software Should I Consider for Insider Threat Detection?

Several categories of software can be used to detect and deter insider threats; the right choice depends on your goals and on what is already running in your stack. These tools allow organizations to detect and respond to risky activity in real time.

Insider Threat Detection Software

Software marketed specifically for insider threat detection. These tools are good at the job, but they are often costly and generally do little beyond insider threat detection for the expense.

Employee Monitoring and User Activity Monitoring Software

Employee monitoring should be a staple for any organization concerned about security. The software tracks all user activity, giving you the information you need to identify and investigate unusual activity. These programs are generally intended for investigating individual users rather than understanding organizational activity as a whole.

User Behavior Analytics Software

User behavior analytics (UBA) software can help automate your auditing process. Much like employee monitoring software, UBA software monitors employee activity over time, but adds a layer of machine learning to learn what usual behavior looks like over a given period. Once the software has established a baseline activity profile for each user, it uses that profile to spot unusual behavior and automatically flags the appropriate administrator to investigate further.
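The baseline-and-deviation review that the Automated Audit and User Behavior Analytics sections describe, as an added example that is not part of the original article or any vendor’s product. It also covers the manual-audit step of connecting actions back to assigned roles. The log lines are constructed, made-up data in an assumed `timestamp,user,action,host,bytes` format; the users, hosts, role table, and the three-sigma download threshold are all illustrative assumptions rather than anything the article specifies.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not real logs). Format: timestamp,user,action,host,bytes
# The first window trains the baseline; the second is the window under review.
BASELINE_LOG = """
2024-03-04T09:12:00,alice,login,fs-01,0
2024-03-04T09:30:00,alice,download,fs-01,1200000
2024-03-04T11:00:00,alice,download,fs-02,800000
2024-03-05T14:15:00,alice,download,fs-01,1000000
2024-03-05T16:40:00,alice,download,fs-02,900000
2024-03-05T17:55:00,alice,login,fs-01,0
2024-03-04T08:30:00,bob,login,iam-01,0
2024-03-04T08:45:00,bob,grant_privilege,iam-01,0
2024-03-05T17:50:00,bob,download,fs-02,300000
"""

REVIEW_LOG = """
2024-03-11T10:05:00,alice,download,fs-01,1100000
2024-03-11T23:40:00,alice,download,fs-02,950000
2024-03-12T10:20:00,alice,download,fs-09,48000000
2024-03-12T10:25:00,alice,grant_privilege,iam-01,0
2024-03-12T10:30:00,bob,grant_privilege,iam-01,0
2024-03-12T10:45:00,mallory,download,fs-01,500000
"""

# Assumed role model: the actions each role is expected to perform (the manual
# audit step of tying observed actions back to assigned roles).
ROLES = {"alice": "analyst", "bob": "admin"}
ROLE_ACTIONS = {
    "analyst": {"login", "download"},
    "admin": {"login", "download", "grant_privilege"},
}


def parse(log_text):
    """Turn the CSV-style lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, host, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "host": host, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile from a training window: hours of activity, hosts
    touched, and mean/spread of download volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e["ts"].hour for e in evs]
        volumes = [e["bytes"] for e in evs if e["action"] == "download"]
        baseline[user] = {
            "hour_min": min(hours),
            "hour_max": max(hours),
            "hosts": {e["host"] for e in evs},
            "vol_mean": mean(volumes) if volumes else 0.0,
            # A single observation gives no spread, so the threshold collapses
            # to the mean; a real deployment needs a longer training window.
            "vol_sd": pstdev(volumes) if len(volumes) > 1 else 0.0,
        }
    return baseline


def review(events, baseline, sigma=3.0):
    """Compare each event in the review window against the user's baseline and
    the role model; return (timestamp, user, action, reasons) for anything
    that deviates. Users with no baseline are flagged rather than ignored."""
    findings = []
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no_baseline")
        else:
            if not profile["hour_min"] <= e["ts"].hour <= profile["hour_max"]:
                reasons.append("off_hours")
            if e["host"] not in profile["hosts"]:
                reasons.append("new_host")
            if e["action"] == "download":
                limit = profile["vol_mean"] + sigma * profile["vol_sd"]
                if e["bytes"] > limit:
                    reasons.append("volume")
        role = ROLES.get(e["user"])
        if role is None or e["action"] not in ROLE_ACTIONS[role]:
            reasons.append("outside_role")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["action"], reasons))
    return findings


def run_example():
    """Build the baseline from the first window and review the second."""
    return review(parse(REVIEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, action, reasons in run_example():
        print(f"{ts} {user:8} {action:16} {', '.join(reasons)}")
```

On the constructed data the review flags alice’s late-night download, her 48 MB pull from a host she has never touched, and her privilege grant (an action outside her role), and it flags mallory because no baseline exists for that account at all; bob’s privilege grant passes because it matches both his profile and his role. A product of the kind the text describes replaces the hour range and three-sigma rule with learned models, but the shape of the check is the same.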

Security Information and Event Management

SIEM tools are a lot like UBA software: they capture events from employee activity and flag administrators when specified activities or events take place. Recent research suggests that companies prefer UBA software over SIEM tools because a SIEM tends to produce a data lake that still has to be analyzed, which leaves you roughly where employee monitoring software does. That said, many SIEM providers are beginning to add UBA capabilities to their products.

Ideally, you are looking for software that combines capabilities from every submarket listed above. The main point is that you have many options, and it is critical to find the tool that fits your needs most completely.

Finding and Implementing the best Insider Threat Management Solution for your Business

Identify your goals

What are you trying to do? Track activity in general? Get notified of unusual behavior patterns? Both? Either way, you need a clear idea of what you want so that, when you approach vendors, you don’t waste your time on a solution that covers half of your needs with all of your budget.

Identify Solutions That Meet Your Needs

Research the market. Read articles and expert reviews, and contact a number of vendors to evaluate their capabilities and the options available. Examine at least four or five options before moving on to the next phase. This step is critical to understanding the realistic capabilities of each solution and the level of customization needed to make it work, if that is possible at all.

Create a shortlist

Compare costs and capabilities. This is where you ask for trials and kick the tires on every product to see what each can handle. Work out how well each solution fits your needs and how much work it will take on your end to make it work. Look for solutions that don’t take long to implement, learn, and derive value from. If a product doesn’t fit your needs, or takes far too much time to set up and configure, drop it from the list. You should have three strong options by the end of this process.

Make a decision

Crunch time. It can be difficult with so many options, but choose the one that fits all of your needs best. Consider every factor, including cost, feature requirements, security, time to value, additional benefits, and overall effectiveness within your organization; missing any one of these could spell the failure of your program. Test thoroughly before making this decision.

Implementation

Meet with your team and let them know you will be implementing software to improve security. Communication is incredibly important here: if it looks as though you are installing spyware to check up on employees, it will hurt team morale. Communicate clearly that this is purely for security purposes and that the information gathered will only be reviewed in the case of a breach or a data-backed inquiry. We recommend circulating an internet usage policy and requiring every employee to sign it if they haven’t already.

Maintain and improve security audits

Continue business as usual, and keep conducting your standard security audits and the other practices explained above to maintain a secure organization.

In Short

You should be concerned about insider threats. They have quickly become the easiest way for attackers to gain access to an organization’s network. Once inside, an attacker can move freely under the identity of an employee whose privileges reach the information the attacker is after. This cloak of normality lets attacks continue for longer without detection, which dramatically increases the overall cost of a breach. Be on the lookout for negligent, compromised, and malicious insiders as you conduct an audit.

Anyone can become the target of an insider attack, but organizations in the financial services industry and businesses in the US and the Middle East have the highest likelihood of being hit, because of the potential financial gain and the longevity of attacks there.

Safeguard your organization by implementing employee monitoring, auditing events that take place on your network, keeping open lines of communication with key stakeholders, segregating duties so that one person cannot both request and authorize a transaction, and training your employees to avoid the common activities that put their hardware and credentials at risk. The bottom line is that you need to invest in emerging and existing technologies to make it easier for you and your team to spot and prevent insider attacks.