Insider Threat Detection

The Negligent Insider

This type of insider threat is simply unaware of the dangers associated with sharing login credentials, opening suspicious emails, or visiting malicious websites. Negligent insiders generally have no ill intentions towards the organization, but the every day careless activities of these insiders present easy access points for attackers to begin their onslaught. Often times, negligent insiders end up with a virus or malware on their computer, which can spread to the company network to conduct an attack.

The Compromised Insider

This insider is a lot like a Negligent insider that has generally done nothing wrong other than opening the wrong email. A compromised insider is someone that has in some way had their credentials compromised. This can happen through a phishing scam, a computer virus, or by sharing their login credentials with the wrong person. The Key differentiator here is that the person working for your organization is to act maliciously, but someone else is using their credentials to appear as if that is the case.

The Malicious Insider

This insider is like a double agent — they work within the organization, but have aspirations to bring harm to the organization or to gain access to the company’s proprietary information for personal gain.

Common sense might sway you to believe that malicious insiders are the most dangerous, and therefore the most prominent kind of insider attacks. While this is true about 47% of the time, negligent and compromised insiders account for the majority of confirmed insider attacks.

This means employees you trust that show no intentions of assisting in a data breach actually account for more attacks than those that deliberately intend to cause harm to an organization.

Type of Organization

Research shows that organizations in the financial sector have a higher chance of being attacked, and when they are attacked it’s the most costly attack on average across all industry sectors.

Region of the World

Given that financial gain is often a goal for any cybersecurity attack, the power of your local currency (or the currency or your customers) can have a significant impact on how often, or heavily your organization is targeted.

Malicious or Criminal Attacks often target the Middle East and U.S. organizations. In a report published by IBM and the Ponemon Institute, it was found that on average organizations in the Middle East, India specifically, and the United States have the largest average number of breached records.

The U.S.

There are a couple of reasons for the US being targeted heavily for insider attacks. First, The US has a powerful currency, so attacks that target financial, or personal data would have a higher yield to an attacker trying to make a return. The US is also one of the worlds largest economies and houses around 28 million businesses. The more businesses to target, the higher the likelihood of them being targeted.

India and The Middle East

Attacks in the Middle East are more prevalent largely due to the fact that they generally go longer periods of time without being detected, which increases the number of records compromised and increases the value or cost of the attack. In other words, Attackers have more time to work when they target organizations in India and the Middle East.

57% of Attacks Targeted Confidential Business Information

Financials, customer data, employee data are by far the most popular pieces of information targeted by attackers. This information can be used to harm or defame the company and its employees, or be held for ransom.

52% of Attacks Targeted Privileged Account Information

Gaining access to privileged account information allows an attacker to expose company secrets, modify existing protocols, or steal and delete valuable information. This information is useful to an attacker because they can log in and navigate through company-owned networks and software without being noticed. They can modify settings to allow something like a back door, or even inject malicious code designed to bring a network down, and/or hold an organization for ransom.

49% of Attacks Targeted Sensitive Personal Information

This is Personally Identifiable Information and Protected Health Information. This information is confidential, and it often involves information of private individuals that have either done business with an organization or have previously been employed there.

32% of Attacks Target Intellectual Property

Trade secrets, research product designs. These pieces of information are often held for ransom by attackers, as they’re often pivotal pieces to a business.

Implement Employee Monitoring

Employee Monitoring is often the most low-cost, high-impact way to take a step towards securing your organization from insider threats. The multi-functionality included in most employee monitoring software allows for the needed visibility and control to gain insight into what insiders at your company are doing with their daily activities, which makes it easier to recognize suspicious activity when it arises. Moreover, you get a sort ‘black box’ that keeps a record of everything that happens, should a breach occur. This makes it much easier to track where a vulnerability originated.

Event Auditing

Auditing is the most important piece of any fraud or insider threats detection and prevention plan. You’ll want to perform audits regularly to make sure you can spot and prevent any fraudulent activity. There is more than one way to perform an adult, but the idea is to get an understanding of what the usual patterns of behavior look like and investigate activity that looks suspicious or out of the ordinary. Overall, this practice is meant to create a sense of accountability among your employees.

You can do this manually, or with the help of software.

Manual Audit

The manual process involves evaluating multiple systems within your company, identifying what actions were performed, and then connecting those actions with assigned roles, transactions, and other expected outcomes. If you see something that doesn’t add up or seems out of the ordinary, you This requires incredible attention to detail.

Automated Audit

With the help of modern technology emerging software can utilize concepts like artificial intelligence and machine learning to help us more accurately spot deviations from standard user behavior, and alert managers when something begin to look suspicious. User Behavior Analytics software, Employee Monitoring software, User Activity Monitoring software, Security Information, and Event Management software, and Productivity software all capture data and employ features that will help make the auditing process much more efficient than a manual auditing process.

Communication with Key Stakeholders

This stage just involves communicating with key stakeholders at your organization. Be sure they’re informed and kept in the loop about major events that are taking place. Direct communication with influential leaders at your organization is the best way to improve internal communication — it creates a ripple effect. Those individuals can help disseminate information and alleviate issues going on within their teams or departments.

Segregation of Duties

You need to have checks and balances in place. By segregating the administrative duties, and implementing stop points where another administrator or someone at a different level of management needs to approve the action. If one person has the authority to initiate, authorize, and complete a transaction, fraud and theft can easily run rampant in a large organization.

Front-line Training

Teaching all employees how to avoid fraud, viruses, and phishing scams is one of the best ways to protect your company from both internal and external threats. When employees know what a phishing scam looks like or how to spot a malicious website, they’re less likely to be one of the negligent insiders that contribute to 51% of confirmed insider attacks.

Insider Threat Detection Software

Software specifically marketed for insider threat detection. These tools are great, but they’re often costly and generally only perform the duties required for insider threat detection, and not much else for the expense.

Employee Monitoring and User Activity Monitoring Software

Employee Monitoring should be a staple for any organization concerned about security. The software tracks all user activity, effectively giving you all the information you need to identify and investigate the unusual activity. These programs are generally intended for investigating individual users, rather than understanding organizational activity as a whole. Some, such as ActivTrak, are built for overall trand analysis.

User Behavior Analytics Software

User Behavior Analytics software can help automate your auditing process. Much like Employee Monitoring software, UBA software monitors all employee activities over time, but adds a layer of machine learning to understand what usual behavior looks like over a given period of time. Once the software can establish a baseline activity profile for users it will use that information to spot unusual behavior, then automatically flag the proper administrator to investigate further.

Security Information and Event Management

SIEM tools are a lot like UBA software, they capture events from employee activities and flag administrators when specified activities or events take place. New research suggests that companies prefer User Behavior Analytics Software over SIEM tools because SIEM systems tend to create a data lake, which is essentially as useful as an employee monitoring software. That said, many SIEM providers are beginning to add UBA capabilities to their product.

Ideally, you’re looking for a software that combines capabilities from every submarket listed above. The main point here is that you have a lot of options to choose from. It’s critical to your success to find the tool that fits your needs most completely.

Identify Your Goals

What are you trying to do? Generally track activity? Get notified of unusual behavior patterns? Both? Either way, you need to have a clear idea of what you want to be able to do so that when you approach vendors, you don’t waste your time with a solution that only covers half of your needs with all of your budget.

Identify Solutions That Meet Your Needs

Research the Market. Look at articles, read expert reviews, and contact a number of different vendors to evaluate their capabilities and the options available. Be sure to exhaust at least 4-5 options before moving on to the next phase. This step is critical to understanding what the realistic capabilities of the solution are, and the level of customization needed to make them work — if at all possible.

Create a Shortlist

Compare costs and capabilities. This is where you ask for trials, and kick the tires on every product to see what I can handle. Try to understand how the solutions fit your needs, and what kind of work it's going to take on your end to make it work. Your goal here is to look for solutions that don’t take long to implement, learn, and begin deriving value from. If it doesn’t fit your needs, or takes way too much time to setup and configure, you probably don’t need it on your list. You should have 3 stellar options by the end of this process.

Make a Decision

Crunch time. It can be difficult with so many options, but you should attempt to make the choice that fits all of your needs best. Consider all factors including cost, feature requirements, security, time to value, additional benefits, and overall effectiveness within your organization. Missing on any one of these points could spell the failure of your program. Be sure to test thoroughly before making this decision.

Implementation

Meet with your team and let them know you’ll be implementing a software to improve security. Communication is incredibly important here. If you make it seem your install spy software to check in on employees, it will have a negative impact on the team and overall morale. It’s important to clearly communicate that this is purely for security purposes, and that the information gathered will only be reviewed in the case of a breach, or data-backed inquiry. We recommend disseminating an internet usage policy and mandating that all employees sign it if they haven’t already.

Maintain and Improve Security Audits

Continue business as usual. Be sure to conduct your standard security audits and other best practices explained above to maintain a secure organization.