Beware of the insider threat.
For those of us in information security, those words represent sage advice we’ve heard (and given) for years. Long before Eric Snowden and the incident involving the National Security Agency (NSA) hit the headlines.
“We have met the enemy” … or so we think.
Maybe it’s an overused sentence. But we often use military terms and phrases to depict the work we do in information security—words like strategy, adversaries, threats, perimeter defenses, attacks, incidents, and assaults. After all, cybersecurity is a battle. And so is protecting against insider threats.
The term “insider threat”—thanks in part to the entertainment industry—conjures up a lot of different images: rogue employees seeking financial gain; disgruntled workers bent on revenge; shadowy figures engaged in international espionage. While books and movies tend to sensationalize events, these activities are not far-fetched and shouldn’t be disregarded.
In fact, insider threats can result in substantial loss and damage. According to a Ponemon Institute study, security incidents caused by insiders can be very expensive to organizations, ranging in cost based on the type of incident. And according to Brian Contos, vice president and chief security strategist at Securonix (as reported in this CSO Online article), it takes 55 days on average to uncover a malicious insider, and “the average cost per day of the damage is about $21,000.”
In simple terms, insider threats (with respect to information security) are exactly what they sound like: threats posed to sensitive company information and assets by those entities residing inside security confines and boundaries. In other words, these threats come from so-called “trusted” sources, and their actions stem from a combination of access, opportunity, and motive. And these insiders typically fall into one of three categories.
First, there are negligent insiders. These are users who have authorized access to systems and data and unknowingly put sensitive information at risk. These users don’t intend to do harm, but they make a mistake or err in judgment that leads to information being shared with unauthorized parties, lost data, or other damage.
Next, there are malicious insiders. These are the aforementioned people out for personal gain or revenge, willing to break laws to get what they want. These are users who have legitimate access to systems and intentionally steal information, destroy data, or disrupt operations.
Lastly, there are “functional” insiders. These are actors who have stolen valid credentials or taken over an authorized endpoint and pose as a legitimate, trusted user. They are able to access sensitive information and perform system functions under the guise of their stolen identity. And since they are operating with valid credentials, they can be very difficult to identify.
Wait a minute. That user did what?
Information security is like walking a tightrope. Employees need access to systems and data to do their work. But they should have access to only what they need to perform their job and no more. Striking the right balance between easy access and maximum protection, and maintaining that balance, is difficult but essential.
That’s one reason insider threats create such a dilemma for security professionals. Because these threats originate from so-called “trusted” sources, they are difficult to identify until it’s too late. With that fact in mind, the impulse is to tighten security controls even further. And while that may be necessary in some cases, more stringent controls may be viewed as prohibitive and counterproductive, if the controls are too restrictive.
The rise of user behavior analytics (UBA) software is helping in the battle against insider threats. By employing big data security analytics algorithms and machine learning, UBA solutions identify user behavior that is unusual—or outside of the bounds of what is typical—and alert security analysts for further investigation. These solutions enable security professionals to build user profiles based on a user’s typical activities to establish a baseline. When a user’s behavior deviates from the baseline, it creates an anomaly. While it doesn’t mean something malicious is happening, it does give security analysts visibility into unexpected behavior, such as a user uncharacteristically logging onto a system at 2am and downloading files.
User behavior analytics focuses on all activities associated with a user. It analyzes the devices they use, the applications they access, and the data they consume. It tracks what they do and when they do it and calls out the outliers—the activities that deviate from the establish “normal” for each user.
As a result, UBA solutions are fast-becoming a critical element in the defense against insider threats, especially the “functional” insider. Because if a user’s credentials are compromised and the user begins behaving unexpectedly, the software will see it and report it, enabling security analysts to take action before it’s too late. Hence, it’s no wonder user behavior analytics software, according to International Data Corporation (IDC), is predicted to be one of the fastest growing segments of the security products market at 12.2% CAGR.
While user behavior analytics solutions won’t eliminate insider threats, they do offer an added layer of protection to minimize the risk associated with them. And in our increasingly complex operating environments, less risk is good.
