Insider Threat

New Report Finds Insider Threats on the Rise, Growing Cloud Use, and Lack of Defensive Capabilities Are Causing Concern

Of all the security professionals surveyed for the newly released 2023 Insider Threat Report from Cybersecurity Insiders, a measly 3% are not concerned about insider threats. The risk posed by company insiders is not new, but a changing workplace (and all the network and IT changes that go along with it) and growing use of the cloud have made these attacks more difficult than ever to detect and prevent. The report shows a clear increase: 60% of respondents experienced an insider attack in 2022, and 8% experienced more than 20. Three-quarters of organizations said insider attacks are becoming more frequent, and about the same percentage felt they were moderately to extremely vulnerable to them.

The 2023 Insider Threat report (which we sponsored) digs deep into issues like why security professionals are so concerned about insider risk in 2023, how the attack surface for them has changed, and what detection and prevention tools security teams are using to combat them. This blog post summarizes some of the report’s key findings, focused on insider threats in the cloud and defensive technologies. You can download the full report here.

The Deck is Stacked Against Defenders

Since insider threats use legitimate accounts and credentials, it is challenging for defenders to tell them apart from normal user activity. The report found several specific reasons why detection is difficult. First, many insiders already have credentialed access to applications, networks, and services (chosen by 54% of respondents). The attack surface has grown as well: the increasing use of SaaS apps that can leak data (44%) and the increase in personal devices with access to corporate resources (42%) give adversaries more ways to gain entry. 27% of respondents also said that a lack of integrated security that protects data consistently across SaaS, IaaS, on-prem apps, the web, and all devices makes detection more difficult. Security teams need visibility across their whole infrastructure, with no blind spots, to find insider threats effectively, and many don't have this capability. (Luckily, Gurucul does have this capability.)

Flying Blind Through the Cloud

Overall, the report found that the cloud doesn't make defending against insider threats any easier and often makes it harder. 53% of respondents said that detecting insider attacks is harder in the cloud, and another 35% said the cloud was no different from on-prem. A lack of good visibility or threat detection tooling in the cloud seems to play a role: only 45% consider cloud-native functionality moderately to extremely helpful for detecting insider attacks, so a majority do not see the providers' built-in tooling as sufficient on its own.

Defensive Tooling Varies Widely

Visibility and control are paramount for preventing insider attacks. Almost all organizations (87%) consider unified visibility and control across all apps, devices, web destinations, on-premises resources, and infrastructure to be moderately to extremely important. Thankfully, Gurucul provides a single unified interface to view the entire threat landscape across on-prem and cloud.

Performance and speed matter: 87% consider security solution uptime and performance moderately to extremely important for stopping insider threats (for solutions such as SASE, CASB, and SWG). Almost half of organizations (48%) monitor abnormal user behavior across their cloud footprint (SaaS, IaaS, PaaS) and the web. Security teams without these capabilities will likely struggle to detect insider threats in the cloud.

Almost a third of respondents do not use any type of analytics to detect insider threats, which may help explain why so many of them feel vulnerable to insiders. Those that do use analytics use a variety of types; there is no standardized approach to defenses that we can see. 22% use predictive analytics, 33% use user behavior analytics, 35% use activity management and summary reports, and 37% use data behavior, access and movement analytics.

User and Entity Behavior Analytics (UEBA) is a common tool for detecting anomalous behavior that could indicate an insider attack. 86% of organizations monitor user behavior in one way or another, which is encouraging. The most common approach is access logging (29%), followed by automated tools that monitor user behavior (25%). Overall, the findings suggest that many companies have decent insider threat defenses (or are in the process of building them), but there is still a gap in favor of attackers.

At Gurucul, we've found that the best approach to detecting insider threats is to combine many types of analytics. Our platform combines all of the analytics mentioned above into one. This dramatically reduces the management required from the SOC team while providing robust protection. The Gurucul platform analyzes a huge range of data using advanced behavioral and insider threat machine learning (ML) models and data science. It can pinpoint unintentional and malicious privileged-access abuse, unexpected lateral movement and external communications, and data exfiltration.

Users can create their own entity-based risk profiles, and the platform automatically creates time-based behavioral baselines and continuously learns what behavior is acceptable and what is anomalous. By unifying collection and analysis of telemetry across the entire security stack and applying ML-driven security analytics to the collected data, Gurucul provides context, behavioral indicators, and timeline views for automating threat assessment, mitigation, and response. The end result is significantly faster and more accurate identification of suspicious behavior, context on the risk of the threats and users in question, and ultimately better security overall.
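To make the UEBA idea from the two preceding paragraphs concrete (time-based baselines per user, continuous learning from behavior judged acceptable, and flagging off-hours access, new destinations and unusual data volumes), here is an added toy example. It is not Gurucul's code and says nothing about how the Gurucul platform actually models behavior; the users, hostnames, volumes, scoring weights and the `.corp` naming in the sample telemetry are all constructed for the illustration.

```python
"""Per-user behavioural baseline with anomaly scoring: an added toy example, not Gurucul code."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry, not real logs. Users, hosts and volumes are hypothetical.
# Each event: (ISO timestamp, user, action, destination host, bytes transferred).
SAMPLE_EVENTS = [
    # Baseline window: a few days of ordinary working-hours activity.
    ("2023-03-01T09:05:00", "alice", "download", "fileshare.corp", 1_200_000),
    ("2023-03-01T14:30:00", "alice", "download", "fileshare.corp", 900_000),
    ("2023-03-02T10:15:00", "alice", "download", "wiki.corp", 400_000),
    ("2023-03-02T16:45:00", "alice", "download", "fileshare.corp", 1_500_000),
    ("2023-03-03T11:00:00", "alice", "download", "fileshare.corp", 1_100_000),
    ("2023-03-03T15:20:00", "alice", "download", "wiki.corp", 600_000),
    ("2023-03-01T08:50:00", "bob", "download", "crm.corp", 300_000),
    ("2023-03-02T09:40:00", "bob", "download", "crm.corp", 350_000),
    ("2023-03-03T13:10:00", "bob", "download", "crm.corp", 280_000),
    # Scoring window: one normal event per user, then a staged night-time exfiltration by alice.
    ("2023-03-06T09:30:00", "bob", "download", "crm.corp", 320_000),
    ("2023-03-06T10:00:00", "alice", "download", "fileshare.corp", 1_000_000),
    ("2023-03-07T02:30:00", "alice", "download", "fileshare.corp", 48_000_000),
    ("2023-03-07T02:45:00", "alice", "upload", "personal-drive.example", 48_000_000),
]

BASELINE_CUTOFF = datetime(2023, 3, 5)  # events before this train baselines; later ones are scored
ALERT_THRESHOLD = 4                      # risk score at which an event becomes an alert (arbitrary)


@dataclass
class Baseline:
    hours: set = field(default_factory=set)          # hours of day the user is normally active
    destinations: set = field(default_factory=set)   # hosts the user normally touches
    volumes: list = field(default_factory=list)      # bytes moved per event


def update_baseline(b, event):
    """Fold one event into a user's baseline."""
    ts, _user, _action, dest, nbytes = event
    b.hours.add(datetime.fromisoformat(ts).hour)
    b.destinations.add(dest)
    b.volumes.append(nbytes)


def build_baselines(events, cutoff):
    """Learn a per-user baseline from every event before the cutoff."""
    baselines = defaultdict(Baseline)
    for ev in events:
        if datetime.fromisoformat(ev[0]) < cutoff:
            update_baseline(baselines[ev[1]], ev)
    return baselines


def volume_is_anomalous(nbytes, volumes, z_threshold=3.0):
    """True when nbytes is far above the user's historical per-event volume."""
    if len(volumes) < 2:
        return False  # too little history to judge
    mu, sigma = mean(volumes), pstdev(volumes)
    if sigma == 0:
        return nbytes > 2 * mu  # flat history: flag anything well above it
    return (nbytes - mu) / sigma > z_threshold


def score_event(event, b):
    """Return (risk score, reasons) for an event against a baseline. Weights are arbitrary."""
    ts, _user, _action, dest, nbytes = event
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if hour not in b.hours:  # a user with no history is flagged on everything until seeded
        score += 2
        reasons.append(f"activity at {hour:02d}:00, outside the user's usual hours")
    if dest not in b.destinations:
        score += 2
        reasons.append(f"first contact with {dest}")
    if volume_is_anomalous(nbytes, b.volumes):
        score += 3
        reasons.append(f"{nbytes} bytes is far above the user's usual volume")
    return score, reasons


def detect(events, cutoff=BASELINE_CUTOFF, threshold=ALERT_THRESHOLD):
    """Score post-cutoff events in time order; low-risk ones keep updating the baseline."""
    baselines = build_baselines(events, cutoff)
    alerts = []
    for ev in sorted(events):  # ISO-8601 timestamps sort chronologically as strings
        if datetime.fromisoformat(ev[0]) < cutoff:
            continue
        score, reasons = score_event(ev, baselines[ev[1]])
        if score >= threshold:
            alerts.append((ev[1], ev[0], score, reasons))
        else:
            update_baseline(baselines[ev[1]], ev)  # only events judged benign move the baseline
    return alerts


if __name__ == "__main__":
    for user, ts, score, reasons in detect(SAMPLE_EVENTS):
        print(f"{ts} {user} score={score}: {'; '.join(reasons)}")
```

Run as-is and the two 02:30/02:45 events for alice surface as alerts (off-hours plus a volume roughly a hundred standard deviations above her history, then a first-seen external host on top), while the daytime events from both users score zero and are absorbed into their baselines. Two caveats a practitioner would want: because only low-scoring events update the baseline, a single burst cannot raise its own threshold, but a patient insider who ramps volume slowly can still drift the baseline upward, which is why production UEBA compares users against peer groups and time windows rather than a single running history; and the weights and the 3-sigma cut are placeholders, not tuned values.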

Read the full 2023 Insider Threat Report. For more information on how Gurucul can help you defend against insider threats, please visit our Insider Threat Solution page.
