Steven Bowcut interviews Sanjay Raja, Gurucul’s VP of Product Marketing and Solutions in the Brilliance Security Magazine Podcast: Insider Threat Trends and Challenges.
Highlights from the podcast are provided below. You may listen to the full podcast here.
Steven Bowcut: Give us, from your perspective, a high-level overview of the scope or the magnitude of the problem that we’re talking about.
Sanjay Raja: We’ve seen insider threats have an impact on organizations for several years now. It’s not necessarily anything new, in terms of insider threat being a concern for security teams. What we have seen is that there’s a large rise in insider threats and insider attacks. We even see threat actor groups, the best example was Lapsus$, advertise publicly to say, “If you’re a disgruntled employee or someone who wants to make money, come to us and help us get in the door of your organization.” There are a few key organizations that were impacted last year, where someone provided access or gave their credentials to a threat actor and shared in some of the disruption profit that occurred. And we’re seeing a lot more news around even nation-state attacks where a foreign government will approach a user and say, either through blackmail or for monetary reasons, “Allow us in the door and let us get in.”
It becomes very challenging when someone who looks like a proper insider suddenly starts doing suspicious things or risky things. Either they’re doing it, or they’ve enabled a threat actor group on the outside, an external group, to be able to do those things. And we’re seeing an increase in that.
Part of that is the change in the workforce, with a lot more remote workers. We’ve all heard about the big migration that occurred during the pandemic around people quitting and changing jobs quickly. So that’s also caused a bit of a rise in terms of insider threat activity. So, we’ve seen those types of things occur. Certainly, it’s been harder for security teams as they migrate towards cloud infrastructures as well to be able to track insiders. And so, there’s a lot of increased challenges, and again, a lot of changes in the workforce that have enabled insider risk.
Steven Bowcut: That’s interesting. That helps me realign my perspective a little bit. And maybe a lot of us in the industry are guilty of this. When I think of insider threats, I typically think of somebody in my organization who just doesn’t have very good cyber hygiene. They’re not doing the things that we’ve taught them to do, or the things that we request they do, and therefore they present a threat to the organization. And now you’re painting a picture that you’re seeing a trend towards insiders, disgruntled insiders, maybe even partnering with threat actors to purposely do malicious behavior.
Sanjay Raja: Absolutely. In some cases, the blackmail perspective has been common for years through nation-state governments, in terms of finding information or dirt on somebody, or a family member, that kind of thing. So that’s started to escalate a little bit as well. But you’re absolutely right, people don’t think about supply chain attacks necessarily being an insider threat, but when somebody has access to your internal systems in some way, and they’re able to collect data from there, technically they’re an insider. So even when we look at supply chain attacks or partners that have access to your systems, we consider that an insider threat as well. It might be that there’s a lack of communication between the team that manages your supply chain and your IT. That supply chain partner may not be a partner anymore, but the access was never removed, and that leaves the potential for a leak.
We consider that still an insider threat because again, it’s direct access to some of your data or systems, and that can allow for even lateral movement or spreading to more sensitive data over time, depending on how a threat actor uses it.
Steven Bowcut: What do organizations do? How do they detect that kind of threat? You talked about behavior analytics. Is that a big part of it? I mean, it’s an authorized credential or the person should be authorized to be in there, but maybe they’re doing things they wouldn’t normally do, or how does that work?
Sanjay Raja: Risky behavior by itself isn’t an indicator of malicious activity, but malicious activity always starts with risky behavior. It’s very important to be able to understand when there is risky behavior, unusual activity, or anomalous activity. And that’s really what user behavior analytics is about – identifying that risky activity, either from a user or a system.
For example, a person has tried to log into their salesforce.com installation 20 times in the last day. There’s something a little unusual about that activity, but that’s just a start, because when you identify that activity, is it something that you really want to pursue? That’s abnormal activity, but it may not be unusual for, let’s say, Janice, who’s driving in her car and trying to visit a bunch of clients, and she’s trying to access Salesforce from her phone while she’s driving, which is a bad thing to do. But at the same time, if she’s trying to hit that password a bunch of times, that’s not necessarily some unusual activity in that sense; it’s something that’s normal for her as a salesperson on the road.
And so it’s really starting out with that anomalous activity, and identifying that unusual behavior, and then going from there, and then looking at other types of data, whether it’s network data, whether it’s identity analytics, which we talk about in terms of what does this person have access to? What are they supposed to be doing? What are they doing relative to their peers? Do they have access to these systems when their peers don’t? And marrying privilege access policies, entitlements with behavior, and then also looking at network activity, cloud configuration information, networking activity. It’s really painting that overall picture as opposed to looking at individual puzzle pieces.
Behavior analytics is the start of building the puzzle, and seeing that, “Okay, this is a puzzle I need to start to build because there’s something unusual going on.” It’s really getting confirmation and understanding that this is an actual attack, or this is a malicious activity where someone’s trying to steal data or it’s now been where I’ve granted access to an external threat actor that is trying to steal data or install ransomware, cause defacement or disruption, whatever the case is. So, it’s really important to be able to figure that out and confirm that.
Listen to the Full Podcast
Want more? Listen to the full podcast: Insider Threat Trends and Challenges (18:18).