Insider Threat Detection in a Borderless World

Saryu Nayyar

Saryu Nayyar | June 14, 2017

The wide scale adoption of hybrid data center and cloud IT infrastructures is creating new security gaps, risks and an expanded threat plane. In this borderless world, some cloud solutions are completely outside of IT’s purview: sensitive data is stored globally and is being accessed by increasing numbers of employees, partners and customers.

Traditional approaches to defending the network – like using a firewall to keep threats outs – no longer suffice. Networks are no longer contained within the four walls of the enterprise, but instead extend out to distributed IT infrastructures via the cloud. Meanwhile, detecting insider threats in this new environment also requires a different approach. One that combines securing applications, locking down identities and monitoring how identities use applications.

According to the 2017 Verizon Data Breach Investigations Report (DBIR), the majority of insider attacks involve end-users absconding with data in the hope of converting it to cash somewhere down the line (60%). The second most common activity is employees engaging in unsanctioned snooping (17%). These misuse scenarios are reflected in the types of data compromised. Personal information and medical records (71%) are targeted for financial crimes, such as identity theft or tax return fraud and occasionally just for gossip value.

Securing Applications

Organizations must be able to secure applications in an automated fashion – there are not enough security professionals to monitor all employees, their locations and the myriad of applications they use to access sensitive data. Both the applications and the employees that use them are fragmented. They don’t exist in a single space, use a single device or have a single entity.

Therefore, organizations must be able to track individual identities as well as the applications themselves, to determine when a user is accessing the application or certain data elements, such as payment card information, in an unauthorized fashion.

In addition to these complications, the sheer number of people it would require to adequately monitor threats and the bandwidth necessary to handle all access requests for company data, particularly during peak periods, is manually impossible. This is where user behavior analytics and machine learning can help secure application usage.

Locking Down Identities

Traditional identity frameworks often make it cumbersome to limit appropriate access privileges to individual identities. This often leads to “rubber stamping” cloned profiles when provisioning new identities and providing excess access rights that are often not required for specific roles or job functions.

To limit insider threat risks, identities need to be locked down. The challenge for many organizations is determining not only which identities have access to applications they should not, but also which have privileged access permissions within applications they need to perform their jobs.

One way to address this problem, involves the use of identity analytics (IdA) to monitor all access permissions and activity associated with an identity regardless of the device, application or data to pinpoint excess privileges so they can be revoked. Using IdA reduces the access threat plane that can be exploited by malicious insiders.

Monitoring How Identities Use Applications

According to the Verizon DBIR, 82% of insider and privilege misuse breaches take months and years to detect, rather than weeks or less. By monitoring user behavior using machine learning and analytics, a company can identify anomalous actions which warrant further investigation by human security analysts. So, rather than looking for a code acting in a known malicious way, this approach instead focuses on individual identities and their behaviors.

In some instances, risk scores can determine an automated risk response such as step-up multi-factor authentication, remediating access outliers or issuing a self-audit to the user and manager to leverage their unique context not found within a SOC.

Access to the company’s data needs to be limited to specific, legitimate uses. While someone in marketing have legitimate reasons to access customer purchase history for targeted marketing efforts and to develop more wide-reaching marketing campaigns, the marketing department doesn’t need to have access to the customer’s payment card information. Similarly, the accounting department has a legitimate reason to have access to payment card details, particularly if there’s a disputed payment, but doesn’t need access to other personally identifiable information.

Using automation that relies on machine-based learning to identify user behavior that is outside the norm helps companies identify unknown risks. The model uses Big Data, combining different analytical approaches to identify threats, escalating each as necessary to further analytics and, if needed, to human intervention.

By taking this three-pronged approach, which incorporates new identity and behavioral analytics techniques and machine learning, companies can better protect themselves from insider threats. In contrast, CISOs who limit themselves to more traditional security approaches will leave their companies exposed in today’s borderless world.

External Link: Insider Threat Detection in a Borderless World

Share this page:

Related Posts