Detecting insider threats requires distinguishing between acceptable activities and those that either put the organization at risk or are outright malicious. Doing so is easier said than done. Many organizations simply don’t have the systems and solutions in place to identify such threats in a timely manner.
The layered security stack present in most organizations is important for maintaining a strong posture against external threats, but the tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) that traditional solutions are built to recognize generally don’t apply to insider threats — who are already within the perimeter and who already have the necessary privileges to access resources.
Instead, catching malicious and compromised insiders requires using predictive security analytics to connect dots that, collectively, show malicious behavior, and doing so without generating false positives that waste resources and lead to alert fatigue — a task complicated by the enormous volume and infinite variety of completely benign behaviors corresponding to everyday activities.
To deliver these outcomes, a modern insider threat solution must be able to:
Ingest threat signals from the identity plane:
The ability of a system to detect and predict identity threats is directly related to the breadth and depth of signals available. Consequently, an insider threat solution should be able to ingest data from a variety of identity (and related) components — both from within the organization (e.g., user directories, applications, IAM platforms, the existing security stack, etc.) and external to it (e.g., threat intelligence feeds, social media content).
Generate dynamic behavioral baselines that incorporate observations:
An insider threat solution must be able to account for both the ever-changing nature of many roles within the modern workforce, as well as the reality that identity directories — for a variety of reasons — are unable to accurately capture or represent the nuances of each role. More specifically, the insider threat platform must be able to automatically create dynamic peer groups and build ever-changing time-based norms.
Predict and detect insider threat activity:
With accurate, dynamic baselines in place, predicting and detecting malicious activity is conceptually straightforward — ingest signals in real time, interpret them as behaviors, and compare to the baselines.
However, in practice, an insider threat solution’s efficacy depends upon its ability to ingest, process, and analyze data at scale, including applying clustering and outlier algorithms.
Traditional security tools — especially security information and event management (SIEM) platforms — simply weren’t built with these specific requirements in mind, which is why a specialized insider threat platform offers the highest efficacy and best value for organizations looking to safeguard against such risks.
An insider threat refers to the risk associated with or attributable to individuals within an organization — and, in particular, with those who have authorized access to sensitive information, systems, or resources.
With today’s extended workforces, insiders include employees, contractors, temporary workers, and business partners (e.g., vendors, suppliers, customers), any of whom can become an insider threat actor:
Careless Insider: An insider who unknowingly introduces risk, for example through negligence, lack of awareness, or failure to follow established security protocols.
Malicious Insider: An insider who intentionally breaches security policies and misuses their privileges, typically for personal gain or to harm the organization.
Compromised Insider: An insider whose credentials or access rights have been compromised, enabling threat actors to gain unauthorized access to privileged resources.
The most common form of insider threat is unauthorized disclosure of sensitive information. This type of incident occurs when an individual with authorized access to confidential data — e.g., customer data, trade secrets, personally identifiable information (PII), protected health information (PHI), financial information, etc. — shares it with unauthorized individuals or entities.
The cause can be as innocent as misaddressing an email or including the wrong attachment (e.g., more data than intended, or the wrong data), or as malicious as deliberately disclosing proprietary knowledge to a competitor for personal profit.
Detecting insider threats requires distinguishing between acceptable activities and those that either put the organization at risk or are outright malicious. Doing so is easier said than done, and the reality is that many organizations simply don’t have the systems and solutions in place to identify such threats in a timely manner.
For example, the traditional security stack is primarily focused on perimeter defense. It relies on components that apply rules to deny entry or passage to suspicious traffic, block known attacks using a database of signatures, and detect probing activity and exploitable vulnerabilities on the network perimeter and internal systems.
These layered defenses are important, but the TTPs and IoCs that they are built to recognize generally don’t apply to insider threats — who are already within the perimeter and who already have the necessary privileges to access resources.
“66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks.”
– Techjury
Rules simply don’t work for insider threats, because it’s not possible either to perfectly anticipate every abuse scenario or to codify how to interpret and process the many signals associated with malicious activities.
Instead, catching malicious and compromised insiders requires using predictive security analytics to connect dots that, collectively, show malicious behavior. Moreover, these dots must be connected without generating false positives that waste resources and lead to alert fatigue, a task complicated by the enormous volume and variety of completely benign everyday activity.
To deliver these outcomes, a modern insider threat solution needs three fundamental capabilities: ingesting threat signals from the identity plane, generating dynamic behavioral baselines, and predicting and detecting insider threat activity.
We will examine each capability and explain how they work in concert to help organizations manage insider threats.
Not long ago, identity infrastructure was regarded as merely a utility for managing credentials and access permissions — but as digital transformation reshaped how organizations operate, the ability to manage and leverage digital identities became ever-more challenging.
As a result, identity infrastructure grew, extending into practically every corner of the IT environment. However, as well as enabling members of the workforce and other entities (e.g., devices, systems) to access necessary resources, this same infrastructure should be regarded as a vast threat surface — and one that’s difficult to harden, for a few reasons:
Identity is complex: Any individual digital identity within the modern workplace typically has multiple authorizations and entitlements, which vary from application to application and resource to resource.
Identity is fractured: Any individual human user may have multiple digital identities corresponding to the many systems they use (for context, Okta’s Businesses at Work 2023 report revealed that large companies use an average of more than 200 software applications). Even organizations with centralized directories (e.g., Active Directory) often have many other identity repositories, which may or may not be tightly integrated with the central source of truth.
Identity is hard to manage: Digital identities are incredibly dynamic; combined with the inherent complexity of the domain, this dynamism makes identity extraordinarily difficult to manage. Access privileges must account not only for the classic joiner/mover/leaver (JML) scenarios, but also common occurrences like the introduction of new applications or systems, and rarer — but massive — changes like company reorganizations or acquisitions. Even today, identity management often involves tedious, manual processes that are prone to human error; over time, little errors add up, resulting in users (and orphaned accounts) with legacy access privileges that vastly exceed what their current role requires.
In the context of these challenges, the ability of a system to detect and predict identity threats is directly related to the breadth and depth of signals available. Consequently, an insider threat solution should be able to ingest data from a variety of identity (and related) components (Table 1).
Beyond the data sources within an organization’s own IT environment, additional threat context can be gained by incorporating external signals, including threat intelligence feeds and social media content (e.g., for sentiment analysis).
Table 1 — Potential sources of identity threat signals
| Component | Explanation |
| --- | --- |
| Human Resources (HR) & Enterprise Resource Planning (ERP) Systems | These systems are often the authoritative sources for the many digital identities being used within an organization. |
| Identity and Access Management (IAM) & Identity Governance and Administration (IGA) Systems | Collecting data from these identity systems allows an insider threat solution to understand the legitimate access rights associated with different users and their peers. Tip: Make sure the source includes the extended workforce (e.g., contractors, partners, vendors, etc.), if applicable to your organization. |
| Directories | Many organizations use directories such as Active Directory (on-premises) and Azure AD (cloud; now Microsoft Entra ID), but other potential sources include LDAP directories and other directory services. |
| Privileged Access Management (PAM) Systems | Many organizations use specialized tools to control and track the activities of powerful accounts, such as those belonging to system administrators, database administrators, security professionals, and so on. Given everything these accounts can do, they are prime candidates for privilege abuse — they’re often targeted by spear-phishing attacks — and must be monitored closely. |
| Logs | Logs are an invaluable source for connecting dots and attributing activity within an expansive IT environment — data can be collected from log aggregators, SIEMs, syslog, databases, applications, and the network. |
| Security Stack | Additional (and valuable) context can be gained by ingesting alerts and other data from the existing security stack, including such elements as: |
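As an added example (not code from this paper or from any vendor's product), the following Python shows the kind of cross-source correlation Table 1 enables: accounts pulled from several repositories are linked back to the HR system of record, which immediately surfaces two of the conditions described above, orphaned accounts that nobody owns and logins on accounts whose owner has already left. Every record, log line, and field name below is constructed for the example and is an assumption, not a real schema.

```python
"""Cross-source identity correlation: link accounts from several repositories
to one human identity via the HR system of record, then flag orphaned accounts
and logins on accounts whose owner HR marks as terminated. All records are
constructed sample data; field names are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime

# HR / ERP system of record (constructed): the authoritative list of people.
HR = {
    "E100": {"name": "alice", "dept": "finance", "status": "active", "term_date": None},
    "E200": {"name": "bob", "dept": "finance", "status": "terminated", "term_date": "2024-03-01"},
    "E300": {"name": "carol", "dept": "eng", "status": "active", "term_date": None},
}

# Accounts pulled from a directory, an ERP app, a PAM vault and a CRM
# (constructed). Each carries whatever owner id its provisioning system kept.
ACCOUNTS = [
    {"account": "alice@corp", "source": "ad", "employee_id": "E100"},
    {"account": "alice.f", "source": "erp", "employee_id": "E100"},
    {"account": "bob@corp", "source": "ad", "employee_id": "E200"},
    {"account": "svc-backup", "source": "pam", "employee_id": None},   # no owner recorded
    {"account": "carol@corp", "source": "ad", "employee_id": "E300"},
    {"account": "cjones", "source": "crm", "employee_id": "E999"},     # owner unknown to HR
]

# Authentication log lines (constructed): "<ISO timestamp> <account> <target>".
AUTH_LOG = [
    "2024-02-20T10:00:00 bob@corp ad",            # before bob's termination: fine
    "2024-03-05T09:12:00 alice@corp erp",
    "2024-03-05T22:40:00 bob@corp ad",            # after termination: should not happen
    "2024-03-06T03:15:00 svc-backup backup-srv",
    "2024-03-06T10:00:00 cjones crm",
]


def parse_auth(lines):
    """Parse the constructed log format into dicts with a real datetime."""
    events = []
    for line in lines:
        ts, account, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account, "target": target})
    return events


def link_identities(accounts, hr):
    """Return ({employee_id: [accounts...]}, [orphan accounts]).
    An account is an orphan when its owner id is missing or unknown to HR."""
    by_person = defaultdict(list)
    orphans = []
    for acct in accounts:
        eid = acct["employee_id"]
        if eid in hr:
            by_person[eid].append(acct["account"])
        else:
            orphans.append(acct["account"])
    return dict(by_person), orphans


def activity_after_termination(events, accounts, hr):
    """(account, timestamp) for logins that post-date the owner's termination."""
    owner = {a["account"]: a["employee_id"] for a in accounts}
    findings = []
    for ev in events:
        rec = hr.get(owner.get(ev["account"]))
        if rec and rec["status"] == "terminated":
            if ev["ts"] > datetime.fromisoformat(rec["term_date"]):
                findings.append((ev["account"], ev["ts"].isoformat()))
    return findings


def active_orphans(events, orphans):
    """Orphan accounts that are not merely stale but actually being used."""
    return sorted({ev["account"] for ev in events if ev["account"] in orphans})


if __name__ == "__main__":
    people, orphans = link_identities(ACCOUNTS, HR)
    events = parse_auth(AUTH_LOG)
    print("linked identities:", people)
    print("orphans in use:", active_orphans(events, orphans))
    print("post-termination logins:", activity_after_termination(events, ACCOUNTS, HR))
```

Neither finding needs a behavioral model; both fall out of simply joining the HR, IAM/directory, PAM and log feeds on a common owner key, which is why the breadth of ingested sources matters before any analytics are applied. In a real deployment the join key is rarely this clean across repositories, and reconciling it is most of the work.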
Sifting through massive volumes of user activity, even with machine learning algorithms to help learn typical user behavior patterns, can spot anomalous behavior; without accurate baselines, however, it generates an overload of false positive alerts.
Unfortunately, building baselines solely upon the user information provided by an organization’s user directory is insufficient, for at least three reasons.
First, to facilitate easier provisioning, the directory services (e.g., Active Directory and similar products) organizations use tend to put people into static groups based upon one or more factors such as official role or title, team, and location.
This information is somewhat useful for analyzing identities, privileges, and activities; however, as noted previously, these groupings usually become outdated over time. And even when kept up to date, it’s unrealistic to assume that all users with the same official role/title, within the same team, within the same location — or even sharing a combination of these and other factors — will also share the same behaviors.
Second, the sheer number of distinct groups that exist in many organizations — particularly larger and older ones — presents an additional challenge. In some cases, an organization’s identity directory may even include more groups than individual user identities.
And third, behaviors change over time — sometimes very gradually (e.g., as a user becomes more proficient, takes on new responsibilities, etc.) and sometimes very suddenly (e.g., a user fills in for a colleague on leave or is assigned to a new project that requires them to access different systems and data).
Consequently, an insider threat solution must be able to account for both the ever-changing nature of many roles within the modern workforce, as well as the reality that identity directories — for a variety of reasons — are unable to accurately capture or represent the nuances of each role.
“Gurucul really stood out because the analytics engine was the most powerful. I don’t think there’s a day that goes by where we don’t have a new interesting use case we didn’t think of before. We’re down to the level of ingesting physical security logs from our parking ramp to determine who is here. Could they really have done what they did? They weren’t even at the building. These types of use cases, there’s really no end to it.”
– William Scandrett, CISO, Allina Health
Dynamic peer groups
Unlike static groups and attributes, which are assigned to a user, dynamic peer groups define groups of users based upon the activities they are observed performing and the behaviors they are observed exhibiting, as well as the types of privileges associated with their digital identities.
As a result, dynamic peer groups yield a much tighter clustering of behavior — and much more accurate and actionable baselines.
Time-based norms
To enable even more effective predictive analysis, dynamic peer groups should be used in combination with time-based norms — which simply means that an insider threat solution should be able to understand and learn from behavioral shifts that are expected and/or acceptable.
For example, consider the scenario in which a department manager is on leave for two weeks. During that time, an employee within the department temporarily assumes the manager’s responsibilities. This team member’s digital identities now have new, company-sanctioned privileges for a short time. Within this context, behaviors that deviate from the user’s historical baseline are now understood to be completely normal — so risk scores remain unchanged, and no alerts are generated.
With accurate, dynamic baselines in place, predicting and detecting malicious activity is conceptually straightforward: ingest signals in real time, interpret them as behaviors, and compare them to the baselines.
In practice, an insider threat solution’s efficacy depends upon its ability to ingest, process, and analyze data at scale, including applying clustering and outlier algorithms.
Once an insider threat solution has moved beyond baselines and is operating in its steady state, there should be very few alerts.
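The following Python is an added, self-contained illustration of the dynamic peer group, time-based norm, and baseline comparison ideas in the preceding sections; it is not the paper's or Gurucul's code. Users are clustered purely on the resources they are observed using (the org chart is never consulted), a sanctioned delegation window makes a temporarily expanded repertoire expected, and each detection-window event is scored against the user's own norm and then the peer group's. The events, the delegation record, the cosine threshold and the three-level score are all constructed for the example and are assumptions, not a product's algorithm.

```python
"""Dynamic peer groups and time-based norms, as a small stand-alone model of
the approach described above. Users are grouped by the resources they are
observed using, not by directory attributes; detection-window events are then
scored against the user's own history, the peer group's repertoire, and any
sanctioned delegation in force that day. All events and delegations are
constructed sample data, and the three-level score is this example's own."""
from collections import Counter, defaultdict
from datetime import date
from math import sqrt

# Constructed baseline (two weeks): (day, user, resource). Finance analysts use
# the ledger and reports, their manager also approves payroll, engineers use
# git and CI. Note that the org chart is never consulted below.
BASELINE = [
    (date(2024, 3, d), user, resource)
    for d in range(1, 15)
    for user, resource in [
        ("alice", "ledger"), ("alice", "reports"),
        ("bob", "ledger"), ("bob", "reports"),
        ("mgr-dana", "ledger"), ("mgr-dana", "payroll"), ("mgr-dana", "reports"),
        ("erin", "git"), ("erin", "ci"),
        ("frank", "git"), ("frank", "ci"),
    ]
]

# Constructed sanctioned delegation: alice covers for mgr-dana while on leave.
DELEGATIONS = [
    {"delegate": "alice", "covers": "mgr-dana",
     "start": date(2024, 3, 18), "end": date(2024, 3, 29)},
]


def feature_vectors(events):
    """Per-user counts of resource use: the observed behavior we cluster on."""
    vectors = defaultdict(Counter)
    for _, user, resource in events:
        vectors[user][resource] += 1
    return vectors


def cosine(a, b):
    """Cosine similarity of two sparse count vectors (0.0 when disjoint)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    return dot / (sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values())))


def dynamic_peer_groups(vectors, threshold=0.8):
    """Greedy single-link clustering on usage similarity. Users share a group
    because they behave alike, whatever their title or team."""
    groups = []
    for user, vec in vectors.items():
        for group in groups:
            if any(cosine(vec, vectors[member]) >= threshold for member in group):
                group.append(user)
                break
        else:
            groups.append([user])
    return groups


def expected_resources(user, day, vectors, delegations):
    """The user's own baseline plus whatever an active delegation sanctions
    for that day (the time-based norm)."""
    expected = set(vectors[user])
    for d in delegations:
        if d["delegate"] == user and d["start"] <= day <= d["end"]:
            expected |= set(vectors[d["covers"]])
    return expected


def score_event(day, user, resource, vectors, groups, delegations):
    """0: within the user's own or delegated norm (no alert).
    1: new for this user but common in the peer group (low risk).
    2: outside the whole peer group's repertoire (investigate)."""
    if resource in expected_resources(user, day, vectors, delegations):
        return 0
    peers = next(g for g in groups if user in g)
    repertoire = set().union(*(vectors[p] for p in peers))
    return 1 if resource in repertoire else 2


def score_window(window, baseline=BASELINE, delegations=DELEGATIONS):
    """Score each (day, user, resource) in a detection window against the
    baseline-derived vectors and peer groups."""
    vectors = feature_vectors(baseline)
    groups = dynamic_peer_groups(vectors)
    return [(day.isoformat(), user, resource,
             score_event(day, user, resource, vectors, groups, delegations))
            for day, user, resource in window]


# Constructed detection-window events.
WINDOW = [
    (date(2024, 3, 20), "alice", "payroll"),  # during delegation: expected
    (date(2024, 4, 2), "alice", "payroll"),   # delegation over: peer-level anomaly
    (date(2024, 4, 2), "alice", "git"),       # nothing like her peers: outlier
    (date(2024, 4, 2), "erin", "ci"),         # routine
]

if __name__ == "__main__":
    print(dynamic_peer_groups(feature_vectors(BASELINE)))
    for row in score_window(WINDOW):
        print(row)
```

The same payroll access by the same user scores 0 on 20 March and 1 on 2 April; only the context changed. That is the point of time-based norms: the delegation record, not a relaxed threshold, is what keeps the sanctioned case quiet, and the manager lands in the analysts' peer group because of overlapping behavior rather than a directory attribute. A production system would additionally compare event volumes and timing against peer distributions, which this example omits.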
For descriptions of the top twelve fundamental use cases enterprises should consider for their insider threat program, please read our Key Insider Threat Use Cases datasheet.
Traditional cybersecurity tools were built to fend off external adversaries; as such, their capabilities are tailored for defending the perimeter and looking for indicators of compromise associated with initial access and intrusion actions. However, the reality is that internal threats behave much differently than external ones — which calls for a different defensive strategy.
The most effective way to pinpoint the presence of insider threats — without creating a lot of false positive alerts — is to overlay user activities with user identity intelligence, cluster identities into dynamic peer groups, create time-based behavioral baselines, and continuously learn what is acceptable behavior in order to spot the unacceptable behavior.
Doing so takes a combination of the right data sources, the ability to create meaningful and dynamic behavioral baselines, and time-tested data science to pinpoint deviations that indicate malicious activity.
The right platform for a difficult job
The Gurucul REVEAL Security Analytics Platform is the core of any insider threat prevention program. It monitors an organization’s environment, natively ingests any data across multiple data sources, and analyzes this data using advanced behavioral and insider threat machine learning (ML) models and data science. Gurucul can pinpoint unintended and malicious privilege access abuse, unexpected lateral movement and external communications, data exfiltration — and other internal threats.
Several attributes make the platform uniquely capable of predicting and detecting internal threats, including:
Identity-centric risk modeling: Gurucul combs through every user, account, and entitlement, and links them together to provide a complete view of every user. The insider threat solution then correlates this human-centric behavioral information with information security data to surface anomalous activity.
Flexible entity model: Define your own entity-based risk profiles and monitor beyond users, devices, servers, and machines. For example, a sensitive document can be defined as an entity and integrated with Gurucul’s behavioral-based approach with an analysis of the overall risk across multiple telemetry sources to detect misuse or unauthorized access to the document.
User behavior baselining, analytics, and monitoring: Gurucul creates time-based behavioral baselines and continuously learns what is acceptable behavior. By unifying collection and analysis of telemetry across the entire security stack and applying ML-driven security analytics to collected data, Gurucul provides unprecedented context, behavioral indicators, and timeline views for automating threat assessment, mitigation, and response.
Peer-group analytics: Gurucul natively supports static and dynamic peer-group definition and analytics. It automatically groups users to create baselines and detect unusual deviations from peer group baselines. It also supports advanced dynamic peer-groups, created automatically based upon feature data analysis and data cardinality.
Sentiment analysis: As part of an overall insider threat program, Gurucul unifies data feeds from HR applications, social media, emails, website visits, and more to profile a user’s sentiment — to ascertain indicators of discontent prior to departing the organization or attempting to steal data/IP.
Please visit our website to learn more about our insider threat management capabilities or to schedule a demonstration at your convenience.