Predict and Stop Abnormal User Behavior Associated with Sabotage, Data Theft or Misuse
Insider threat is the biggest cyber security problem for organizations because insiders tend to cause the most damage. They are also harder to detect and prevent in comparison to attacks from the outside. Insiders are just that – insiders with keys to the kingdom. They know where the sensitive company/customer data is and they have access to it. That means insiders know exactly where to strike if they decide to take action.
Cyber criminals use automated hacking tools continuously to attempt to breach an organization. And, when they do break in, they still need to surveil the network to find the data worth exfiltrating. Insiders are already inside the network and know where the proverbial gold is stored and who has the keys. This is why most cyber criminals try to compromise accounts, effectively making them insiders. All they need to do is find a way to access those keys or use the ones they have to access sensitive data.
Gurucul’s Insider Threat detection and deterrence solution includes three key components:
- User and Entity Behavior Analytics (UEBA): Monitor what users are doing in real-time, particularly those with elevated privileges such as system administrators and workers with access to highly sensitive information like trade secrets, intellectual property or customer account data. UEBA looks for behaviors that are outside the range of normal activities to detect rogue insiders or external intruders who have compromised a user’s account.
- The Self-Audit: Bring users into a collaborative relationship with IT security to protect their identities via self-audits to review risk-ranked anomalous behavior and access analytics.
- Identity Analytics: In-depth intelligence about a user’s identity attributes and the privileges he has on the network. This involves analyzing the access rights and entitlements a person has; the activities he has been performing across multiple accounts, both now and in the past; and the typical activities that members of his peer groups are doing. It takes a combination of the right data sources, sophisticated machine learning and perceptive data science to pinpoint truly aberrant actions that are good indicators of misuse of assigned privileges.
The Insider Threat by the Numbers
According to the 2018 Verizon Data Breach Report, 28% of all data breaches involved internal actors. While malicious outsiders (72%) were the leading source of data breaches, these made up only 23% of all compromised data. On the other hand, insiders accounted for 76% of all compromised records. The insider threat is indeed substantial.
Of note, the Healthcare industry is the only vertical that has a greater insider threat (when looking at breaches) than external threat. There were 750 incidents and 536 confirmed data disclosures reported in the Healthcare segment alone. Of those, 18.4% were Privilege Misuse. 47% of the Privilege Misuse cases were cases of fun, curiosity or “snooping”; 40% were for financial gain.
Malicious insiders are one type of insider threat. They engage in illegal activities for financial gain or vengeance. They either have a beef or want the whole cow. Some employees are just curious or want to snoop on a neighbor, a celebrity or family members. This could be medical records, financial statements or other information. Imagine if you knew that the MVP’s hand was going to keep him out of the Super Bowl 3 days before anyone else, or if a famous celebrity was in the hospital. Others target individual executives (expose inappropriate emails, M&A information or salaries for example), or exact whatever damage they can (like deleting code or changing customer records).
System Administrators or employees with privileged access are the likely insider threat candidates for either motive since they have the access needed to steal data or inflict the most damage. However, anyone can be courted by competitors or hackers to surveil internally for cold hard cash. And, individuals with something to hide are susceptible to blackmail.
Here’s the deal: user accounts will get compromised by cyber criminals. Users will click on phishing links in emails. They will download attachments riddled with malware. They’ll click infected website ads. This is not intentional. No one wants their account to be compromised. But, whatever the tactic, cyber attackers will get in and they will compromise your users’ accounts.
These may be privileged users with administrative access or regular users. Hackers do not discriminate. However, they need privilege to install malware or steal data, so they will ultimately seek to compromise administrative accounts. They just might need to go through a regular user account first.
How do you detect when a user account has been compromised? It’s still considered an insider threat because the account belongs to an employee. This is truly where the power of behavior analytics shines. Context and risk scoring are key in distinguishing risky behavior from normal behavior. Gurucul builds context around users and compares normal behavior against new activities to identify risky behavior. Gurucul also dynamically creates peer groups to see what users are doing in relation to their peers. Real-time, risk-prioritized alerts notify you of risky anomalous behaviors.
Behavior Based Security Analytics Identifies High Risk Profiles
Behavior based security analytics is the only way to predict, detect, and remediate the insider threat in real-time. Gurucul pairs User and Entity Behavior Analytics with Identity Analytics on open choice big data to pinpoint threats from legitimate insiders and external intruders using compromised credentials.
Before technologies like ours, companies would put in Data Loss Prevention (DLP) systems and web proxies. These restrict users from being able to email attachments, use USB drives and from going to cloud based file sharing sites. Unfortunately, security officers found out that applying these controls to every employee would have catastrophic impacts to their business. Imagine not being able to send wire information between banks, or sharing a list of new employees with your insurance provider. We would have to go back to FAX machines or the USPS, and business would be slowed to a snail’s pace.
A behavior based security analytics solution allows you to apply different controls to different risk profiles within your organization and automate front line security controls. Risk prioritized alerts help organizations identify high-risk profiles in real-time.
Gurucul Risk Analytics helps security teams by creating a contextual linked view and behavior baseline from disparate systems including HR records, accounts, activity, events, access repositories, and security alerts. A baseline is created for the user and dynamic peer groups. As new activities are consumed, they are compared to the baseline behaviors. If the behavior deviates from the baseline, the behavior is deemed as an outlier. Using behavior analytics and risk scoring algorithms, our machine learning engine enables companies to easily detect and predict abnormal user behavior associated with potential sabotage, data theft or misuse. This is how we detect the insider threat.
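As an added illustration of the baseline-and-peer-group approach described above (example code written for this page, not Gurucul's own engine), the script below scores one day of new activity against each user's own history and against their dynamic peer group; the activity records, the department-based peer grouping and the z-score-times-ten risk scale are all constructed assumptions.

```python
"""Peer-group baseline scoring in the style of the UEBA approach described
above. Added example with constructed data; not Gurucul's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, peer_group, day, records_accessed). Days 1-5 are
# history used for the baseline; day 6 is the new activity being scored.
# "bob" pulls 900 records on day 6, far beyond his own and his peers' norm.
EVENTS = (
    [("alice", "finance", d, n) for d, n in zip(range(1, 7), [40, 45, 38, 42, 41, 44])]
    + [("bob", "finance", d, n) for d, n in zip(range(1, 7), [50, 48, 52, 47, 51, 900])]
    + [("carol", "finance", d, n) for d, n in zip(range(1, 7), [35, 37, 36, 39, 34, 38])]
)

def baselines(events, history_days):
    """Per-user and per-peer-group (mean, stdev) of daily volume over history."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, day, n in events:
        if day in history_days:
            per_user[user].append(n)
            per_group[group].append(n)   # peer group = same department here
    def stats(xs):
        return (mean(xs), pstdev(xs) or 1.0)  # avoid division by zero
    return ({u: stats(v) for u, v in per_user.items()},
            {g: stats(v) for g, v in per_group.items()})

def risk_score(events, history_days, new_day, threshold=3.0):
    """Score new_day activity by its largest z-score against the user's own
    baseline or the peer-group baseline. Returns {user: (score, is_outlier)};
    score is z*10 clamped to 0..100 so alerts can be risk-ranked."""
    user_b, group_b = baselines(events, history_days)
    out = {}
    for user, group, day, n in events:
        if day != new_day:
            continue
        z_self = (n - user_b[user][0]) / user_b[user][1]
        z_peer = (n - group_b[group][0]) / group_b[group][1]
        z = max(z_self, z_peer)          # deviation in either frame is risky
        score = min(100.0, max(0.0, z * 10))
        out[user] = (round(score, 1), z > threshold)
    return out

if __name__ == "__main__":
    for user, (score, outlier) in risk_score(EVENTS, range(1, 6), 6).items():
        print(f"{user:6s} risk={score:5.1f} outlier={outlier}")
```

In a real deployment the baseline would span many activity types and data sources and the peer groups would be derived from identity and HR attributes rather than a single department label.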
The Self Audit
There is one capability that Gurucul uniquely provides for insider threat detection and deterrence: the self-audit. Users are provided a self-audit, much like a credit card statement, to view their own risk-ranked anomalous activities, identities, access, devices and other key data points in an easy-to-use web portal. Developed with a customer CISO and now gaining popularity with other CISOs, it co-opts users into a collaborative relationship to monitor and protect their identities. When users detect an anomaly, the false positive rate is very low, and the context provided is richer and faster than IT can provide. The visibility of specific data sources that are monitored and analyzed against dynamic peer groups also acts as a deterrent against insider threats.
Real World Examples
Account Compromise: A manufacturing company was doing a Gurucul Risk Analytics proof of concept. They fed their SAP information along with some network and firewall logs to our behavior based security analytics platform. Our analytics determined that their product bill of materials had been accessed by a foreign nation. It had been compromised for more than 18 months without them knowing. We were able to reveal this account compromise scenario in a couple of hours. We later learned their share price dropped by 25% due to a lower priced competitive product. We also discovered fraud in their call centers, and our platform has since been used to bust credit card theft rings at this particular company.
Malicious Insiders: On the preemptive side, we often identify employees that are a flight risk. We have done deep research on this and have behavior models that predict a user leaving and flag high risk departing users before data is exfiltrated. Employers can use this information to place that individual into a more restrictive policy that no longer allows them to use public cloud services like Dropbox or Google Drive. In collaboration with DLP, we can prevent suspect employees from using USB drives or sending emails with attachments. These precautions have kept data from leaving the organization for many of our customers.