The threat within: Understanding how to defend against the insider threat

Insider threat

By Gary Southwell, Seceon

The insider threat has become one of today’s most pressing cyber security concerns. In 2016, the Insider Threat Report Spotlight found seventy-four percent of organizations feel vulnerable to insider threats—a dramatic year-over-year increase. However, less than half of all organizations (42 percent) have the appropriate controls in place to prevent an insider attack. The survey also provides greater insight on the source of the threats:  “Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60 percent). This is followed by contractors and consultants (57 percent), and regular employees (51 percent).”

Most companies miss the mark when defending against the “insider” threat, which in many cases is not a rogue employee seeking personal gain, but a case of compromised credentials. In fact, 22 percent of all data breaches are caused by compromised credentials and 65 percent of companies expect to suffer a breach due to compromised credentials in the future, according to a survey conducted by the Cloud Security Alliance and sponsored by Centrify. What’s more, most companies are often oblivious to the breach, with data being exfiltrated just hours after the break-in.

The Insider Threat Report Spotlight also describes the challenges to detect and remediate the threats, indicating that only 27 percent of organizations feel they can detect a threat within hours and only 24 percent can remediate the problem within hours after detection. Yet, according to Verizon’s 2016 Data Breach Investigation Report, 81.9 percent of organizations surveyed reported that a compromise took only minutes to infiltrate company systems, with a majority of respondents showing that associated data was exfiltrated within hours of the initial compromise. This means that there is little chance today’s enterprises can actually stop data loss from occurring using current techniques in regards to such threats.

In the end, the cost of such threats is greater than all others. The Insider Threat Report goes on to say that more than 75 percent of organizations estimate insider breach remediation costs reach $500,000. Twenty-five percent believe the cost exceeds $500,000 and can reach in the millions. The challenge with today’s insider threat, or loss of credentials, is to detect and stop the threat before data is accessed, altered or stolen.  

Organizations are at risk from such threats because they are unable to see the threats and therefore, too slow to identify them. Moreover, they often lack the technologies, policies or the staff to stop the threat before significant data loss occurs. What’s needed is a better approach, one that detects and remediates in minutes, not hours and days.  Much has been talked about applying behavioral analytics to help detect the problem faster. Can next generation approaches and technologies in behavioral analytics and machine learning detect threats quickly and help to address staff and policy limitations when defending against the “insider” threat?

First, let’s take a look at the problem more closely. It’s difficult for traditional security tools to discern and detect the use of an insider’s own lost credentials, or the use of new ones created with elevated privileges by a knowledgeable insider. The use of “legitimate” credentials does not trigger a threat response from the system. Considering the case where an insider loses or makes known through techniques such as phishing, his/her credentials to the outside world, current defenses don’t detect if it’s an imposter accessing assets. The same can happen when an employee or contractor is given opportunity and decides to use his or some other created credentials to steal data. In both cases, a behavioral approach lends itself to clearer detection.

A behavioral approach: Is it enough?

However, a behavioral approach alone is not enough to ensure defense against attackers. Behavioral models tend to only flag behavioral indicators that may be dangerous, and can raise hundreds of false-positives on a weekly basis.

Such indicators still need the review of a well-trained analyst to wade through the alerts, and logs to correlate and analyze the information to decide if the behavior does in fact translate into a meaningful threat and then determine what action to take next.  It’s easy to see how such work can take days, let alone hours, for the most skilled analysts.

The next problem is these analysts don’t exist within 95 percent of organizations today. In fact, analysts at 451 Research estimate that less than four percent of enterprises and government organizations have dedicated security staff in a security operations center (SoC) to monitor all these products for possible breaches. And, for the remaining small percent of organizations that do have trained analysts, they are too overwhelmed with the volume of alerts they already receive to act in a timely manner across them all.

According to a March 2016 report conducted by Enterprise Strategy Group, despite having invested significantly in information security solutions to the point of utilizing dozens of point products, nearly 74 percent of the 125 IT and cybersecurity professionals surveyed reported that security incidents/alerts are simply ignored because their teams can’t keep up with the suffocating volume.

Today’s conditions demand a behavioral system that automates the analysis for teams responsible for security and detects and prioritizes legitimate threats as they are happening.  They also demand immediate response to stop the threat once detected rather than accepting best practice in response to be “under one day.”

Machine learning demands context

Some organizations have tried to use approaches solely dependent on machine learning to accomplish this level of protection. Initially, machine learning provided a good way to identify patterns and relationships, but in practical terms, machine learning tends to generate a great deal of false-positives, creating the same problem we see with behavioral approaches, which demand that a human analyst sort through the findings to determine a course of action and steps for remediation.

A better approach would be to use an intelligent system with rule sets whose thresholds are aided by machine learning so that known threat behaviors can be tailored to appropriate behavior for the system. Correlating these behaviors together can fit general threat patterns that indicate a true attack, machine learning can be used to add anomalous behavior as an input to this mix.  

The correlated output would then allow the system to maintain a high degree of confidence in the results before presenting a threat, allowing analysts to see all sources of correlation before enacting steps to remediation.

Combine behavioral analytics and machine learning with real-time remediation

Today, there are a number of innovative solutions from emerging providers, including Seceon, that leverage advanced technologies such as user behavioral analytics, machine learning and in-memory processing for this type of data collection, analysis and automated remediation in real-time.

With any of these technologies, however, the challenge is to deploy them strategically, understanding the implications any single action will have on specific applications, network connections, employees, customers etc. Following are some of the considerations that organizations can use to evaluate these emerging solutions:

  1. Easy to understand, prioritized alerts: By automatically connecting multiple threat indicators and correlating them in context to surface genuine threats, these next generation technologies can help security teams address attacks as they happen with plain English alerts. A single-line threat alert with drill-down context enables security teams to understand the severity of the threat easily and quickly and take action to fix it automatically.
  2. Fully automated threat detection for compromised credentials, insider and all other attacks: The need for automated threat detection applies to organizations of any size or cyber security skill level.  For the Fortune 500 with significant resources and staff already in place, automation of threat detection can eliminate threat alert overload and enable greater efficiency for security teams addressing attacks as they occur and ensuring the correct remediation and reporting of the threat. For small to medium-sized businesses with limited or no security analyst staff, automated technology enables a virtual SoC team of sorts, giving skill- and resource-constrained teams a chance to stay ahead of these threat actors.
  3. Automatic threat remediation in real-time: With faster detection must also come faster remediation. Analysts must react quickly to stop the threat actor in his tracks. Once the threat is revealed, the system must be intuitive and provide immediate recommended actions to stop the threat. Ideally, the system will allow such actions to be taken directly from the same screen which detected the threat, allowing for “push button,” or if desired, fully automated threat remediation. This minimizes the effort and can easily cut the amount of time for human response, literally down to seconds of elapsed time from the moment the threat was detected and verified. Rapid response demands a system that enables a single analyst to recognize a threat and immediately disable user credentials, or if progressed further, isolate a user from the network before data is exfiltrated from the organization. For many large organizations this will require changes in current procedures. The reality is modern organizations must adapt their policies and procedures to react faster, leveraging a system that can automatically halt the use of compromised credentials and issue new ones in real time to minimize the risk of data loss and business disruption.

Policy driven

Security and policy go hand in hand. A good system that detects threats can also be used to set policies, for example, providing only certain people or groups with access. A good system should also recognize who accesses these resources and the typical patterns of what they do with them, and then allow staff members to determine what policies should be created, in essence, creating a white list that creates protected groups and provides alerts if anyone outside the group tries to access protected data.

In this way we can address vexing challenges—determining the right course of action to protect information without causing undue side effects by blocking productivity of users that regularly use these data sources.  

Look to new solutions

Do you have to go to a big name vendor to get such solutions to be sure they are effective? In fact, emerging solution providers are shown to have delivered the highest incremental cost savings at $1.1 million and $0.8 million respectively in the face of insider threats, according to the Ponemon Institute’s 2016 Cost of Insider Threats report.

“We found that solutions focused on visibility and transparency, rather than stringent controls and limitations, are driving the most impact in terms of cost savings and return on investment,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “Our recommendation for combatting costly insider threats is building a layered defense that delivers a comprehensive range of capabilities across visibility, detection, context, and rapid response.”

We couldn’t agree more.

Gary Southwell is co-founder and chief strategy officer for Seceon, a threat detection and management company that aims to visualize, detect, and eliminate cyber threats in real-time. He has more than 25 years of strategic business and security product planning experience, and is responsible for driving Seceon’s pending patents in threat modeling with applied behavioral analytics.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s