
‘Behavioural Analytics’ – but will it help mitigate the ‘insider-threat’ pandemic deluge?


It is true that 58% of organisations say that their ability to monitor, detect & respond to an insider threat is only ‘somewhat effective’, ‘not so effective’ or ‘not at all effective’. Just 12% seem to think they are ‘extremely effective’!

In addition to a lack of employee cyber-awareness training & the increasing shift towards Cloud application usage, research suggests that the forced explosion in remote working has created a so-called insider-risk ‘full house’.


The recent Insider Threat Report, commissioned by Cyberhaven & researched by Cybersecurity Insiders, found that 51% of organisations don’t have the right protection to mitigate the insider threat properly. Reviewing the data shows that 48% of those surveyed have lost critical data because of operational disruption or outages attributed to a reported insider incident. Customer data seems most at risk (61%), followed by financial data (54%) & then intellectual property (53%).


This ‘tsunami’ of insider risk is associated with 3 main factors: a lack of employee awareness, insufficient data protection strategies &, particularly relevant with many more people working from home than before, a big increase in the number of devices with access to sensitive data.

Very revealing, however, is that 58% of organisations state that their ability to monitor, detect & respond to this sort of threat is only ‘somewhat effective’, ‘not so effective’ or ‘not at all effective’. Only 12% seem to think they are ‘extremely effective’ at handling the insider threat risk.


When it comes to that mitigation, outside of the need for ongoing awareness training, the state of play regarding usage of data behavioural analytics (DaBA) is important. Only 24% of organisations use data behavioural analytics, 22% use user behavioural analytics & 38% were not using analytics at all when it came to insider-threat detection.


Out of a range of analytics technologies organisations are looking at for use, User Entity Behaviour Analytics (UEBA) & Data Behaviour Analytics (DaBA) are both at 36%, the most commonly used. “Organisations understand the importance of analytics in pinpointing insider threats,” Volodymyr Kuznetsov, Co-Founder & CEO of Cyberhaven, observed, “but not all approaches are created equal.”

False Positives

UEBA follows patterns in employees’ behaviour to find strange activity, & this requires a baseline for each employee, taking weeks or months to set up. “Facing blind spots & lacking context, security teams waste valuable time weeding through false positives,” Kuznetsov suggests, further saying “from the moment a DaBA agent is installed, organisations gain full & instant visibility into the movement & behaviour of sensitive data—from the original source to the final destination where it’s copied, edited or encrypted.”

It is the combination of this speed, accuracy & transparency that helps companies detect exfiltration, he further observed.

Remote Work

“With a shift to remote work, any UEBA solution will naturally have challenges given the data centre boundaries will have shifted to include VPNs where most work is now occurring,” warns Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre).

Mackey states that unless the UEBA solution is revamped to also have visibility of access to sensitive data via VPN, all such accesses would be marked as needing investigation. “When combined with the reality that for many users, any form of endpoint monitoring placed on a personal device will be problematic, even solutions such as DLP will be challenged,” Tim commented.


Shareth Ben, Senior Solutions Architect at Securonix, also agrees that organisations are now witnessing growth in VPN & outbound email activity, which then goes on to bombard dashboards with many alerts, thus worsening these ‘alert fatigue’ issues. “In this case the SecOps teams who are behind on the maturity curve will struggle to keep up with the uptick in alerts, whereas a more mature team will be able to handle the surge better using the proven tools & processes they have built over time.”

Needles in the Haystack

Ben also flags that some customers have said UEBA is an essential, not a luxury, to tackle this massive shift in the landscape. “To detect the ‘needles in the haystack’, you need to be able to look for anomalies,” he confides. “UEBA technologies are best positioned to generate the anomalies & then stitch them together to represent a holistic threat, to save time, which is very short for most SecOps teams.”
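To make the baseline problem and the ‘stitching’ idea concrete, here is an added illustration (not code from this article, nor from Cyberhaven, Synopsys or Securonix): a toy UEBA-style profiler over constructed access records. It builds per-user baselines from office-network activity, shows that a stale baseline flags every VPN access once work moves remote, and then aggregates individual anomalies into a per-user risk ranking. The record format, the z-score threshold and all function names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real telemetry): (user, source network, bytes moved).
BASELINE_WEEKS = [
    ("alice", "office", 120), ("alice", "office", 140), ("alice", "office", 110),
    ("alice", "office", 130), ("bob", "office", 500), ("bob", "office", 480),
    ("bob", "office", 520), ("bob", "office", 510),
]
REMOTE_WEEK = [("alice", "vpn", 125), ("bob", "vpn", 490), ("bob", "vpn", 9000)]


def build_baseline(events):
    """Per-user profile: the source networks seen so far plus mean/stddev of bytes moved."""
    by_user = defaultdict(list)
    for user, src, nbytes in events:
        by_user[user].append((src, nbytes))
    profile = {}
    for user, rows in by_user.items():
        vols = [b for _, b in rows]
        # pstdev can be 0 for a flat history; fall back to 1.0 to avoid division by zero
        profile[user] = {"sources": {s for s, _ in rows}, "mean": mean(vols), "sd": pstdev(vols) or 1.0}
    return profile


def score_event(profile, user, src, nbytes, z_threshold=3.0):
    """Return the list of anomaly reasons for one event; an empty list means 'looks normal'."""
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if src not in p["sources"]:            # never seen this user on this network before
        reasons.append(f"new source {src}")
    z = (nbytes - p["mean"]) / p["sd"]     # how far above the user's usual volume
    if z > z_threshold:
        reasons.append(f"volume z={z:.1f}")
    return reasons


def stitch(profile, events, z_threshold=3.0):
    """Stitch per-event anomalies into one per-user view, ranked by number of anomalies."""
    risk = defaultdict(list)
    for user, src, nbytes in events:
        for reason in score_event(profile, user, src, nbytes, z_threshold):
            risk[user].append(reason)
    return dict(sorted(risk.items(), key=lambda kv: -len(kv[1])))


def refresh_with_vpn(profile):
    """Model the baseline update Mackey describes: treat VPN as a known source for everyone."""
    for p in profile.values():
        p["sources"].add("vpn")
    return profile
```

With the stale office-only baseline every remote-week event is flagged, including Alice's perfectly ordinary 125 bytes; after the refresh only Bob's 9000-byte transfer remains, and the analyst sees one ranked user instead of three alerts.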

This ‘alert fatigue’, added to resource & staffing restrictions, is holding back those organisations yet to use analytics, observes Volodymyr Kuznetsov. “In just a few short weeks,” he pointed out, “the entire way we work was upended. Attempting to understand what is normal with UEBA no longer makes sense. There’s a need for speed like never before.”

History of Security

Sam Curry, Chief Security Officer at Cybereason agrees that the history of security for the last 15 years has really centred on how to be ‘fast in collection’ & ‘smart in application’.

The problem is how you keep up with hundreds of thousands of alerts a second & still identify what really matters. “The single biggest tip for organisations in mitigating the insider threat is to align with the business & set the expectation for being a machine that stops attacks more & more effectively & efficiently,” Curry concludes. “If an analytic like UEBA or DaBA helps with that, hire it. If not, fire it.”


User monitoring just does not work in isolation! “Organisations need to be clear on which outcomes they are seeking,” Javvad Malik, Security Awareness Advocate at KnowBe4, says, “and how they will use user monitoring technologies to support those outcomes.” Before deploying any technology to combat insider threat, Malik suggests 2 things must happen:

  1. Understand what insider threats are & their different types. For example, a disgruntled employee stealing data is different from a user forgetting their password & locking out their account, which is different from shadow IT. But all of them fall under the broad category of insider threats.
  2. Use their own data & external data (threat intel etc.) to determine which of the insider threats are the most important to focus on, & then deploy technologies & processes to combat those.


An insightful & interesting approach to these problems.
