We must never forget to look beyond external threats to insider threats to secure our corporate data and IP. We’re seeing a large number of insider threats and that’s a big issue. What’s interesting is that they can come from many different places – employees, contractors, temporary workers, vendors, and business partners. Let’s take the disgruntled employee; how do you know that an employee is disgruntled from an IT standpoint? That’s very difficult to do. It could be a supply chain partner inadvertently causing an insider threat attack – not knowingly, not necessarily maliciously, but that’s still considered an insider threat. And then of course there are account takeover attacks where outsiders steal insider credentials and appear to be legitimate insiders but they’re not. These are also considered insider attacks.
Insider Threat Motives
There are a lot of different motives. There could be financial gain where employees are looking to steal funds. We’ve seen cases where embezzlement has occurred. We’ve seen retaliation from employees who have been put on performance improvement plans. Employees may be upset about not being promoted. A contractor may leave an AWS bucket exposed; that’s still considered an insider threat even if the initial compromise was not created by a threat actor. The motives are numerous, and the assets and targets of insider threats are wide and varied. Cloud infrastructure is a big target as we go forward. A lot of times, an AWS bucket is left open by a contractor or by someone internally, and that opens up access to a lot of sensitive data. The point is that anything of value inside an organization is a target.
The impact is pretty severe. If it’s a malicious insider, they already know what to go after. It’s not a question of a threat actor that’s trying to understand where the sensitive data is or what sort of data they can get to. An insider threat actor really understands what to do and where to go after the keys to the kingdom.
Insider Threat Statistics
In the past two years, insider threats have increased by 47%. We’ve seen a lot of supply chain attacks. In 55% of organizations, privileged users are the greatest insider threat. So when you look at zero trust, how’s that model working? Zero trust is meant to limit where a privileged user can go. We’re seeing every year more than 35 businesses worldwide being affected by an insider threat. It’s not a small number. We focus so much on external threats that we’ve kind of forgotten that internal threats, insider threats, are still a big problem. This goes across all different business types. This is also where supply chain attacks and trusted business partners are a huge concern. We’re seeing investment around how organizations can understand their supply chain risk. I think the SolarWinds attack certainly opened a lot of eyes for a lot of people around the susceptibility to those types of attacks. But we’re certainly seeing other areas where supply chain is a big problem.
Technology Investments
There’s been a lot of investment in the last year around things like attack surface management, vulnerability assessments, pen testing, even scorecards, and certainly XDR. XDR is the new hot thing that’s all over the place. It’s not really well defined, but at the same time, people are looking to invest more in it because they’ve been promised it’s the next wave of how to protect against threats and attack campaigns that have gotten inside. However, that’s really left insider threats by the wayside. Most people are focused so much on the external threat actor that they haven’t really invested as much in insider threats until this year, when people are starting to wake up and see that it’s a big problem.
When External Threats Become Insider Threats
Organizations are realizing they need to focus on both external threats and insider threats. What’s fascinating about this is that an external threat can be an internal threat. We are seeing that supply chain partners or contractors can leave something open that an external threat could take advantage of. Sometimes it’s malicious. We’ve seen cases where an insider will open up a hole for somebody on the outside, knowing that they’re allowing threat actors to come in and profit from their access. So, they’ll open the door for them. It’s very often the case that an insider threat isn’t just someone stealing data. They’re actually working with a threat actor on the outside to do more damage. It’s unfortunate, but it does occur.
Organizations have focused so much on external threats and invested there and bought tools and their security teams have all been aligned around detecting external threat actors. But, how do they handle insider threats? Well, the problem is that they can’t add more resources. It’s hard to find security analysts out there. So that’s another challenge to being able to support more insider threat issues.
Existing Threat Monitoring Programs Do Not Address Insider Threats
So how do you incorporate insider threats into your current threat monitoring program? Well, SIEMs today are not designed for that. You’re just pulling in data from logs, networks, etc., and it’s very short-term analysis. You really need to think long term in how you look at things. Insider threats are very behavior-based. They’re not really captured by static rules, and correlation doesn’t really help that much, because the events are generated by someone who, in some cases, is probably a privileged user already. So it’s very difficult to understand insider threats from a traditional SIEM perspective, or even from an XDR perspective, which tends to be focused on the endpoints.
Next Gen SIEM to The Rescue!
What’s needed is a next generation SIEM which is really focused on user-centric analysis. You need to be able to understand how users behave, understand how user activity is impacting systems and networks, and build context around how these things are related. This is also where machine learning models are really key: models that learn a baseline of what normal activity looks like for each user, spot behavior that deviates from that baseline, and adapt the threat detection as behavior changes. This is where rule-based static systems don’t work.
True Machine Learning is Key
Unfortunately, a lot of the machine learning and artificial intelligence out there is really a rule-based engine. They’re conditional statements. “If I see this, go do this. If I see this, get more data here and do this.” That’s not adapting to new attacks or new ways of doing things. You absolutely need artificial intelligence and machine learning to understand that this is a new behavior you’re seeing, but it seems like it’s attributable to an attack. Let’s continue to watch it. Maybe mark it as suspicious before marking it as malicious. But do that in an automated fashion, not where an individual person has to manually determine, “This looks suspicious,” and then a month later decide it’s actually malicious. That’s very difficult for a person to do, while more advanced techniques leveraging machine learning models can do this much more effectively.
Risk Prioritization is Also Important
It’s also important to be able to prioritize exactly how risky user and entity behavior is. Is it more risky than another behavior? How much more? Being able to prioritize and even apply risk to behaviors is key to helping the security team understand and quantify risk. Is this normal behavior or not? Assigning a risk score to it can be very helpful. Even helping security teams build tagging and rules around risky behaviors can help refine models, so that if they see something marked as high risk, a security analyst can review it and say, “This is okay, this is something that’s normal as part of our environment.” The system should then adapt and learn, so that the next time we see this behavior we don’t make that mistake again. Being able to adapt to those types of nuances is very critical.
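To make the last three sections concrete (per-user behavioral baselines instead of static rules, automated suspicious-to-malicious escalation, and analyst feedback that refines the model), here is an added example. It is not code from the original article or from any vendor product; the 14-day telemetry, the thresholds, the 0..100 scoring and the "quarterly_backup" tag name are all constructed assumptions.

```python
# Added example (not from the original article or any vendor product):
# a minimal user-centric behavioral baseline with risk scoring, automated
# suspicious -> malicious escalation, and analyst feedback. All telemetry,
# thresholds and tag names are constructed assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history per user: (MB downloaded per day, distinct
# shares touched). "admin" legitimately moves a lot of data every day;
# "bob" is an ordinary user with a small, stable footprint.
HISTORY = {
    "admin": [(9000 + 200 * (d % 3), 4) for d in range(14)],
    "bob":   [(120 + 10 * (d % 4), 2) for d in range(14)],
}

STATIC_RULE_MB = 5000        # the kind of fixed SIEM rule the text criticises
SUSPICIOUS_SCORE = 60        # assumed risk threshold for "suspicious"
MALICIOUS_STREAK = 3         # assumed: sustained anomaly auto-escalates


def static_rule_fires(observed):
    """Traditional correlation rule: alert on any day over a fixed volume."""
    return observed[0] > STATIC_RULE_MB


def baseline(samples):
    """Per-feature (mean, stdev) over a user's own long-term history.
    A constant feature gets stdev 1.0 so any change is still measurable."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*samples)]


def risk_score(user_baseline, observed):
    """Largest per-feature z-score mapped onto 0..100 (z=3 -> 60)."""
    zs = [(v - mu) / sd for (mu, sd), v in zip(user_baseline, observed)]
    return min(100, int(max(max(zs), 0.0) * 20))


class BehaviorTracker:
    def __init__(self, history):
        self.samples = {u: list(s) for u, s in history.items()}
        self.baselines = {u: baseline(s) for u, s in self.samples.items()}
        self.streak = defaultdict(int)   # consecutive suspicious days per user
        self.benign_tags = set()         # analyst-approved (user, tag) pairs

    def observe(self, user, observed, tag=None):
        """Score one day of activity and return (risk, status)."""
        if (user, tag) in self.benign_tags:
            self.streak[user] = 0
            return 0, "normal"
        score = risk_score(self.baselines[user], observed)
        self.streak[user] = (self.streak[user] + 1) if score >= SUSPICIOUS_SCORE else 0
        if self.streak[user] >= MALICIOUS_STREAK:
            return score, "malicious"
        return score, ("suspicious" if self.streak[user] else "normal")

    def mark_benign(self, user, tag, observed):
        """Analyst feedback: this tagged activity is normal here. Remember
        the tag and fold the observation into the user's baseline so the
        same pattern is not flagged again."""
        self.benign_tags.add((user, tag))
        self.samples[user].append(observed)
        self.baselines[user] = baseline(self.samples[user])
        self.streak[user] = 0


if __name__ == "__main__":
    t = BehaviorTracker(HISTORY)
    print("static rule, admin 9400 MB:", static_rule_fires((9400, 4)))  # fires (noise)
    print("baseline, admin 9400 MB:", t.observe("admin", (9400, 4)))   # normal for admin
    print("static rule, bob 900 MB:", static_rule_fires((900, 2)))     # silent (missed)
    for _ in range(3):
        print("baseline, bob 900 MB:", t.observe("bob", (900, 2)))     # escalates
    t.mark_benign("bob", "quarterly_backup", (900, 2))
    print("after feedback:", t.observe("bob", (900, 2), tag="quarterly_backup"))
```

The fixed 5 GB rule fires every day on the administrator whose job is to move data and never fires on the ordinary user who suddenly pulls seven times his usual volume; the per-user baseline inverts both outcomes. The streak counter is the automated "suspicious first, malicious only if sustained" step, and mark_benign is the analyst loop: the tagged pattern is whitelisted and folded into the baseline rather than silenced by a one-off rule.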