At the 2019 RSA Conference, a survey of 650 IT professionals revealed that 75% feel vulnerable to insider threat. This information from industry experts proves that there is dichotomy in the perception of cyberthreat across the media and IT professionals. This marks a significant shift from the frequent headlines warning of external cyberattacks that frequently occur in news sources and proves the critical nature of internal threat.
Indeed, the individuals surveyed, ranked user errors (39%) and malicious insiders (35%) as more worrisome than account compromise (26%) by external attackers. Perhaps the most disturbing fact is that nearly half of respondents said they can’t detect insider threats before data has left their companies.
The breach at Wipro earlier this year is a powerful reminder that account compromise attacks are essentially insider threats. In the case of the Indian IT outsourcing and consulting giant, employee user account credentials were stolen in phishing attacks, allowing the fraudsters to look like insiders and to target the company’s downstream customers.
As the Wipro example illustrates, IT supply chains are popular targets because they have many vulnerabilities. Contractors, vendors, and partners pose some of the greatest risks.
For convenience, companies often grant third-parties privileged remote access to accomplish their work. Often, this access is forgotten and not deprovisioned once the work has concluded, leaving an open attack vector. These remote access pathways are often insecure and untracked and can be taken over by attackers.
Conventional remote connectivity methods, such as VPNs, lack granular access controls and can be exploited via stolen credentials and session hijacking.
The 2018 Ponemon Institute survey found that 59% of companies have suffered a breach caused by one of their vendors.
Despite the threat of account compromise attacks, disgruntled or departing employees remain a greater security risk. These employees often exfiltrate confidential data for financial gain or in retaliation for some perceived wrong, such as being passed over for a promotion.
Unfortunately, security information event management (SIEM), data loss prevention (DLP) and other rules-based security products can only detect known threats, while insider attacks represent unknown threats.
While external attackers must first penetrate the network before finding the information they seek (while remaining undetected), malicious insiders already know where all the valuable data is, and how to access it.
To protect against insider threats, organisations should implement the following best practices:
● Create specific policies, procedures, and access rights for each employee role
● Establish user training about the dangers of phishing, and the importance of not opening untrusted links and attachments, etc.
● Implement multi factor authentication (MFA) on critical systems, applications and transactions
● Remove administrator rights on desktops
● Segment the network
While most of these techniques are fairly well known, new approaches that employ security analytics have emerged to enable organisations to detect insider threats before data is exfiltrated or systems are sabotaged. These solutions use machine learning to profile normal human and entity/device behaviours, and then apply algorithms and statistical analysis to detect meaningful anomalies that may be associated with sabotage, data theft, or misuse of access privileges.
The adoption of behaviour analytics can help address another major challenge in detecting insider threats, namely digital transformation initiatives involving hybrid (on-premise and cloud) environments. This increasingly popular computing architecture creates an extended attack surface. Typically, a company’s on-premise security weaknesses will migrate to the cloud, creating new and potentially bigger issues.
To put the scale of digital transformation initiatives, and threats, into perspective, according to Gartner: 90% of companies will move to a hybrid cloud infrastructure by 2020. While some of the best practices listed above are difficult, if not impossible, to implement in cloud infrastructures, security analytics that monitor user behaviour and detect anomalies can be utilised to better protect the increasing number of hybrid environments.