SlideShare a Scribd company logo

Insider Threat Detection Recommendations

AlienVault, profile picture
AlienVault

The document discusses insider threats as a primary concern for organizations, especially in the financial sector. It categorizes insiders into three types: non-malicious, malicious, and compromised, and highlights the challenges in detecting and responding to insider threats due to the complexity of human behavior. Various detection and response strategies, including technical controls and monitoring techniques, are recommended to effectively manage insider threats.

Technology
1 of 21
Downloaded 149 times
1
2
Most read
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Most read
21
INSIDER THREAT DETECTION RECOMMENDATIONS www.alienvault.com
According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly are insider threat indicators and what can be done around insider threat detection and response? Insiders, Moles & Compromises
A NEW OLD PROBLEM The discussion around insider threat detection has increased recently in the financial sector and in other areas as well. Part of this may be attributed to the spotlight Edward Snowden shone on how much damage an employee can cause to an organisation - even one as secretive as the NSA. But insider threats are nothing new. During the height of the cold war, many spies defected to opposing sides, taking with them national secrets and expertise right from under the noses of their spy bosses. As a result, many counter techniques were developed and deployed to keep an eye on insiders with valuable knowledge or skills to prevent would-be defectors to make an escape or pass over information.
WHAT ARE INDICATORS OF AN INSIDER THREAT? When it comes to trading state secrets, insider threat detection is relatively straightforward. But in today’s environments, the definitions start to blur somewhat. We can define an insider as an individual with legitimate access within the corporate perimeter - be it physical or virtual. This would include permanent & temporary employees, 3rd party contractors as well as 3rd party support companies and outsourced service providers. Typically, a threat is defined as something or someone exploiting a vulnerability in a target. In the case of insider threat detection, this can be reframed as someone abusing their trust. Therefore, we can summarize the insider threat as someone who misuses the legitimate access granted to them for the purposes of self-interest that could potentially harm the organization.
A QUESTION OF INTENT Unfortunately, whenever humans are involved, no case is so straightforward ...particularly where the malicious behaviour emanates from within the circle of trust. Differentiating malicious insider behaviour from user error, or even legitimate activity can be a challenge. For example, a user is seen to download a number of files onto their personal device. It could be they are about to tender their resignation and want to take some information with them to their next job. Alternatively, it could be a hard-working and loyal employee wanting to catch up with some work over the weekend. Or worse still, it could be that the users account has been compromised and is being under the control of an attacker masquerading as an insider.
Types of Insiders With this in mind, we can break down insiders into three broad categories: • Non-malicious insider • Malicious insider • Compromised insider
Non-malicious Insider Non-malicious insiders are those users that perform actions, which have no ill intent, but can nevertheless cause harm to an organisation. Such actions could include user error, such as running commands against a production environment believing it is development or losing a company laptop. It can also cover users who are trying to fulfill their job by using non-approved tools. Shadow IT users fall into this scope, where users procure or use a cloud application such as a file-sharing app to increase productivity, but inadvertently expose the company to threats.
Malicious Insider Malicious users are aware of their actions and the negative implications on the organisation, yet still pursue that course of action. This grouping includes a broad set of users. Users which are leaving the organisation may harvest information they believe would be of use to them in future jobs. While they are often aware their actions are in violation of company policy, actions are often justified with a sense of entitlement. This category also includes users that are disgruntled for one reason or another and seek to vent by causing as much disruption or damage to company assets. Activists or employees who feel whistleblower processes are insufficient will also react in a similar manner. At the highest level of this category, employees are engaged in corporate espionage. Providing intellectual property or other sensitive information to competitors, criminal gangs or nation-state sponsored actors.
Compromised Insider The final oft-overlooked category is that of compromised insiders. Typically this is where credentials have been guessed or captured as part of a targeted attack. Although the actor behind the account is not an employee - the use of legitimate credentials would show up as if it were an employee.
These factors combined can be represented in the following matrix where intent is measured against harm. The Insider Risk Matrix INTENT Malicious Non-Malicious Negligible SevereHARM
For example, a company may deem that the risk of shadow IT, i.e. users procuring their own SaaS applications within which they could upload sensitive company data that could be accessed by non-authorised persons, or the SaaS provider could be breached. In this case, the intent would be non-malicious in that the user was trying to perform their job, yet the consequences could be significant. INTENT Malicious Non-Malicious Shadow IT Negligible SevereHARM
Other insider threat indicators could be plotted in the same way to visualise which threats are more severe overall by how far they are positioned up and to the right. From a risk perspective, this alone won’t tell the full story as we are still missing the likelihood. The likelihood can be represented by the size of the bubble on the chart as depicted. INTENT Malicious Non-Malicious Negligible SevereHARM Shadow IT Espionage Disgruntled Employee User Error (Account lockout) User Error (Clicking on Spearphising)
The size of the bubbles (likelihood) help visualise that whereas espionage can have the biggest impact and is undertaken with the most malicious intent, the likelihood of it occurring is potentially less than that of a disgruntled employee or even shadow IT proliferating within the enterprise. User error encompasses many activities – all of which are non-malicious in nature, however the harm caused could range from negligible such as an account lockout through to severe by allowing an attacker a foothold inside the network by clicking on a phishing link. Shadow IT Espionage
DETECTING INSIDER THREATS Perimeter and preventative controls are largely ineffective in insider threat detection and response, as by their very nature these are threats from within. As a result, different techniques should be deployed to address each type of specific threat based upon the insider threat indicators. Like many security controls, the concept of defense in depth can be applied whereby a collection of procedural, user and technical controls can be applied to detect suspicious insider activity, as depicted in the following controls pyramid. Policies Exec Support User Awareness & Education Whistleblowing & Reporting Channels Outbound Traffic Analysis Login patterns Threat Intelligence Eastwest Traffic Analysis Heuristics Algorithms Endpoint Activily Analytics Access Deviation from Past or Peer Group File Access Patterns Sentiment Analysis Social Media Tracking Machine Learning Procedural & User Controls Technical Controls Emerging Techniques
PROCEDURAL & USER CONTROLS Procedural and user controls are important to get management support and ensure policies implemented are acceptable from a legal as well as cultural perspective. Privacy is a discussion topic that comes up frequently and having transparency in how a company uses data it collects about its employees is required in retaining trust. It also provides a framework whereby aggrieved employees can escalate issues without the need to resorting to conducting harmful acts against the company. Finally, it also raises awareness so that employees can potentially detect and alert suspicious activity.
TECHNICAL CONTROLS The technical controls are an area which has seen a lot of development in recent years. This primarily focuses on analytical techniques to identify suspicious user activity. Primarily these will baseline user activity against its own past actions in addition to base lining against peer activity to identify outliers. The baselines can be set against logins (times / locations), file or system access, network traffic or even endpoint activity amongst others. Threat intelligence can also be a valuable asset in understanding whether outbound traffic is communicating with known command and control or other suspicious transfers. In addition to these techniques, traditional technologies can also be utilized as insider threat detection tools that help identify suspicious activity that may point towards a rogue insider. Endpoint or network DLP (data loss prevention) tools can monitor where excessive files are being exfiltrated out of the organisation. SIEM rules can also be tuned to alert on certain events that are indicative of malicious insider activity.
EMERGING TECHNIQUES Alongside threat intelligence, a number of newer approaches are being developed which can directly or indirectly assist in finding insiders. Social media channels play an ever-increasing role in both legitimate and not so legitimate communications. Having the ability to monitor these channels, particularly where enhanced by specific threat intelligence, greatly increases chances of isolating activity on these typically out-of-band channels. Sentiment analysis is another insider threat detection tool in the arsenal that is garnering more interest. It seeks to identify where an employee may be disgruntled or activist-tendencies which are contrary to the business values.
RESPONSE One of the challenges with any form of detection technology is having adequate skills and resources to investigate and respond to alerts. For this reason, some technologies and businesses are moving to more of a reporting framework for insider threat detection as opposed to raising alerts. With reports, a broader picture is painted around a user and their activity, thus allowing investigations to be conducted based on richer context versus merely a one-off alert. Such mechanisms could include a risk-score against each user based on a number of factors such as grade, access to information, length of service, recent appraisal and so on. Whichever method is adopted, it will still require manual effort to investigate and validate any suspicions of wrongful behaviour.
BATTLE OF ATTRITION While many new techniques have been developed and are continually being developed for insider threat detection and response – dealing with humans, particularly trusted employees, requires a different strategy and approach than dealing with malware. Whereas any suspicious email or file can be relatively easily quarantined or blocked until proven otherwise – employees cannot be suspended or fired based on a couple of indicators or mere suspicion. Also, bear in mind that a large portion of suspicious activity can take place outside the realm of IT systems. This means that companies will need to work with HR and legal departments in advance to determine the best strategy to investigate suspicious activity and how to interact with suspected employees. It becomes a matter of balancing risk – a company may be able to recover a lot easier from an ex-employee taking a copy of the customer database than from an unfair dismissal lawsuit. In the financial sector especially, the stakes are high all around.
AlienVault Unified Security Management (USM) delivers essential Insider Threat Detection and Management capabilities: Behavioral Monitoring • Network Intrusion Detection System (NIDS) • Network flow analysis • Network protocol analysis & packet capture Privilege Escalation Detection • Host Intrusion Detection System (HIDS) • File Integrity Monitoring (FIM) • Detect unauthorized user access attempts Event Correlation • Security Information and Event Management (SIEM) • Detect communications with malicious hosts • Centralized dashboard that prioritizes threats the way you want to see them
Next Steps: Play, share, enjoy! www.alienvault.com • Learn more about AlienVault USM • Watch our 3-minute overview video • Start detecting threats today with a free 30-day trial • Join the Open Threat Exchange

More Related Content

PPT
IT Security Awareness-v1.7.ppt
OoXair
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
PPTX
Cyber Security: Threat and Prevention
fmi_igf
 
PDF
Cyber Threat Intelligence
mohamed nasri
 
PPTX
CYBER SECURITY
Vaishak Chandran
 
PDF
Insider Threats Webinar Final_Tyco
Matt Frowert
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PPT
CYBER CRIME AND SECURITY
Sahil Vashishtha
 
IT Security Awareness-v1.7.ppt
OoXair
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Cyber Security: Threat and Prevention
fmi_igf
 
Cyber Threat Intelligence
mohamed nasri
 
CYBER SECURITY
Vaishak Chandran
 
Insider Threats Webinar Final_Tyco
Matt Frowert
 
Risk Management Approach to Cyber Security
Ernest Staats
 
CYBER CRIME AND SECURITY
Sahil Vashishtha
 

What's hot (20)

PPTX
Hyphenet Security Awareness Training
Jen Ruhman
 
PPT
Phishing
anjalika sinha
 
PPTX
Ethical hacking
Alapan Banerjee
 
PDF
Cyber threat intelligence ppt
Kumar Gaurav
 
PPTX
Social Engineering
n|u - The Open Security Community
 
PDF
Cyber Security Vulnerabilities
Siemplify
 
PDF
Cyber Security
Ncell
 
PDF
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
PPTX
Cybersecurity Awareness Training
Dave Monahan
 
PPTX
Target data breach presentation
Sreejith Nair
 
PDF
Threat Modelling
n|u - The Open Security Community
 
PPTX
Cybercrime and Security
Noushad Hasan
 
PPTX
User security awareness
K. A. M Lutfullah
 
PDF
Insider threat
ARCON TECHSOLUTIONS
 
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
PPTX
Banks and cybersecurity v2
Semir Ibrahimovic
 
PPTX
Insider threat v3
Lancope, Inc.
 
PPTX
Social engineering
Maulik Kotak
 
PPTX
My darkweb-presentation
Paul Wilson
 
PPTX
Email phishing and countermeasures
Jorge Sebastiao
 
Hyphenet Security Awareness Training
Jen Ruhman
 
Phishing
anjalika sinha
 
Ethical hacking
Alapan Banerjee
 
Cyber threat intelligence ppt
Kumar Gaurav
 
Social Engineering
n|u - The Open Security Community
 
Cyber Security Vulnerabilities
Siemplify
 
Cyber Security
Ncell
 
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
Cybersecurity Awareness Training
Dave Monahan
 
Target data breach presentation
Sreejith Nair
 
Threat Modelling
n|u - The Open Security Community
 
Cybercrime and Security
Noushad Hasan
 
User security awareness
K. A. M Lutfullah
 
Insider threat
ARCON TECHSOLUTIONS
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
Banks and cybersecurity v2
Semir Ibrahimovic
 
Insider threat v3
Lancope, Inc.
 
Social engineering
Maulik Kotak
 
My darkweb-presentation
Paul Wilson
 
Email phishing and countermeasures
Jorge Sebastiao
 
Ad

Viewers also liked (9)

PDF
5 Signs you have an Insider Threat
Lancope, Inc.
 
PPTX
Multimedia Privacy
Symeon Papadopoulos
 
PPSX
Insider threats and countermeasures
KAMRAN KHALID
 
PDF
The Accidental Insider Threat
Murray Security Services
 
PPT
Malicious Insiders
gjohansen
 
PPTX
Insider Threat Final Powerpoint Prezi
Kashif Semple
 
PPTX
Insider threat event presentation
IISPEastMids
 
PPTX
Insider threat kill chain
Tarun Gupta,CRISC CISSP CISM CISA BCCE
 
PPTX
Snowden slides
David West
 
5 Signs you have an Insider Threat
Lancope, Inc.
 
Multimedia Privacy
Symeon Papadopoulos
 
Insider threats and countermeasures
KAMRAN KHALID
 
The Accidental Insider Threat
Murray Security Services
 
Malicious Insiders
gjohansen
 
Insider Threat Final Powerpoint Prezi
Kashif Semple
 
Insider threat event presentation
IISPEastMids
 
Insider threat kill chain
Tarun Gupta,CRISC CISSP CISM CISA BCCE
 
Snowden slides
David West
 
Ad

Similar to Insider Threat Detection Recommendations (20)

PPTX
Managing Insider Threat
iris_cheung
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
PPT
The insider versus external threat
zhihaochen
 
PPT
The insider versus external threat
zhihaochen
 
PDF
Journal+Feature-InsiderThreat
Anthony Buenger
 
PDF
02 presentation-christianprobst
InfinIT - Innovationsnetværket for it
 
PPTX
How to Protect your organization from within.pptx
JosephMwakai
 
PPTX
The Modern Business Has No Perimeter - ZoneFox
ZoneFox
 
PPTX
Why Insider Threat is a C-Level Priority
ObserveIT
 
PPTX
Why Insider Threat is a C-Level Priority
David Mai, MBA
 
PPTX
Insider Threat Experiences
Napier University
 
PDF
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
PPTX
Security Advisories - SOC - Finannl.pptx
mettildauthayakumar
 
PDF
Whitepaper-When-Admins-go-bad
banerjeea
 
PDF
Jason Anthony Smith - thesis short summary v1.0
Jason Smith
 
PDF
Cyber Security Services for Mitigating Insider Threats.
kandrasupriya99
 
PPTX
Perimeter Security: Why it's no longer enough, and where cybersecurity must a...
ZoneFox
 
PDF
Insider threats
izoologic
 
PPTX
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT
 
PPTX
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 
Managing Insider Threat
iris_cheung
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
The insider versus external threat
zhihaochen
 
The insider versus external threat
zhihaochen
 
Journal+Feature-InsiderThreat
Anthony Buenger
 
02 presentation-christianprobst
InfinIT - Innovationsnetværket for it
 
How to Protect your organization from within.pptx
JosephMwakai
 
The Modern Business Has No Perimeter - ZoneFox
ZoneFox
 
Why Insider Threat is a C-Level Priority
ObserveIT
 
Why Insider Threat is a C-Level Priority
David Mai, MBA
 
Insider Threat Experiences
Napier University
 
Insider_Threats_in_Healthcare_1651617236.pdf
ramsetl
 
Security Advisories - SOC - Finannl.pptx
mettildauthayakumar
 
Whitepaper-When-Admins-go-bad
banerjeea
 
Jason Anthony Smith - thesis short summary v1.0
Jason Smith
 
Cyber Security Services for Mitigating Insider Threats.
kandrasupriya99
 
Perimeter Security: Why it's no longer enough, and where cybersecurity must a...
ZoneFox
 
Insider threats
izoologic
 
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT
 
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 

More from AlienVault (20)

PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
AlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
AlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
PPTX
Alienvault threat alerts in spiceworks
AlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
AlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
AlienVault
 
PDF
Security operations center 5 security controls
AlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
AlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
AlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
AlienVault
 
PPTX
Incident response live demo slides final
AlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
AlienVault
 
PPTX
How Malware Works
AlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 
PPTX
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
Malware Invaders - Is Your OS at Risk?
AlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
AlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
Alienvault threat alerts in spiceworks
AlienVault
 
Open Source IDS Tools: A Beginner's Guide
AlienVault
 
Malware detection how to spot infections early with alien vault usm
AlienVault
 
Security operations center 5 security controls
AlienVault
 
PCI DSS Implementation: A Five Step Guide
AlienVault
 
Improve threat detection with hids and alien vault usm
AlienVault
 
The State of Incident Response - INFOGRAPHIC
AlienVault
 
Incident response live demo slides final
AlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
AlienVault
 
How Malware Works
AlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 

Recently uploaded (20)

PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
The Future of Artificial Intelligence (AI)
Mukul
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
A Day in the Life of Location Data - Turning Where into How.pdf
Precisely
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Doc9.....................................
SofiaCollazos
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 

Insider Threat Detection Recommendations

  • 2. According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly are insider threat indicators and what can be done around insider threat detection and response? Insiders, Moles & Compromises
  • 3. A NEW OLD PROBLEM The discussion around insider threat detection has increased recently in the financial sector and in other areas as well. Part of this may be attributed to the spotlight Edward Snowden shone on how much damage an employee can cause to an organisation - even one as secretive as the NSA. But insider threats are nothing new. During the height of the cold war, many spies defected to opposing sides, taking with them national secrets and expertise right from under the noses of their spy bosses. As a result, many counter techniques were developed and deployed to keep an eye on insiders with valuable knowledge or skills to prevent would-be defectors to make an escape or pass over information.
  • 4. WHAT ARE INDICATORS OF AN INSIDER THREAT? When it comes to trading state secrets, insider threat detection is relatively straightforward. But in today’s environments, the definitions start to blur somewhat. We can define an insider as an individual with legitimate access within the corporate perimeter - be it physical or virtual. This would include permanent & temporary employees, 3rd party contractors as well as 3rd party support companies and outsourced service providers. Typically, a threat is defined as something or someone exploiting a vulnerability in a target. In the case of insider threat detection, this can be reframed as someone abusing their trust. Therefore, we can summarize the insider threat as someone who misuses the legitimate access granted to them for the purposes of self-interest that could potentially harm the organization.
  • 5. A QUESTION OF INTENT Unfortunately, whenever humans are involved, no case is so straightforward ...particularly where the malicious behaviour emanates from within the circle of trust. Differentiating malicious insider behaviour from user error, or even legitimate activity can be a challenge. For example, a user is seen to download a number of files onto their personal device. It could be they are about to tender their resignation and want to take some information with them to their next job. Alternatively, it could be a hard-working and loyal employee wanting to catch up with some work over the weekend. Or worse still, it could be that the users account has been compromised and is being under the control of an attacker masquerading as an insider.
  • 6. Types of Insiders With this in mind, we can break down insiders into three broad categories: • Non-malicious insider • Malicious insider • Compromised insider
  • 7. Non-malicious Insider Non-malicious insiders are those users that perform actions, which have no ill intent, but can nevertheless cause harm to an organisation. Such actions could include user error, such as running commands against a production environment believing it is development or losing a company laptop. It can also cover users who are trying to fulfill their job by using non-approved tools. Shadow IT users fall into this scope, where users procure or use a cloud application such as a file-sharing app to increase productivity, but inadvertently expose the company to threats.
  • 8. Malicious Insider Malicious users are aware of their actions and the negative implications on the organisation, yet still pursue that course of action. This grouping includes a broad set of users. Users which are leaving the organisation may harvest information they believe would be of use to them in future jobs. While they are often aware their actions are in violation of company policy, actions are often justified with a sense of entitlement. This category also includes users that are disgruntled for one reason or another and seek to vent by causing as much disruption or damage to company assets. Activists or employees who feel whistleblower processes are insufficient will also react in a similar manner. At the highest level of this category, employees are engaged in corporate espionage. Providing intellectual property or other sensitive information to competitors, criminal gangs or nation-state sponsored actors.
  • 9. Compromised Insider The final oft-overlooked category is that of compromised insiders. Typically this is where credentials have been guessed or captured as part of a targeted attack. Although the actor behind the account is not an employee - the use of legitimate credentials would show up as if it were an employee.
  • 10. These factors combined can be represented in the following matrix where intent is measured against harm. The Insider Risk Matrix INTENT Malicious Non-Malicious Negligible SevereHARM
  • 11. For example, a company may deem that the risk of shadow IT, i.e. users procuring their own SaaS applications within which they could upload sensitive company data that could be accessed by non-authorised persons, or the SaaS provider could be breached. In this case, the intent would be non-malicious in that the user was trying to perform their job, yet the consequences could be significant. INTENT Malicious Non-Malicious Shadow IT Negligible SevereHARM
  • 12. Other insider threat indicators could be plotted in the same way to visualise which threats are more severe overall by how far they are positioned up and to the right. From a risk perspective, this alone won’t tell the full story as we are still missing the likelihood. The likelihood can be represented by the size of the bubble on the chart as depicted. INTENT Malicious Non-Malicious Negligible SevereHARM Shadow IT Espionage Disgruntled Employee User Error (Account lockout) User Error (Clicking on Spearphising)
  • 13. The size of the bubbles (likelihood) help visualise that whereas espionage can have the biggest impact and is undertaken with the most malicious intent, the likelihood of it occurring is potentially less than that of a disgruntled employee or even shadow IT proliferating within the enterprise. User error encompasses many activities – all of which are non-malicious in nature, however the harm caused could range from negligible such as an account lockout through to severe by allowing an attacker a foothold inside the network by clicking on a phishing link. Shadow IT Espionage
  • 14. DETECTING INSIDER THREATS Perimeter and preventative controls are largely ineffective in insider threat detection and response, as by their very nature these are threats from within. As a result, different techniques should be deployed to address each type of specific threat based upon the insider threat indicators. Like many security controls, the concept of defense in depth can be applied whereby a collection of procedural, user and technical controls can be applied to detect suspicious insider activity, as depicted in the following controls pyramid. Policies Exec Support User Awareness & Education Whistleblowing & Reporting Channels Outbound Traffic Analysis Login patterns Threat Intelligence Eastwest Traffic Analysis Heuristics Algorithms Endpoint Activily Analytics Access Deviation from Past or Peer Group File Access Patterns Sentiment Analysis Social Media Tracking Machine Learning Procedural & User Controls Technical Controls Emerging Techniques
  • 15. PROCEDURAL & USER CONTROLS Procedural and user controls are important to get management support and ensure policies implemented are acceptable from a legal as well as cultural perspective. Privacy is a discussion topic that comes up frequently and having transparency in how a company uses data it collects about its employees is required in retaining trust. It also provides a framework whereby aggrieved employees can escalate issues without the need to resorting to conducting harmful acts against the company. Finally, it also raises awareness so that employees can potentially detect and alert suspicious activity.
  • 16. TECHNICAL CONTROLS The technical controls are an area which has seen a lot of development in recent years. This primarily focuses on analytical techniques to identify suspicious user activity. Primarily these will baseline user activity against its own past actions in addition to base lining against peer activity to identify outliers. The baselines can be set against logins (times / locations), file or system access, network traffic or even endpoint activity amongst others. Threat intelligence can also be a valuable asset in understanding whether outbound traffic is communicating with known command and control or other suspicious transfers. In addition to these techniques, traditional technologies can also be utilized as insider threat detection tools that help identify suspicious activity that may point towards a rogue insider. Endpoint or network DLP (data loss prevention) tools can monitor where excessive files are being exfiltrated out of the organisation. SIEM rules can also be tuned to alert on certain events that are indicative of malicious insider activity.
  • 17. EMERGING TECHNIQUES Alongside threat intelligence, a number of newer approaches are being developed which can directly or indirectly assist in finding insiders. Social media channels play an ever-increasing role in both legitimate and not so legitimate communications. Having the ability to monitor these channels, particularly where enhanced by specific threat intelligence, greatly increases chances of isolating activity on these typically out-of-band channels. Sentiment analysis is another insider threat detection tool in the arsenal that is garnering more interest. It seeks to identify where an employee may be disgruntled or activist-tendencies which are contrary to the business values.
  • 18. RESPONSE One of the challenges with any form of detection technology is having adequate skills and resources to investigate and respond to alerts. For this reason, some technologies and businesses are moving to more of a reporting framework for insider threat detection as opposed to raising alerts. With reports, a broader picture is painted around a user and their activity, thus allowing investigations to be conducted based on richer context versus merely a one-off alert. Such mechanisms could include a risk-score against each user based on a number of factors such as grade, access to information, length of service, recent appraisal and so on. Whichever method is adopted, it will still require manual effort to investigate and validate any suspicions of wrongful behaviour.
  • 19. BATTLE OF ATTRITION While many new techniques have been developed and are continually being developed for insider threat detection and response – dealing with humans, particularly trusted employees, requires a different strategy and approach than dealing with malware. Whereas any suspicious email or file can be relatively easily quarantined or blocked until proven otherwise – employees cannot be suspended or fired based on a couple of indicators or mere suspicion. Also, bear in mind that a large portion of suspicious activity can take place outside the realm of IT systems. This means that companies will need to work with HR and legal departments in advance to determine the best strategy to investigate suspicious activity and how to interact with suspected employees. It becomes a matter of balancing risk – a company may be able to recover a lot easier from an ex-employee taking a copy of the customer database than from an unfair dismissal lawsuit. In the financial sector especially, the stakes are high all around.
  • 20. AlienVault Unified Security Management (USM) delivers essential Insider Threat Detection and Management capabilities: Behavioral Monitoring • Network Intrusion Detection System (NIDS) • Network flow analysis • Network protocol analysis & packet capture Privilege Escalation Detection • Host Intrusion Detection System (HIDS) • File Integrity Monitoring (FIM) • Detect unauthorized user access attempts Event Correlation • Security Information and Event Management (SIEM) • Detect communications with malicious hosts • Centralized dashboard that prioritizes threats the way you want to see them
  • 21. Next Steps: Play, share, enjoy! www.alienvault.com • Learn more about AlienVault USM • Watch our 3-minute overview video • Start detecting threats today with a free 30-day trial • Join the Open Threat Exchange