Next generation insider threat platform

J2 Software is a security-focused technology business delivering practical, world-class security services and solutions to customer and partner communities. Here, cybersecurity expert and J2 CEO John Mc Loughlin comments on insider abuse and data misuse in financial service organisations and the steps that can be taken to mitigate them.

John Mc Loughlin, CEO at J2

Insider abuse and data misuse account for over a third of data breaches in financial service organisations and must be accounted for by controls. Protecting against insider threats requires solutions that can discern between legitimate use and malicious intent and be deployed quickly at tremendous scale.

Many security vendors are claiming to solve insider threats, causing confusion among security teams who are new to the insider threat space. The fact is, insider threats take many different forms, making them difficult to detect, investigate and mitigate.

Insider Threat Surveillance tools evolved from ‘Employee Monitoring’ software, traditionally deployed to monitor targeted high-risk endpoints or for employees with prior negative conduct or suspicious history.

These solutions rely on invasive capabilities to react to insider threat activities including computer screen recording, conversation content scanning, file content scanning, email content scanning and keystroke logging.

Insider Risk Management (IRM) solutions then emerged from the convergence of specific attributes taken from Endpoint DLP, User Activity Monitoring (UAM) and User and Entity Behaviour Analytics (UEBA). They leverage a metadata approach combined with advanced behavioural analysis to arrive at the same outcomes as the Insider Threat Surveillance solutions.

Some key benefits of the IRM approach are the ability to identify risks and threats without impacting privacy or endpoint performance and, most importantly, the capability to remediate insider incidents proactively, before they actually happen.

Intrusive employee surveillance capabilities are by nature system-resource and network-bandwidth intensive, requiring more processing power than normal from the endpoint device and additional cloud storage. IRM, by contrast, offers the ability to readily scale to hundreds of thousands of endpoints with continuous visibility in near real time.

This means out-of-the-box automated reports and dashboards containing intuitive and pivotable visualisations that are easy to understand and actionable within hours of install.

A modern Insider Threat platform must provide an integrated solution which replaces the following legacy point solutions: User Activity Monitoring (UAM), Internal Fraud and Forensics Tools, Data Loss Prevention (DLP) and User Behaviour Analytics (UBA).

Dtex InTERCEPT is a Next-Gen Insider Threat platform which replaces legacy point solutions in a unified solution, while also delivering the following critical requirements:

  • Scales to the entire organisation
  • Near-zero impact to endpoints and network
  • Noise-free telemetry with 24×7 audit-trail
  • Cloud-first and deploys in hours
  • POPIA / GDPR compliance out-of-the-box

Here is a guideline for an insider threat program to identify real-world attacks:

Reconnaissance

When preparing for data theft, the user typically begins with research. This is where they locate the data that they would like to steal, or, in the case of compromised credentials, where the insider will test the bounds of the stolen credentials’ privileges.

Circumvention

This is the stage where the insider attempts to get around existing security measures, such as web blocking, DLP tools, etc. It is particularly important to have visibility into this activity because it can shed light on intent: if a user is going to great lengths to get around company security, they are acting very deliberately.

This is also often where organisations can see where their security tools are failing. By capturing circumvention activity, Dtex shows analysts where and how users are able to bypass existing measures.

Aggregation

This is when the insider assembles all of the data that they plan to steal, often moving it into one file directory or compressing it in a single location.

Obfuscation

In the Obfuscation step, the insider will cover their tracks in order to avoid detection, often by renaming files, changing file types, or by using more advanced tactics such as steganography. This is another important step to capture in order to prove malicious intent, as well as to understand where other security tools might be failing.

Exfiltration

This is the final step in the process of stealing data: the moment that the data is actually transferred out of the organisation. Many security tools focus only on this specific step, often by way of blocking. Rigid rules, however, can’t catch the hundreds of methods that can be used to get data out of the organisation.

Since Dtex sees all activity from the point closest to the user, it has visibility into less common exfiltration methods that other tools often miss.
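As an added illustration, not taken from the article or from Dtex, the five stages above can be turned into a metadata-only scoring rule: each user's events are mapped to a stage, routine activity (a rename that keeps its extension, an upload to an approved service) is discounted, and a user is flagged only when the chain progresses far enough. The event names, the sanctioned-service list and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (metadata only, no file or message content): not real Dtex output.
SAMPLE_EVENTS = [
    ("09:02", "alice", "file_search", "query=*salary* share=fs01/finance"),
    ("09:15", "alice", "proxy_bypass", "tool=ssh_tunnel dst=203.0.113.10"),
    ("09:40", "alice", "archive_create", "path=/tmp/q3.zip files=412"),
    ("09:44", "alice", "file_rename", "from=q3.zip to=holiday.jpg"),
    ("09:50", "alice", "cloud_upload", "service=personal-drive size_mb=512"),
    ("10:10", "bob", "archive_create", "path=/build/release.zip files=30"),
    ("10:12", "bob", "cloud_upload", "service=corporate-sharepoint size_mb=40"),
]

# The five stages from the guideline, in order, and the (hypothetical) event types mapped to each.
STAGES = ["Reconnaissance", "Circumvention", "Aggregation", "Obfuscation", "Exfiltration"]
EVENT_TO_STAGE = {"file_search": "Reconnaissance", "share_enum": "Reconnaissance",
                  "proxy_bypass": "Circumvention", "dlp_disable": "Circumvention",
                  "archive_create": "Aggregation", "file_rename": "Obfuscation",
                  "usb_copy": "Exfiltration", "cloud_upload": "Exfiltration"}
SANCTIONED_SERVICES = {"corporate-sharepoint"}  # assumed list of approved upload destinations

def fields(detail):
    """Parse 'k=v k=v' event details into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())

def counts_as_stage(etype, stage, detail):
    """Apply context so routine activity is not mistaken for an attack stage."""
    f = fields(detail)
    if stage == "Obfuscation":  # only an extension change disguises what a file is
        return f["from"].rsplit(".", 1)[-1].lower() != f["to"].rsplit(".", 1)[-1].lower()
    if etype == "cloud_upload":  # uploads to approved services are legitimate use
        return f.get("service") not in SANCTIONED_SERVICES
    return True

def stages_per_user(events):
    """Return {user: [observed stages, in kill-chain order]}."""
    seen = defaultdict(set)
    for _ts, user, etype, detail in events:
        stage = EVENT_TO_STAGE.get(etype)
        if stage and counts_as_stage(etype, stage, detail):
            seen[user].add(stage)
    return {u: [s for s in STAGES if s in seen[u]] for u in seen}

def risk_score(stages):
    """One point per stage; +2 when exfiltration is paired with circumvention or obfuscation (intent signals)."""
    bonus = 2 if "Exfiltration" in stages and {"Circumvention", "Obfuscation"} & set(stages) else 0
    return len(stages) + bonus

def flagged_users(events, threshold=4):
    """Users whose kill-chain progression reaches the analyst review threshold."""
    return {u: risk_score(s) for u, s in stages_per_user(events).items() if risk_score(s) >= threshold}
```

With the sample telemetry, alice passes through all five stages and is flagged, while bob's archive and upload to an approved service score as ordinary work.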

Conclusion

J2 Software is the provider of Dtex for Africa, working together for more than 16 years to identify and prevent losses from insider threats.

The latest market guide from Gartner titled ‘Gartner 2022 Market Guide for Insider Risk Management Solutions’ discusses the state of insider risk management solutions, including an analysis of available tools.
