Industry experts discuss protecting against insider threats

Gurucul, a leader in behaviour-based security and fraud analytics technology for on-premises and the cloud, has announced that nearly half of the companies surveyed for its 2020 Insider Threat Report are unable to remediate insider threats until after data loss has occurred.

The Cybersecurity Insiders and Gurucul study found that a lack of visibility into anomalous activity, especially in the cloud, and manual SIEM workloads have increased the risk of insider threats for organisations and prevent many from detecting and stopping data exfiltration.

This 2020 Insider Threat Report was produced with the support of Gurucul by Cybersecurity Insiders, the 400,000-member community for information security professionals, to explore how organisations are responding to evolving security threats.

Some of the report’s key findings include:

  • A total of 68% of organisations feel vulnerable to insider attacks
  • A total of 53% of organisations believe detecting insider attacks has become significantly to somewhat harder since migrating to the cloud
  • A total of 63% of organisations think that privileged IT users pose the biggest insider security risk to organisations
  • Organisations cite lack of resources (31%) and too many false positive alerts (22%) as the biggest hurdles in maximising the value of SIEM technology
  • Only about one third of organisations are able to detect anomalous behaviour in NetFlow/packet data (35%), service accounts (39%) and cloud resources (30%)

“Insider threats are not limited to employees. They extend to contractors, supply chain partners, service providers and account compromise attacks that can abuse access to an organisation’s assets both on-premise and in the cloud,” said Craig Cooper, COO of Gurucul.

“Lack of visibility and legacy SIEM deployments put companies at risk. Insider threat programs that monitor the behaviour of users and devices to detect when they deviate from their baselines using security analytics can provide unmatched detection, risk-based controls and automation.”

Gurucul provides security analytics solutions that can predict, detect and prevent insider threats. The Gurucul Risk Analytics (GRA) platform monitors in real-time the actions performed by users, particularly those with elevated privileges and employees with access to highly sensitive information.

GRA looks for behaviours that are outside the range of normal, baselined activities to detect indicators of malicious insiders or external intruders who compromised a user’s account.

Download the full report at gurucul.com/2020-insider-threat-survey-report

We hear from a number of IT experts who comment on how to tackle the insider threat.

Rashid Ali, UK Enterprise Sales Manager at Wallix

As businesses pour time, money and resources into tackling external cyberthreats, it is also fundamental to protect against threats within the organisation itself. In fact, despite hackers and ransomware grabbing a lot of media attention, insider threats are the leading cause of cyberattacks.

While the term ‘insider threat’ immediately makes us think of a disgruntled employee with malicious intent, the reality is that these threats can come in all different shapes and sizes. Simply put, anyone with privileged access to critical business systems represents some form of security risk to the organisation. These insiders can be company executives, HR managers, IT admins or even third-party vendors. While each team member might be valued and trusted, not all breaches are intentional. The vast majority of cybersecurity breaches are in fact accidental – meaning even the most trusted of employees pose a security threat. So how can we safeguard against human error?

Organisations need to implement a comprehensive security strategy that encompasses all areas of the business to provide control and access restrictions. This should filter down throughout all the infrastructure layers, including cloud-based systems, on-premises storage and backup servers. This way, even privileged credentials have limited access – meaning that if an error does occur or passwords are stolen/hacked, the breach will also be restricted.

By implementing a form of privileged access management, businesses will be able to centralise account security operations, encrypt passwords and control user access – enhancing the security measures placed around privileged accounts. It’s also essential to ensure that any privileged access management solution is seamlessly integrated – continuing to give employees the same flexibility and support to work in the most efficient way possible. While security is a top concern for company CISOs and CIOs, employees day-to-day are faced with time constraints and sometimes see added layers and multiple password requests as a trade-off between efficiency and security. This is not necessarily the case so it’s important to implement a platform that supports both security and workflow productivity.

With an integrated privileged access management solution, organisations can balance the need to safeguard against cyberthreats, fundamentally improving overall cybersecurity protocol, while enabling a productive and agile workforce. The reality is that anyone with access is a risk to the business – so safeguarding the network and data is fundamental.

John Crossno, Product Manager at Compuware

Due to the huge implications a data breach can have, companies are investing hand over fist to secure their systems and data – Gartner expects spending on information security to reach US$170.4 billion in 2022. However, much of this investment is on technologies to keep the bad guys out; but what happens if the attacker is operating from within the company?

Worryingly, this type of attack is a frequent occurrence, with 34% of all breaches involving insider actors. Insider threats are so much harder to detect, as on the surface, the perpetrators’ actions appear legitimate. There is also the challenge of monitoring the access and usage of much of an organisation’s personally identifiable information, given that for large organisations, it usually resides on the mainframe. The mainframe brings the advantage of being a highly securable data repository, which is incredibly difficult to breach. Equally though, if an insider does breach the mainframe, the results can be severe.

To protect against insider threats on the mainframe, organisations need to have the right systems and processes in place, as the platform is an incredibly complex rabbit warren of databases. So much so, that research from Compuware revealed that this complexity has created a security blind-spot for 84% of organisations, who say it is difficult to monitor which employees are accessing which mainframe data and what they are doing with it. As a result, when investigating suspicious or malicious employee behaviour, security teams have a sketchy, incomplete view.

The only effective way of protecting the hugely valuable and sensitive data that resides on the mainframe from insider threats is to capture a complete picture of mainframe user activity in real-time. Organisations need insight into which users are accessing what information and when, in addition to which applications they are accessing, what data, and how the data is manipulated. This granular level of insight can only be obtained by directly capturing complete start-to-finish user session activity data in real-time and integrating it into a SIEM system such as Splunk and CorreLog, so it can be analysed for patterns that are out of line with normal employee behaviour.

With this approach, organisations will have the ability to spot malicious employees or unwelcome insiders at the crime scene and in the early stages of a data breach. That’s a win-win for security teams and those whose personal data they are entrusted with protecting alike, going a long way towards ensuring an organisation doesn’t just become another statistic on the rapidly lengthening list of data breach incidents.

Ray Pompon, Principal Threat Research Evangelist, F5 Networks

The 2019 F5 Labs Application Protection report revealed that 14% of all breaches were directly attributable to employee accidents and a further 20% were lost to employee negligence related to storage of confidential data in email. That doesn’t consider the additional 22% of 2019 breaches resulting from employees being duped by phishing. In other words, billions of personal records were put at risk by ‘inadvertent insiders’. It is a prickly problem and one that is only going to get worse as multi-cloud deployment scenarios become operational prerequisites. Alarmingly, F5 Labs noted over 27 major leaks in cloud and cloud databases in the past three years directly caused by misconfiguration of access controls. Nearly half of those happened in 2019. As more organisations race to the cloud, more accidents are occurring. Considering how easy cloud systems are to use, it’s no surprise. It doesn’t take much engineering skill for someone to populate a cloud database, secure or not, and get started on the new gold rush. Gartner has predicted that, ‘through 2025, 99% of cloud security failures will be the customer’s fault’.

When it comes to better tracking employees to reduce insider threats, organisations need to consider both the malicious and accidental insider. Most companies provide access to corporate data (internal apps, email) through staff-owned devices, yet aside from setting basic screen lock requirements, few actually control the data that goes onto these devices. Corporate and personal data is now everywhere – spread across internal applications and the multi-cloud. Organisations need to ensure that, beyond simply tracking devices, they have proper data governance in place and that they enforce consistent security policies regardless of where the app and data reside.

Businesses also need to realise that policy, more than technology, will be key to success. Organisations must understand the entire data lifecycle for all of their apps: who owns the data, who has access, how it is retrieved and how is it deleted.

Phishing will remain one of the most common and most successful forms of accidental insider breaches and cyberattacks for the foreseeable future, and that’s simply because it doesn’t inherently rely on a weakness in technology. Phishing and spear-phishing attacks continue to evolve and are no longer crude and easy to spot. Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques. Education is critical and can reduce the success of phishing attacks by a third, but technology needs to support us. There must be a move away from password-based authentication schemes and until we reach that point, multi-factor should be used absolutely everywhere.

Ultimately, business leaders need to improve at leading by example and supporting continually evolving awareness-raising programmes. They also need to ensure existing defence postures are rigorously interrogated and enhanced to cope with ever-expanding attack surfaces and increasingly ingenious cybercriminal activity.

Karl Lankford, Director of Solutions Engineering, BeyondTrust

When we think of insider threats, we often imagine disgruntled employees seeking revenge on their former employers’ business. In reality, a vast majority of these threats are most often caused by honest mistakes such as clicking on malicious links or opening phishing emails.

Either way, insider threats can be very difficult to detect and pose a threat that businesses struggle to address.

In fact, in our Privileged Access Threat Report from this year, we revealed that two-thirds of IT professionals believe their organisation has likely had either a direct or indirect breach due to employee access in the last 12 months, with 58% treating the threat of misused or abused insider access as critical. 

So how can organisations ensure they’re effectively protecting themselves to address this risk? Here are my top tips on combating the insider threat.

Control or eradicate email attachments and links – Emails are the primary attack vectors in use today and while a message in itself may not be dangerous, links and attachments are. Today’s security product vendors are offering real-time malware assessment of links and attachments and will quarantine a suspicious attachment and prevent connecting to a dangerous link.

Properly manage and control access to data and critical systems – Role-based permission, removal of administrator access and the principle of least privilege are your friends. Work with your HR team and line of business managers to understand user roles and the types of application and data access they need to do their jobs. Then, assign only that access level and no more. Take advantage of identity governance and PAM solutions to effectively manage role-based permissions for onboarding, role changes and offboarding, and removing access when employees leave the business.

Know where your data is – An important counterpart to my second tip is knowing where mission-critical and sensitive data resides in the system so you can lock it down with appropriate permissions. If you don’t know where it is, how can you protect it with the right level of access?

Monitor employee behaviour and look for anomalies – This can be done at many levels, including action monitoring software. It’s not intrusive to look for excessive data dumps or repeated attempts to look at files or directories that are not permitted, it’s good business.

Raise security awareness – Finally, there is the need for ongoing security awareness training that is an integral part of company culture and not an afterthought or a ‘checklist’ item. A company that partners with employees to ensure security awareness will do better than one that forces compliance or just performs training to check a box.

However, the challenge of mitigating insider threats is that most organisations don’t have fully integrated privileged access management (PAM) tools.

I’ll leave you with this important point. While evaluating attack vectors, researching competitors and gauging the threat from organised crime or foreign adversaries, it’s easy to conclude that external attacks should be the primary focus of defence. This conclusion can often be wrong. The critical element is not the source of a threat, but its potential for damage.

By evaluating threats from this perspective, it becomes obvious that although most attacks might come from outside the organisation, the most serious damage is done with help from the inside.
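The second tip above (role-based permission, least privilege, and removing access at offboarding) as a runnable entitlement review. This is an added example, not BeyondTrust's or the article's code: the role model, the HR roster and the access grants are constructed sample data, and the resource and level names are hypothetical.

```python
"""Entitlement review: reconcile granted access against HR roles.

Added example, not BeyondTrust's or the article's code. The role model,
the HR roster and the access grants below are constructed sample data.
"""
from collections import defaultdict

# Hypothetical role model: the (resource, level) pairs a role legitimately needs.
ROLE_ENTITLEMENTS = {
    "hr_manager": {("hr_db", "read"), ("hr_db", "write"), ("payroll_share", "read")},
    "it_admin": {("domain", "admin"), ("backup_server", "admin"), ("ticketing", "write")},
    "sales": {("crm", "read"), ("crm", "write")},
}

# Constructed HR roster: user -> (role, employment status).
HR_ROSTER = {
    "alice": ("hr_manager", "active"),
    "bob": ("it_admin", "active"),
    "carol": ("sales", "active"),
    "dave": ("sales", "terminated"),   # left the business, account still present
}

# Constructed access grants as exported from a directory/PAM tool: (user, resource, level).
ACCESS_GRANTS = [
    ("alice", "hr_db", "read"),
    ("alice", "hr_db", "write"),
    ("alice", "payroll_share", "read"),
    ("bob", "domain", "admin"),
    ("bob", "backup_server", "admin"),
    ("bob", "ticketing", "write"),
    ("carol", "crm", "read"),
    ("carol", "crm", "write"),
    ("carol", "hr_db", "read"),                # excess: sales has no need for hr_db
    ("carol", "domain", "admin"),              # excess: standing admin rights on a sales account
    ("dave", "crm", "read"),                   # leaver still holds access
    ("svc_backup", "backup_server", "admin"),  # account with no HR record at all
]


def review_entitlements(roster, grants, role_model):
    """Return findings as {user: [description, ...]}.

    Flags grants outside the user's role, any grant held by a non-active
    user, and accounts that hold access but have no HR record (orphans).
    """
    findings = defaultdict(list)
    for user, resource, level in grants:
        if user not in roster:
            findings[user].append(f"orphan account holds {level} on {resource}")
            continue
        role, status = roster[user]
        if status != "active":
            findings[user].append(f"{status} user still holds {level} on {resource}")
            continue
        if (resource, level) not in role_model.get(role, set()):
            findings[user].append(f"{level} on {resource} is outside role {role}")
    return dict(findings)


def admin_grants(grants):
    """Accounts holding 'admin' anywhere: candidates for removal or just-in-time elevation."""
    return sorted({user for user, _, level in grants if level == "admin"})


if __name__ == "__main__":
    for user, issues in review_entitlements(HR_ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS).items():
        for issue in issues:
            print(f"{user}: {issue}")
    print("admin holders:", admin_grants(ACCESS_GRANTS))
```

Run against a real export, the same comparison is what an identity governance tool does on every role change and leaver event; the standing admin list is the input to a PAM rollout that replaces permanent rights with time-bound elevation.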

Javvad Malik, Security Awareness Advocate at KnowBe4

‘Insider threat’ is a term used to combine a number of threats and can mean many things.

At a broad level, there are three main types of threat which form an insider threat: a malicious insider, a non-malicious insider and a compromised insider.

Malicious users are aware of their actions and the negative implications on the organisation, yet still pursue that course of action. 

It can include users who take company information when moving jobs or disgruntled users who want to damage the company. 

At the extreme end are employees engaged in corporate espionage, providing intellectual property or other sensitive information to competitors, criminal gangs or nation-state sponsored actors.

Non-malicious insiders are those users that perform actions which have no ill intent but can nevertheless cause harm to an organisation. For example, shadow IT, where users will procure or use a cloud application such as a file-sharing app to increase productivity, but inadvertently expose the company.

The final, often overlooked, category is that of compromised insiders. Typically, this is where credentials have been guessed or captured as part of a targeted attack. Although the actor behind the account is not an employee, the use of legitimate credentials would show up as if it were an employee. 

As insiders form a variety of threats, a layered approach should be taken. This includes technical controls which can look at user behaviour and raise alarms where something appears out of the ordinary, such as a large transfer of files to external destinations. 

When dealing with humans, often the best detection and remedial action is having a strong security culture within the organisation so that people themselves can help to identify any issues. For example, it is rare to see an employee become disgruntled overnight and come in to cause harm the next day. So, having good line managers that can spot the signs early and who can help affected employees would be a far more effective approach than relying on technology alone.

Ultimately, it’s a delicate balancing act. At the moment, technology is not sufficiently advanced to fully understand humans and make rational decisions, which is why, in today’s enterprise, everyone has a role to play in ensuring the security of the organisation, and their colleagues. Neglecting to foster a security culture and ignoring the human element is a mistake no company can make in this day and age.
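The behavioural checks the contributors describe (a large transfer of files to external destinations that is out of the ordinary for that user, and repeated attempts to read files or directories that are not permitted, measured against a per-user baseline as the Gurucul report frames it) in working form. This is an added example, not Gurucul's, BeyondTrust's or KnowBe4's code: the log format, the field names, the thresholds and every log line are constructed for illustration.

```python
"""Baseline-and-deviation checks over user activity logs.

Added example; not Gurucul's, BeyondTrust's or KnowBe4's code. The log
format, field names, thresholds and every log line below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one event per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) dest=(?P<dest>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+) result=(?P<result>\S+)$"
)

# Constructed history, used only to learn each user's normal external transfer size.
HISTORY = """
2020-02-03T10:00:00Z user=alice action=upload dest=external path=/share/a.xlsx bytes=100000 result=ok
2020-02-04T10:00:00Z user=alice action=upload dest=external path=/share/b.xlsx bytes=120000 result=ok
2020-02-05T10:00:00Z user=alice action=upload dest=external path=/share/c.xlsx bytes=95000 result=ok
2020-02-06T10:00:00Z user=alice action=upload dest=external path=/share/d.xlsx bytes=110000 result=ok
2020-02-07T10:00:00Z user=alice action=upload dest=external path=/share/e.xlsx bytes=130000 result=ok
2020-02-03T11:00:00Z user=bob action=upload dest=external path=/tickets/1.log bytes=50000 result=ok
2020-02-04T11:00:00Z user=bob action=upload dest=external path=/tickets/2.log bytes=60000 result=ok
2020-02-05T11:00:00Z user=bob action=upload dest=external path=/tickets/3.log bytes=55000 result=ok
2020-02-06T11:00:00Z user=bob action=upload dest=external path=/tickets/4.log bytes=52000 result=ok
""".strip().splitlines()

# Constructed events for the day under review.
TODAY = """
2020-03-02T08:55:00Z user=alice action=upload dest=external path=/share/f.xlsx bytes=105000 result=ok
2020-03-02T09:14:03Z user=alice action=upload dest=external path=/export/customers.zip bytes=2500000000 result=ok
2020-03-02T09:20:00Z user=carol action=upload dest=external path=/share/g.pdf bytes=90000 result=ok
2020-03-02T09:00:00Z user=bob action=read dest=internal path=/finance/payroll.xlsx bytes=0 result=denied
2020-03-02T09:02:00Z user=bob action=read dest=internal path=/finance/payroll.xlsx bytes=0 result=denied
2020-03-02T09:05:00Z user=bob action=read dest=internal path=/finance/bonuses.xlsx bytes=0 result=denied
2020-03-02T09:07:00Z user=bob action=read dest=internal path=/finance/ bytes=0 result=denied
2020-03-02T11:30:00Z user=bob action=read dest=internal path=/hr/ bytes=0 result=denied
""".strip().splitlines()


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def build_baseline(events):
    """Per-user (median, MAD) of bytes per successful external transfer.

    Median and median absolute deviation are used instead of mean/stddev so a
    single historical outlier does not inflate the user's 'normal'.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["dest"] == "external" and e["result"] == "ok":
            per_user[e["user"]].append(e["bytes"])
    baseline = {}
    for user, sizes in per_user.items():
        med = statistics.median(sizes)
        mad = statistics.median(abs(s - med) for s in sizes)
        baseline[user] = (med, mad)
    return baseline


def detect(events, baseline, k=5.0, min_mad=1024, denied_threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (user, reason, timestamp, value) tuples."""
    alerts = []
    # 1. External transfer far above the user's own baseline (or with no baseline at all).
    for e in events:
        if e["dest"] != "external" or e["result"] != "ok":
            continue
        if e["user"] not in baseline:
            alerts.append((e["user"], "external_transfer_without_baseline", e["ts"], e["bytes"]))
            continue
        med, mad = baseline[e["user"]]
        cutoff = med + k * max(mad, min_mad)   # floor stops a tiny MAD from alerting on noise
        if e["bytes"] > cutoff:
            alerts.append((e["user"], "large_external_transfer", e["ts"], e["bytes"]))
    # 2. Repeated denied access within a sliding time window (one alert per burst).
    denied = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "denied":
            continue
        q = denied[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) == denied_threshold:
            alerts.append((e["user"], "repeated_denied_access", e["ts"], len(q)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(HISTORY))
    for alert in detect(parse(TODAY), base):
        print(alert)
```

The two checks are deliberately per-user: a 2 GB export is normal for a backup operator and alarming for a sales account, which is why a fixed global threshold produces the false-positive volume the survey respondents complain about. A user with no history gets flagged on any external transfer until a baseline exists, which is the conservative choice for new joiners and service accounts.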

Intelligent CIO Europe