Insider Threat Best Practice – without the need for an SIEM solution


While so much of the news focuses on external attacks, one of the greatest threats to your organization’s data security, revenue, and reputation comes from insiders.

Insiders – employees with access to data that is externally valuable – are responsible for 28% of all data breaches. While 28% may not seem as large as the implied 72% of attacks by external attackers, 28% is actually a massive number.

External attacks leverage automation, pre-programmed code, and the opportunistic nature of targeting millions of email addresses to seek out and find their next victim. Insiders, on the other hand, are individuals who personally perform the threat action. External attackers need to find the data they believe to be valuable, while insiders already know about every bit of your valuable data they have access to.

So, while the 28% number may seem immaterial, it’s quite the opposite.

More than just worrying about privileged users

In fact, insiders can pose a greater threat to the organization than external attackers. Every organization has confidential business data, customer data, employee PII, and intellectual property that should only be used for the benefit of the organization. And, because a malicious insider is using permissions to applications, resources, and data they have been granted as part of their job, it is extremely difficult to determine if activity should be considered a threat or not. That means they can steal information and you may never know it even happened!

Take the example of Sally, a sales admin. She exports a list of customers that have made six-figure purchases of your products in the last six months. Is she doing this to run an analysis for a new marketing campaign targeting certain companies… or is she making a copy for her new job as a named account sales rep at a competitor? It’s tough to tell.

The insider can be anyone within the organization. In a recent survey, IT organizations reported nearly identical levels of concern about privileged IT users and regular employees as potential insider threat actors. And they should; anyone with access to data that’s considered valuable externally is potentially a threat.

Also keep in mind that almost every external attacker eventually looks like an insider. The use of compromised internal credentials by an external attacker is the most common threat action in data breaches (Verizon, Data Breach Investigations Report 2018). This underlines the value of identifying insider threats as early as possible.

Insider Threat Indicators

The goal is therefore to look for indicators of improper or malicious employee behavior. It’s at this point that organizations start considering a Security Information and Event Management (SIEM) solution. It is even included in the recent 5 Best Practices to prevent insider threat from the CERT Insider Threat Centre.

If you’re not familiar with SIEM, it is a log consolidation, analysis, reporting, and alerting solution that correlates security event data from many sources to give you visibility into what’s going on anywhere in your environment. And that’s where SIEM solutions shine. SIEM solutions can hold so much detail on user actions that it’s tough to find an alternative.

But consider that the only reason organizations need all that user activity data is usually because threat detection did not happen early enough. Think about it: if you can detect (and, potentially, stop) a threat well before any malicious actions take place, there’s no need for any activity data (in fact, there will be none). And if there’s a way to achieve that end more easily, it’s worth exploring.

So, allow us to make the case for a single, simpler way of providing better threat detection without the complexity of a SIEM deployment: a logon management solution such as UserLock, which evaluates every logon against the user’s expected workstations, hours, and concurrent sessions before any access is granted.
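To make the logon-time argument concrete, here is an added example (not UserLock’s code, and not from the original post) of the kind of policy check a logon management approach applies at the moment of authentication, before any activity data exists. The policy fields (`allowed_workstations`, `work_hours`, `max_concurrent_sessions`), the account names and the workstation names are all constructed assumptions for the illustration; the constructed events follow the Sally scenario from the text, with one IT administrator account added for contrast.

```python
"""Added example: evaluate constructed Windows-style logon events against a
per-user logon policy, returning an allow/deny decision with the reasons.
All policies, account names and events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class LogonPolicy:
    allowed_workstations: set          # machines the account is expected to use
    work_hours: tuple                  # (earliest, latest) permitted logon time
    max_concurrent_sessions: int = 1   # open sessions allowed at once


@dataclass
class LogonEvent:
    user: str
    workstation: str
    timestamp: datetime
    event: str                         # "logon" or "logoff"


# Hypothetical policies: a sales admin on one workstation during office hours,
# an IT administrator on two machines around the clock.
POLICIES = {
    "sally": LogonPolicy({"WS-SALES-01"}, (time(8, 0), time(18, 0)), 1),
    "it.admin": LogonPolicy({"WS-IT-01", "SRV-DC-01"}, (time(0, 0), time(23, 59, 59)), 2),
}


def evaluate(events, policies):
    """Replay events in time order; decide each logon from policy and open sessions only."""
    active = {}        # user -> set of workstations with an open session
    decisions = []     # (user, workstation, "ALLOW"/"DENY", [reasons])
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event == "logoff":
            active.get(ev.user, set()).discard(ev.workstation)
            continue
        policy = policies.get(ev.user)
        reasons = []
        if policy is None:
            reasons.append("no logon policy defined for account")
        else:
            if ev.workstation not in policy.allowed_workstations:
                reasons.append(f"workstation {ev.workstation} not assigned to user")
            earliest, latest = policy.work_hours
            if not (earliest <= ev.timestamp.time() <= latest):
                reasons.append("logon outside permitted hours")
            sessions = active.setdefault(ev.user, set())
            if ev.workstation not in sessions and len(sessions) >= policy.max_concurrent_sessions:
                reasons.append(f"concurrent session limit ({policy.max_concurrent_sessions}) reached")
        if reasons:
            decisions.append((ev.user, ev.workstation, "DENY", reasons))
        else:
            active.setdefault(ev.user, set()).add(ev.workstation)
            decisions.append((ev.user, ev.workstation, "ALLOW", []))
    return decisions


def sample_events():
    """Constructed events: a normal morning logon, a second logon from an
    unassigned machine while the first session is still open, a logoff, and a
    late-night logon; plus an administrator working overnight on a server."""
    d = datetime(2024, 3, 4)
    return [
        LogonEvent("it.admin", "SRV-DC-01", d.replace(hour=2, minute=10), "logon"),
        LogonEvent("sally", "WS-SALES-01", d.replace(hour=9, minute=5), "logon"),
        LogonEvent("sally", "WS-SALES-07", d.replace(hour=9, minute=20), "logon"),
        LogonEvent("sally", "WS-SALES-01", d.replace(hour=17, minute=30), "logoff"),
        LogonEvent("sally", "WS-SALES-01", d.replace(hour=22, minute=15), "logon"),
    ]


if __name__ == "__main__":
    for user, ws, verdict, why in evaluate(sample_events(), POLICIES):
        print(f"{verdict:5} {user:9} {ws:12} {'; '.join(why)}")
```

The point of the design is that every decision is made from the logon attempt and the current session table alone: the denied attempts from an unassigned workstation and outside office hours never produce the file-access or export activity a SIEM would later have to sift through.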

Read the whitepaper: Logon Management vs SIEM – The Battle for Threat Detection


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.