Incidents of fraud, theft and abuse carried out by rogue insiders present organisations with the ultimate targeted threat: attacks executed by highly motivated actors who operate with a high degree of internal organisational knowledge and comparative ease of access. Such threats can create sizable risks to digital assets and are also the most challenging to manage.
Security leaders have to understand their organisation’s context and operations in order to strike a balance between protection, control and creating value.
Users tied up in complex and over-controlling systems are unable to perform. Too light a touch leaves key assets and resources too easy to misuse, alter or steal. Blending layers of organisational, physical and technical policy and management can meaningfully reduce internal cyber attacks, but no solution can be perfect. Organisations must also be able to identify and recognise illegitimate internal actions and make timely interventions.
Our digital behaviour creates an ever-growing stream of transient data that spans the networks connecting systems, resources and users. Organisations are collecting petabytes of network flows and log data in the hope of detecting attacks. These systems turn into unwieldy analysis projects that typically detect an attack only after it has done damage.
It is a waste of valuable time and money for security analysts to forensically sift through historical metadata. This is evident when you consider that attackers spy, spread and steal inside a victim’s network for an average of 205 days before they are detected, and that 69% of the time a data breach is reported by an external party*. Big data alone isn’t the answer. In research earlier this year we also found that insider threats are surging as budgets retreat.
However, emerging techniques in algorithm-based data science, machine learning and behavioural analysis show that automation can make Big Data more useful and actionable. Constantly monitoring raw network traffic provides primary evidence of everything that is happening on the network right now, rather than a passive, out-of-date snapshot.
From there, sophisticated mathematical algorithms can distil context and an understanding of threat actions. The actions that can be recognised include illegitimate or unexpected access, privilege escalation behaviour, and data exfiltration (in plain sight or covert).
This all happens in real time and the results can then be scored and prioritised based on threat certainty, and presented to security analysts.
Analysts can then see exactly what their internal threat landscape looks like, identify the highest-priority risks and make immediate corrective interventions. Dramatically reducing the detection timeframe yields significant gains in efficiency and effectiveness. Insider security issues are identified and managed before they escalate in severity and impact the organisation further.
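The scoring-and-prioritising pipeline sketched above can be made concrete with a small behavioural baseline. The following Python is an added example and not code from the original post or any product it describes: it takes constructed flow records (hour, user, destination, port, bytes out), builds a per-user profile of normal destinations and outbound volume from a historical window, then scores live flows for unexpected admin-service access, unusual outbound volume and off-hours activity, and ranks them so the highest-certainty anomaly reaches the analyst first. The flow format, the list of admin ports, the score weights and the z-score threshold are all assumptions chosen for illustration.

```python
"""Toy behavioural scoring of network flow records for insider-threat triage.

Added example, not from the original post. Builds a per-user baseline from a
historical window and scores new flows for unexpected access, unusual
outbound volume and off-hours activity, then ranks them for an analyst.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    hour: int        # hour of day the flow started (0-23)
    user: str        # account attributed to the flow
    dst: str         # destination host
    port: int        # destination port
    bytes_out: int   # bytes sent from the user's host


# Constructed baseline window: ordinary daytime activity for two users.
BASELINE = [
    Flow(9,  "alice", "fileshare", 445, 50_000),
    Flow(10, "alice", "fileshare", 445, 60_000),
    Flow(11, "alice", "crm",       443, 20_000),
    Flow(14, "alice", "fileshare", 445, 55_000),
    Flow(16, "alice", "crm",       443, 25_000),
    Flow(9,  "bob",   "jenkins",   443, 10_000),
    Flow(10, "bob",   "git",       22,  80_000),
    Flow(13, "bob",   "git",       22,  70_000),
    Flow(15, "bob",   "jenkins",   443, 12_000),
]

# Constructed "live" flows to score against the baseline.
LIVE = [
    Flow(10, "alice", "crm",        443,  22_000),   # routine
    Flow(2,  "alice", "fileshare",  445,  900_000),  # off-hours, huge volume
    Flow(11, "alice", "domain-ctl", 3389, 5_000),    # never-seen admin service
    Flow(14, "bob",   "git",        22,   75_000),   # routine
]

# Assumption: ports that expose remote-administration services.
ADMIN_PORTS = {22, 3389, 5985, 5986}
VOLUME_Z_THRESHOLD = 3.0   # assumption: z-score above which volume is anomalous


def build_baseline(flows):
    """Per user: destinations, (dst, port) pairs and hours seen, plus volume stats."""
    by_user = defaultdict(list)
    for f in flows:
        by_user[f.user].append(f)
    profile = {}
    for user, fs in by_user.items():
        vols = [f.bytes_out for f in fs]
        profile[user] = {
            "dsts": {f.dst for f in fs},
            "pairs": {(f.dst, f.port) for f in fs},
            "hours": {f.hour for f in fs},
            "mean": mean(vols),
            "std": pstdev(vols) or 1.0,   # guard against a constant baseline
        }
    return profile


def score_flow(flow, profile):
    """Return (score, reasons); a higher score means higher threat certainty."""
    p = profile.get(flow.user)
    if p is None:
        return 5, ["no baseline for user"]
    score, reasons = 0, []
    if flow.dst not in p["dsts"]:
        score += 2
        reasons.append("new destination")
    if (flow.dst, flow.port) not in p["pairs"] and flow.port in ADMIN_PORTS:
        score += 3
        reasons.append("unexpected admin service access")
    z = (flow.bytes_out - p["mean"]) / p["std"]
    if z > VOLUME_Z_THRESHOLD:
        score += 4
        reasons.append(f"outbound volume z={z:.1f}")
    if flow.hour not in p["hours"] and not 8 <= flow.hour <= 18:
        score += 2
        reasons.append("off-hours activity")
    return score, reasons


def prioritise(live, baseline):
    """Score every live flow and return the anomalous ones, highest score first."""
    profile = build_baseline(baseline)
    scored = []
    for f in live:
        s, reasons = score_flow(f, profile)
        if s > 0:
            scored.append((s, f, reasons))
    return sorted(scored, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, f, reasons in prioritise(LIVE, BASELINE):
        print(f"{score:2d}  {f.user:6s} -> {f.dst}:{f.port}  {', '.join(reasons)}")
```

The two routine flows score zero and never reach the queue; the large off-hours transfer outranks the first contact with an admin service, which is the ordering an analyst wants when deciding what to intervene on first. In practice the baseline window would be rolling and the weights tuned to the organisation's own traffic, but the shape of the pipeline is the same.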
When insider threats strike, time is of the essence. Interested? Read the tech note: "Key Steps to Stop Insider Threats"
* Mandiant M-Trends Report 2015