Dark shadow of a hand reaches for computer keyboard showing insider threat and user behavior

Reducing Insider Threat Risk in Uncertain Economic Times

The end of 2022 and the start of 2023 for many organizations has meant taking a hard look at the bottom line. When the economy feels uncertain, many organizations look at budgets and may restructure to try to meet business goals. However, what may be missed in trying to be more cost efficient, is how this impacts the business if security isn’t top of mind. Companies that are downsizing, or still planning to, must have an insider threat program in place or run the risk of falling victim to a massive cyberattack that could cripple the business for months to come, ultimately making the cost reductions a worthless exercise.

We are seeing this more and more at Exabeam. Downsizing and layoffs are indirectly hitting the Security Operations Center (SOC). Technology buying decisions are being driven by a real concern about insider threats in these uncertain and challenging economic times. It’s important to remember “insiders” are not just employees behaving maliciously. Many employees are at constant risk of having their credentials be compromised by external actors. Regardless of the insider profile, these days security leaders need to be working hand in hand with HR to detect insider threats. The cost is too great otherwise.

When Ponemon Institute published its 2022 Cost of Insider Threats Global Report, it estimated that the average cost of an insider-related incident was $15.4M. The main drivers that allow insider threats to persist and disrupt business are compromised and misused credentials. The lack of focus and ability of organizations to counter these kinds of attacks are mind boggling.

Times like these keep the office of the CISO up at night. CISOs bear the responsibility for educating the entire staff on the risks of insider threats and safeguarding credentials, which is still, believe it or not, a very new concept for many organizations. Even a company’s board of directors isn’t exempt from this training, and alongside the C-Suite, they’ll be asked to approve the footed bills and budgets for the programs needed to address insider threats. It is par for the course with credential-based attacks on the rise.

Identifying the inside dangers

An insider threat is a digital crime of opportunity. The perpetrators, whether for their own personal gain or to adversely affect an organization’s reputation, already have two critical things needed to cause real damage: knowledge and access.

Employees — or former employees moving on who still have credential-based access or know how to get it — are already logged in to critical business systems, so in the presence of malicious intent, they can very easily exfiltrate data. Given their access and knowledge of organizational assets, attacks involving malicious insiders are harder to identify or remediate than those that originate from outside the organization.

The most reliable way to manage insider threats and minimize harm to an organization is by using solutions that give a human, credential-based view and inform the defender what’s normal, so then you know what’s abnormal – and only then.

DLP only goes so far at detecting insider threats

Every organization I know has a data loss protection (DLP) solution to try and detect data leaks as well as manage compliance requirements. Despite their well-meaning efforts, few are happy with their solution. Why? They are impossible to operationalize (despite being required by every auditor). While they trigger events, they don’t provide the context needed to act. What’s the context? No one knows. An event with no context is simply impossible to investigate.

The problem is that most DLP solutions are using basic static correlation rules to trigger alerts. If the rules are either too broadly or narrowly defined, which is most often the case, the alerts carry low fidelity, resulting in missed data leak after missed data leak.

Compounding these challenges is the knowledge a malicious insider may have about the security thresholds in place (like how much outbound data transfer triggers an alert). This is how insiders can easily remain under the radar and avoid detection.

Despite their imperfections, having a relevant DLP program in place is still critical, but in addition to DLP, and what will make it better, is understanding normal user behavior. The latter capability is also absolutely critical to identifying insider threats and reducing risks associated with any unwanted incidents.

If you don’t know normal, you’re a sitting duck

We discuss the critical capability of understanding normal user behavior pretty much on a daily basis with our customers and partners. By now, most everyone gets it, and understands that normal keeps changing so you have to understand those ongoing changes too.

Understanding normal behavior is the best way to recognize abnormal behaviors as potentially indicative of malicious activities. If you don’t know normal, you don’t know what’s abnormal, which means you don’t know what’s likely malicious or otherwise in your environment. That’s scary. Would you leave all your house doors and windows open when you sleep at night? Knowing normal is the lock, key, and complete security system.

Organizations that can’t baseline normal user behavior are sitting ducks.

Critical defense mechanisms: automation, timelines, and knowing normal

Under the cloak of valid credentials, malicious insiders hide in plain sight. They are the most difficult intrusions to identify. Suppose your defensive posture is built on legacy security tools that rely on signatures and correlation rules. In that case, that will not save your organization against the threat of bad actors already logged into your systems.