Some of the most damaging attacks on computer systems come not from hackers but from insiders who have legitimate access to the system and, whether through malice or negligence, compromise the organization’s security, data and computer systems. This may involve the theft of confidential information, theft of intellectual property or sabotage of a computer system’s security.
Insider threats usually come from malicious insiders (who intentionally seek to damage an organization), negligent insiders (who have allowed their credentials to be stolen through disregard of security policies) or infiltrators (external actors who have obtained legitimate credentials through unauthorized means).
Insider threat detection is inherently difficult because these actors usually hold legitimate credentials for system access and are hard to identify. There are, however, a range of tools that monitor normal use and highlight unusual or forbidden activity, and these can identify and help mitigate such threats.
While disgruntled employees can be a security risk, the most common insider threat arises when employees expose their credentials unintentionally. Phishing (sending emails with suspect attachments or malware, or otherwise attempting to get a user to reveal their credentials) is the most common vulnerability behind insider threats.
Detecting and managing insider threats requires careful planning when granting access, specifying access permissions and monitoring user activity. Various tools are available to provide an organization with a control framework: a set of safeguards, separation of duties and monitoring of user actions to prevent insider threats. These tools include Intrusion Detection and Prevention systems (to prevent unauthorized access), Log Management (to provide a view of all user activity) and Security Information and Event Management (to identify events that could be security breaches). These tools are effective in identifying more than half of insider attacks.
Another important aspect of identifying insider attacks is the tracking and monitoring of key system assets and resources. When security professionals monitor these assets they can react faster to incidents and precisely identify the assets under threat and the potential impact. Monitoring sensitive data is a central feature of this approach. Tracking data access and transfer enables security personnel to react quickly and proactively to any breach.
Using tools that analyze user behavior is also an effective approach to insider breaches. By modelling user interactions on the system, User Behavior Analytics tools can classify typical user interactions and use these to detect anomalous behavior when it occurs and take preventive action.
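As an added example (not from the original text or any particular product), the following Python sketch shows the data-access monitoring and User Behavior Analytics ideas from the two paragraphs above: it learns each user's normal resources, active hours and transfer volume from a small set of constructed access-log lines, then reports which parts of that baseline a new event violates. The log format, user names, resource paths and the z-score threshold are all assumptions made for this illustration.

```python
# Added example: a minimal User Behavior Analytics baseline (constructed log
# format, users and thresholds; not any product's real format).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline log: "ISO-timestamp user resource bytes_transferred"
BASELINE_LOG = """
2024-03-04T09:12:00 alice fs://finance/q1.xlsx 120000
2024-03-04T10:40:00 alice fs://finance/budget.xlsx 95000
2024-03-05T09:05:00 alice fs://finance/q1.xlsx 118000
2024-03-05T14:20:00 alice fs://finance/forecast.xlsx 101000
2024-03-04T08:50:00 bob fs://eng/design.pdf 2000000
2024-03-05T17:30:00 bob fs://eng/specs.docx 1800000
""".strip().splitlines()

def parse(line):  # hour is taken from the ISO timestamp, e.g. "...T09:12:00" -> 9
    ts, user, resource, nbytes = line.split()
    return {"hour": int(ts[11:13]), "user": user, "resource": resource, "bytes": int(nbytes)}

def build_profiles(lines):
    """Per-user profile: resources seen, active-hour range, byte-volume mean/stdev."""
    by_user = defaultdict(list)
    for ev in map(parse, lines):
        by_user[ev["user"]].append(ev)
    profiles = {}
    for user, evs in by_user.items():
        sizes, hours = [e["bytes"] for e in evs], [e["hour"] for e in evs]
        profiles[user] = {
            "resources": {e["resource"] for e in evs},
            "hours": (min(hours), max(hours)),
            "mean": mean(sizes),
            "stdev": pstdev(sizes) or 1.0,  # constant volumes would give stdev 0
        }
    return profiles

def score_event(line, profiles, z_threshold=3.0):
    """Return anomaly reasons for one event; an empty list means it fits the baseline."""
    ev = parse(line)
    prof = profiles.get(ev["user"])
    if prof is None:
        return ["unknown_user"]  # no baseline at all: always worth an analyst's look
    reasons = []
    if ev["resource"] not in prof["resources"]:
        reasons.append("new_resource")
    if not prof["hours"][0] <= ev["hour"] <= prof["hours"][1]:
        reasons.append("off_hours")
    if abs(ev["bytes"] - prof["mean"]) / prof["stdev"] > z_threshold:
        reasons.append("volume_outlier")
    return reasons
```

Calling `score_event(line, build_profiles(BASELINE_LOG))` on a 2 a.m. download of a never-before-seen payroll file by alice returns all three reasons, while her usual daytime access to q1.xlsx returns an empty list; in practice the baseline window would be rebuilt regularly so that the profile follows legitimate changes in a user's role.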