In looking at the plethora of recent data breaches, it’s easy to think that attackers have gained an unfair advantage over security professionals. The network perimeter has virtually dissolved, compelling enterprises to simultaneously work to keep the bad guys out while tackling multiple insider threats – naïve employees, malicious insiders, careless third parties, and undetected malware or intruders that have already breached network defenses. Legitimate users and activities should not be impeded, but determining what activity to validate and what to allow is not always easy.
Cybercriminals increasingly rely on social engineering campaigns and unsuspecting insiders, weak passwords, and poor cyber hygiene to provide a conduit for their attacks. The most suspicious network behavior shouldn’t be sent into a queue to be reviewed by an analyst when they get to it, it needs to be addressed in real time. And to make things more complicated, in our increasingly digital world, binary decisions – black or white, allow or block – do not work. Enterprises need to shift their approach to information security to be more continuously adaptive and think about how to enable transactions when all the information isn’t available or there is a known level of risk.
Half of IT professionals attest they are more concerned about internal than external threats. According to arecent survey, the specific concerns that are now top of mind are: malware installed by careless employees (via phishing emails, infected web sites and mobile devices); stolen or compromised credentials, stolen data, and abuse of admin privileges. The vast majority of IT pros surveyed agreed that clueless and rule-bending employees worry them most; malicious insiders are considered the higher risk by only 13% of respondents.
Research reports from Verizon and Cisco corroborate what IT teams are claiming: insider threats are increasing and common interventions like security awareness training and basic access controls are not effective. According to Verizon’s 2017 DBIR, 25 percent of breaches involved internal actors, 81 percent of hacking-related breaches were aided by stolen or weak passwords, and 66 percent of malware was installed via email attachments.
However there are several more alarming trends related to incident response. Cisco’s 2017 Annual Security Report highlights some of them: an increase in spam traffic, of which a growing percentage contains malicious attachments; high percentages of security alerts not investigated (44 percent) and legitimate alerts not remediated (54 percent). These trends are a result of some of the persistent constraints security teams experience today (budget, talent, compatibility issues, executive support) and this erodes confidence and undermines the effectiveness of security technologies in place.
Building a culture of security and accountability is key to evolving your employee-driven security measures from “weak link” to “front line defense” caliber. Providing frequent security training that keeps pace with relevant threats is another essential element. Linking specific training exercises to employee errors or habitual non-compliance can drive a more sustained focus on avoiding potentially malicious emails and web sites.
We don’t rely solely on culture, leadership, training, and policy documents to protect the complex systems and valuable data that fuel digital business and infrastructure. Rather, we depend heavily on technology and processes; emerging solutions that combine both are a powerful antidote to insider threats. With security teams being overwhelmed finding a way to better leverage existing technologies and make them more adaptive and automated is going to be a key requirement. The ultimate goal is to provide security that is not disruptive to real business and can preempt the real threats before they create impact. To do this, being able to better identify identity, behavior, and risk of activities along with real-time adaptive response mechanisms can help achieve this.
The starting point to achieve this is User and Entity Behavior Analytics (UEBA). UEBA that incorporates traffic analysis, behavior analysis and real time user feedback can continuously learn and identify suspicious behavior, unexpected use patterns, risk, and the shades of gray.
Combine this with real-time threat prevention that can adaptively respond to threats (or a shift in behavior) based on risk, identity, role, asset being targeted and context and security teams now have an accurate way to automate threat response and reduce incident response burden. Such adaptive responses to threats could include multi-factor authentication, allow, block, notify, end point isolation and others — all of which are designed to match the behavior, the type of user, application and the asset being targeted, and be applied through flexible policies. Real-time engagement with users now adds advanced supervised machine learning into the behavioral analytics, rendering it even more accurate and effective over time.
Let’s look at a practical use case. An organization has a privileged user that accesses multiple servers he doesn’t normally access. Traditionally, an alert is generated and manually reviewed by security professionals. With adaptive real-time response, the user would be prompted to validate their identity using multifactor authentication. If unsuccessful, they can be automatically blocked, potentially stopping an attacker who stole someone’s credentials. This entire process is completed without a security analyst ever needing to get involved. If the user was an outside consultant or an executive, the response could be completely different based on context, risk and policy.
When behavioral insights are combined with adaptive response and enforcement, organizations can improve their ability to proactively defend against sophisticated attacks and insider threats as well as being able to more easily control access to data and systems. This can provide a significant reduction of time spent on incident response allowing the teams to be more efficient and effective.
People behaving badly on the network is a given; adversaries know this and they are targeting your organization by taking advantage of your users, looking for weak links, patterns of carelessness, and virtual doors left ajar. Turn the tables by monitoring for risky activities, and slamming those open doors right in the menacing face of cybercrime.