As much as we hate to admit it, we have come to exhaustion trying to keep up with news of more companies losing our personal data. The classic perimeter security model, the leading security doctrine of our time, relied on one primary assumption: A single element is exclusively responsible for granting and revoking network credentials. Needless to say, this assumption is null and void in most modern day organizations. Cloud environments and mobile devices and applications have alone created numerous parallel universes in which system admins are required to inforce their age old policies.
While no one wants to hear their personal medical sheet or credit data is being sold online to crime rings, we have to realize it's not the computers causing organizations to miscarry our prized information. With every data breach and sophisticated cyber attack creating a flood of views and opinions about all things wrong with everything in cybersecurity, we seem to be losing focus on the bigger picture: People are the ones responsible for committing the angering crimes mentioned above and they are predominantly in charge of making sure these events do not happen.
Here is one thing most security vendors will agree on: Users require authorized access to critical resources to get their jobs done, thus making the classic "perimeter security model” obsolete. The most reasonable option, that of creating a disciplined and restricted work environment, is not really a viable option for organizations seeking to adopt new technologies that improve efficiency and operational costs. Top that off with the fact that harsh restrictions cripple even the most efficient companies and damage functional and critical work processes.
And yet, organizations are still choosing to invest the majority of their information security budgets into building virtual walls around critical assets and the network perimeter, while potentially avoiding the inherent insider threat issue.
Three factors will determine how critical your “Insider Threat” is:
1. Data sensitivity - To what degree of direct financial damage will you be exposing your customers and company to due to the loss of data? With credit information and banking credentials always a top priority, personal identification information is also lately being considered a priority with the evolution of phishing techniques enabling attackers with a wide new variety of online schemes. Other information reflecting mostly customer tastes and preferences are at a low risk.
2. Routine access rate – How often do employees and customers access sensitive data and to what extent? Most companies use their sensitive data daily. The extent of different uses by employees and clients alike raise risk levels substantially.
3. Level of uniqueness – Is your data collected from unique sources and using specialized methods? Companies collecting voice recordings, personal call-log data, and geographic locations, for example, are also exposed to higher risk than standard commerce companies. Unique information can be abused in distinct ways and makes it a more prized prospect for malicious attackers and rogue insiders.
As you can see, the insider threat is more immense and tangible than one could imagine. After realizing the level of risk your organization is exposed to, it's time to think of proper handling. It is generally thought that users are very easily distinct and, as a result, easily monitored and investigated. The truth is quite the opposite. The sheer amount of data that can be collected to provide full user action visibility is endless. Using endpoint agents, SIEM, and even employee reports, security teams can find themselves swamped with irrelevant information.
One key differentiator that can help find the rogue needle in the haystack is leveraging users' own behavioral patterns to distinguish the emergence of a potential threat. Behavioral patterns are built over long courses of time and are very difficult to mimic precisely. Using anomaly detection and machine learning technologies, mathematical and statistical models are able to identify even the most subtle change of behavior, fitting to a threatening profile.
Like in most areas of life, relativity is everything. Using the power of relativity, plain user-access logs can transform into meaningful security insights, directing security resources to where they are truly needed. For example, imagine mapping all multiple access attempts over a large network and providing higher risk values to users with an abnormal access time. This simple report can help reach an exclusive threat group of potential compromised users. Now imagine taking that exact group and seeing who has been observed accessing their machines in abnormal hours and you receive a specific profile of potential compromised users acting in abnormal hours. Though fitting only a small segment of possible threats, imagine deploying similar reports continuously over time, leveraging the data collected to improve detection success rates.
To conclude, while companies can and will continue adding additional agents and security appliances to battle common intrusion methods, the imaginary walls and fences of perimeter security must make way to a new method of detection and investigation. Companies that adopt smarter solutions to help protect the human factor, rather than the machines, can better understand the context in which a user is operating. They can then build a comparative risk model to identify outliers in user activity and gain enhanced network visibility.
Idan Tendler is the Chief Executive Officer and Co-Founder of Fortscale, a provider of Big Data analytics-driven security solutions for Fortune 1000 companies. Before founding Fortscale, Tendler was a lead agent of the 8200, the cyberwarfare division of the Israeli Defense Forces. He is a serial entrepreneur and a recognized expert in the fields of cybersecurity and threat intelligence.