How behavior analytics can thwart insider threats


Connecting state and local government leaders

A combination of user behavior analysis and identity attributes and privileges can surface anomalous activity, set off alerts and prompt response and mitigation. 

A recent Ponemon Institute study confirms the troubling news that insider threats are on the rise. Ponemon estimates that incidents attributed to insiders have risen 47% since 2018. Not only are the threats more prevalent, but the cost of an insider-caused breach is going up too. According to the study, the average cost of an insider breach rose 31% to $11.45 million. Clearly, this is not something to be ignored.

Who is doing all this damage? Ponemon attributes the acts to negligent insiders (62%), criminal insiders (23%) and credential insiders (14%). A credential insider is an external intruder who has gained access to a network through subversion of a legitimate set of credentials, such as via a phishing expedition. The intruder assumes an insider’s identity and has all the access privileges that the real employee does.

Security professionals say that insider events are more difficult to prevent and detect than external attacks. This is largely because they don’t have the right tools at their disposal. Organizations tend to spend the lion’s share of their IT security budget on tools and resources designed to fight threats originating from outside the organization -- and these are simply the wrong tools to catch insiders in the act.

What’s needed to detect insider threats

Traditional prevention and detection systems that guard against external threats are largely ineffective at surfacing insider threats. These systems are tuned to look for indicators of compromise (IoCs) that an insider simply does not generate: excessive login attempts, geographical irregularities, web traffic with non-human timing, and the other tactics, techniques and procedures (TTPs) characteristic of outsider attacks. An insider already has valid credentials, a known device and a normal network path, so none of those signals fire.

The most prominent indicator of an insider attack is abuse of privileges -- doing things the employee has no legitimate business reason to do, whether or not the system technically permits it. Detecting this behavior requires tools that examine the actions of users -- particularly those with elevated permissions, such as systems administrators, managers and executives -- and look for activity that falls outside the range of permissible and normal behavior for that person and that role.

One tool designed for this purpose is user behavior analytics. A UBA tool collects past and current data such as user and entity activity, user roles and groups, and account access and permissions from directory services. From that and other data, the tool establishes a baseline of normal activities for individuals and their peer groups. Then big data and machine learning are used to highlight deviations from these baselines. 

While this is a good start in understanding anomalous behavior that could indicate malicious (or unintentionally erroneous) activity, there are ways to further refine the data to help eliminate false positives and false negatives. 

A more effective approach combines UBA with in-depth intelligence about a user's identity attributes and network privileges. People often have multiple digital identities for the various systems they log into and applications they use. Each identity has entitlements associated with it. For example, a user may be allowed to change or update records in a customer database, but only if those customers are assigned to his sales team. He may not have the privilege to even view records of customers assigned to a different sales region.

Taken together, a person's identities and their entitlements define a threat plane -- the set of places where that person (or someone holding that person's credentials) could steal or damage data. Mapping that plane makes it possible to triangulate risk from three sources:

  • A user’s access rights and entitlements.
  • His current and past activities across all the accounts assigned to him.
  • The typical activities of his peer groups.

Applying machine learning to these datasets reveals the anomalies indicative of misuse of assigned privileges.  

Determining the risk of a user identity and its activities

Years of manually maintaining identity management systems have led to privilege creep: employees accumulate entitlements as they change roles, and old ones are rarely revoked. As a result, workers -- or an attacker using a worker's hijacked account -- often have the ability to move throughout the network and do far more than their current job requires.

Organizations must strike a balance: the right access for the right users when they need it for their job, and no access when they do not need it. UBA can help in this regard.

To really understand a user identity, and to determine the risk of that identity as a threat plane, it's essential to collect relevant data from a variety of sources, including:

  • Identity management systems
  • Privileged account management systems
  • Directories
  • Log sources
  • Defense-in-depth systems
  • Intelligence sources

Once this data is collected, normalized and stored in a big data repository, it is ready for machine learning to perform the analytics. The ML models can look at every new transaction by a given identity and score it according to risk. Clustering and outlier-detection algorithms make suspicious behaviors stand out from the mass of benign activity.

For even more accurate analysis, the next step is to baseline a user's behavior and compare it to his dynamic peer group, i.e., the people who perform the same types of activities, hold the same types of identities and use the same privileges in practice. This is more effective than simply comparing a user's activities to the static groups he is assigned to in the company's directory service because, as noted above, those group memberships and assigned privileges tend to be out of date.

Baselining behavior to dynamic peer groups ultimately reduces the likelihood of false positive alerts often seen with static peer group analysis.
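The triangulation described above (entitlements, the user's own history, and the behavior of a dynamic peer group) can be shown in a few dozen lines. The following is an added example, not code from the article or from any UBA product; the users, entitlements and activity records are constructed for illustration, and the risk weights and the z-score threshold of 3 are arbitrary choices. Peer groups are built from the resources people actually touch (Jaccard similarity over observed activity), so a stale directory entitlement that nobody in the user's peer group uses is itself flagged, which is the privilege-creep case the previous section describes.

```python
"""Added example: score user activity against entitlements and a dynamic
peer-group baseline.  All identity data and log records are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed identity data: user -> entitlements (resource:region).
# alice moved from sales to HR; her CRM entitlements were never revoked.
ENTITLEMENTS = {
    "alice": {"crm:east", "crm:west", "hr:all"},
    "bob":   {"crm:east"},
    "carol": {"crm:east"},
    "dave":  {"crm:west"},
    "erin":  {"hr:all"},
    "frank": {"crm:west"},
}

# Constructed activity history: (user, day, resource, records_touched)
HISTORY = [
    ("bob", 1, "crm:east", 40), ("bob", 2, "crm:east", 45), ("bob", 3, "crm:east", 42),
    ("carol", 1, "crm:east", 38), ("carol", 2, "crm:east", 50), ("carol", 3, "crm:east", 44),
    ("dave", 1, "crm:west", 41), ("dave", 2, "crm:west", 39), ("dave", 3, "crm:west", 47),
    ("frank", 1, "crm:west", 36), ("frank", 2, "crm:west", 44), ("frank", 3, "crm:west", 40),
    ("erin", 1, "hr:all", 12), ("erin", 2, "hr:all", 9), ("erin", 3, "hr:all", 14),
    ("alice", 1, "hr:all", 10), ("alice", 2, "hr:all", 13), ("alice", 3, "hr:all", 11),
]


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def observed_resources(history):
    seen = defaultdict(set)
    for user, _day, resource, _n in history:
        seen[user].add(resource)
    return seen


def dynamic_peer_groups(entitlements, history, threshold=0.5):
    """Group users by what they actually do, not by static directory group.
    Returns user -> list of peers (including the user).  Users with no
    history fall back to their entitlement set as the grouping feature."""
    seen = observed_resources(history)
    groups = []  # (representative feature set, [members])
    for user in entitlements:
        feats = seen[user] or set(entitlements[user])
        for rep, members in groups:
            if jaccard(feats, rep) >= threshold:
                members.append(user)
                break
        else:
            groups.append((set(feats), [user]))
    return {u: members for _rep, members in groups for u in members}


def peer_baseline(history, peers, resource):
    """Mean and std dev of records touched per day by the peer group on a
    resource; None if the peers have no meaningful history there."""
    counts = [n for u, _d, r, n in history if u in peers and r == resource]
    if len(counts) < 2:
        return None
    return mean(counts), max(pstdev(counts), 1.0)  # floor sigma to avoid z blow-up


@dataclass
class Finding:
    user: str
    resource: str
    risk: int = 0
    reasons: list = field(default_factory=list)


def score_transaction(user, resource, records, entitlements, history, peers):
    """Risk-score one transaction.  Weights are illustrative, not calibrated."""
    f = Finding(user, resource)
    if resource not in entitlements.get(user, set()):
        f.risk += 100  # outright privilege abuse (or a broken enforcement point)
        f.reasons.append("action outside assigned entitlements")
        return f
    baseline = peer_baseline(history, peers[user], resource)
    if baseline is None:
        f.risk += 60  # stale entitlement: allowed, but nobody like this user does it
        f.reasons.append("entitled, but neither user nor dynamic peers use this resource")
        return f
    mu, sigma = baseline
    z = (records - mu) / sigma
    if z > 3:
        f.risk += min(int(z * 10), 90)
        f.reasons.append(f"volume z-score {z:.1f} vs peer baseline {mu:.0f}+-{sigma:.1f}")
    return f


if __name__ == "__main__":
    peers = dynamic_peer_groups(ENTITLEMENTS, HISTORY)
    for txn in [("bob", "crm:east", 44), ("bob", "crm:east", 900),
                ("bob", "crm:west", 5), ("alice", "crm:west", 30)]:
        print(score_transaction(*txn, ENTITLEMENTS, HISTORY, peers))
```

Run as-is, the normal transaction scores 0, a 900-record pull by the same user on the same resource scores 90 on volume, a CRM region bob is not entitled to scores 100, and alice's use of a CRM entitlement she still holds but that no one in her HR peer group touches scores 60. The last case is the one a static-group comparison misses: the directory says the access is fine.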

Add a self-audit for one more security measure

Behavioral anomalies that survive the filtering outlined above are strong candidates for genuine insider activity, though each still needs an analyst to confirm it. They should set off alerts that prompt investigation. This, in its own right, constitutes a solid insider threat detection program. But there is one more safeguard that provides the cherry on top: a user self-audit.

Much like a credit card statement shows every transaction in a period, individual users can be shown their own risk-ranked anomalous activities, identities, access rights, devices and other key data points via a web portal. A user who reviews his own activity can confirm or dispute an anomaly far faster and with richer context than IT can, and the anomalies users flag themselves are rarely false positives. This works best for the negligent and compromised-credential cases: a malicious insider will naturally vouch for his own activity, so the self-audit supplements analyst review rather than replacing it. What's more, making visible which data sources are monitored and analyzed against dynamic peer groups also acts as a deterrent against insider threats.

Detection of insider threats requires a completely different approach and set of tools from detecting threats coming from the outside. A combination of user behavior analysis and identity attributes and privileges can surface truly anomalous activity that is well out of the realm of normal behavior, thus setting off alerts prompting response and mitigation. 
