Most conversations about IT security — and investments in IT security — tend to focus on external forces trying to infiltrate a network at the perimeter, steal sensitive data and sell it to the highest bidder. However, many experts agree that insider threats represent a significant security risk to organizations.
An insider threat is typically associated with malicious users. For example, a disgruntled or departing employee might use their network credentials to access data and hand it over to a competitor or new employer.
But it’s not just malicious users. Insider threats often come from people who inadvertently compromise data, whether it involves falling for an email phishing scam, sending files to the wrong address, or saving files where they shouldn’t be saved. Credential theft can also be classified as an insider threat. Many attackers would rather try to compromise legitimate users than penetrate perimeter defenses, which are typically more robust than security inside the network.
Costs and Risks
According to the Ponemon Institute’s 2020 Cost of Insider Threats report, 14 percent of reported incidents were caused by outsiders using stolen credentials, while 62 percent were caused by employee or contractor negligence, and 23 percent by malicious users. In all three categories, the incident involved someone using legitimate credentials to access systems and resources inside the network.
That’s why insider threats are particularly dangerous and costly to remediate. Malicious activity is difficult to distinguish from harmless activity when it comes from inside. Users often know how to cover up malicious activity, or they can just say they made a mistake. As a result, a breach caused by an insider threat can go undetected for years. The longer it takes to find the problem, the more damage can be done, and the more expensive it is to fix.
The Ponemon study found that credential theft incidents are the most costly — $871,686 on average. However, attacks by malicious insiders are a close second, at $755,760 per incident. Even incidents involving insider negligence cost $307,111 on average.
How Behavior Analytics Works
One way for organizations to detect suspicious insider activity is by deploying behavioral analytics. Behavioral analytics examines system and user behavior, establishes a baseline of normal activity, and applies analytics algorithms to detect deviations in behavior that could signal a problem.
For example, if a hacker steals a user’s credentials but doesn’t act like the user, behavioral analytics will likely recognize this. Alerts are then displayed on a management dashboard so that administrators can investigate. Some behavioral analytics solutions automatically respond to certain types of activity to mitigate risk.
Behavioral analytics solutions should be able to monitor users, devices and applications whether in or out of the office. When suspicious user activity is detected, granular policy controls can be applied, such as activating multifactor authentication, recording user sessions, blocking suspicious applications or quarantining users.
Best-in-class tools use machine learning and artificial intelligence (AI) to detect unusual activity related to network, application and data usage in real time. Over time, as machine learning and AI algorithms learn user behaviors and usage patterns, they become even better at identifying abnormal activity.
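To make the baseline-and-deviation idea from the preceding paragraphs concrete, here is an added example that is not part of the original article and not any vendor's product code. It builds a per-user baseline (usual working hours, usual hosts, mean and standard deviation of data volume) from a constructed window of normal events, scores new events by how many features deviate, and maps the score to the graduated responses the article mentions (step-up MFA, session recording, quarantine). The event fields, thresholds and action names are assumptions chosen for the illustration.

```python
"""Minimal behavioral-analytics baseline: per-user profile + deviation scoring.

Added illustration only. Event schema, thresholds and policy names are assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: two weeks of ordinary activity for one account.
BASELINE_EVENTS = [
    {"user": "alice", "hour": h, "bytes_out": b, "host": "wks-alice"}
    for h, b in [(9, 12_000), (10, 15_000), (11, 9_000), (14, 20_000), (15, 11_000),
                 (9, 14_000), (13, 18_000), (16, 10_000), (10, 13_000), (15, 17_000)]
]


def build_baseline(events):
    """Learn, per user, the hours and hosts seen plus volume mean/std."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        volumes = [e["bytes_out"] for e in evs]
        baseline[user] = {
            "hours": {e["hour"] for e in evs},
            "hosts": {e["host"] for e in evs},
            "mean": mean(volumes),
            # Guard against a zero std when every sample is identical.
            "std": pstdev(volumes) or 1.0,
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return the list of deviating features; an empty list means 'normal'."""
    profile = baseline.get(event["user"])
    if profile is None:
        # No history at all: treat as a deviation rather than silently allowing.
        return ["unknown_user"]
    deviations = []
    if event["hour"] not in profile["hours"]:
        deviations.append("unusual_hour")
    if event["host"] not in profile["hosts"]:
        deviations.append("new_host")
    z = (event["bytes_out"] - profile["mean"]) / profile["std"]
    if z > z_threshold:
        deviations.append("volume_spike")
    return deviations


def policy_action(deviations):
    """Graduated response: more deviating features -> stronger control (assumed mapping)."""
    n = len(deviations)
    if n == 0:
        return "allow"
    if n == 1:
        return "require_mfa"
    if n == 2:
        return "record_session"
    return "quarantine_user"


def evaluate(events, baseline):
    """Score a batch of events and return (event, deviations, action) triples."""
    return [(e, d, policy_action(d)) for e in events for d in [score_event(e, baseline)]]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    # Constructed test events: normal, a daytime volume spike, and a credential-theft
    # style session (3 a.m., unfamiliar host, large outbound volume).
    new_events = [
        {"user": "alice", "hour": 10, "bytes_out": 14_000, "host": "wks-alice"},
        {"user": "alice", "hour": 11, "bytes_out": 30_000, "host": "wks-alice"},
        {"user": "alice", "hour": 3, "bytes_out": 60_000, "host": "vpn-unknown"},
        {"user": "mallory", "hour": 12, "bytes_out": 5_000, "host": "wks-alice"},
    ]
    for event, devs, action in evaluate(new_events, base):
        print(f"{event['user']:8} hour={event['hour']:2} -> {devs or 'normal'} => {action}")
```

The point of the design is that no single feature decides the outcome: a legitimate user working late trips one check and gets step-up MFA, while a session that is simultaneously off-hours, from an unseen host and exfiltrating far more than usual accumulates enough deviations to be quarantined. A production system would replace the fixed sets and z-score with learned distributions, but the baseline, scoring and policy separation is the same.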
Organizations need to recognize that perimeter security is not enough. Behavioral analytics can intelligently protect your network from insider threats, accelerate detection and dramatically reduce risk.