May 31, 2022
Insider threats represent a complex challenge for cybersecurity professionals – but not an insurmountable one.
While large-scale external threats like ransomware often make headlines, insider threats command relatively little media attention. Many simply go unnoticed, sometimes for years.
According to AT&T’s Insider Threat Spotlight Report released in May 2022, 56% of security professionals report insider threats becoming more frequent over the prior 12 months. Almost three-fourths of organizations reported feeling vulnerable to insider threats, yet less than half put robust controls in place to prevent these types of attacks.
There’s a good reason why malicious insiders don’t attract much media attention. From a traditional security operations perspective, they’re practically invisible.
How do you catch someone who is supposed to be where they are?
While certainly challenging, it’s not impossible. Mitigating insider threat risk requires equipping highly-qualified security experts with purpose-built technologies they can rely on.
Know What to Look For: Qualifying the Malicious Insider
When information security professionals talk about “malicious insiders”, they typically focus on a handful of stereotypical images. You might imagine disgruntled employees deleting database files as an act of revenge, or corporate spies sent by competitors to steal trade secrets.
These things do happen, but they don’t represent the majority of insider threat scenarios. In many cases, the threat comes from simple, preventable acts of employee fraud.
Employees who overreport hours, give secret discounts to friends, or embezzle company funds rarely think of themselves as “malicious”. In fact, criminologists who study company fraud have long noticed that these employees often think their actions are justifiable.
Those losses can add up. One of the reasons why ransomware attacks attract so much attention is because threat actors demand huge payments in one lump sum. Employee theft and fraud cost US companies $50 billion per year, but those losses are less noticeable because they’re spread out.
That same fact also explains why insider threats are so challenging to detect. Stealing one dollar from a million different transactions is much less noticeable than stealing $1 million all at once. This is especially true when organizations entrust their employees with the credentials and authentication necessary to pull it off.
User & Entity Behavior Analytics (UEBA) Technology is Designed to Catch Insider Threats
One of the major drawbacks of SIEM 1.0 technology is that it focuses almost entirely on external threats.
Early SIEM platforms routinely failed to detect malicious insider activity because they treat insiders as authorized users. They had no way to gain a “big picture” understanding of user activities with respect to the organization.
Modern SIEM platforms enhanced with User & Entity Behavior Analytics technology work differently. Platforms like Exabeam create a baseline for routine user behaviors and compare real-world activities against that baseline. Every suspicious action an authorized user takes increases their threat score. Once that score hits a certain threshold, it triggers an alert, prompting a security analyst to investigate.
This Big Data approach gives executives unprecedented visibility into where their organizations are leaking profits. It empowers them to prevent fraud and loss in a proactive way.
Exabeam’s UEBA platform was instrumental for United Airlines’ loss prevention strategy. As a founding member of the world’s largest airline alliance, the company’s success hinges on its ability to report smuggling activities and prevent privilege abuse. Upon implementing Exabeam into its security framework, United Airlines discovered a group of 35 employees giving family flight travel privileges to non-family members – often for personal profit.
Let Castra Help You Mitigate Malicious Insider Risk
These types of threats don’t attract the kind of media attention that Russia-linked cybercrime groups currently enjoy. But by focusing so much of its attention on those threats, the greater cybersecurity community might be letting more challenging and persistent threats go unnoticed.
Detecting and mitigating those threats requires a UEBA-enabled security information and event management platform, operated by highly experienced analysts. Castra is a managed detection and response vendor that specializes in using best-in-class SIEM technologies like Exabeam and USM Anywhere to catch and prevent malicious insiders in complex enterprise environments.
Learn how Castra can enhance your security posture. Schedule a meeting with us, today!