When the challenge of battling insider threats arises, it's tempting to reduce the process to little more than identifying the rogue employee(s), then reviewing and refining permissions, controls, and authorizations to prevent a recurrence. Depending on the industry, some public apologies may need to be made and some regulatory fines may need to be paid.
The good news and the bad news with insider threats? The good news is most insider threats derive from negligence, not malicious intent, as Katie Burnell, global insider threat specialist at security vendor Dtex Systems, explained in a November Dark Reading webinar about the insider threat. The bad news, she said, is the frequency of negligence is already ahead of where it was in 2018.
Compounding the problem is the fact there are more networks, more devices, and, of course, more data to monitor and secure. Organizations understand they can't equally secure it all. One approach has been to prioritize the monitoring of those users with the highest privileges, perhaps aided by the use of privileged access management (PAM) tools.
Our list of insider threats identifies the "who," but what about the "how" of detection? Log files and SIEM data may offer some forensic footprints to see who accessed which servers, databases, and individual files. But the volumes of monitoring data are too great to do this for all users, security experts agree. This has opened the door to user and entity behavior analytics (UEBA), which flags anomalous behavior by user. Some security vendors are starting to push the idea of "identity as a perimeter," according to ESG analyst Doug Cahill, rather than using the more traditional physical perimeter of the network. "So you monitor who has access and whether they do anything anomalous," Cahill explains.
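To make the UEBA idea concrete, here is an added illustration (not code from Dark Reading, Dtex, or any vendor quoted above): a per-user baseline is built from a training window of access-log lines, and each new event is scored against that user's own history. The log format, the two tolerance constants, and the sample lines for "alice", "bob" and "carol" are all constructed for this example. It flags four of the signals a practitioner looks for: a host or resource the user has never touched, access outside the user's normal working hours, a spike in daily volume, and a user with no history at all.

```python
"""UEBA-style per-user baseline and anomaly scoring over constructed access logs.
Added illustration; the log format and thresholds are assumptions, not a vendor's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data): "<ISO timestamp> <user> <host> <action> <resource>".
# Training window: three ordinary working days for alice (finance) and bob (engineering).
BASELINE_LOGS = """\
2019-11-04T09:12:03 alice fileserver01 READ /finance/q3-report.xlsx
2019-11-04T10:40:17 alice fileserver01 READ /finance/budget.xlsx
2019-11-05T09:05:41 alice fileserver01 READ /finance/q3-report.xlsx
2019-11-05T14:22:09 alice db-finance SELECT invoices
2019-11-06T11:30:55 alice fileserver01 READ /finance/budget.xlsx
2019-11-04T08:50:12 bob build01 READ /src/app/main.go
2019-11-05T09:10:33 bob build01 READ /src/app/main.go
2019-11-06T17:45:00 bob build01 WRITE /src/app/main.go
"""

# Day under review: alice reads HR files from a new host late at night; carol has no history.
NEW_LOGS = """\
2019-11-07T09:30:00 alice fileserver01 READ /finance/budget.xlsx
2019-11-07T23:41:12 alice fileserver01 READ /finance/q3-report.xlsx
2019-11-07T23:42:30 alice hr-server READ /hr/salaries.xlsx
2019-11-07T23:43:01 alice hr-server READ /hr/payroll.csv
2019-11-07T23:43:40 alice hr-server READ /hr/benefits.xlsx
2019-11-07T10:00:00 bob build01 READ /src/app/main.go
2019-11-07T10:05:00 carol fileserver01 READ /finance/budget.xlsx
"""

HOUR_SLACK = 1        # assumed tolerance (hours) around the observed working window
VOLUME_FACTOR = 2.0   # assumed multiple of a user's peak daily count that triggers an alert


def parse(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "resource": resource})
    return events


def build_baseline(events):
    """Profile each user from the training window: hosts and resources touched,
    the hour-of-day window they work in, and their busiest day's event count."""
    raw = defaultdict(lambda: {"hosts": set(), "resources": set(),
                               "hours": [], "per_day": defaultdict(int)})
    for e in events:
        p = raw[e["user"]]
        p["hosts"].add(e["host"])
        p["resources"].add(e["resource"])
        p["hours"].append(e["ts"].hour)
        p["per_day"][e["ts"].date()] += 1
    return {user: {"hosts": p["hosts"], "resources": p["resources"],
                   "hour_min": min(p["hours"]), "hour_max": max(p["hours"]),
                   "peak_per_day": max(p["per_day"].values())}
            for user, p in raw.items()}


def score_events(events, baseline):
    """Return one alert per anomalous event, in input order, listing every reason it fired."""
    alerts = []
    seen_today = defaultdict(int)
    for e in events:
        reasons = []
        p = baseline.get(e["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            hour = e["ts"].hour
            if e["host"] not in p["hosts"]:
                reasons.append(f"new host {e['host']}")
            if e["resource"] not in p["resources"]:
                reasons.append(f"new resource {e['resource']}")
            if not (p["hour_min"] - HOUR_SLACK <= hour <= p["hour_max"] + HOUR_SLACK):
                reasons.append(f"off-hours access at {hour:02d}:00")
            key = (e["user"], e["ts"].date())
            seen_today[key] += 1
            if seen_today[key] > VOLUME_FACTOR * p["peak_per_day"]:
                reasons.append(f"volume spike ({seen_today[key]} events today, "
                               f"baseline peak {p['peak_per_day']})")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(), "reasons": reasons})
    return alerts


def run_example():
    """Score the review-day logs against the training-window baseline."""
    return score_events(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

Run as a script it prints five alerts: alice's four late-night events (the first only for the hour, the later three also for the new host and HR files, and the fifth for volume as well) and carol's single event, which has no baseline to compare against. bob's 10:00 read is not flagged because it falls inside his observed window. The caveat a practitioner would add is that a baseline built from three days is far too thin for production; real deployments train over weeks, compare each user against a peer group as well as their own history, and tune the tolerances so that a shifted meeting does not page the SOC, which is exactly the noise problem that pushes vendors toward the machine-learning approaches discussed next.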
Vendors are also talking about adding artificial intelligence and machine learning to the security equation. While those implementations remain rather basic, you don't need an algorithm to see this is where security management is headed. Detecting and stopping malicious insiders will need this extra oomph, which automates tasks otherwise left to humans.
Do you have any experience with the kinds of malicious insiders tagged here?