Fighting Insider Fraud - Why You Need a Behavior-Based Cybersecurity Strategy

Insider threats are a growing concern for all organizations and are becoming increasingly difficult to manage with traditional security technologies. What makes insider threats different from other types of security threats is the fact that some of them are deliberate attacks by malicious insiders.

“The greatest threat to American corporate security is no longer hackers attacking from outside the network firewall. It is the insider who is already behind the firewall and has access to all information.”

-The Future of Insider Threats,
By Robert N. Rose, Forbes.com

Insiders also include contractors, vendors, customers, etc. These parties are often given access to parts of the network, but most of the time they are not effectively managed by security teams.

Add to this the growing number of unmanaged mobile and personal devices connecting to common corporate networks.

Taken together, these risks show why you need a comprehensive cybersecurity strategy that addresses insider threats.

Considerations from the statistics

  • According to a 2018 study by the Ponemon Institute, 59% of respondents admitted their organization had experienced a data breach by a third party, such as a vendor. Additionally, 42% of respondents said they had experienced an insider security breach in the last 12 months.
  • According to a 2018 study by Verizon, insiders were responsible for 58% of data breaches in the healthcare industry. This is due to both the negligent and malicious actions of insiders.
  • Based on over 700 cases in CERT's insider fraud database, 59% of departing employees are expected to take personal information home with them.

Missing an insider threat can have serious repercussions. A 2018 study by the Ponemon Institute found that the average annual cost of incidents involving insiders is US$8.76 million. It also takes an average of 52 days to resolve each insider fraud incident.

The risks of using traditional insider threat security strategies

Traditional security practices, such as traditional SIEMs, typically involve analysts manually examining log files from multiple sources to try to make sense of the data as a whole. This typically requires a lot of copy-pasting from multiple files to put together an investigative journal, and the chances of finding and mitigating true security incidents are slim.

Many barriers can stand in the way of identifying and mitigating threats, including:

  • Getting the data you need: Without access to the right data, you have little chance of success. Do you have full access to all the data you need to effectively identify insider threats?
  • Making sense of large amounts of data across various systems and physical locations: Many systems and services are networked and are potential targets. Can you understand each log?
  • Identifying the insider: Do you have tools at your disposal to identify insiders and distinguish their potential or actual threats from others? Can you identify the user's department, location, peer group, manager, and other important information?
  • Pinpointing critical assets: Which assets are most likely to be targeted by attackers? Is the asset safe, or has it already been compromised without your knowledge? Has the insider already exfiltrated the data?
  • Recognizing normal behavior: Without reliable context for good and bad behavior, what would normal behavior look like? Can you identify normal behavior by looking at the log data? For example, did you allow critical assets to be accessed over a VPN connection from China?
  • Covering a large attack surface: How many employees, vendors, customers, contractors, and other parties have legitimate credentials to access your network? How many of them still know how to access their accounts and assets after leaving the organization?
  • Training and awareness: Do analysts have the right experience to be effective with modern insider threat identification and mitigation solutions?

Security teams faced with large amounts of log data

Security teams are also tasked with monitoring log data originating from numerous sources, including:

  • VPN connections into the local network from remote offices, users' homes, and on the go
  • Cloud apps managed by entities outside of your direct control
  • A document management system containing confidential company information
  • Distributed printers, which can be involved in electronic breaches or in physical breaches such as printing information out
  • Cell phones, tablets, and other unmanaged personal devices that connect to wireless access points and corporate resources
  • Employees who receive and reply to personal emails, access social media, and otherwise use the network for personal purposes

Conventional internal fraud countermeasure program

Additionally, traditional security approaches such as correlation rules cannot automate threat detection. They only detect known threats for which rules have already been written, while the risks that actually need to be detected are often unknown variants.

In addition, conventional security solutions tend to be reactive, dealing with a threat only after a breach has occurred. With so much sensitive data able to leave an organization, it takes an average of 52 days for an organization to resolve an incident involving a malicious insider.

A smart approach to managing insider fraud

Expecting analysts to painstakingly manage insider fraud is not a reasonable solution. A smart approach addresses the weaknesses of traditional SIEM solutions.

  • Collect all your log data: With a smart SIEM, you can ingest all the log data you need without being charged by volume. All important data is available to analysts, so they don't have to pick and choose which logs they presume contain the right clues.
  • Automated, continuous behavioral modeling: The best way to identify abnormal behavior is to first understand what constitutes normal behavior. UEBA (User and Entity Behavior Analytics) automatically creates a baseline of normal behavior and continuously models ongoing behavior against it.
  • Create a smart session timeline: Uncovering anomalous behavior requires answering the Who, What, When, Where, and Why. Having a pre-built timeline with contextual information added for every user session gives you this kind of insight.
  • Effortless threat hunting: Detecting anomalous behavior requires a comprehensive, well-designed interface that enables even inexperienced analysts to identify ongoing insider threats. Ideally, you should be able to search the session timeline to reveal threat clues.
  • Automated response: A complete solution assigns risk scores to actions and triggers responses based on total risk. Depending on the degree of integration within your IT environment, responses can range from simply flagging users and machines to running automated playbooks that mitigate events without human intervention.

The Importance of Understanding User Behavior

User behavior often provides important warnings that let administrators mitigate and prevent security threats. To manage behavior-based insider threats, you need to define a baseline of normal behavior for each user. Figure 1 shows potential insider fraud, identified by a rising risk score that results from judging behavior as abnormal relative to that normal baseline.

Figure 1: Potentially malicious activity and a user card showing the trend of a rising risk score

Looking at the timeline, we can see whether there are any other indications of insider fraud. In general, one symptom is accompanied by other associated events; it is not a single event but the whole chain of associated events that leads to a threat. Analysts can therefore track all security incidents on one timeline.
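As an added illustration of the approach described above (a per-user baseline of normal behavior, per-event risk points that add up to a session risk score, and a session timeline an analyst can read top to bottom), the following Python script is example code written for this page; it is not Exabeam's product logic and not code from the original article. The log format, the weights in `WEIGHTS`, the three-times-average rule for "large transfer", and the sample users `alice` and `mallory` are all constructed assumptions. It also handles the edge case of a user with no baseline at all, who simply gets a fixed "no baseline" score rather than being silently ignored.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the page or from any vendor):
# "<timestamp> <user> <source country> <asset> <action> <bytes>"
# HISTORY is the learning period used to build the baseline.
HISTORY = [
    "2020-06-01T09:12:00 alice JP fileshare read 1200",
    "2020-06-01T10:40:00 alice JP crm read 800",
    "2020-06-02T09:05:00 alice JP fileshare read 1500",
    "2020-06-02T16:30:00 alice JP crm update 600",
    "2020-06-03T11:20:00 alice JP fileshare read 1300",
    "2020-06-03T15:10:00 alice JP crm read 700",
]
# SESSION is a later session to be scored against that baseline.
SESSION = [
    "2020-06-10T09:30:00 alice JP crm read 900",
    "2020-06-10T23:45:00 alice CN fileshare read 1100",
    "2020-06-10T23:50:00 alice CN hr-db read 1000",
    "2020-06-10T23:58:00 alice CN fileshare download 250000",
]

# Risk points per deviation from the baseline. Illustrative assumptions only.
WEIGHTS = {
    "new_country": 40,     # login from a country never seen for this user
    "off_hours": 20,       # activity outside the user's usual working hours
    "new_asset": 15,       # access to an asset the user has never touched
    "large_transfer": 25,  # bytes moved far above the user's average
    "no_baseline": 30,     # user has no history at all, so nothing is "normal"
}


def parse(line):
    """Split one log line into a dict with a datetime and an int byte count."""
    ts, user, country, asset, action, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "asset": asset, "action": action, "nbytes": int(nbytes)}


def build_baseline(lines):
    """Per-user profile of normal behavior: hours, countries, assets, mean bytes."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(),
                                    "assets": set(), "bytes": []})
    for ev in map(parse, lines):
        p = profiles[ev["user"]]
        p["hours"].add(ev["ts"].hour)
        p["countries"].add(ev["country"])
        p["assets"].add(ev["asset"])
        p["bytes"].append(ev["nbytes"])
    return {u: {**p, "bytes_avg": sum(p["bytes"]) / len(p["bytes"])}
            for u, p in profiles.items()}


def score_event(profile, ev):
    """Return (points, reasons) for one event relative to the user's profile."""
    if profile is None:
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if ev["country"] not in profile["countries"]:
        reasons.append("new_country")
    # "Usual hours" = any hour within one hour of an hour seen in the baseline.
    if not any(abs(ev["ts"].hour - h) <= 1 for h in profile["hours"]):
        reasons.append("off_hours")
    if ev["asset"] not in profile["assets"]:
        reasons.append("new_asset")
    if ev["nbytes"] > 3 * profile["bytes_avg"]:
        reasons.append("large_transfer")
    return sum(WEIGHTS[r] for r in reasons), reasons


def score_session(baseline, lines):
    """Score every event and build the session timeline plus the total risk."""
    timeline, total = [], 0
    for ev in map(parse, lines):
        pts, reasons = score_event(baseline.get(ev["user"]), ev)
        total += pts
        timeline.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                         "asset": ev["asset"], "action": ev["action"],
                         "score": pts, "reasons": reasons})
    return {"total": total, "timeline": timeline}


def verdict(total, escalate=100, watch=40):
    """Map a session's total risk to a triage decision (thresholds assumed)."""
    if total >= escalate:
        return "escalate"
    if total >= watch:
        return "watch"
    return "normal"


if __name__ == "__main__":
    result = score_session(build_baseline(HISTORY), SESSION)
    for row in result["timeline"]:
        print(f'{row["ts"]} {row["user"]:7} {row["action"]:8} {row["asset"]:10} '
              f'+{row["score"]:<3} {", ".join(row["reasons"]) or "-"}')
    print("session risk:", result["total"], "->", verdict(result["total"]))
```

Read as a timeline, the first event scores nothing, and each later event adds points for the same underlying anomaly (a night-time login from a new country) plus whatever is new about that step, so the total grows with the chain of associated events rather than with any single one. A static correlation rule would have needed someone to write "deny fileshare downloads from CN after 23:00" in advance; the baseline flags it because it is unlike what this user normally does.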

Resha Chheda
Senior Principal Product Marketing Manager, Exabeam, Inc.

video on demand

Countermeasures against internal threats in the age of promoting remote work
~Risk visualization realized by Exabeam, a leading company in internal fraud countermeasure solutions~

With the outlook for work-style reform and COVID-19 still unclear, more and more companies are promoting remote work, and insider fraud countermeasures are attracting attention as a way to manage the risks posed by remote workers. This seminar presents case studies and demos using Exabeam, a leading company in insider fraud countermeasures.

