It’s commonly understood that the greatest risk to any organization
comes from the insider threat, no matter which industry or sector you work in.
comes from the insider threat, no matter which industry or sector you work in.
Insider threats come from, either unintentional or malicious activity of an individual who’s got authorized access.
THE INSIDER THREAT
Also, you need to know that, in the end, almost every external attack looks like an insider threat. The reason for that is quite simple, compromised
credentials are the most common threat action in data breaches (Verizon, Data Breach Investigation Report 2019).
credentials are the most common threat action in data breaches (Verizon, Data Breach Investigation Report 2019).
For hackers, it’s easier to steal an insider’s credentials and bypass traditional security controls than it is to break through the firewall. This underpins the value of identifying insider threats as early as possible.
SPOTTING INSIDER THREATS WITH USER LOGON ACTIVITY
Insider threats are pretty difficult to spot since the person logging in is using valid credentials. Simply logging all network activity is not enough to protect an organization from either malicious or careless activity. You have to look for leading indicators of improper, malicious, or careless employee behavior.
You can do so by watching for abnormal user activity – but it needs to be
activity that suggests a potential threat, and not necessarily activity that
suggests threat activity is in progress.
activity that suggests a potential threat, and not necessarily activity that
suggests threat activity is in progress.
As an example, you can watch for excessive copying of files, or surges in upload web traffic to spot a potential data breach, but the reality is that once these activities occur, it’s too late – the threat-action has taken
place.
place.
You need to:
1. Watch for abnormal activity that occurs well before threat actions are taken. The earlier detection occurs, the less damage the threat can do.
2. Create as few false positives as possible. If detection parameters are too broad, IT spend their time chasing ghosts and not stopping threats.
3. Don’t just detect the threat. Stop the threat - well before any malicious action takes place.
To do this, you need to focus your efforts on the one part of the attack that can’t be bypassed – the logon.
2. Create as few false positives as possible. If detection parameters are too broad, IT spend their time chasing ghosts and not stopping threats.
3. Don’t just detect the threat. Stop the threat - well before any malicious action takes place.
To do this, you need to focus your efforts on the one part of the attack that can’t be bypassed – the logon.
NOT ONLY PRIVILEGED USERS
You need to watch anyone with access to valuable data – not just privileged users. And when we say anyone, we don’t just mean employees. You need to think about the extended enterprise today of partners, contractors, supply chains... anyone who has access to your network.
Our independent research highlighted six common insider threat personas.
PREVENTING INSIDER THREATS WITH LOGON SECURITY
There is one activity that’s common to every insider threat and that’s the logon, which is why that’s where we need to focus. Whether we talk about endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, or more, they all require a logon.
For many employees, the only security protecting access is a password, and once the hacker has it they can easily bypass most security controls.
The goal with logon security is to make the logon itself a scrutinized and protected event and offer effective protection against the insider threat.
A logon security solution is there to detect an abnormal access attempt based on the customized logon policies that are set for that particular user. It will either deny or approve the logon and alert IT if stipulated.
This will thwart the following potential insider threat scenarios:
- Exploited users (from phishing attacks or malicious colleagues): it will protect them with controls that will make genuine but compromised credentials useless to attackers.
- Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers.
- Malicious activities: this will allow to identify and attribute access to any data/resource to one individual user which will discourage an insider from acting maliciously.
Even better, employees should be notified with alerts on their own trusted
access. Informed employees are an important line of defense.
- Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers.
- Malicious activities: this will allow to identify and attribute access to any data/resource to one individual user which will discourage an insider from acting maliciously.
Even better, employees should be notified with alerts on their own trusted
access. Informed employees are an important line of defense.
The insider threat is real and it’s here. Today. On your network already. They are the employees you work with every day. A broken-up relationship, a passed up promotion, or personal hardship and they become your security’s worst enemy.
So, having a proactive and cost-effective solution, such as our very own - UserLock, to address insider threats is as important as your endpoint protection, firewalls, and email gateway.