Article by Jeannie Warner, Exabeam
Insider threats are an ever-present danger to organisations, manifesting in nightmares such as data breaches and intellectual property theft. Detection of these threats can be particularly challenging.
This article will lay out real-world examples of insider threats and discuss the detection points that can be utilised to identify them. By understanding the common activities associated with insider threats and leveraging data feeds and data science for their evaluation, organisations can significantly enhance their security posture.
The role of modern SIEM solutions in detecting insider threats
Advanced security information and event management (SIEM) solutions play a crucial role in detecting and mitigating insider threats. These solutions have evolved beyond simple log management and correlation, incorporating advanced features to detect anomalies in user behaviour, prioritise alerts, and automate incident response.
Here are four ways modern SIEM systems detect insider threats:
- User and entity behaviour analytics (UEBA) — UEBA capabilities within SIEM solutions use machine learning (ML) algorithms to establish baselines of normal user behaviour and detect deviations from these baselines. This helps identify potentially malicious activities, such as unauthorised access, unusual data transfers, or other signs of insider threats.
- Advanced correlation and prioritisation — Modern SIEM solutions can correlate events across multiple data sources, enabling security teams to detect complex attack patterns that might otherwise go unnoticed. Additionally, these solutions can prioritise alerts based on factors such as the severity of the threat, the sensitivity of the affected assets, and the potential impact on the organisation.
- Automated incident response — By integrating with other security tools, security intelligence, and IT systems, advanced SIEM solutions can automate various aspects of the incident response process, such as gathering evidence, performing threat analysis, and executing remediation actions. This helps security teams respond more quickly to insider threats and reduces the potential damage.
- Centralized visibility and reporting — Advanced SIEM solutions provide a central platform for monitoring and analysing security events across the organisation, offering a comprehensive view of the threat plane. This visibility helps security teams identify trends, spot potential weaknesses in their defences, and make informed decisions about resource allocation and risk mitigation.
9 real-world examples of insider threats
- Sales manager stealing customer information — A sales manager with access to the organisation’s customer database exports sensitive data, such as contact information, purchasing history, and preferences. They may use this information for personal gain or sell it to competitors, potentially damaging the organisation’s reputation and customer relationships.
- Engineer copying product plans for competing startup — An engineer working on a critical project secretly copies proprietary designs, blueprints, or source code to share with a rival company or use in their own startup. This can lead to the loss of competitive advantage and potential legal issues related to intellectual property theft.
- IT manager illegally trading on insider information — An IT manager with access to confidential financial data or upcoming business announcements uses this information to make trades on the stock market, profiting from non-public information. Such actions can lead to regulatory investigations, legal penalties, and reputational damage.
- Scientist selling confidential documents to a foreign country — A scientist working on cutting-edge research sells sensitive documents, such as research findings or experimental data, to a foreign government or organisation. This can undermine national security, compromise the organisation’s competitive advantage, and result in legal ramifications.
- Intelligence agency contractor leaking data to the press — A contractor working for an intelligence agency leaks classified information to the press, potentially compromising ongoing operations, national security, and the agency’s credibility.
- Data analyst’s stolen hard drive with personal information —A data analyst’s personal laptop or hard drive, containing sensitive employee or customer data, is stolen or misplaced. This can lead to data breaches, identity theft, and regulatory penalties for failing to protect sensitive information.
- Employee falling victim to spear phishing attack — An employee is tricked into revealing their login credentials or other sensitive information through a targeted phishing attack. This can give cybercriminals access to the organisation’s network, allowing them to steal data or launch further attacks from within.
- Customer support employee selling credentials to hacker group — A customer support employee, motivated by financial gain or a grudge against the organisation, sells their login credentials or access to sensitive systems to a hacker group. This can result in data breaches, financial loss, and damage to the organisation’s reputation.
- Engineering intern leaving default password vulnerable to supply chain attack — An intern working on a development project accidentally leaves a default password in place, making a critical system vulnerable to unauthorised access. This can lead to supply chain attacks, where cybercriminals infiltrate the organisation through trusted partners or suppliers.
9 detection points for identifying insider threat activities
- Endpoints — Monitor user activity on laptops, desktops, and mobile devices to identify suspicious behaviour, such as unauthorised access or data exfiltration.
- File servers —Track file access, creation, modification, and deletion on file servers to detect attempts to steal or tamper with sensitive data.
- Identity management systems — Monitor user account creation, modification, and deletion, as well as password changes and failed login attempts, to identify potential insider threats.
- Database servers — Keep track of database access, queries, and transactions to detect unauthorised access or attempts to exfiltrate sensitive information.
- Badge readers — Monitor physical access to restricted areas using badge readers, looking for unauthorised entry or unusual access patterns.
- Printers — Track printing activity, especially of sensitive documents, to detect potential data exfiltration attempts.
- Development systems — Monitor code repositories, build systems, and testing environments for unauthorised access, code changes or unexpected duplication/deletion, or data leaks.
- Cloud-based activities — Monitor user activity within cloud-based applications and services to identify potential insider threats or data breaches.
- USB thumb drive access — Track the use of removable storage devices, such as USB thumb drives, to detect data exfiltration attempts or the introduction of malware.
Applying data science to insider threat evaluation
By analysing vast amounts of data and utilising advanced analytics capabilities, organisations can gain valuable insights into user behaviour, identify suspicious activities, and detect potential threats. Here are some key data science methodologies that can be applied to the evaluation of insider threats:
- Behavioural baselining and anomaly detection — Use ML algorithms to establish a baseline of normal credential and device behaviour based on historical data, and flag deviations from the baseline as potential indicators of insider threats. This can help identify previously unknown attack patterns or suspicious activities that deviate from established norms.
- Peer group analysis — Compare the activities of individual users with those of their peers or organisational unit (OU), identifying outliers or unusual behaviour that may signal malicious intent or negligence.
- Privileged account analysis — Analyse the activities of users with privileged access, such as system administrators or executives, to detect potential abuse of power or unauthorised access to sensitive resources.
- Shared account analysis — Monitor the usage of shared accounts, which can be a weak point in security and provide an opportunity for insiders to hide their activities. Look for unusual patterns of access, such as multiple concurrent logins or attempts to access sensitive resources outside of normal working hours.
Conclusion
By understanding the common activities associated with insider threats and using various data feeds and data science techniques for evaluation, organisations can significantly improve their ability to detect and respond to insider threats. Implementing a modern SIEM solution with robust features, such as behavioural baselining, peer group analysis, and privileged account analysis, can provide invaluable insights into the activities within an organisation, enabling effective insider threat detection, investigation and response (TDIR).