By Shareth Ben, Insider Threat SME at Securonix
In the first part of this series, we discussed how insider threats can be mitigated by a well-thought-out insider threat program that includes people, processes, and technology. This article dives deeper into the technology part of that equation. We’ll discuss what to look for in technology tools to best combat insider threats, where to start once you have those tools, and how to put the people and processes together with technology in order to achieve the best outcome.
What type of technology is required?
The ideal technology platform for insider threat combines technical and non-technical indicators of insider risk in order to compute a risk score that can be used to prioritize alerts for escalation and triage.
The following functionalities are critical factors to look for in an insider threat detection and management technology.
The tool should have the ability to ingest a variety of technical and non-technical indicators of user activity. This is typically done using connectors and collectors of various types depending on the target system.
Normalize, Aggregate, and Correlate
The tool should have the ability to normalize, aggregate, and summarize the user activity in preparation for data analysis and machine learning.
Insider Threat Specific Content
The tool should come with the necessary out-of-the-box content to meet your basic insider threat monitoring needs. It should also provide the ability to create custom content for industry-specific use case requirements. The detection mechanism should consist of standard rule-based violation triggers and user behavior-based anomaly detection. It is this combination that proves to be most effective against insider threats.
Once the nefarious behavior is detected, the tool should facilitate stitching or chaining individual events into one holistic threat. For example, a user who has been identified as a flight risk is identified as accessing and downloading an abnormal amount or type of data, followed by an attempt to exfiltrate that data.
Once the insider threat behavior has been detected using threat chains, these alerts need to be risk scored in order to prioritize the threats from the noise.
When it comes to insider threats, the situation is seldom black and white. The security analyst requires a tool that can provide the necessary context in order to be able to complete their investigation of the prioritized threats.
Incident Response Workflows
When a prioritized threat is deeded escalation worthy, the tool should facilitate the necessary escalation and triage workflow amongst the concerned parties.
Where to Start
While organizations can decide their own pace for onboarding data based on their insider threat monitoring goals, an iterative approach is highly recommended. We have seen several successful insider threat projects begin with a foundational layer and build incrementally over time to reach a better maturity state.
The following table proposes the types of data that organizations should consider ingesting based on their maturity.
Data Exfiltration Detection
|Windows authentication logs and security events|
Unix authentication logs (if applicable)
Single sign-on (SSO) logs
Critical database activity logs
Content sharing logs (Box, Dropbox, etc.)
SharePoint logs or similar
|Unix audit logs if applicable|
Endpoint detection and response (EDR) logs
AWS CloudTrail logs
|File integrity monitoring|
|Business-specific application authentication and activity logs|
Data sources that are identified as business-critical
What does an ideal program look like in terms of people, process, and technology?
Going back to the initial formula, let’s put the pieces together for an effective and practical insider threat program.
An insider threat working group (ITWG): Defines the risk appetite specific to the organization and drives consensus across key business units including HR, legal, compliance, IT security and lines of business.
An insider threat program (ITP): A core team that is ideally a mix of technical and non-technical staff members. These staff members are well versed with the data they are dealing with, understand the organization’s culture, and know-how to observe and differentiate between the different types of risks. Having someone with prior investigation experience is ideal but not a requirement.
Training and enablement: The ITP team should obtain adequate training and enablement to use the technology for insider threat detection.
Based on the risk appetite of the organization, and after identifying what they need to protect, the ITWG should create the policies and procedures required to manage the identified risks.
Clearly articulate and establish the escalation and triage processes. There are different levels of escalation from level 1 to level n depending on the size of the organization and staff capabilities. The key is to have a standard and repeatable process which allows for scalability.
Standard operating procedures are essential to make sure there is consistency in dealing with insider threats.
The technology should support both user behavior threat detection and rule-based threat detection.
It should be able to stitch together multiple alerts using threat chains, and rank alerts according to risk.
It should support automated playbooks and responses in order to reduce manual work which would be otherwise required. This can only be attained when a program reaches a state of maturity. Organizations should not attempt to do this until the foundational components are in place.
Beyond the ITP: Putting the right tools in place
Having a strong ITP is an essential step towards combating insider threats, but a strong team requires a strong tool to use for insider threat detection. The section above outlines the capabilities that an effective insider threat prevention technology should possess, but finding a tool with all of these capabilities may not be as straightforward.
Threat chains can be enabled both manually and in an automated manner. However, manual threat chaining is a tedious, cumbersome process and requires the manual correlation of massive amounts of data, which would require a significant effort and a large team. Automated threat chaining, coupled with an accurate risk scoring capability, is an essential requirement in order to more easily minimize insider threats.
If the technology can also respond to identified threats in an automated fashion, the value to the ITP is significantly increased, as an analyst can only handle a limited number of events. According to research, the typical security analyst suffers burnout within 1-3 years!
A capable SIEM tool, with automated threat identification, threat chaining, and remediation capabilities is essential for a successful ITP.
Insider threats are increasingly relevant for organizations today as attacks grow more sophisticated. Establishing an insider threat program (ITP) is an important step towards building an insider threat-resistant organization.
The key is to start small and grow the program footprint over time. Organizations should start with an assessment of what exactly they want to protect and identify the types of risks they want to mitigate before embarking on the implementation of the program itself. Then select the technology that flows best around the risk-tolerance and data priorities for your organization, with the ideal technology minimizing the manual work for analysts, so they can focus on dealing with identified incidents.
About the Author
Shareth Ben, Insider Threat SME at Securonix.Shareth is an information security professional with over a decade of program management experience, serving the security needs of Fortune 500 clients. Currently, he is focused on providing insider threat and cyber threat solutions by bringing synergies between people, process and technology to mitigate risks to enterprises. He is passionate about improving the security posture of organizations by providing thought leadership and best practices based on lessons learned in the field. Shareth has a Master’s degree in Information Systems and a Bachelor’s degree in Computer science.