September is Insider Threat Awareness Month, and in recognition, we’re running new articles that shed light on a different commonly-misunderstood aspect of insider threats. In our last article, we talked about why insider threats are a bigger problem than ever, and why the declaration of Insider Threat Awareness Month is a positive sign of shifting tides. Today, we’re going to dive further into the details of insider threat detection.
Previously, we broadly discussed the importance of visibility in insider threat detection. To summarize: insider threats are a growing problem in today’s world because the perimeter is disintegrating and users can interact with company data and technology in an immeasurable number of ways. This is why solely rule-based solutions and perimeter-focused tools are no longer as effective as they once were: there are simply too many ways for threats to slip through the cracks.
The only choice, then, is to eliminate the blind spots.
So, how do organizations do that? This is the question that thousands of security professionals are now trying to answer, especially when every security solution promises to offer the answers. Many are turning to the product category of User Activity Monitoring. In the case of federal organizations, policy even goes so far as to make UAM mandatory for some networks.
The general concept of user visibility is absolutely a start, but the answer is not as simple as deploying a standard monitoring tool and moving on.
Organizations need to understand the difference between a legacy UAM approach and a modern UAM approach – a difference that is rooted in information vs. intelligence.
Traditional UAM solutions are collecting large amounts of data. Many of them are providing detailed windows into everything a user does, including relying heavily on content data like screen captures or keylogging. Despite this, things still slip through the cracks.
That’s because these legacy UAM solutions are merely collecting information. Modern solutions need to go beyond that to collect intelligence.
Defining the Difference
The definition of information is simple: information is data, knowledge without the full scope of context, quantity without quality. All UAM solutions, modern and legacy, begin with information. The difference is that modern solutions take it a step further.
So where does ‘information’ become ‘intelligence’?
The concept of Security Intelligence dates back almost a decade. One early definition, from 2011, describes Security Intelligence as “the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”
As the security solution and threat landscape has evolved, the definition of Security Intelligence – or at least its core components – has largely stayed intact. A more recent definition of Security Intelligence (SI) describes it as the information relevant to protecting an organization from external and inside threats, as well as the processes, policies and tools designed to gather and analyze that information.
Therefore, intelligence provides more actionable insights, allows for more useful decision-making tools, and is the key to more strategic security approaches: “SI is a comprehensive approach that integrates multiple processes and practices designed to protect the organization.” (SOURCE)
Confusing solutions that simply collect information with those that provide actionable intelligence will result in alert fatigue, high rates of false positives and a frustration that little to no actionable insights are being produced to improve the existing security measures.
In short, information is structured data that has been processed and presented in such a way that it is meaningful to the reader/viewer. Achieving intelligence takes it a step further: intelligence is information that is collected (in real time) and processed/analyzed to produce relevant findings, or actionable insights, specific to the business and applied to bolster the security posture.
Building a true, modern UAM approach starts with generating intelligence, not just information.
Evaluating the Solutions
That leaves the biggest question: how, exactly, can organizations do this? If we refer back to the earlier definition(s), we can identify a handful of key components of ‘intelligence’: real-time, organization-wide data collection; analysis of that data; and highly relevant, actionable insights.
By evaluating tools against these three qualities, organizations can build an intelligence-focused, rather than simply information-focused, approach.
Real-time, organization-wide data collection
In order to be actionable and truly useful, a modern UAM approach needs to start with a functional dataset. Firstly, that means that the data must be collected from the whole enterprise, not just a “high-risk” subset of users. 100% of our User Threat Assessments find some form of undetected insider threat, and those threats come from anywhere and everywhere in the organization, not just pre-determined “risky” employees.
And beyond that, this data must be collected in real-time or as close to real-time as possible. In today’s landscape, your data collection needs to move as quickly as your users do. If there are situations where data collection or analysis is delayed, that delay can very easily be exploited by a malicious insider – and in general, will slow down your response time and critically hinder time to resolution.
The collector should also add, at most, negligible latency to endpoint operations.
Ask the solution
- What types of data are collected?
- What happens to user activity data when a user is off network or tethered to a mobile hotspot/public Wi-Fi?
- Is there a limit to the amount of collected user data stored locally on a device should there be no connection up to the server to transmit the data?
- What is the time between data being collected from an endpoint, and logic and analytics being applied in order to generate meaningful and actionable alerts?
Analysis of data
The methods and metrics used to process the data are paramount. Without expert analytics run on your data, the information produced will not amount to intelligence. A rich data set coupled with leading analytics provides a solid foundation for security intelligence.
Actionable insights are key to improving your security posture. Little or weak analysis of the data will lead to poor alerting and the inability to translate findings into actions for the business.
A tool that maps to industry standards and frameworks, such as the MITRE ATT&CK framework or the NIST framework, is an even bigger benefit.
Ask the solution
- Does the solution normalize behavior? Does it learn what is ‘normal’ for a user, and compare the user against colleagues in a similar role and against the rest of the company?
- What metric or measures does the solution use to decide what is ‘normal’ for a user?
- How easy is it to create additional rules and alert categories for specific custom use-cases?
Highly relevant and actionable insights
Alerting needs to strike a fine balance. You do not want a solution that leaves you with alert fatigue. Nor do you want a solution that produces alerts few and far between. What’s more, these alerts need to be relevant. If the tool gets it right, you’ll be receiving alerts that are rarely false positives and are directly applicable to your business use cases and areas of interest for security intelligence.
Alerts need to be clear, concise and contextual. An alert with a user name, risk score and no other context lacks any meaning and makes triaging difficult, if not impossible – resulting in much longer investigation times and delayed time to resolution.
A modern UAM solution needs to provide alerts that are actionable and informative, and those alerts need to trigger based on a system that allows for simple tuning and correction.
Ask the solution
- What’s the estimated number of alerts, per user, per day?
- Are risk scores cumulative for a user or are they all independent?
- How will the alerts help the business inform decisions about improvements/changes to security measures?
- Aside from alerts, what other metrics and reporting will the tool produce to provide insight into user behavior and user practices that may expose the business to information security risk?
- What format are the reports provided in? Can they be auto-exported to email daily/weekly?
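To make the “normalize behavior” and “cumulative risk score” questions above concrete, here is an added illustration (not code from the original post or from any vendor’s product) of peer-group baselining over constructed sample data: each user’s observation for today is scored against their own history, their role peers and the whole company, every alert carries the context a triager needs, and per-user scores accumulate in a ledger rather than standing alone.

```python
import statistics
from typing import Dict, List

# Constructed sample data (added example, not from the page): per-user daily
# counts of one metric, "files copied to removable media", over five days.
# The last value in each list is today's observation; earlier values are history.
ROLES = {"alice": "engineering", "bob": "engineering", "carol": "engineering",
         "dave": "finance", "erin": "finance"}
ACTIVITY: Dict[str, List[int]] = {
    "alice": [2, 3, 1, 2, 40],   # spike against her own history, her peers and the company
    "bob":   [1, 2, 2, 3, 2],
    "carol": [3, 2, 4, 2, 3],
    "dave":  [0, 1, 0, 0, 1],
    "erin":  [1, 0, 1, 1, 0],
}
METRIC = "files_to_removable_media"

def zscore(value: float, baseline: List[float]) -> float:
    """Standard score of today's value against a baseline; 0.0 when the baseline has no spread."""
    if len(baseline) < 2:
        return 0.0
    sd = statistics.pstdev(baseline)
    return 0.0 if sd == 0 else (value - statistics.mean(baseline)) / sd

def evaluate_user(user: str, threshold: float = 3.0) -> dict:
    """Compare today's value with three baselines and return a contextual alert record."""
    history, today = ACTIVITY[user][:-1], ACTIVITY[user][-1]
    peer_sample = [v for u, r in ROLES.items() if u != user and r == ROLES[user]
                   for v in ACTIVITY[u]]
    company_sample = [v for u in ACTIVITY if u != user for v in ACTIVITY[u]]
    z = {"self": zscore(today, history),
         "peers": zscore(today, peer_sample),
         "company": zscore(today, company_sample)}
    flagged = [name for name, score in z.items() if score >= threshold]
    # Severity: largest standard-deviation distance among the flagged baselines, capped at 100.
    score = min(100, round(max(z[n] for n in flagged))) if flagged else 0
    return {"user": user, "role": ROLES[user], "metric": METRIC, "observed": today,
            "user_daily_mean": statistics.mean(history),
            "peer_daily_mean": statistics.mean(peer_sample) if peer_sample else None,
            "zscores": {k: round(v, 1) for k, v in z.items()},
            "flagged": flagged, "score": score}

def run_all(threshold: float = 3.0) -> tuple:
    """Evaluate every user; return the alerts that fired and a cumulative per-user risk ledger."""
    alerts, ledger = [], {u: 0 for u in ACTIVITY}
    for user in ACTIVITY:
        record = evaluate_user(user, threshold)
        ledger[user] += record["score"]   # cumulative: a real ledger would carry over across days
        if record["flagged"]:
            alerts.append(record)
    return alerts, ledger

if __name__ == "__main__":
    for alert in run_all()[0]:
        print(alert)
```

Only alice fires here, and her alert names the metric, her own and her peers’ daily means and which baselines she exceeded, which is the difference between “user name plus risk score” and something a triager can act on.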
Visibility into what users are doing on endpoints and how they interact with corporate data is a fundamental building block of an effective insider threat program. However, it’s not enough to treat this requirement as a “one-size-fits-all” approach. User monitoring in itself is not a blanket answer. Organizations need a modern approach to UAM.
The key to that is understanding the difference between a solution that simply provides large quantities of information versus one that provides actionable intelligence. As the above points have demonstrated, that difference lies in real-time, scalable visibility, analytics / machine learning, and truly actionable alerts.
What’s more, taking this route will mean cost savings for storage fees, faster endpoints that aren’t bogged down with heavy collectors, and information that is much easier to understand and analyze. This is an approach that can be utilized by private and public sector organizations alike. Even the goals of federal directives requiring UAM can — and should — be met with modern tools.
This is one thing that will hold true throughout Insider Threat Awareness Month, and in the insider threat space in general: visibility is key, and quality will always trump quantity – and when it comes to creating a future-proof, effective insider threat strategy, these tenets are non-negotiable. We have already discussed the history of insider threats, the state of the present landscape, and the needs of current security postures – the next step is the future. In our next article, we’ll cover what it takes to build a long-term, sustainable insider threat approach, how you can use your insider threat tools to proactively iterate, and the importance of understanding and closing the gaps.
To learn more about how Dtex offers a modern approach to Insider Threat policy compliance, click here to download the whitepaper, “Dtex and Federal Organizations.”