Identifying and Isolating Insider Threats
Understanding the context and patterns of malicious, negligent and compromised insider threats is necessary to accurately identify and isolate a threat.
According to the “2020 Cost of Insider Threats” report published by the Ponemon Institute, the average cost to a business of an insider threat incident was $11.45 million, an increase of more than 31% in only two years. The frequency of insider threat attacks spiked by more than 47% over the same period.
Effectively managing insider threats, however, is certainly not an easy or clear-cut task. A dynamic, constantly evolving security environment — alongside a rapidly changing threat landscape — has created a reality that is anything but black and white. And this has rendered it impossible to protect organizations from insider threats with the elementary lock-and-block, yes-or-no, good-or-bad approaches of yesterday.
- Malicious insiders: users that intentionally engage in activity to harm the enterprise.
- Negligent insiders: users that introduce insider risk through careless behavior or human error.
- Compromised insiders: users whose credentials are compromised and leveraged by outside infiltrators.
Context is Key
DLP and SIEM solutions aren't effective on their own because they don't take history, trends, and context into account. The result is many false positives, wasted time, and ineffective monitoring. DTEX tracks each employee's normal behavior and crafts finely-tuned alerts based on unusual changes in activity. By putting each user's behavior in context through four distinct steps, we create intelligent insider threat detection that picks up only the activity that really matters.
1. Profile Known Risks: Sometimes the threat is known.
Over the past decade, DTEX has continued to evolve and refine its library of known high risk activities. Every endpoint event is parsed through the DTEX library to highlight known high-risk behaviors.
2. Baseline Normal Behavior: Sometimes the threat is new.
When trying to identify new or unknown threats, DTEX first focuses on what is normal. A baseline of normal activity is created for each user, device and application. Baselining metrics can include:
- Endpoint utilization metrics – Cluster analysis of software applications used, working hours, websites visited and task switching behavior
- File access metrics – What files are regularly accessed, from where and in what quantities
- Account access metrics – What login accounts are regularly accessed (users often have access to multiple accounts)
To determine whether activities are abnormal, we compare a user’s recent events against themselves (i.e. their own historical baseline), against their peer group (i.e. the baseline of users in similar departments or roles) and against the entire organization.
3. Understand the Context: The reason WHY is overlooked.
However, "why" is often the most important factor in any Insider Threat investigation and usually can't be answered without the experience of a seasoned security analyst with extensive domain knowledge.
DTEX has simplified this by incorporating contextual information of the events leading up to, and following, an Insider Threat event. An analyst can then use these contextual cues to easily investigate, acknowledge or ignore alerts generated by the system.
4. Evaluate the Risk: A risk is not always a risk.
Some security risks, like malware, are black-and-white problems. Human risks, however, are rarely so simple. DTEX understands this and incorporates the company IT Acceptable Use Policy within the Risk Model so that acceptable behaviors can be ignored and policy breaches highlighted.
The severity associated with known risky behavior, abnormal behavior and the context behind each event is aggregated into a single Insider Threat score which is used to prioritize alerts.
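The four steps above (a known-risk library, a self/peer/organization baseline, contextual cues, and an acceptable-use filter, all aggregated into one prioritization score) can be illustrated with a small scoring pipeline. The following is an added example written for this page; it is not DTEX code, and every input in it is constructed: the risk tags and their weights, the acceptable-use allow list, the contextual cues, the peer-group map and the eight-day activity history per user are all hypothetical.

```python
"""Toy insider-threat scoring pipeline.

Added illustration, not DTEX code. Everything below is constructed: the
known-risk library, the acceptable-use allow list, the contextual cues, the
peer-group map and the per-user daily activity history. Scores are unit-less
and only meaningful relative to one another.
"""
from statistics import mean, pstdev

# Step 1: hypothetical known-risk library, event tag -> severity weight
KNOWN_RISKS = {"usb_mass_copy": 3.0, "personal_cloud_upload": 2.0, "disabled_av": 4.0}

# Step 4: hypothetical IT acceptable-use policy, role -> tags sanctioned for that role
ACCEPTABLE_USE = {"engineering": set(), "marketing": {"personal_cloud_upload"}}

# Step 3: hypothetical contextual cues observed before/after the activity window
CONTEXT_CUES = {"resignation_notice": 2.0, "access_request_denied": 1.0}

# Peer group (department) per user
PEER_GROUPS = {"alice": "engineering", "bob": "engineering",
               "carol": "marketing", "dave": "marketing"}


def _days(files, mb_out, accounts):
    return [{"files": f, "mb_out": m, "accounts": accounts} for f, m in zip(files, mb_out)]


# Constructed history: eight daily summaries per user (files touched, MB sent
# off-host, distinct login accounts used). Marketing legitimately moves far
# more data than engineering, which is what the peer baseline must capture.
HISTORY = {
    "alice": _days([38, 42, 40, 45, 35, 41, 39, 43], [4, 6, 5, 7, 3, 5, 4, 6], 1),
    "bob":   _days([33, 37, 35, 30, 36, 34, 38, 37], [3, 5, 4, 6, 4, 3, 5, 4], 1),
    "carol": _days([18, 22, 20, 21, 19, 20, 23, 17], [48, 52, 50, 55, 45, 49, 51, 50], 2),
    "dave":  _days([24, 26, 25, 27, 23, 25, 24, 26], [44, 46, 45, 48, 42, 45, 47, 43], 2),
}


def z_score(value, rows, metric, sd_floor=1.0):
    """Standard score of `value` against the rows' baseline. The floor on the
    standard deviation stops a perfectly regular history (sd == 0) from
    turning any tiny change into an infinite anomaly."""
    vals = [r[metric] for r in rows]
    return (value - mean(vals)) / max(pstdev(vals), sd_floor)


def anomaly_score(user, today, history=HISTORY, peer_groups=PEER_GROUPS):
    """Step 2: compare today's metrics against the user's own history, their
    peer group and the whole organization. Only increases count (more files,
    more data out, more accounts), and the three views are averaged so a user
    who looks odd against the org but normal among peers is not flagged."""
    own = history[user]
    peers = [r for u, rows in history.items()
             if peer_groups[u] == peer_groups[user] for r in rows]
    org = [r for rows in history.values() for r in rows]
    score = 0.0
    for metric, value in today.items():
        views = [z_score(value, rows, metric) for rows in (own, peers, org)]
        score += max(0.0, mean(views))
    return score


def known_risk_score(tags, role):
    """Step 1 filtered by step 4: sum severities of known-risk tags present,
    skipping those the acceptable-use policy sanctions for this role."""
    permitted = ACCEPTABLE_USE.get(role, set())
    return sum(w for tag, w in KNOWN_RISKS.items() if tag in tags and tag not in permitted)


def context_score(cues):
    """Step 3: total weight of contextual cues around the activity."""
    return sum(CONTEXT_CUES.get(c, 0.0) for c in cues)


def insider_threat_score(user, today, tags=(), cues=()):
    """Aggregate into one score. Context acts as a multiplier: the same
    activity is more concerning right after a resignation notice, but context
    alone with no risky or abnormal activity scores zero."""
    role = PEER_GROUPS[user]
    base = known_risk_score(set(tags), role) + anomaly_score(user, today)
    return round(base * (1.0 + context_score(cues)), 2)


def rank_alerts(observations):
    """observations: list of (user, today, tags, cues). Returns (user, score)
    pairs sorted highest first, which is the analyst's triage order."""
    scored = [(u, insider_threat_score(u, t, tags, cues)) for u, t, tags, cues in observations]
    return sorted(scored, key=lambda us: us[1], reverse=True)


if __name__ == "__main__":
    day = [
        ("alice", {"files": 40, "mb_out": 50, "accounts": 1}, {"usb_mass_copy"}, ["resignation_notice"]),
        ("carol", {"files": 20, "mb_out": 50, "accounts": 2}, {"personal_cloud_upload"}, []),
        ("bob",   {"files": 35, "mb_out": 4, "accounts": 1}, set(), ["access_request_denied"]),
    ]
    for user, score in rank_alerts(day):
        print(f"{user:6s} {score:7.2f}")
```

The sample day shows the point of each step: 50 MB leaving a host is routine for marketing (carol scores near zero) but a large deviation for an engineer (alice), a cloud upload is a known risk for engineering yet sanctioned for marketing by the acceptable-use entry, and bob's denied access request is a cue with nothing to multiply, so it produces no alert on its own.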