Crafting an insider threat program: Why and how

Nmedia - Fotolia


Insider threat detection tools that sniff out dangers from within

Learn about the insider threat detection tools that can zero-in on anomalous user behavior. Malicious or accidental, the insider threat is one of the most dangerous and costly to companies.

Firewalls, intrusion detection and prevention systems, and antimalware are reasonably effective against external...

threats, but they don't detect unauthorized activity inside the network. A recent Crowd Research Partners survey found that when it comes to battling insider threats, organizations employ a combination of policies and training to fight security threats that originate from within. However, there are technologies available now that can strengthen an organization's ability to detect and respond to insider threats, as well as to prevent future malicious activity.

An overview of insider threat detection tools

Privilege escalation, abuse of privileged accounts and data exfiltration represent some of the most serious issues associated with insider security compromises. Identity and access management (IAM) and data loss prevention (DLP) are insider threat detection tools that aim to prevent many issues, but even they can't stop every incident.

Log files are an excellent source of user activity on a network, and most breaches can be discovered through log file analysis. However, the sheer amount of data an administrator must wade through to find evidence of a compromise makes this effort virtually fruitless, especially since the admin is searching for activity that doesn't fit a known pattern. That's where insider threat detection tools that incorporate analytical and machine learning capabilities come into play. These technologies scan for user behaviors associated with privilege escalation, data loss and so on, as well as a range of not-to-pattern activities that are highly difficult to detect through manual reviews.

The technologies garnering a lot of interest are the following:

  • User activity monitoring (UAM): This type of tool monitors and collects in real time all kinds of user activity data, such as email, chat and internet uploads and downloads. When integrated with a security information and event management system, administrators receive alerts when suspicious or anomalous activity is detected. Many products include machine learning algorithms and risk scoring to identify high-risk users and track the behaviors of lower-risk users that can become threats.
  • User behavior analytics (UBA): A big step up from UAM is UBA, which sifts through and analyzes different types of data logs to establish a baseline of normal user behavior and identify patterns of abnormal or anomalous behavior that may indicate an insider threat. The beauty of UBA is its ability to use algorithms to analyze a wide and deep pool of data, understand its context and make correlations. A UBA system provides actionable insights in the form of reports and dashboards that prioritize risks.
  • User and entity behavioral analytics (UEBA): The latest and most comprehensive of the three technologies is UEBA. It provides the same type of analytics as UBA but also analyzes endpoints, networks and applications -- whether on premises, in the cloud or mobile. In this respect, UEBA correlates user and entity behavior for more accurate and effective threat detection.

UAM has been around for a while, but keep in mind that the UBA and UEBA markets are in flux. For example, the line between UBA and UEBA is quickly blurring, with some UBA vendors incorporating new features and rebranding their product as UEBA.

Act now, expect results in the future

The key to behavioral -- and entity -- analytics is detection and analysis of patterns over time. Because behaviors differ among users, be aware that an insider threat detection tool can take weeks or months to gather enough data to create an accurate baseline of normal activity and to tease out difficult-to-detect anomalies.

In its Insider Threat Report 2016, Crowd Research Partners found that the 57% of organizations consider the combination of policy and training to be the most effective means for battling insider threats. However, coupling these two people-centric methods with technology products strengthens an organization's ability to detect and respond to insider threats, as well as to prevent future malicious activity. 

Next Steps

Accidents and negligence are often overlooked forms of insider threats

How hackers hide attacks using company employees

What to do when the employee clicks that link?

This was last published in January 2017

Dig Deeper on Risk management