Exposing insider threats

Behavioral analytics lets organizations better protect themselves against human error, negligence, and malicious insiders.

[Image: Insider Threats. © Depositphotos, Andreus]

Threats from "insiders" make many IT security departments break out in a cold sweat, and rightly so: insiders are already firmly anchored in corporate IT. Once an insider account acts against the organization, whether through compromise or intent, the activity is hard to detect, because conventional security controls face outward and treat authenticated internal users as trusted. Traditional means therefore cannot fully protect against insider threats. To guard against them and uncover what is happening inside the organization, organizations need strategies and technical solutions that go beyond perimeter-oriented IT security.

Insider threats: 50-70% of all security incidents

If you look at which threats ultimately succeed in penetrating an organization's IT, insider threats are by no means a negligible risk. According to Gartner's Information Risk Research team, insiders are responsible for 50 to 70 percent of all security incidents, and for security breaches specifically, for three-quarters of them.

The consequences can be severe: the Ponemon Institute puts the cost of insider threats at $8.76 million per year per affected company. A large part of that cost comes from dwell time: it takes an average of 280 days to identify and contain each breach, a frightening scenario for any company.

The three main types of insider threats

The most famous example of an insider threat is certainly Edward Snowden. But his activities, while the best known, are by no means typical of the scenarios most organizations face, especially in a commercial context. In the majority of cases, insider threats take one of three forms: the "accidental," the "compromised," or the "malicious" insider.

1. As the name suggests, the "malicious" insider is typically an employee or contractor who deliberately steals information. Edward Snowden is probably the most famous example, though many malicious insiders take data not as whistleblowers but for financial gain, such as the thieves of Swiss bank data a few years ago.

2. The "compromised" insider is considered by many to be the most problematic form, because the person has usually done nothing more than innocently click on a link or enter a password. This is often the result of a phishing campaign that presents users with a link to an authentic-looking website in order to trick them into entering login credentials or other sensitive information. From that point on, the attacker operates with a legitimate user's identity and permissions, so the activity looks like an insider's even though the user had no malicious intent.

3. Alternatively, and no less dangerous, is the "accidental" or "negligent" insider, who exposes data or systems by mistake, for example by sending sensitive information to the wrong recipient. Detecting these insiders can be particularly challenging because, no matter how much care companies and employees take with cybersecurity, mistakes happen.

Beyond training, there are technical defenses

To avoid such simple but, in the worst case, far-reaching mistakes, many organizations already invest heavily in training to raise their employees' awareness. Undoubtedly, some accidental and compromised insider attacks can be prevented simply by training end users to recognize and avoid phishing attempts. But beyond training, there are technical approaches that focus on user behavior and offer better protection against insider threats.

User and Entity Behavior Analytics (UEBA)

Using traditional cybersecurity solutions that only look outward creates a very large blind spot. To address the multi-layered challenge of insider threats, security teams need the technology infrastructure and tools to see the whole picture, and therefore all threats, including those from the inside. This is where User and Entity Behavior Analytics (UEBA) comes in. UEBA learns what normal behavior looks like for each user and entity (hosts, service accounts, devices) from historical activity, then flags deviations from that baseline: logins from unfamiliar locations or at unusual hours, access to data a user never touches, or data volumes far above the norm. By understanding typical behavior, security teams can recognize more quickly when something is wrong, whether the cause is a compromised account, a careless user, or a malicious one. Many organizations already deploy machine learning-based solutions of this kind for proactive protection; the caveat is that such systems need a learning period, and their value depends on tuning thresholds so that analysts are not buried in false positives.
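The baseline-and-deviation approach described above, as an added example that is not from the article or from any UEBA product: a small Python script that builds a per-user baseline (countries seen, usual working hours, typical download volume) from twenty days of constructed activity logs, then scores new events with weighted signals and raises an alert when the combined score crosses a threshold. The event schema, the signal weights and the alert threshold are assumptions chosen for illustration; a real SIEM would feed this from authentication and proxy logs and learn over far more dimensions.

```python
"""Toy UEBA: learn per-user baselines from history, then score new events.
All events below are constructed for this example; the schema
(timestamp, user, source country, bytes downloaded) is an assumption."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: one strong signal plus one weak one (or a very strong single
# deviation) is enough to alert; tune against your own false-positive budget.
ALERT_THRESHOLD = 4


def constructed_history():
    """Twenty working days of normal activity for two users (constructed data)."""
    events = []
    for day in range(1, 21):
        # alice: Germany only, sessions at 09:xx and 16:xx, roughly 8-12 MB each
        events.append((f"2024-03-{day:02d}T09:{day:02d}:00", "alice", "DE", 10_000_000 + day * 100_000))
        events.append((f"2024-03-{day:02d}T16:{day:02d}:00", "alice", "DE", 8_000_000 + day * 50_000))
        # bob: alternates between Germany and Switzerland, 08:xx and 17:xx, roughly 20-24 MB
        country = "DE" if day % 2 else "CH"
        events.append((f"2024-03-{day:02d}T08:{day:02d}:00", "bob", country, 20_000_000 + day * 200_000))
        events.append((f"2024-03-{day:02d}T17:{day:02d}:00", "bob", country, 20_000_000 + day * 100_000))
    return events


class Baseline:
    """What 'normal' looks like for one user: where, when and how much."""

    def __init__(self):
        self.countries = set()
        self.hours = []
        self.volumes = []

    @property
    def hour_window(self):
        """Earliest and latest hour of day seen in the history."""
        return min(self.hours), max(self.hours)

    @property
    def volume_std(self):
        # A constant history would give a zero spread; avoid dividing by it.
        return pstdev(self.volumes) or 1.0


def build_baselines(events):
    """Aggregate history into one Baseline per user."""
    baselines = defaultdict(Baseline)
    for ts, user, country, nbytes in events:
        b = baselines[user]
        b.countries.add(country)
        b.hours.append(datetime.fromisoformat(ts).hour)
        b.volumes.append(nbytes)
    return dict(baselines)


def score_event(baseline, ts, country, nbytes):
    """Add up weighted deviation signals for one event; return (score, reasons)."""
    score, reasons = 0, []
    if country not in baseline.countries:
        score += 3
        reasons.append(f"activity from previously unseen country {country}")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = baseline.hour_window
    if not lo <= hour <= hi:
        score += 2
        reasons.append(f"activity at {hour:02d}:00, outside usual {lo:02d}-{hi:02d}")
    z = (nbytes - mean(baseline.volumes)) / baseline.volume_std
    if z > 3:
        score += 3
        reasons.append(f"download of {nbytes} bytes is {z:.1f} standard deviations above normal")
    return score, reasons


def detect(baselines, new_events, threshold=ALERT_THRESHOLD):
    """Return (timestamp, user, score, reasons) for every event that crosses the threshold."""
    alerts = []
    for ts, user, country, nbytes in new_events:
        if user not in baselines:
            # An identity with no history cannot be scored; surface it rather than ignore it.
            alerts.append((ts, user, threshold, ["no baseline for this user, review manually"]))
            continue
        score, reasons = score_event(baselines[user], ts, country, nbytes)
        if score >= threshold:
            alerts.append((ts, user, score, reasons))
    return alerts


# Constructed events to score against the learned baselines.
NEW_EVENTS = [
    ("2024-03-22T10:15:00", "alice", "DE", 11_000_000),    # ordinary session
    ("2024-03-22T22:05:00", "bob", "DE", 21_000_000),      # late evening, one weak signal only
    ("2024-03-23T03:40:00", "bob", "US", 23_000_000),      # new country at night: compromised-account pattern
    ("2024-03-23T02:30:00", "alice", "RU", 500_000_000),   # new country, night, bulk download: exfiltration pattern
]

if __name__ == "__main__":
    learned = build_baselines(constructed_history())
    for ts, user, score, reasons in detect(learned, NEW_EVENTS):
        print(f"ALERT {ts} {user} score={score}: {'; '.join(reasons)}")
```

Run the file and it prints the alerts for the constructed events: a single weak signal (bob working late from his usual country) stays below the threshold, while bob's account used from a new country at night, and alice pulling 500 MB from an unseen country at 02:30, each trip an alert. The point is the accumulation: no single check is conclusive on its own, and choosing the weights and threshold against your own false-positive budget is the real work of a UEBA deployment.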

Conclusion: Proactive strategy with analytics increases security

Organizations need the technology infrastructure and tools to see the full threat picture. Modern SOCs therefore use UEBA within their SIEM systems to protect from within against human error, negligence and malicious insiders. Combined with training, such a proactive strategy can dramatically reduce the blind spot on the inside and detect many insider threats early.

