Insider threats have been a problem for as long as there have been insiders. What’s changed over time? Well, for one, Brutus and his conspirators didn’t exactly leave a trail of logs and flows when they plotted against Julius Caesar and the Roman Republic. Fast forward 2,000 years, and there’s a good news/bad news update to this story. The bad news is the growth of the scope and impact of insider threats. The good news is that, with the right solution, we can detect and respond to them. One way to protect against insider threats is with a zero trust solution.
Just as Caesar was surprised by his friend’s betrayal (Et tu, Brute?), today’s insider threats are equally hard to detect when there’s no insight or context around user behavior. Security analysts need solutions that spot strange behavior, uncover hidden threats and respond to incidents faster and more efficiently. A zero trust framework helps by never assuming a user should gain access.
The Rise of Insider Threats
According to the Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the frequency of insider threats has increased 47% since 2018. Now add a pandemic, the rise of remote work and workloads migrating to the cloud faster. With this business context, insider threats will continue to grow at pace with the increasing scope of users, endpoints, data and apps. It’s helpful to think about data access from the perspective of zero trust: the smaller the attack surface, the less likely an attack.
It’s true that analysts’ workloads are mounting, but today’s teams aren’t just looking for the bad guy. The Ponemon study also revealed that more than 60% of insider threats come from negligent users, not malicious actors. In turn, the pressure increases to spot bad actors and clueless ones amidst thousands of daily events. IBM X-Force Incident Response and Intelligence Services recently shared common phishing trends that show even well-meaning employees take actions that create vulnerabilities. It continues to be one of the most common, inexpensive and effective ways to gain access.
Download the X-Force Insider Threat Report
Managing Alerts with UBA and Zero Trust
As any security analyst can attest, there’s not enough time in the day to manage the increasing volume of alerts. A basic flag of excessive uploads or downloads is not enough. Screening like zero trust makes a difference. You could also benefit from context supplied by user behavior analytics (UBA), based on what’s normal for each user. Analysts need to be able to prioritize alerts and dedicate time to checking out odd user behavior. They can’t waste time searching multiple sources in order to understand any one event. They need software that can:
- Analyze network and log data;
- Provide out-of-the-box behavioral rules and machine learning;
- Pinpoint strange behavior; and,
- Generate risk scores based on a user’s actions.
Working together with SIEM tools, the analysts can drill down to view the offenses that contributed to the high-risk score. If needed, they can add those users to a watch list. In some cases, analysts may create their own watch list, like employees who have given notice and are in their final two weeks, so that unusual behavior within that cohort triggers an alert more quickly.
Bottom line: Analysts need enhanced visibility, faster detection and expedited investigation and response.
With quality UBA, SIEM and zero trust, the modern-day Brutus can be quickly identified and stopped in their tracks.
Learn more about the IBM Security zero trust approach to insider threats.
Program Director, Security Offerings Management, IBM