Insider threats have been a problem for as long as there have been insiders. What’s changed over time? Well, for one, Brutus and his conspirators didn’t exactly leave a trail of logs and flows when they plotted against Julius Caesar and the Roman Republic. Fast forward 2,000 years, and there’s a good news/bad news update to this story. The bad news is the growth of the scope and impact of insider threats. The good news is that, with the right solution, we can detect and respond to them. One way to protect against insider threats is with a zero trust solution.

Just as Caesar was surprised by his friend’s betrayal (Et tu, Brute?), today’s insider threats are equally hard to detect when there’s no insight or context around user behavior. Security analysts need solutions that spot strange behavior, uncover hidden threats and respond to incidents faster and more efficiently. A zero trust framework helps by never assuming a user should gain access.

The Rise of Insider Threats

According to the Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the frequency of insider threats has increased 47% since 2018. Now add a pandemic, the rise of remote work and workloads migrating to the cloud faster. With this business context, insider threats will continue to grow at pace with the increasing scope of users, endpoints, data and apps. It’s helpful to think about data access from the perspective of zero trust: the smaller the attack surface, the less likely an attack.

It’s true that analysts’ workloads are mounting, but today’s teams aren’t just looking for the bad guy. The Ponemon study also revealed that more than 60% of insider threats come from negligent users, not malicious actors. In turn, the pressure increases to spot bad actors and clueless ones amidst thousands of daily events. IBM X-Force Incident Response and Intelligence Services recently shared common phishing trends that show even well-meaning employees take actions that create vulnerabilities. It continues to be one of the most common, inexpensive and effective ways to gain access.

Download the X-Force Insider Threat Report

Managing Alerts with UBA and Zero Trust

As any security analyst can attest, there’s not enough time in the day to manage the increasing volume of alerts. A basic flag of excessive uploads or downloads is not enough. Screening like zero trust makes a difference. You could also benefit from context supplied by user behavior analytics (UBA), based on what’s normal for each user. Analysts need to be able to prioritize alerts and dedicate time to checking out odd user behavior. They can’t waste time searching multiple sources in order to understand any one event. They need software that can:

  • Analyze network and log data;
  • Provide out-of-the-box behavioral rules and machine learning;
  • Pinpoint strange behavior; and,
  • Generate risk scores based on a user’s actions.

Working together with SIEM tools, the analysts can drill down to view the offenses that contributed to the high-risk score. If needed, they can add those users to a watch list. In some cases, analysts may create their own watch list, like employees who have given notice and are in their final two weeks, so that unusual behavior within that cohort triggers an alert more quickly.

Bottom line: Analysts need enhanced visibility, faster detection and expedited investigation and response.

With quality UBA, SIEM and zero trust, the modern-day Brutus can be quickly identified and stopped in their tracks.

Learn more about the IBM Security zero trust approach to insider threats.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read