Insider threats have been a problem for as long as there have been insiders. What’s changed over time? Well, for one, Brutus and his conspirators didn’t exactly leave a trail of logs and flows when they plotted against Julius Caesar and the Roman Republic. Fast forward 2,000 years, and there’s a good news/bad news update to this story. The bad news is the growth of the scope and impact of insider threats. The good news is that, with the right solution, we can detect and respond to them. One way to protect against insider threats is with a zero trust solution.

Just as Caesar was surprised by his friend’s betrayal (Et tu, Brute?), today’s insider threats are equally hard to detect when there’s no insight or context around user behavior. Security analysts need solutions that spot strange behavior, uncover hidden threats and respond to incidents faster and more efficiently. A zero trust framework helps by never assuming a user should gain access.

The Rise of Insider Threats

According to the Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the frequency of insider threats has increased 47% since 2018. Now add a pandemic, the rise of remote work and workloads migrating to the cloud faster. With this business context, insider threats will continue to grow at pace with the increasing scope of users, endpoints, data and apps. It’s helpful to think about data access from the perspective of zero trust: the smaller the attack surface, the less likely an attack.

It’s true that analysts’ workloads are mounting, but today’s teams aren’t just looking for the bad guy. The Ponemon study also revealed that more than 60% of insider threats come from negligent users, not malicious actors. In turn, the pressure increases to spot bad actors and clueless ones amidst thousands of daily events. IBM X-Force Incident Response and Intelligence Services recently shared common phishing trends that show even well-meaning employees take actions that create vulnerabilities. It continues to be one of the most common, inexpensive and effective ways to gain access.

Download the X-Force Insider Threat Report

Managing Alerts with UBA and Zero Trust

As any security analyst can attest, there’s not enough time in the day to manage the increasing volume of alerts. A basic flag of excessive uploads or downloads is not enough. Screening like zero trust makes a difference. You could also benefit from context supplied by user behavior analytics (UBA), based on what’s normal for each user. Analysts need to be able to prioritize alerts and dedicate time to checking out odd user behavior. They can’t waste time searching multiple sources in order to understand any one event. They need software that can:

  • Analyze network and log data;
  • Provide out-of-the-box behavioral rules and machine learning;
  • Pinpoint strange behavior; and,
  • Generate risk scores based on a user’s actions.

Working together with SIEM tools, the analysts can drill down to view the offenses that contributed to the high-risk score. If needed, they can add those users to a watch list. In some cases, analysts may create their own watch list, like employees who have given notice and are in their final two weeks, so that unusual behavior within that cohort triggers an alert more quickly.

Bottom line: Analysts need enhanced visibility, faster detection and expedited investigation and response.

With quality UBA, SIEM and zero trust, the modern-day Brutus can be quickly identified and stopped in their tracks.

Learn more about the IBM Security zero trust approach to insider threats.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…