While many organiSations are buffing up their security layers, most of the focus is on preventing direct threats that come from outside, and detecting threats from within is neglected. But insider threats are a problem for all organisations, often going completely under detected by in-place security measures.
New research from cyber security firm Imperva has shown the true extent of the issue- it found that insider threat events were found in 100% of the environments, confirming suspicions that they go routinely undetected.
Insiders – be they employees, contractors, business associates or partners – pose the biggest risk to enterprise data since they are granted trusted access to sensitive data.
In most cases, insiders took advantage of granted, trusted access to data, rather than trying to directly hack in to databases and file shares, and they weren't caught by any existing in-place security infrastructure.
'Just finding anomalies in user behavior will not solve the insider threat problem,' said Amichai Shulman, co-founder and CTO of Imperva.
'Enterprises need to have granular visibility into which users are accessing data, and more importantly, the actual queries and data accessed by each user. This deep level of insight proved critical to separating actual incidents from anomalies.'
The research found that while all of the customers involved in the study had the 'right' security layers in place, they were not able to identify many types of compromising, negligent, or malicious behavior.
Often their security tools produced many alerts, making it impossible to capture actual incidents. This can mean the security team investigates only incidents that are 'louder' than other incidents.
While this makes sense and does bring some value, it often does not pose a threat to seasoned hackers who know how to hide their activity.
The incidents were only found in the sea of anomalies by using multi-layered detection mechanisms of machine learning-based behavioral analysis and deception technology to live production data and networks.
> See also: Why insider threats are still succeeding
Machine learning was used to analyse detailed activity logs of the data accessed by insiders, and deception technology added context to the analysis by identifying anomalies indicative of compromised end-points and user credentials.
Data breaches usually take place over a relatively long period of time spanning weeks to months and even years, with attackers gaining small bits of sensitive information over time. But this process should be nipped in the bud, say the researchers, before damage is done.
'One of the goals of any security program should be to have early detection capabilities for breaches,' said the report. 'For example, detect the behavior patterns of reconnaissance stage activity, before any specific damage can take place. Using early detection, a security breach discovery and investigation operation will typically span hours or days.'