Augmented Intelligence to Manage Insider Risk

Insider risk has emerged as a top-three concern reported by enterprise CISOs. It’s no surprise, given that insiders do not need to obtain authorized access to corporate resources: they already hold it. Insider risk is not a straightforward problem. Insider threats can arise from unintentional mistakes made by well-meaning employees; insiders can be targeted by external actors for use of their privileges; or a disgruntled employee might purposely abuse privileges to harm the company, seek revenge against a perceived corporate enemy, or exfiltrate data and secrets for personal gain.

Mitigating insider risk requires a sophisticated approach to identifying advanced indicators of compromise via threat intelligence and user behavioral analysis (UBA). Monitoring and analyzing patterns of behavior can reveal evidence of attempted or successful malfeasance and give security and operations teams an opportunity to prevent further destructive behavior.

InCyber, Inc. utilizes the core tenets of UBA—access to evidence, processing capability, and action-oriented output—to enable organizations to effectively defend against insider risk. Here, Dr. Abraham Gill, Chairman & CEO, InCyber, Inc., shares insight into current trends and mitigations.

TAG Cyber: Data is everything in an enterprise. Tell us about InCyber’s data collection and processing.
INCYBER: InCyber is user-centric and the focus is on user activities as well as external parameters such as integrity, credit score, gambling addiction, etc. We only need five parameters from a client’s database—user ID, time stamp, description, filename, and path to the filename—to start the process of identifying threats and providing the evidence to our clients.

TAG Cyber: UBA is often considered a detection and response capability, yet you talk about InCyber as an early warning system. Can you explain the differences between traditional UBA and your method?
INCYBER: InCyber provides augmented intelligence. This is quite different from UBA. We combine internal information and internal log data with legally obtained external telemetry collected from our customer, such as eCredit rating, integrity information, legal status, and more. UBA doesn’t do that, and the way we correlate data allows us to create intelligence the enterprise can act upon and deter potential high-risk employees, contractors, or consultants. Using the aforementioned type of external data to augment the accuracy of our results leads to 10X fewer false positives than traditional methods.

In addition, our processing algorithms are designed to use advanced heuristics to identify common threads, meaningful relationships, and subtle connections in the data, which means that InCyber can proactively detect potentially bad activity weeks or months ahead of insider threats, thereby reducing clients’ risk.
TAG Cyber: Why is an agentless deployment an important element of your product?
INCYBER: Agents make the users very uncomfortable, plus there is the problem of agent fatigue. Instead, we save time and money by extracting user activities from the database or wherever they are stored by the client. The platform is designed to collect and ingest data that is already present—even finding evidence that may have been previously undetected by other systems—which is why InCyber is such an easy tool to deploy and integrate.

TAG Cyber: Are you seeing any alarming or notable trends in insider risk?
INCYBER: Unfortunately, COVID-19 and the resulting work-from-home climate caused a substantial increase of insider activities, including malicious theft as well as impersonation of credentials. Bad actors took significant advantage of the fact that their employers weren’t ready to migrate all users to insecure working locations, leaving systems and access less protected than they would be if all employees were on-premises. Plus, the crashing job market left many employees disgruntled and/or stressed. Millions of employees are now on leave without pay but still have access to the company infrastructure—they get to keep their system usernames, user IDs, and passwords—which makes them potentially very dangerous. Combined with the chaos of the pandemic, this is a perfect storm for insider attacks.

TAG Cyber: If organizations could do just one thing (aside from deploying InCyber!!) to mitigate insider risk, what would you recommend?
INCYBER: The most important thing is to collect all the activity logs and restrict access to sensitive data. You can’t do anything about potential threats if you’re not watching what’s going on in your enterprise. Doing this manually is a monumental task, so implement automation.
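The interview names the five activity-log fields the platform ingests (user ID, time stamp, description, filename, path) and closes with the advice to collect all activity logs and automate their review. The script below is an added example written for this page, not InCyber's code or algorithms: it ingests constructed five-field records and applies three defender-side rules that follow from the points raised above. The HR leave list, the sensitive path prefixes, the baseline cut-off date and the bulk-access thresholds are all assumptions chosen for the sample data.

```python
"""Added example: insider-risk findings over constructed five-field activity records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (not from the interview): which path prefixes count
# as sensitive, the date before which activity forms each user's baseline, a
# hypothetical HR feed of users on leave, and what counts as "bulk" access.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
BASELINE_END = datetime(2020, 6, 3)
ON_LEAVE = {"carol"}
BULK_THRESHOLD, BULK_WINDOW = 20, timedelta(minutes=60)

# Constructed sample records in the five-field shape named in the interview:
# (user ID, time stamp, description, filename, path to the filename).
ACTIVITY_LOG = [
    ("alice", "2020-06-01T09:12:00", "read", "q2_forecast.xlsx", "/finance/forecasts/"),
    ("alice", "2020-06-02T10:40:00", "read", "q2_actuals.xlsx", "/finance/forecasts/"),
    ("bob",   "2020-06-01T11:05:00", "read", "roadmap.docx", "/eng/planning/"),
    ("bob",   "2020-06-03T22:15:00", "copy", "payroll_2020.csv", "/hr/payroll/"),
    ("carol", "2020-06-04T03:30:00", "read", "customers.csv", "/sales/exports/"),
] + [
    # dave copies 30 distinct design files within half an hour
    ("dave", f"2020-06-05T01:{m:02d}:00", "copy", f"design_{m}.pdf", "/eng/designs/")
    for m in range(30)
]


def parse(records):
    """Turn raw five-field tuples into dicts sorted by time."""
    events = [
        {"user": u, "ts": datetime.fromisoformat(ts), "desc": d, "file": f, "path": p}
        for u, ts, d, f, p in records
    ]
    events.sort(key=lambda e: e["ts"])
    return events


def sensitive_prefix(path):
    """Return the sensitive prefix a path falls under, or None."""
    return next((p for p in SENSITIVE_PREFIXES if path.startswith(p)), None)


def find_insider_risk(records, on_leave=ON_LEAVE, baseline_end=BASELINE_END):
    events = parse(records)
    findings = []

    # Rule 1: any activity from an account that should be dormant (user on leave
    # who still holds working credentials). One finding per user.
    reported_leave = set()
    for e in events:
        if e["user"] in on_leave and e["user"] not in reported_leave:
            reported_leave.add(e["user"])
            findings.append({"rule": "on_leave_activity", "user": e["user"],
                             "detail": f"{e['desc']} {e['path']}{e['file']} at {e['ts']}"})

    # Rule 2: first touch of a sensitive area the user never touched during the
    # baseline period. Users whose baseline already includes the area are not flagged.
    baseline = {(e["user"], sensitive_prefix(e["path"]))
                for e in events if e["ts"] < baseline_end and sensitive_prefix(e["path"])}
    reported_paths = set()
    for e in events:
        key = (e["user"], sensitive_prefix(e["path"]))
        if (key[1] and e["ts"] >= baseline_end
                and key not in baseline and key not in reported_paths):
            reported_paths.add(key)
            findings.append({"rule": "new_sensitive_path", "user": e["user"],
                             "detail": f"first access to {key[1]} at {e['ts']}"})

    # Rule 3: bulk access, i.e. many distinct files by one user inside a short window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            files = {x["file"] for x in window}
            if len(files) >= BULK_THRESHOLD:
                findings.append({"rule": "bulk_access", "user": user,
                                 "detail": f"{len(files)} distinct files from {start['ts']}"})
                break
    return findings


if __name__ == "__main__":
    for f in find_insider_risk(ACTIVITY_LOG):
        print(f"{f['rule']:20} {f['user']:6} {f['detail']}")
```

The three rules are deliberately simple so that each finding is explainable to the security and operations team reviewing it. In practice the baseline window, the sensitive-path list and the bulk thresholds would be tuned per organization, and the on-leave list would come from an HR system of record rather than a constant.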