Insider risk has emerged as a top-three concern reported by enterprise CISOs. It’s no surprise, given that insiders require authorized access to corporate resources. Insider risk is not a straightforward problem. Insider threats can arise from unintentional mistakes made by well-meaning employees; insiders can be targeted by external actors for use of their privileges; or a disgruntled employee might purposely abuse privileges to harm the company, seek revenge against a perceived corporate enemy, or exfiltrate data and secrets for personal gain. Mitigating insider risk requires a sophisticated approach to identifying advanced indicators of compromise via threat intelligence and user behavioral analysis (UBA). Monitoring and analyzing patterns of behavior can reveal evidence of attempted or successful malfeasance and give security and operations teams the opportunity to prevent further destructive behavior. InCyber, Inc. utilizes the core tenets of UBA (access to evidence, processing capability, and action-oriented output) to enable organizations to effectively defend against insider risk. Here, Dr. Abraham Gill, Chairman & CEO, InCyber, Inc., shares insight into current trends and mitigations.
TAG Cyber: Data is everything in an enterprise. Tell us about InCyber’s data collection and
INCYBER: InCyber is user centric and the focus is on user activities as well as external parameters such as integrity, credit score, gambling addiction, etc. We only need five parameters from a client’s database—user ID, time stamp, description, filename, and path to the filename—to start the process of identifying threats and providing the evidence to our clients.
TAG Cyber: UBA is often considered a detection and response capability, yet you talk about InCyber as an early warning system. Can you explain the differences between traditional UBA and your method?
INCYBER: InCyber provides augmented intelligence. This is quite different than UBA. We combine internal information and internal log data with legally obtained external telemetry collected from our customer, such as eCredit rating, integrity information, legal status, and more. UBA doesn’t do that, and the way we correlate data allows us to create intelligence the enterprise can act upon and deter potential high-risk employees, contractors, or consultants. Using the aforementioned type of external data to augment the accuracy of our results leads to 10X fewer false positives than traditional methods. In addition, our processing algorithms are designed to use advanced heuristics to identify common threads, meaningful relationships, and subtle connections in the data, which means that InCyber can proactively detect potentially bad activity weeks or months ahead of insider threats, thereby reducing clients’ risk.
TAG Cyber: Why is an agentless deployment an important element of your product?
INCYBER: Agents make the users very uncomfortable, plus there is the problem of agent fatigue. Instead, we save time and money by extracting user activities from the database or wherever they are stored by the client. The platform is designed to collect and ingest data that is already present—even finding evidence that may have been previously undetected by other systems—which is why InCyber is such an easy tool to deploy and integrate.
TAG Cyber: Are you seeing any alarming or notable trends in
INCYBER: Unfortunately, COVID-19 and the resulting work-from-home climate caused a substantial increase of insider activities, including malicious theft as well as impersonation of credentials. Bad actors took significant advantage of the fact that their employers weren’t ready to migrate all users to insecure working locations, leaving systems and access less protected than they would be if all employees were on-premises. Plus, the crashing job market left many employees disgruntled and/or stressed. Millions of employees are now on leave without pay but still have access to the company infrastructure—they get to keep their system usernames, user IDs, and passwords—which makes them potentially very dangerous. Combined with the chaos of the pandemic, this is a perfect storm for insider attacks.
TAG Cyber: If organizations could do just one thing (aside from deploying InCyber!!) to mitigate insider risk, what would you
INCYBER: The most important thing is to collect all the activity logs and restrict access to sensitive data. You can’t do anything about potential threats if you’re not watching what’s going on in your enterprise. Doing this manually is a monumental task, so