With insider threats continuing to drive enterprise cyber risk, security teams must find new ways to improve detection of anomalies using system, application, and network log files.
Understanding the Threat
Insiders continue to create growing cyber risk for organizations. New York-based advisory firm TAG Cyber reports, for example, that insider risks have evolved to one of the top three concerns reported by CISO-led teams in enterprise. This should come as no surprise, because with valued assets better protected from external access by modern security tools, malicious actors are now looking inward for shortcuts to gain access or disrupt operations.
The challenge of dealing with insider threats in enterprise generally requires attention to three dimensions of the problem:
- Compromised or Disgruntled Individual – This is the most common situation, where a trusted insider uses authorized credentials to lead or support an attack. The motivation for such action is either compromise from an outside entity, such as a nation-state, or disgruntlement for a variety of potential personal reasons.
- Malware-Enabled Insider Access – This case involves malware being inserted into an endpoint, device, or system controlled by some insider. The malware would presumably be designed to utilize the privileges granted that insider to initiate an inside attack. Phishing emails work in this manner.
- Unintentional Action by Benign Insider – The case of an insider unintentionally creating a breach condition is especially difficult to handle. Security teams will be motivated to show sympathy, and to recommend training and improved awareness in these cases. But such treatment provides an excuse for compromised actors who are caught.
Ultimately, enterprise teams will need to weave together a comprehensive solution that addresses all three of the cases mentioned above. The goal should be to support world-class operations, run by trusted individuals, but with a safety net that ensures that insiders cannot intentionally or accidentally create harmful conditions. This requires a combination of controls focused on people, processes, and technology.
Anomaly-Based Evidence
The cyber security community has come to agree that addressing the cyber risk associated with insiders requires a variety of safeguards and incentives. Careful hiring and excellent training for employees go a long way to reducing risk. In addition, sensible security architectures, including cloud-based controls, are effective in reducing insider risk. But the method that has proven most effective in reducing insider risk involves detecting evidence of anomalous behavior.
Referred to in the cyber security community as user behavioral analysis (UBA), this security detection method is dependent on the following functional capabilities:
- Access to Evidence – Obviously, any UBA solution will require access to those systems, applications, networks, and repositories that might contain evidence that an insider threat is present. Such access must never impede operations, and must be consistent with all legal, policy, and regulatory restrictions.
- Processing Capability – The ability to collect and process collected information requires attention to several practical issues. These include capacity for collection and storage, processing methods for real-time and off-line analysis, and inclusion of advanced methods such as machine learning.
- Action-Oriented Output – Any security detection process will only be useful if the output of the analysis connects easily with practical action. This implies that UBA must generate action-oriented output, or the system can devolve into generating artifacts for reports that are neither read nor utilized.
These three UBA requirements – access to evidence, processing capability, and action-oriented output – serve as a useful basis for enterprise source selection teams who might be reviewing different commercial platform offerings.
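To make the three requirements concrete, the following is an added example (not InCyber's code, and not taken from this paper) of the UBA loop in miniature: it takes evidence in the form of log lines, builds a per-user baseline of working hours, resources touched and bytes moved per day, scores a later review window against that baseline, and emits findings that each carry a recommended action rather than a bare score. The log line format, the user names, the z-score threshold of 3 and the fallback for flat histories are all constructed assumptions chosen for the illustration.

```python
"""Minimal UBA-style anomaly detector over constructed log lines.

Added example, not vendor code: build a per-user baseline from a history
window, compare a review window against it, and return action-oriented
findings (user, kind of anomaly, evidence, recommended action).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed (constructed) line format:
#   <ISO timestamp> user=<u> action=<a> resource=<r> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed history: three ordinary working days for two users.
BASELINE_LOG = [
    "2024-03-04T09:12:00 user=alice action=read resource=hr-share bytes=1200",
    "2024-03-04T14:30:00 user=alice action=read resource=hr-share bytes=800",
    "2024-03-05T10:05:00 user=alice action=read resource=hr-share bytes=1500",
    "2024-03-05T16:45:00 user=alice action=write resource=hr-share bytes=600",
    "2024-03-06T11:20:00 user=alice action=read resource=hr-share bytes=900",
    "2024-03-04T08:55:00 user=bob action=read resource=eng-repo bytes=4000",
    "2024-03-05T09:10:00 user=bob action=read resource=eng-repo bytes=4200",
    "2024-03-06T13:40:00 user=bob action=write resource=eng-repo bytes=3900",
]

# Constructed review window: one off-hours bulk read of a new share by alice,
# one normal event for bob, and one event from an account with no history.
REVIEW_LOG = [
    "2024-03-07T02:14:00 user=alice action=read resource=finance-share bytes=52000",
    "2024-03-07T09:30:00 user=bob action=read resource=eng-repo bytes=4100",
    "2024-03-07T10:30:00 user=mallory action=read resource=eng-repo bytes=100",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "resource": m["resource"],
        "bytes": int(m["bytes"]),
    }


def build_baseline(lines):
    """Per-user profile: hours of day seen, resources touched, bytes per day."""
    profile = defaultdict(
        lambda: {"hours": set(), "resources": set(), "daily": defaultdict(int)}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        p = profile[ev["user"]]
        p["hours"].add(ev["ts"].hour)
        p["resources"].add(ev["resource"])
        p["daily"][ev["ts"].date()] += ev["bytes"]
    return profile


def _finding(user, kind, evidence, action):
    return {"user": user, "kind": kind, "evidence": evidence, "action": action}


def score_window(baseline, lines, z_threshold=3.0):
    """Compare a review window against the baseline; return findings with actions."""
    findings = []
    window_bytes = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, prof = ev["user"], baseline.get(ev["user"])
        if prof is None:
            findings.append(_finding(user, "unknown-user", line,
                                     "Confirm the account is provisioned; disable if not on record"))
            continue
        if ev["ts"].hour not in prof["hours"]:
            findings.append(_finding(user, "off-hours-activity", line,
                                     "Verify with the user's manager and review the session"))
        if ev["resource"] not in prof["resources"]:
            findings.append(_finding(user, "new-resource-access", line,
                                     "Check for an approved access request covering this resource"))
        window_bytes[user][ev["ts"].date()] += ev["bytes"]
    for user, days in window_bytes.items():
        history = list(baseline[user]["daily"].values())
        mu, sigma = mean(history), pstdev(history)
        # A flat history has sigma == 0; fall back to a simple multiple of the mean.
        limit = mu + z_threshold * sigma if sigma > 0 else mu * z_threshold
        for day, total in days.items():
            if total > limit:
                findings.append(_finding(user, "volume-spike",
                                         f"{day}: {total} bytes vs baseline mean {mu:.0f}",
                                         "Inspect the transfers and hold outbound data pending review"))
    return findings


def run_example():
    return score_window(build_baseline(BASELINE_LOG), REVIEW_LOG)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['user']:8} {f['kind']:20} {f['action']}  <- {f['evidence']}")
```

Running it yields four findings: three for alice (off-hours activity, a resource she has never touched, and a daily volume far above her baseline) and one for the account with no history; bob's event produces nothing. Each finding names what to do next, which is the "action-oriented output" requirement in practice; the baseline and thresholds here are deliberately simple so the mechanics are visible.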
InCyber Detection Approach
The approach taken by InCyber toward reducing insider risk is driven by the three requirements listed above. The InCyber solution is also guided, however, by an understanding that most enterprise teams have already deployed security controls to reduce risk – and this could even include an existing UBA system. As a result, the InCyber solution is designed specifically to complement and integrate with existing enterprise security architectures.
The salient aspects of the InCyber detection approach for evidence of insider activity in the enterprise include the following:
- Augmented UBA Solution – The InCyber solution is designed to augment existing security architectures. It includes open interfaces and data connectors that allow it to be easily inserted into a deployed protection architecture. Such augmentation recognizes that few enterprise teams are starting from scratch in their insider risk program.
- Collection from Trusted Activity Sources – The data sources for InCyber are comparable to a typical SIEM processing environment. That is, evidence is extracted from log and activity files from virtually any application, system, endpoint, and network considered vital to the enterprise. InCyber will either have a connection ready, or will develop one.
- Advanced Heuristic Processing – The processing algorithms used by InCyber are designed to use advanced heuristics to identify common threads, meaningful relationships, and subtle connections in the data. The suite uses machine learning and related methods to perform this vital extraction task.
- External Plus Internal Threat Intelligence – One of the great advantages of the holistic coverage provided by InCyber is that it enables effective combination of both internal and external sources of intelligence. This enables, in theory, connection of legally obtained banking records to validate some conclusion drawn from internal sources.
An important consideration in the use of InCyber is the agentless deployment characteristic of the solution. The platform is designed to collect and ingest the activity and log files already available in the enterprise. This is why InCyber is such an easy tool to integrate into a deployed architecture. It specifically combines, aggregates, and processes data that is already present, and that might contain evidence previously undetected.
One additional point worth emphasizing: While UBA is necessarily focused on detection and response, it can serve as an effective preventive measure by identifying evidence of insider risk before something consequential can materialize. This is an important differentiator for all security analytic solutions, but is especially true for InCyber, given its emphasis on data collection and analysis from such a variety of sources.
For More Information
If you are interested in obtaining more information on the InCyber platform for insider risk reduction, please contact the sales representative in your area. You can also drop us an email at sales@incybersec.com or visit our website at https://www.incybersec.com/.