Can behavioural analytics calm the insider threat pandemic perfect storm?

News by Davey Winder

58% of organisations say their ability to monitor, detect and respond to insider threat is only somewhat effective, not so effective or not at all effective. Only 12% think they are extremely effective.

As if a lack of employee cyber-awareness training and the increasing shift towards cloud application usage weren't enough, new research suggests that the addition of a forced remote-working revolution has created an insider-risk perfect storm.

The Insider Threat Report, commissioned by Cyberhaven and researched by Cybersecurity Insiders, found that 51 percent of organisations lack the right protection to mitigate the insider threat effectively. Digging into the data reveals that 48 percent of those surveyed have lost critical data thanks to operational disruption or outages caused by an insider incident. Customer data is most at risk (61 percent), followed by financial data (54 percent) and intellectual property (53 percent).

This perfect storm of insider risk is attributed to three main factors: a lack of employee awareness, insufficient data protection strategies and, particularly relevant with more people working from home than ever right now, an increase in the number of devices with access to sensitive data. Perhaps most telling, however, is the statistic that reveals 58 percent of organisations say their ability to monitor, detect and respond to this type of threat is only somewhat effective, not so effective or not at all effective. Only 12 percent think they are extremely effective at dealing with insider threat risk.

When it comes to mitigation, beyond the need for ongoing awareness training, the state of play on data behaviour analytics (DaBA) caught my eye. Only 24 percent of organisations were found to be using data behaviour analytics, 22 percent user behaviour analytics, and 38 percent weren't using analytics at all for insider threat detection.

Perfect storm indeed

Of the analytics technologies organisations are considering for future adoption, User Entity Behaviour Analytics (UEBA) and Data Behaviour Analytics (DaBA) are equally tied at 36 percent as the most popular choices. "Organisations understand the importance of analytics in pinpointing insider threats," Volodymyr Kuznetsov, co-founder and CEO of Cyberhaven told SC Media UK, "but not all approaches are created equal."

UEBA tracks patterns in each employee's behaviour to spot anomalous activity, but requires a per-user baseline that takes weeks or months to establish. "Facing blind spots and lacking context, security teams waste valuable time weeding through false positives," Kuznetsov explains, adding "from the moment a DaBA agent is installed, organisations gain full and instant visibility into the movement and behaviour of sensitive data—from the original source to the final destination where it's copied, edited or encrypted." It's this speed, accuracy and transparency that helps companies detect exfiltration, he says.

"With a shift to remote work, any UEBA solution will naturally have challenges given the data centre boundaries will have shifted to include VPNs where most work is now occurring," warns Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre).

In effect, Mackey's point is that unless the UEBA solution is re-tuned to allow for access to sensitive data via VPN, every such access would be flagged as requiring investigation, because the learned baseline knows nothing about the new network path. "When combined with the reality that for many users, any form of end point monitoring placed on a personal device will be problematic, even solutions such as DLP will be challenged," Mackey says.
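To make the re-tuning concrete, here is a small per-user baseline detector in the UEBA style, added as an illustration and not taken from the article or from any vendor's product. Everything in it is constructed: the users, the resources, the office LAN range `192.168.10.0/24`, the VPN pool `10.200.0.0/16` and the access log lines are all assumed. The untuned version keys a user's baseline on the exact source address, so the first week of remote work flags every VPN login; the re-tuned version treats the office LAN and the VPN pool as the same "corp-network" source, so routine work via VPN matches the old baseline and only the two genuinely unusual events remain.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address ranges (constructed for this example).
OFFICE_LAN = ip_network("192.168.10.0/24")  # office client range
VPN_POOL = ip_network("10.200.0.0/16")      # corporate VPN address pool

# Constructed access log lines: "<timestamp> <user> <src_ip> <resource>".
# Baseline period: everyone works from the office.
BASELINE_LOGS = """\
2020-03-02T09:01 alice 192.168.10.21 crm-db
2020-03-02T09:05 bob 192.168.10.33 finance-share
2020-03-03T09:00 alice 192.168.10.21 crm-db
2020-03-03T09:07 bob 192.168.10.33 finance-share
2020-03-04T08:58 alice 192.168.10.21 crm-db
2020-03-04T09:02 bob 192.168.10.33 finance-share
""".splitlines()

# First week of remote work. The last two lines are the only real anomalies:
# alice touches a share she has never used, and bob's account is used from
# an address outside the VPN pool.
REMOTE_LOGS = """\
2020-03-23T09:10 alice 10.200.4.17 crm-db
2020-03-23T09:12 bob 10.200.7.90 finance-share
2020-03-24T09:03 alice 10.200.4.17 crm-db
2020-03-24T09:15 bob 10.200.7.90 finance-share
2020-03-24T22:41 alice 10.200.4.17 hr-share
2020-03-25T09:04 bob 203.0.113.45 finance-share
""".splitlines()


def parse(line):
    """Split one constructed log line into its fields."""
    ts, user, ip, resource = line.split()
    return {"ts": ts, "user": user, "ip": ip_address(ip), "resource": resource}


def source_exact(event):
    """Untuned source key: the literal client address."""
    return str(event["ip"])


def source_tuned(event):
    """Re-tuned source key: office LAN and VPN pool are one corporate source."""
    if event["ip"] in OFFICE_LAN or event["ip"] in VPN_POOL:
        return "corp-network"
    return str(event["ip"])


def build_baseline(lines, source_key):
    """Per-user set of (source, resource) pairs seen during the baseline period."""
    baseline = defaultdict(set)
    for ev in map(parse, lines):
        baseline[ev["user"]].add((source_key(ev), ev["resource"]))
    return baseline


def detect(lines, baseline, source_key):
    """Flag every event whose (source, resource) pair is new for that user."""
    alerts = []
    for ev in map(parse, lines):
        key = (source_key(ev), ev["resource"])
        if key not in baseline.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], str(ev["ip"]), ev["resource"]))
    return alerts


def compare():
    """Run both configurations over the remote week; returns (untuned, tuned) alerts."""
    untuned = detect(REMOTE_LOGS, build_baseline(BASELINE_LOGS, source_exact), source_exact)
    tuned = detect(REMOTE_LOGS, build_baseline(BASELINE_LOGS, source_tuned), source_tuned)
    return untuned, tuned


if __name__ == "__main__":
    untuned, tuned = compare()
    print(f"untuned baseline: {len(untuned)} of {len(REMOTE_LOGS)} remote-week events flagged")
    print(f"re-tuned baseline: {len(tuned)} flagged")
    for alert in tuned:
        print("  ", *alert)
```

With the exact-address baseline all six remote-week events are flagged, which is the alert flood Mackey warns about. After re-tuning, the detector still raises alice's first-ever access to `hr-share` and bob's login from outside the VPN pool, which are the two events an analyst would actually want to see.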

Shareth Ben, senior solutions architect at Securonix, agrees that organisations are seeing a surge in VPN and outbound email activity, which in turn is flooding dashboards with alerts and exacerbating the already prevalent problem of alert fatigue. "In this case," Ben told SC Media UK, "the SecOps teams who are behind on the maturity curve will struggle to keep up with the uptick in alerts, whereas a more mature team will be able to handle the surge better using the proven tools and processes they have built over time."

Ben also says that several of his customers have stated that UEBA is essential, not a luxury, for tackling this seismic shift in the workforce engagement landscape. "To detect the needles in the haystack, you need to be able to look for anomalies," he says. "UEBA technologies are best positioned to generate the anomalies and then stitch them together for representing a holistic threat to save time, which is very short for most SecOps teams."

It's this alert fatigue, combined with resource and staffing constraints, that is holding back those organisations yet to leverage analytics according to Volodymyr Kuznetsov. "In just a few short weeks," he says, "the entire way we work was upended. Attempting to understand what’s normal with UEBA no longer makes sense. There’s a need for speed like never before."

Sam Curry, chief security officer at Cybereason, says the entire history of security for the last 15 years has been about how to be fast in collection and smart in application. In other words, how do you keep up with hundreds of thousands of alerts a second and still find the needle in the haystack? "The single biggest tip for organisations [mitigating the insider threat] is to align with the business and set the expectation for being a machine that stops attacks more and more effectively and efficiently," Curry concludes. "If an analytic like UEBA or DaBA helps with that, hire it. If not, fire it."

And don't forget that user monitoring of any kind will not work in isolation. "Organisations need to be clear on which outcomes they are seeking," Javvad Malik, security awareness advocate at KnowBe4, says, "and how they will use user monitoring technologies to support those outcomes." Before deploying any technology to combat insider threat, Malik recommends two things every organisation should do:

1. Understand what insider threats are and their different types. For example, a disgruntled employee stealing data is different from a user forgetting their password and locking out their account, which is different again from shadow IT. But all of them fall under the broad category of insider threats.

2. Use their own data and external data (threat intel, etc.) to determine which of the insider threats are the most important to focus on, and then deploy technologies and processes to combat those.
