Insider threats are often defined to include external attacks (i.e. phishing) compromising credentials for access to desired resources and data. While true insider only incidents account for less than 10%, adding in external attacks increases the incident percentage beyond 60% with some claims as high as 80%. For the narrow or wide definition of insider threats, both are seeking privileged access credentials to databases and files of sensitive company information, customer data, personal information, and access credentials.
This makes identity a security perimeter where Identity Access Management (IAM) is often owned by CIOs with the desire to enable access for business enablement, yet the risk resides with CISOs and VPs of Security. Inside IAM is a pandora’s box of issues where users accumulate access privileges moving from project to project, access clean up is rarely done, weak passwords and account sharing proliferate, dormant accounts are left open, plus former employees often have residual access to confidential data, even more so for cloud apps and data. The description profiles a soft target for cybercrime and nation states.
The recent ‘2018 Insider Threat Report’ notes DLP, encryption of data and IAM as leading deterrences against insider threats. The report also notes leading detection defenses of IDS/IPS, log management, and SIEMs. Interesting as excessive alert noise mainly comes from DLP and IDS/IPS solutions – overwhelming security operations with alert fatigue and dead ends while logging and SIEMs have yet to prove themselves for threat detection after more than a decade. Plus, more than 50% of privilege entitlements are unknown in IAM or AD, as the practice of account level groups to define privileged access is failing. Also, who cleans up AD on a regular basis, the reality is AD is more like a salvage yard.
As data moves to the cloud with SaaS apps plus custom apps leveraging cloud computing elasticity and agile development, private data centers are closing in favor of a cloud first strategy. Visibility is also changing as networks may have 70-80% of traffic TLS encrypted and less and less organizations are inspecting TLS encrypted traffic. Plus, with certificate pinning and mobile apps with certificate chains, many TLS tunnels cannot be inspected. This shifts visibility to endpoints operating in a multitude of environments beyond office or campus networks.
So, cybercrime and nation states play against human weaknesses with phishing and social engineering attacks to compromise endpoints as initial footholds into environments desired. True insiders also seek privileged access credentials or leverage what they have accumulated over various projects. Research shows employees are most likely to commit data theft in a 30-day window before exiting to a new job opportunity. On a more extreme perspective are employee background checks showing a correlation to debt, drugs, DUI, divorce and other characteristics to the probability of insider threats. While most companies are not this extreme, many are monitoring user behavior with machine learning for anomaly detection.
Endpoints have become a critical battlefield for visibility and detection of insider threats, plus gaining access to cloud-based data and apps. Knowing access credentials are desired, provisioning fake accounts in AD with activity to deception decoys both within cloud and on-premises provides the opportunity to detect insider threats. Compromised insiders enable external intruders to enumerate AD to map accounts and activities defining the path to desired resources and data. Deception alerts from AD breadcrumbs and decoys have very high fidelity and require immediate response. Having endpoint detection and response (EDR) capabilities provides the required visibility, real-time and retrospective analysis, and scripted responses. As a rule, detection should be implemented before deception as they work together.
The top recommended detection defense from analysts is the combination of EDR with network traffic analysis (NTA). At Fidelis we have integrated Fidelis Deception with Fidelis Endpoint and Fidelis Network to provide this recommended detection defense.