This guest blog was contributed by Sanjay Raja, Gurucul.
The new reality of economic uncertainty, a shifting security perimeter that includes remote and hybrid employees, and expanded use of the cloud and SaaS apps have driven insider threats to new heights. The recent 2023 Insider Threat Report from Cybersecurity Insiders found that insider attacks have become more frequent and that most security professionals feel their organizations are vulnerable to them. Poor visibility into the cloud and uncertainty around a potential return to the office or permanent hybrid work were particular areas of concern. Here’s a deep dive into these results, what they mean for enterprise security teams, and how they can defend against these threats.
This report was based on a survey of hundreds of cybersecurity professionals from Cybersecurity Insiders’ 600,000-member online community. Gurucul sponsored the research but was not involved in its creation. It covers the latest trends and challenges involved with risky insiders and how organizations are preparing to better protect their critical data and IT infrastructure.
A High Priority for Security Teams
A minuscule three percent of respondents to this survey are not concerned about insider threats; overall it’s very much on the minds of IT and security professionals. About three-quarters of organizations reported that insider attacks were more frequent in 2022 and that they are vulnerable to these threats. These are damaging attacks that can result in loss of critical data, brand and reputation damage from a successful breach, disruption to normal operations, and all the legal and financial penalties that come along with it. While the reported vulnerability level is sobering, it’s encouraging to see that security teams largely understand the risk here and are taking it very seriously.
What are These Attacks and Where Do They Come From?
Because trusted insiders hold legitimately granted access privileges, it is challenging for defenders to distinguish normal use of that access from misuse: the login succeeds, the permission check passes, and only the behavior around it is unusual. Nearly half of respondents in this survey reported that internal attacks were more difficult to detect and prevent than external attacks.
The term “insider threat” covers a wide range of situations. Like most external attacks, these are primarily motivated by monetary gain, but they may also be intended to damage a brand’s reputation, steal IP, commit fraud, or intentionally sabotage some piece of infrastructure. An insider attack can be malicious, where an employee acts with the intent to harm their employer, but it can also be an employee ignoring a security policy with no malicious intent. Employees can also violate policies by accident (perhaps by accessing company files from a personal device at home without realizing it isn’t allowed), or accounts or machines can be taken over by an external attacker without the legitimate user ever knowing. This last case is of greatest concern to cybersecurity professionals. The report also found that accounts belonging to privileged IT users and to third-party contractors, vendors or temporary workers are a higher priority for the security team than those of regular employees.
Limited Visibility into Cloud Insiders
53% of respondents said that detecting insider attacks is harder in the cloud, perhaps because of the increased attack surface and the difficulty of getting network and user activity data out of cloud providers. A strong majority also said that unified visibility and control across all apps, devices, on-prem resources and infrastructure is important to their ability to detect and prevent attacks. But just 45% consider native cloud app functionality to be moderately or very helpful in detecting insider threats. These native tools help, but overall it seems that security teams still lack a high-quality solution for preventing insider threats in the cloud. While I think the vendor ecosystem and defenders’ cloud knowledge are improving steadily, these results suggest that this is an area where defenders still lag behind attackers.
Detection and Prevention Options
Stopping insider threats means detecting suspicious behaviors that indicate accounts have been compromised, privileged accounts are being misused, or data exfiltration is taking place. Unusual remote logins are another common indicator of an insider threat. From experience, I can tell you that doing this effectively (and not getting buried in alerts that turn out to be false positives) requires monitoring many types of data (security events, IAM data, account resets, and configuration changes just to name a few). It requires building baselines of normal user behavior and assessing the risk level of those behaviors. Unusual, risky activity is most likely to indicate a true insider threat.
The report found that organizations’ defensive efforts vary widely. Some use multiple types of analytics to assess insider threats including User and Entity Behavior Analytics (UEBA), predictive analytics, and behavioral analytics, but some do not use analytics at all. Most monitor user behavior to some degree, but again this varies from automated 24x7 monitoring to selective monitoring in suspicious situations or after an incident. It’s encouraging to see some organizations building robust insider risk programs, but others are not putting much effort into defense despite a high level of concern.
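The two paragraphs above describe the mechanics in prose: collect several kinds of data per account, learn a per-user baseline of normal behavior, then score deviations so that only unusual, risky activity surfaces as an alert. The following is an added example of that UEBA-style loop in Python; it is illustrative code written for this post, not Gurucul's product or the method used in the report. All events are constructed inline, the risk weights and the 50-point alert threshold are arbitrary assumptions, and the "privileged accounts count double" rule is one way to encode the report's finding that privileged and third-party accounts are a higher priority than regular users.

```python
"""Added example: toy UEBA-style baselining and risk scoring over
constructed login/transfer events. Not the report's or Gurucul's code."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One authenticated session, joined from auth logs and IAM data."""
    user: str
    hour: int          # local hour of day the session started (0-23)
    country: str       # geolocated source country of the login
    bytes_out: int     # bytes the session sent out of the environment
    privileged: bool   # IAM says the account holds elevated rights
    remote: bool       # login came from outside the corporate network


def _normal_week(user, privileged, remote_days=()):
    """Constructed sample: five weekdays of office-hours activity from the US."""
    return [
        Event(user, hour, "US", 4_000_000 + 100_000 * ((day + hour) % 5),
              privileged, day in remote_days)
        for day in range(5) for hour in (9, 11, 14, 16)
    ]


# Training window used to learn what "normal" looks like for each account.
BASELINE_EVENTS = (_normal_week("alice", privileged=False, remote_days=(2,))
                   + _normal_week("bob", privileged=True))


def build_baselines(events):
    """Per account: hours and countries seen, whether remote logins are
    routine, and mean/std-dev of outbound volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        vols = [e.bytes_out for e in evs]
        baselines[user] = {
            "hours": {e.hour for e in evs},
            "countries": {e.country for e in evs},
            "remote_seen": any(e.remote for e in evs),
            "vol_mean": mean(vols),
            "vol_std": pstdev(vols) or 1.0,   # avoid divide-by-zero
        }
    return baselines


def score_event(event, baselines):
    """Return (risk 0-100, reasons). Each deviation from the account's own
    baseline adds risk (weights are assumptions); privileged accounts are
    doubled, reflecting the report's higher priority for those accounts."""
    b = baselines.get(event.user)
    if b is None:
        return 80, ["no behavioral baseline for this account"]
    score, reasons = 0, []
    if event.hour not in b["hours"]:
        score += 20
        reasons.append(f"login at unusual hour {event.hour:02d}:00")
    if event.country not in b["countries"]:
        score += 30
        reasons.append(f"login from never-seen country {event.country}")
    if event.remote and not b["remote_seen"]:
        score += 15
        reasons.append("first remote login for this account")
    z = (event.bytes_out - b["vol_mean"]) / b["vol_std"]
    if z > 3:
        score += 40
        reasons.append(f"outbound volume {z:.1f} std devs above baseline")
    if event.privileged:
        score *= 2
    return min(score, 100), reasons


def detect(events, baselines, threshold=50):
    """Run the scorer over new events and keep only those worth an analyst's
    time; single low-weight deviations stay below the threshold."""
    hits = []
    for e in events:
        score, reasons = score_event(e, baselines)
        if score >= threshold:
            hits.append((e, score, reasons))
    return hits


# Constructed events for the next day, not drawn from any real dataset.
NEW_EVENTS = [
    Event("alice", 11, "US", 4_300_000, False, False),   # routine
    Event("bob", 14, "US", 4_100_000, True, True),       # first remote login only
    Event("alice", 3, "RO", 10_000_000, False, True),    # 3 a.m., new country, bulk egress
    Event("mallory", 10, "US", 1_000, False, False),     # account with no baseline
]

if __name__ == "__main__":
    for event, score, reasons in detect(NEW_EVENTS, build_baselines(BASELINE_EVENTS)):
        print(f"{score:3d} {event.user:8s} {'; '.join(reasons)}")
```

Run as a script it prints two alerts: alice's 3 a.m. login from a new country with a large outbound transfer (score 90, three stacked reasons) and mallory, an account with no baseline at all (score 80). Bob's first remote login scores 30 even after the privileged doubling, so it is recorded but does not page anyone; this is the point of stacking several weak signals rather than alerting on any single deviation. In a real deployment the baseline would be rebuilt on a rolling window, and the features would come from the sources named above (authentication logs, IAM group membership, password resets, configuration changes, DLP or proxy byte counts) rather than from a hand-built list.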
I hope that this information will help convince some teams that may have been deprioritizing or delaying their insider threat defenses to give this important risk the attention it deserves.