Author: Mayank Choudhary, SVP Strategy at ObserveIT
Insider Threats are more common today than ever before, and whether they are intentional or accidental, they often require investigation. Yet, according to this year’s Verizon Data Breach Investigations Report, 56 percent of breaches take months or longer to discover. Unfortunately, the longer an insider threat goes undetected, the more expensive it gets.
Because employees and third-party contractors are routinely given access to critical systems, files, and data simply to do their jobs, Insider Threat incidents tend to go unnoticed for far too long. Investigations therefore do not start when they should and, once they do, take a long time to complete because the necessary information is hard to find and correlate.
One basic reason incidents go undetected is that they are often the result of employees simply misusing, copying, or downloading data without malicious intent, so nothing about the activity looks like an attack.
Insider Threats are not always intentional – indeed, according to the Ponemon Institute, two out of three incidents are caused by employee or contractor negligence. Another key reason that they go undiscovered is that companies do not have the right type of monitoring and alerting systems in place, nor the ability to examine incidents to work out the cause of the breach and the motivation behind it.
Most organizations focus on managing cybersecurity risk from the outside, building layered defenses against viruses, malware and ransomware. But according to Forrester's May 2019 report, Best Practices: Mitigating Insider Threats, 53% of data breaches originate with insiders, whether an employee, a third-party vendor or a contractor.
With the cost of an average Insider Threat incident totaling about $8 million, according to the Ponemon Institute, it’s key to know what your digital forensics capabilities look like in order to mitigate the potential risks that Insider Threats pose to your business.
With the means and resources in place to investigate thoroughly and establish the full context behind every incident as it happens, a company can respond properly and make sure it does not happen again. Equally, by proactively monitoring activity around data, which can be done without compromising privacy, companies can detect changes in behavior or suspicious patterns that indicate a breach in motion.
Many organizations today track only data movement, which gives a partial picture of a potential data exfiltration event. Since people are the ones moving the data, adding user activity monitoring to support digital forensics helps security leaders discover and report insider breaches much faster.
Start with planning
As with all data security efforts, the key to managing and dealing with an Insider Threat is to plan ahead. It’s essential to know what the procedures will look like long before an actual incident takes place. How you will handle digital forensic activities in the event of an Insider Threat incident should be laid out clearly in any data breach incident response plan.
While digital forensics teams are often brought in after the fact, you should know in advance who that team is and have a budget in place for their work. Given that many businesses lack sufficient in-house capability or will need to outsource some of the work, it is worth exploring technological alternatives.
There are tools on the market that provide digital forensics capabilities, enabling companies to analyze the data sources across their network and, if required, produce the necessary evidence should the incident be prosecuted, which means the evidence, and the record of how it was collected and handled, must stand up to scrutiny in court.
It’s worthwhile noting here that, in the event of a confirmed incident, legal and compliance teams will often dictate the timing and the amount of information disclosed to regulators, customers, and the general public.
Whatever that window of time is, one thing holds in the majority of cases: organizations need to identify and report data breaches quickly and establish the cause, so that they can act immediately to repair the damage and ensure it does not happen again.
Not only is swift action the right thing to do from a data privacy perspective, we also know that it can help minimize the damage – both financial and reputational — resulting from a breach. As such, if an Insider Threat-related incident takes place, all companies must be readily equipped with the ability to conduct a thorough investigation to understand what happened, how, why, and who was behind it.
Given that high-profile Insider Threat incidents show no sign of slowing down, and that GDPR and other regulations impose disclosure requirements, your company needs to be able to establish whether a breach was accidental or deliberate.
Indeed, investigations are often used to collect data to support legal proceedings; without being able to show the reasoning behind a breach, a company's case may not be as strong as it should be.
Getting the right tools in place
In the early days of a potential incident, there’s always a possibility that an organization could be caught off-guard and notified by an employee or the media. Ideally, systems would already be in place to proactively detect and alert security teams to potential Insider Threat incidents before they become public knowledge.
When it comes to getting the facts of an incident in order, up until recently, Insider Threat investigations relied on using a patchwork of existing security tools to deliver this forensic information.
Unfortunately, relying on traditional security tools such as SIEMs or DLP systems means gathering context and evidence can turn into a wild goose chase. These tools are designed to detect events and raise alerts, not to establish the intent or context behind an incident, so analysts end up sifting through endless logs to find the root cause after an alert fires.
While an alert usually tells you something suspicious has happened, it does not tell the whole story. Worse, the relevant information may be spread across several security tools, each generating hundreds of log entries over the course of a day.
Moreover, once you have dug up the appropriate logs in traditional security tools, you still need to find out why the user was engaged in the suspicious activity. Perhaps they made a simple mistake. Or maybe they are a disgruntled employee headed for the exit and exfiltrating as much sensitive data as they can. Either way, log files provide little context on Insider Threat motives, leaving security analysts to do a lot of reading between the lines.
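The following script is an added example, not ObserveIT's product or code from the original article. It shows the difference between the data-movement-only view described above and a view enriched with user activity: each DLP alert is correlated with the same user's activity on the same host in the 30 minutes leading up to it, producing a timeline and a list of triage indicators. All log lines are constructed, and the field names, the sensitive share path, the archiver list and the 30-minute window are assumptions for illustration.

```python
"""Correlate DLP data-movement alerts with user-activity events on the same host.

Added example (not ObserveIT code, not from the original article). All log
lines are constructed; field names, the sensitive-share path and the
30-minute look-back window are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed DLP alerts: the "data movement" view many organizations stop at.
DLP_ALERTS = [
    "2019-06-03T17:42:10Z dlp user=jdoe host=WS-0412 action=copy_to_removable file=Q2_forecast.xlsx",
    "2019-06-03T09:15:02Z dlp user=asmith host=WS-0207 action=upload_cloud file=team_photo.jpg",
]

# Constructed user-activity events: what each person did around the alert.
USER_ACTIVITY = [
    "2019-06-03T08:58:40Z uam user=asmith host=WS-0207 event=logon",
    "2019-06-03T09:14:50Z uam user=asmith host=WS-0207 event=process_start name=chrome.exe",
    "2019-06-03T16:55:00Z uam user=jdoe host=WS-0412 event=logon",
    r"2019-06-03T17:25:11Z uam user=jdoe host=WS-0412 event=file_read path=\\fs01\finance\Q2_forecast.xlsx",
    r"2019-06-03T17:26:03Z uam user=jdoe host=WS-0412 event=file_read path=\\fs01\finance\board_deck.pptx",
    "2019-06-03T17:30:02Z uam user=jdoe host=WS-0412 event=process_start name=7z.exe",
    "2019-06-03T17:41:30Z uam user=jdoe host=WS-0412 event=usb_insert",
    "2019-06-03T17:50:12Z uam user=jdoe host=WS-0412 event=logoff",
]

SENSITIVE_SHARE = r"\\fs01\finance"                 # assumption: where regulated data lives
ARCHIVERS = {"7z.exe", "winrar.exe", "zip.exe"}     # assumption: typical staging tools


def parse_event(line):
    """Turn 'TIMESTAMP SOURCE k=v k=v ...' into a dict with a UTC datetime."""
    ts, source, *fields = line.split()
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": source,
    }
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def precursor_indicators(alert, context):
    """Name the lead-up activity an analyst would want to see.

    These are triage indicators for prioritising an investigation; they do
    not by themselves establish intent, which still needs human review.
    """
    reasons = []
    sensitive_reads = [
        e for e in context
        if e.get("event") == "file_read" and e.get("path", "").startswith(SENSITIVE_SHARE)
    ]
    if sensitive_reads:
        reasons.append(f"read {len(sensitive_reads)} file(s) from {SENSITIVE_SHARE}")
    if any(e.get("event") == "process_start" and e.get("name", "").lower() in ARCHIVERS
           for e in context):
        reasons.append("launched an archiving tool")
    if any(e.get("event") == "usb_insert" for e in context):
        reasons.append("inserted removable media")
    read_names = {e["path"].rsplit("\\", 1)[-1] for e in sensitive_reads}
    if alert.get("file") in read_names:
        reasons.append("moved file matches one just read from the sensitive share")
    return reasons


def correlate(alert_lines, activity_lines, window_minutes=30):
    """Attach each alert's lead-up activity (same user, same host) to it."""
    activity = [parse_event(line) for line in activity_lines]
    results = []
    for raw in alert_lines:
        alert = parse_event(raw)
        start = alert["ts"] - timedelta(minutes=window_minutes)
        context = sorted(
            (e for e in activity
             if e.get("user") == alert.get("user")
             and e.get("host") == alert.get("host")
             and start <= e["ts"] <= alert["ts"]),
            key=lambda e: e["ts"],
        )
        results.append({"alert": alert, "context": context,
                        "indicators": precursor_indicators(alert, context)})
    return results


def timeline(result):
    """Render one correlated alert as a human-readable timeline."""
    lines = [f"{e['ts']:%H:%M:%S} {e.get('event')} "
             f"{e.get('path') or e.get('name') or ''}".rstrip() for e in result["context"]]
    a = result["alert"]
    lines.append(f"{a['ts']:%H:%M:%S} DLP {a['action']} {a['file']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in correlate(DLP_ALERTS, USER_ACTIVITY):
        print(f"== {r['alert']['user']} on {r['alert']['host']} ==")
        print(timeline(r))
        print("indicators:", r["indicators"] or "none in window")
        print()
```

Run stand-alone, the script prints two timelines. The DLP alert alone says the same thing about both users: a file left the machine. With the activity joined in, one alert is preceded by reads from a finance share, an archiver launch and a USB insertion, while the other shows only a logon and a browser start. That difference is what lets an analyst prioritise the first for a full investigation, but the indicators are a triage aid only; deciding whether the copy was a mistake or deliberate exfiltration still requires the human review the article describes.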
It does not have to be this way. Investing in technology that delivers full visibility into user and data activity, coupled with dedicated insider threat investigation capabilities, is the way forward.
Organizations can no longer afford to leave their treasure troves of data exposed. They must learn to stop the most common data exfiltration threats, implement the right policies and training to curb accidental threats, and adopt a dedicated insider threat management solution to gain the appropriate level of context on a potential incident.
In doing so, security teams will not only be able to quickly understand the who, what, when, and where of a data breach, but also the why. Ultimately, it’s this critical intelligence that will safeguard an organization’s most valuable assets and people, now and in the future.