(Updated on 02/17/2021)
Cybersecurity is going through a massive transformation. The majority of cybersecurity spend is driven by the fear of external threats stealing organizations’ most valuable assets. However, according to McKinsey, 50% of the data breaches in 2017 were caused by insiders. In its report, Gartner notes “the trend in buyer interest in insider threats with buyer inquiries for insider threats in 2019 on pace to double the inquiries on the topic since 2018.” In the same report, Proofpoint is recognized as a “Vendor to Watch.”
Insider threat risks will continue to grow as the workforce diversifies to include contractors, third-party vendors, remote workers, and part-time employees. This trend, along with the new normal of nations engaging in cyber warfare to gain a competitive advantage, is resulting in more organizations than ever before focusing on and building insider threat programs.
Siloed Technologies Fall Short with Insider Threats
The field of technologies traditionally used to combat insider security threats is relatively siloed, and includes:
- User and Entity Behavior Analytics (UEBA), which focuses on detecting threats by analyzing massive amounts of “log” information
- Data Loss Prevention (DLP), which approaches the problem from a “data” perspective by classifying content and defining preventative controls based on content inspection
- User Activity Monitoring (UAM), which focuses only on analyzing “user activity” to identify threats.
CISOs guided by the “defense in depth” mindset have deployed these layered but siloed security solutions, each solving a piece of the overall puzzle. As a result, security analysts face too many alerts and not enough context to determine who did what from beginning to end. Security teams struggle to know the whole story. The user is the most important piece of this puzzle, and it is the piece most often lost in vendors’ technology-centric view.
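As an added illustration of the context gap described above (this is example code written for this page, not code from the original post or from Proofpoint): a small script that takes constructed records from the three silos, each with its own field names and timestamp format, normalizes them onto one per-user timeline, and flags only the user whose UEBA anomaly, UAM file copy and DLP hit line up within a single window. All users, hosts, timestamps and field names are invented; real products will need their own field mappings.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real product output). Each silo reports the
# same people differently: ISO time vs. space-separated vs. epoch, bare user
# vs. DOMAIN\user. Taken alone, every record below is a routine alert.
UEBA_ALERTS = [
    {"timestamp": "2021-02-16T22:05:00", "subject": "jdoe", "score": 87,
     "reason": "login outside baseline hours"},
    {"timestamp": "2021-02-16T09:10:00", "subject": "asmith", "score": 40,
     "reason": "new device"},
]
DLP_INCIDENTS = [
    {"time": "2021-02-16 22:31:14", "user": "CORP\\jdoe", "policy": "PCI",
     "channel": "usb", "file": "cardholder_export.csv"},
    {"time": "2021-02-16 14:02:00", "user": "CORP\\asmith", "policy": "PII",
     "channel": "email", "file": "payroll_q1.xlsx"},
]
UAM_SESSIONS = [
    {"ts": 1613513520, "account": "jdoe", "app": "explorer.exe",
     "action": "copy", "detail": "\\\\fileserver\\finance -> E:\\"},
    {"ts": 1613512800, "account": "jdoe", "app": "winword.exe",
     "action": "open", "detail": "resignation_letter.docx"},
    {"ts": 1613476800, "account": "asmith", "app": "outlook.exe",
     "action": "send", "detail": "payroll_q1.xlsx to hr@partner.example"},
]


@dataclass(order=True)
class Event:
    """Common schema every silo is mapped onto; sorting gives the timeline."""
    when: datetime
    user: str
    source: str
    summary: str


def normalize_user(raw: str) -> str:
    # Strip a DOMAIN\ prefix so "CORP\jdoe" and "jdoe" join the same timeline.
    return raw.split("\\")[-1].lower()


def load_events() -> list:
    """Map the three feeds onto Event objects with UTC-aware timestamps."""
    events = []
    for a in UEBA_ALERTS:
        when = datetime.fromisoformat(a["timestamp"]).replace(tzinfo=timezone.utc)
        events.append(Event(when, normalize_user(a["subject"]), "ueba",
                            f"anomaly score {a['score']}: {a['reason']}"))
    for d in DLP_INCIDENTS:
        when = datetime.strptime(d["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(Event(when, normalize_user(d["user"]), "dlp",
                            f"{d['policy']} content via {d['channel']}: {d['file']}"))
    for s in UAM_SESSIONS:
        when = datetime.fromtimestamp(s["ts"], tz=timezone.utc)
        events.append(Event(when, normalize_user(s["account"]), "uam",
                            f"{s['app']} {s['action']} {s['detail']}"))
    return sorted(events)


def timelines(events: list) -> dict:
    """Group the merged, time-ordered events per user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return dict(by_user)


def find_sequences(by_user: dict, window: timedelta = timedelta(minutes=45)) -> list:
    """Flag a user when, within `window` of a UEBA anomaly, UAM shows activity
    and a DLP alert follows that activity. No single tool sees this ordering;
    it is the 'beginning to end' story the analyst otherwise reconstructs by hand."""
    hits = []
    for user, evs in by_user.items():
        for i, anchor in enumerate(evs):
            if anchor.source != "ueba":
                continue
            uam_seen = False
            for later in evs[i + 1:]:
                if later.when - anchor.when > window:
                    break
                if later.source == "uam":
                    uam_seen = True
                elif later.source == "dlp" and uam_seen:
                    hits.append((user, anchor.when))
                    break
            if hits and hits[-1][0] == user:
                break  # one hit per user is enough for triage
    return hits


def narrate(evs: list) -> list:
    """Render one user's timeline as analyst-readable lines."""
    return [f"{e.when:%H:%M:%S} [{e.source}] {e.summary}" for e in evs]


if __name__ == "__main__":
    tl = timelines(load_events())
    for user, when in find_sequences(tl):
        print(f"== {user}: correlated sequence starting {when:%Y-%m-%d %H:%M}Z")
        print("\n".join(narrate(tl[user])))
```

With the default 45-minute window only jdoe is flagged; asmith has the same three alert types spread over five hours and is not. Widening the window to six hours flags both, which is the tuning trade-off an insider threat program has to make explicitly rather than leaving it to each tool's own threshold.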
Instead, insider threats should be treated as a holistic problem that not only brings the user to the forefront of the discussion, but also requires a thoughtful, well-orchestrated, multidisciplinary approach that brings functions such as HR, legal, physical security, compliance and cybersecurity together.
Gartner Report Highlights Industry Shift for Insider Threats
In “Market Trends: UEBA Providers Must Embrace Specialization,” Eric Ahlm from Gartner highlights the shift that is happening in the industry. According to this report:
- Commercial Buyers Are Setting Up Formalized Insider Threat Detection Programs: “Formalizing an insider threat program is growing in interest for buyers and will involve both security and non-security stakeholders.” “Accept all stakeholders involved in an insider threat program, such as security, HR and legal teams, so that the solution value appeals to all involved.”
- Insider Threat Solutions May Appeal to Buyers of DLP: “An insider threat solution can also appeal to DLP buyers. DLP buyers aren’t seeking to formalize an insider threat program; however, they might find those solutions greatly enhance their DLP programs. Specifically, the ability of an insider threat solution to relate human behaviors to data exfiltration is the key value.”
- Agent-Based User Monitoring Gathers Richer, More Usable Data: “Getting information that leads to deeper analysis such as motive and intent often means moving the detection mechanism itself closer to the user.” “Gather and successfully use more data for creating in-depth profiles about user behavior, which is more important than the analytics method used to review that data.”
With the rise in insider threats, it’s time for organizations to become more vigilant about their trusted insiders. While not all insiders are malicious (according to insider threat statistics from Ponemon, two out of three insider threats are caused by user negligence), a dedicated insider threat program can help organizations detect and prevent incidents. The industry has advanced to help organizations tackle insider threats comprehensively, bringing people, process, and technology together. Resources such as NIST SP 800-53 Rev. 4 (which added the Insider Threat Program control, PM-12) and the CERT insider threat guidance include detailed requirements for insider threat programs.