Insider Threat Management

Observations on the “State of Insider Threats”


Guest Blogger: Dave DeWalt, NightDragon Security

When people think of the history of cybersecurity threats, they normally think of external threats, ranging from state-sponsored hacks to spyware to malware to ransomware and the ever-present hacker community.

The story of the insider threats, on the other hand, has long been neglected, but that is rapidly changing as a result of the ever-increasing frequency and coverage of insider threat incidents and the realisation that these insider threat incidents are occurring across all industries and sectors. (And not all are of malicious intent!)

In fact, thanks to a recent independent study performed by The Ponemon Institute, we know that more than half (64%) of all insider threat incidents are caused by negligent users, for an average cost of $3 million per year for just one organisation.

Where We’re At

Over the past few years, cybersecurity teams have become increasingly familiar with the concept that not all threats to their data and systems come from outside their organisation’s walls. All it takes is a malicious or neglectful insider, such as an employee or third-party contractor, to use their access to organisational systems and vital intellectual property in the wrong way and their company could be out millions of dollars or become front page news.

It is the simplicity and ease of access that make insider threats challenging for security teams. No organisation wants to expose themselves to costly threats, particularly when said threats could be avoided. Organisations need to have visibility into what their users are doing and the ability to act upon detected threats before they become major incidents or breaches.

3 Reasons for the Shift in Focus

Like any cybersecurity challenge, the reasoning behind the shift to focusing on insider threats is multifaceted. Here are three of the main reasons I believe we’re seeing this shift:

The Race to a Zero Trust World

How well do you know your people? If recent insider threat incidents and breaches in the financial, healthcare, classified government, and other sectors are any indication, it is very common to misunderstand the intentions of your users. Add to this the decrease in average employee tenure at companies and the fact that 40 percent of all workers are expected to be contractors or project workers by 2020, and it becomes very difficult to trust everyone on your network.

The influx in employees who are new to an organisation, and the challenge to understand what they are doing, is leading to an overall erosion of trust in the people who have privileged access to vital systems and data. The challenge is that the more barriers placed between your users and their work, the more workarounds they will find, increasing the likelihood of an incident. Security teams are looking for new ways to obtain visibility into user activity in a world where it is becoming more difficult to trust everyone within their organisation.

Limited Trust in PAM and MFA Solutions

Multifactor authentication (MFA) is a big-ticket item these days, with most digital services utilising it to protect valuable systems and data. But how secure are the vendors' tools themselves?

MFA tools require additional devices (such as a USB key or smartphone) for accessing data and systems, but they don’t typically track or collect information about their own use. This is a problem if the person holding the device is using it illegitimately, without proper authentication or authorisation.

Because of this limited trust in MFA, organisations also need visibility into how proprietary data is being accessed, and limits on who can access it.

The challenge with privileged access management (PAM) solutions is that, as their name states, they typically cover only privileged users. In today’s world, in which more people have access to more information in differing ways, organisations need visibility and insider threat detection capabilities for all employees and contractors. Security teams simply can’t assume that access to systems or data isn’t being shared without prior knowledge or authorisation, or that a workaround hasn’t been discovered.

Increased Espionage

There have been a number of international state-sponsored insider threat incidents breaching data and systems in a variety of places recently. The motives of these individuals vary: financial greed, anger or revenge, ideology, or outright patriotism.

How might a government agency or private contractor safeguard national secrets from prying eyes? How might they distinguish a true insider threat from regular activity? (Hint: with insider threat management tools.)

The Cost of Insider Threats

Earlier this year, Larry Ponemon of The Ponemon Institute conducted a study on the “True Cost of Insider Threats.” The findings were truly astonishing.

After more than 700 conversations with IT and IT security practitioners at nearly 160 organisations, The Ponemon Institute report determined that the average cost of an insider threat incident for one organisation over a twelve-month period was $8.76 million.

The report has been a wakeup call for a lot of folks.

They had long heard about the potential for insider threats, but it was always on the outskirts of the greater cybersecurity conversation. It never felt tangible or real, unless an insider-caused incident had occurred at their organisation.

Now the stakes are real. Visibility into user activity to detect, investigate, and prevent insider threats is a necessity.

The Road Ahead

By now, you’ve no doubt heard that Proofpoint has closed a $33 million round of Series B funding with participation from my company, NightDragon Security. This is a big deal, because it solidifies the need for a premier insider threat management solution in the cybersecurity marketplace. But what does it mean for Proofpoint’s holistic approach to insider threats, its product, and the company at large?

As a company, Proofpoint has been focused on helping its more than 1,700 customers detect, investigate, and prevent insider threat incidents for over a decade. This funding round will help double down on that mission, allowing for further expansion of the overall team and continued investment in product enhancements. More specifically: Proofpoint will continue to have the broadest insider threat management platform that gives organisations comprehensive visibility on all user activity, early warning signs when security policies are being violated and the ability to quickly investigate alerts and ultimately prevent data exfiltration.