Why Early Insider Threat Indicators Are So Valuable—And Which Ones to Use

Share with your network!

Threats that originate from inside an organisation often don't show up until it's too late. After all, insiders don't need to exercise caution in persisting on a network. They rarely take steps to evade defenses, and they don’t need to hack systems to get credentials. By working within the organisation, they already have access to sensitive data and critical systems every day.

Organisations must invest in security solutions that provide early warnings when insiders engage in risky or out of policy behaviour to combat the threat before the damage is done.

Privacy by Design

Every smart security team today realises that privacy must be woven into their plans for responding to and detecting insider threats. Because while it’s important to be alerted when early insider threat indicators or warning signs occur, it’s not okay to violate the privacy of your users—especially if your business is one of the many that is beholden to privacy laws like GDPR.

It’s important to discuss how an organisation can maintain user privacy while still alerting on using these early indicators of insider threat risk. In our view, the best way to accomplish the security/privacy balance is to anonymise user identities. Risky activity should trigger alerts such as those displayed in the screenshot below, but user privacy should not be violated unless there is a clear and present danger (and, even when this is the case, strict privacy protocols around who can access what data and when should be part of any organisation’s insider threat management plan).

Alerts for Detecting Insider Threat Early Activity

ObserveIT’s platform provides a great degree of policy flexibility for organisations and many administrators choose to exclude certain personal data from visibility like banking, healthcare and social media websites. Every organisation is different, but today’s regulatory and media climate requires that businesses take privacy seriously, even as they work to secure their organisations. This is why ObserveIT employs “privacy by design” and empowers customers to do the same.

Now, let’s take a look at examples of some common early indications related to insider threat and how organisations can use them to reduce overall risk.

Early Indicators: Developing a New Insider Threat Vocabulary

Here are the top indicators of insider threat risk (prior to the current pandemic situation), according to our research on usage patterns within our 1,200+ strong customer base. (These are known as “alerts” in the ObserveIT platform.)

Top Insider Threat Risk Indicators

NTop Insider Threat Indicators of Risk

These alerts are an ideal place to start when it comes to building a more robust insider threat management program, because they enable an organisation to move beyond reactive security into proactive insider threat risk reduction.

Now, let’s discuss how organisations have used some of these early indicators. These risks fall into four broad categories:

  • Identifying users with heightened risk factors
  • Identifying technical opportunities for misuse and exfiltration
  • Detecting signs of intentional misbehaviour
  • Detecting accidental misbehaviour and/or negligence

Identifying Users with Heightened Risk Factors 

Many people-driven early indicators are found through conversations. Effective insider threat management requires close collaboration with HR, IT and legal teams. HR teams generally have the best understanding of what is happening on a human level within the workforce, including both work and personal issues. For example, HR is likely to be aware of an individual who has been put on a performance plan and may not be at the company much longer. They are also often the first to know when an employee is leaving to join a competitive organisation and may have an interest in taking company secrets with them. Similarly, HR and IT work together to handle the digital identities and permissions of users when they join the organisation, leave it, or move between departments.

Using information gleaned from conversations with HR, IT, legal, and other stakeholders at the organisation, security teams can tailor risk profiles for individuals and groups.

Additionally, we often find organisations who have been through recent mergers and acquisitions or significant hiring sprees usually setup additional early indicators for new users, who may require education on the corporate security policies. One area that’s often forgotten is when existing employees and contractors switch roles within the organisation. Security teams should be more careful if these employees and contractors continue to accumulate their access privileges from the previous roles or the practice of decommissioning access privileges is less mature.

ObserveIT customers rely on many of the alerts listed in the Top Insider Threat Risk Indicators chart above. Customers can also combine these alerts with our Lists feature, as shown in the screenshot below.

Early Indicators of Insider Threat Risk - User Group Lists

Customers can differentiate the risk severity of alerts based on the list that the user falls under. For example, it makes sense for the alert role of “exfiltrating files to unlisted USB devices” to be set at “critical” for departing users.

Identifying Technical Opportunities for Misuse and Exfiltration

Many organisations lack visibility on user movement of sensitive data and on user activity within critical applications. Often, insider threat risk can increase when exceptions to security policy are issued to users to give them needed technical control. The risk compounds when these exceptions are allowed to go on without a time limitation, or when more and more users across the organisation rack up exceptions.

The most popular example of security exceptions we see is allowing the usage of removable media. It never ceases to amaze us the number of users that have been granted an exception to use USB devices at an organisation, even when most USB usage across the company is severely restricted (for good reason). The various risky security scenarios related to USB device usage almost always figure in the top five most common issues for our customers.

Of course, these risks go well beyond USB devices though, to include legacy applications still in use with poor logging and using unauthorised messaging and data-sharing applications.

In many healthcare, energy and financial services firms, sensitive customer data and intellectual property lives in legacy mainframes and desktop applications, as well as cutting-edge microservices hosted in the cloud. Unfortunately, these businesses are often stuck relying on certain legacy applications because the cost of ripping and replacing is too high. The security challenge here is that these applications weren’t built with today’s security risks in mind, so there is little hope of detecting insider threats early. Poor audit trails of user activity within those applications leave security teams guessing about what happened and which users were involved if an incident takes place.

In such situations, ObserveIT’s alerts around downloading or copying large numbers of files from those specific legacy applications can be very helpful to decrease insider threat risk.

Detecting Early Indicators of Intentional Misbehaviour 

User misbehaviour, defined as intentional misuse of corporate resources, is relatively rare compared to accidental misuse. Criminal insiders account for just 14% of all insider-caused incidents, according to the Ponemon 2020 Cost of Insider Threats Global Report. However, they also cost organisations more than twice as much per incident as negligent insiders.

Additionally, for organisations facing turbulent times and for individuals facing significant personal or work-related issues, misbehaviour with corporate assets can grow quite a bit more common.

This is another area where HR can be a very helpful resource to identify users who may pose a higher risk of intentional misbehaviour, for example:

  • Those who have been passed up for promotions
  • Those who are dealing with financial troubles.

In some cases, these frustrations can boil over in the workplace and result in brand damage for the organisation as well.

What does this look like in practice? User misbehaviour may start with using corporate endpoints for out-of-policy activities, such as gaming or browsing copyright-violating websites. These insider threat behavioural indicators may be categorised with low-severity alerts and triaged in batches. IT security may want to set up higher-severity alerts in the case that a user moves onto more critical misbehaviour, such as installing hacking or spoofing tools on corporate endpoints. 

In the recent past, we’ve also seen a rise of nation-state inspired or sponsored insider threats. In these cases, users with ties to certain nation-states are monetarily or otherwise incentivised to exfiltrate highly sensitive or secretive intellectual property data from their organisations. Often these are non-technical business users working on secretive projects or developers working on sensitive intellectual property.

Again, collaboration with other departments (such as HR, threat-hunting and legal teams) can provide a heads up around rising nation-state involvement in certain locations. ObserveIT customers often combine these internal early warnings with increasing alert severity levels on users who may have a higher insider threat risk profile.

Customers can also use our workplace harassment and violence keyword lists to notify security teams and provide real-time education to the user(s) involved when inappropriate and/or harassing language is used on an organisation’s messaging platforms.

Early Indicators of Insider Threat Risk - Workplace Violence Words

Detecting Early Indications of Accidents and/or Negligence

The last category refers to the most common type of insider threat: accidental errors and/or negligent behaviour. In fact, 62% of all insider threats are caused by negligence, as the previously mentioned Ponemon report found. We are all using more applications, collaborating with more people and working under tight deadlines in an increasingly competitive work world.

It’s not surprising, then, that users make more mistakes, forget the details of  acceptable use policies, or take shortcuts that circumvent security controls.

The best way to manage this type of insider threat risk is to set up alerts that identify accidents and negligence early. For example, good alerts to set up include:

  • usage of unapproved USB devices
  • downloading of files with potentially malicious extensions
  • storage of  passwords in plain-text files.

The most common mistakes are related to social engineering attacks on employees and contractors, including credential theft, which accounts for 23% of insider-caused incidents, according to Ponemon.

In addition to detecting signs of social engineering scams and malware proliferation, ObserveIT customers use our contextual intelligence to better understand indicators of insider threat behaviour before and after alerts fire. This enables organisations to determine whether the user was indeed manipulated or phished, or if they acted with malicious intent to harm the organisation.

Our customers recognise there are important differences between accidental and malicious insider threats, and that they must be treated differently. That’s why real-time user education is one of our top-used security actions in response to alerts on accidental or negligent behaviour. The following screenshot displays the various real-time response actions to triggered alerts that are available to security teams within the platform. Proactive, early education is a much better response to accidental misuse than punitive measures that can lead to even worse consequences for the employee and the organisation.

Real-Time Response Actions to Trigger Insider Threat Indicator Alerts

Highlighted in orange above is the warning notification option. This will pop up on the offending user’s endpoint if they attempt to complete an action deemed risky by the security team, such as downloading files with potentially malicious extensions.

Indicators of Risk: A Proactive Approach to Insider Threat Management

ObserveIT’s top indicators of risk can provide a broad view into how mature insider threat programs operate successfully. As we’ve shared in this blog post, these early indicators or warning signs are uniquely pertinent to users with deep familiarity with and access to your sensitive data and critical systems. They enable organisations to become more proactive, to intelligently separate intentional vs. accidental threats, and to broadly decrease organisational risk.

Learn More

Learn more about these early indicators of insider threats in action from Dawn Capelli, CISO at Rockwell Automation and Josh Epstein, VP at Proofpoint Insider Threat Management, in the SecureWorld eSummit ITM webinar.

Click here to replay the webinar