Detecting insider threats requires distinguishing between acceptable activities and those that either put the organization at risk or are outright malicious. Doing so is easier said than done. Many organizations simply don’t have the systems and solutions in place to identify such threats in a timely manner. The layered security stack present in most organizations is important for maintaining a strong posture against external threats, but the tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) that traditional solutions are built to recognize generally don’t apply to insider threats.
Instead, catching malicious and compromised insiders requires using predictive security analytics to connect dots that, collectively, show malicious behavior – without generating false positives that waste resources and lead to alert fatigue. This task is complicated by the enormous volume and infinite variety of completely benign behaviors corresponding to everyday activities.
In this article, I’ll discuss three fundamental capabilities that a modern insider threat solution must have to achieve these outcomes.
#1: Ingest threat signals from the identity plane
Not long ago, identity infrastructure was regarded as merely a utility for managing credentials and access permissions — it let members of the workforce and other entities (e.g., devices, systems) access necessary resources. But as digital transformation reshaped how organizations operate, identity infrastructure grew, extending into practically every corner of the IT environment.
Now this infrastructure should be regarded as a vast threat surface — and one that’s difficult to harden, for a few reasons:
Identity is complex:
Any individual digital identity within the modern workplace typically has multiple authorizations and entitlements, which vary from application to application and resource to resource.
Identity is fractured:
Any individual human user may have multiple digital identities corresponding to the many systems they use (for context, Okta’s Businesses at Work 2023 report revealed that large companies use an average of more than 200 software applications). Even organizations with centralized directories (e.g., Active Directory) often have many other identity repositories, which may or may not be tightly integrated with the central source of truth.
Identity is hard to manage:
Digital identities are incredibly dynamic; combined with the inherent complexity of the domain, this dynamism makes identity extraordinarily difficult to manage. Access privileges must account not only for the classic joiner/mover/leaver (JML) scenarios, but also common occurrences like the introduction of new applications or systems, and rarer (but massive) changes like company reorganizations or acquisitions. Even today, identity management often involves tedious, manual processes that are prone to human error; over time, little errors add up, resulting in users (and orphaned accounts) with legacy access privileges that vastly exceed what their current role requires.
With all this in mind, ingesting threat signals from the identity plane remains an important step in creating a hardened line of defense against attacks. Identity is a complex, fractured, and hard-to-manage component of security. If the SIEM cannot ingest identity data, the SOC will be blind to the considerable security risks that identity poses.
#2: Generate dynamic behavioral baselines that incorporate observations
Sifting through massive volumes of user activity can help to spot anomalous behavior, but it can generate an overload of false positive alerts, even when aided by machine learning algorithms that model appropriate user behavior patterns. Accurate behavioral baselines that define “normal” use reduce these false positives.
Unfortunately, building baselines solely upon the user information provided by an organization’s user directory is insufficient, for at least three reasons. First, to facilitate easier provisioning, the directory services organizations use (e.g., Active Directory and similar products) tend to put people into static groups based upon one or more factors like organizational/structural hierarchy and users’ primary physical locations. This information is somewhat useful for analyzing identities, privileges, and activities; however, as noted previously, these groupings usually become outdated over time.
Second, the sheer number of distinct groups that exist in many organizations (particularly larger and older ones) presents an additional challenge. In some cases, an organization’s identity directory may even include more groups than individual user identities.
And third, behaviors change over time — sometimes very gradually (e.g., as a user becomes more proficient, takes on new responsibilities, etc.) and sometimes very suddenly (e.g., a user fills in for a colleague on leave or is assigned to a new project that requires them to access different systems and data).
Consequently, an insider threat solution must be able to account for both the ever-changing nature of many roles within the modern workforce, as well as the reality that identity directories — for a variety of reasons — are unable to accurately capture or represent the nuances of each role.
#3: Predict and detect malicious activity
With accurate, dynamic baselines in place, predicting and detecting malicious activity is conceptually straightforward:
- Ingest identity signals
- Synthesize those signals into behaviors
- Compare observed behaviors against the baselines to generate a risk score and, if applicable, an alert
In practice, an insider threat solution’s efficacy depends upon its ability to ingest, process, and analyze data at scale, including applying clustering and outlier algorithms.
Once an insider threat solution has moved beyond baselines and is operating in its steady state, there should be very few alerts. Traditional cybersecurity tools were built to fend off external adversaries; as such, their capabilities are tailored for defending the perimeter and looking for indicators of compromise associated with initial access and intrusion actions. However, the reality is that internal threats behave much differently than external ones — which calls for a different defensive strategy.
The most effective way to pinpoint the presence of insider threats, without creating a lot of false positive alerts, is to overlay user activities with user identity intelligence, cluster identities into dynamic peer groups, create time-based behavioral baselines, and continuously learn what is acceptable behavior in order to spot the unacceptable behavior. Doing so takes a combination of the right data sources, the ability to create meaningful and dynamic behavioral baselines, and time-tested data science to pinpoint deviations that indicate malicious activity.
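As an added example that is not Gurucul's code or part of the original article, the Python script below walks the three steps of section #3 on constructed sample data and also illustrates section #2's point about static directory groups. It synthesizes raw access events into per-user daily behavior vectors, clusters users into dynamic peer groups by the resources they actually touch (Jaccard similarity joined with union-find, a deliberately simple stand-in for the clustering and outlier algorithms the article mentions), builds a time-based baseline per peer group, and scores a new day against it to produce a risk score and an alert decision. The users, resources, counts, directory groups, point weights and thresholds are all constructed assumptions; in the sample, carol's stale directory group disagrees with the peer group her observed behavior places her in, and alice's day-6 activity trips both a volume outlier and a never-seen resource.

```python
from collections import Counter, defaultdict
from itertools import combinations
from statistics import mean, pstdev

# Constructed sample data (not real telemetry). Each event is
# (user, day, resource, access_count); days 1-5 form the baseline window.
BASELINE_EVENTS = [
    *[("alice", d, "ledger", n) for d, n in zip(range(1, 6), (9, 11, 10, 10, 12))],
    *[("alice", d, "payroll", 2) for d in range(1, 6)],
    *[("bob", d, "ledger", n) for d, n in zip(range(1, 6), (8, 10, 9, 11, 10))],
    *[("bob", d, "payroll", n) for d, n in zip(range(1, 6), (2, 3, 2, 2, 3))],
    *[("carol", d, "git", n) for d, n in zip(range(1, 6), (20, 18, 22, 19, 21))],
    *[("carol", d, "ci", n) for d, n in zip(range(1, 6), (5, 6, 5, 4, 5))],
    *[("dave", d, "git", n) for d, n in zip(range(1, 6), (17, 19, 18, 20, 16))],
    *[("dave", d, "ci", n) for d, n in zip(range(1, 6), (4, 5, 6, 5, 5))],
]
# Day 6 (constructed): alice's ledger volume jumps and she touches a resource
# that nobody in her peer group used during the baseline window.
DAY6_EVENTS = [
    ("alice", 6, "ledger", 40), ("alice", 6, "payroll", 2), ("alice", 6, "hr-db", 1),
    ("bob", 6, "ledger", 10), ("bob", 6, "payroll", 2),
    ("carol", 6, "git", 20), ("carol", 6, "ci", 5),
    ("dave", 6, "git", 15), ("dave", 6, "ci", 5),
]
# Static directory groups (constructed): carol moved to engineering but her
# directory group was never updated, the stale-grouping problem from section #2.
DIRECTORY_GROUPS = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "engineering"}

NOVEL_RESOURCE_POINTS = 50  # resource no peer touched in the baseline window (assumed weight)
VOLUME_OUTLIER_POINTS = 30  # daily count more than Z_LIMIT std devs above peer mean (assumed weight)
Z_LIMIT = 3.0
ALERT_THRESHOLD = 60


def behavior_vectors(events):
    """Step 2 of section #3: synthesize raw signals into user -> day -> Counter(resource)."""
    vectors = defaultdict(lambda: defaultdict(Counter))
    for user, day, resource, count in events:
        vectors[user][day][resource] += count
    return vectors


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def peer_groups(vectors, threshold=0.5):
    """Cluster users into dynamic peer groups from what they actually access
    (union-find over pairwise Jaccard similarity of resource sets) rather than
    from static directory membership."""
    touched = {u: {r for day in days.values() for r in day} for u, days in vectors.items()}
    parent = {u: u for u in touched}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for a, b in combinations(sorted(touched), 2):
        if jaccard(touched[a], touched[b]) >= threshold:
            parent[find(a)] = find(b)
    members = defaultdict(set)
    for u in touched:
        members[find(u)].add(u)
    return sorted((frozenset(g) for g in members.values()), key=sorted)


def build_baselines(vectors, groups):
    """Per peer group: mean and population std dev of each resource's daily count
    across every member-day in the window (a member-day with no access counts as 0)."""
    baselines = {}
    for group in groups:
        resources = {r for u in group for day in vectors[u].values() for r in day}
        samples = defaultdict(list)
        for u in group:
            for counts in vectors[u].values():
                for r in resources:
                    samples[r].append(counts.get(r, 0))
        baselines[group] = {r: (mean(v), pstdev(v)) for r, v in samples.items()}
    return baselines


def group_of(user, groups):
    return next(g for g in groups if user in g)


def risk_score(day_counts, baseline):
    """Step 3 of section #3: compare one day of observed behavior to the peer baseline."""
    score, reasons = 0, []
    for resource, n in sorted(day_counts.items()):
        if resource not in baseline:
            score += NOVEL_RESOURCE_POINTS
            reasons.append(f"{resource}: no peer accessed this during the baseline window")
            continue
        mu, sigma = baseline[resource]
        z = (n - mu) / sigma if sigma > 0 else (float("inf") if n > mu else 0.0)
        if z > Z_LIMIT:
            score += VOLUME_OUTLIER_POINTS
            reasons.append(f"{resource}: {n} accesses vs peer mean {mu:.1f} (z={z:.1f})")
    return score, reasons


def score_day(new_events, day, groups, baselines):
    """Score every user seen on `day`; returns user -> (score, alert, reasons)."""
    observed = behavior_vectors(new_events)
    results = {}
    for user, days in observed.items():
        score, reasons = risk_score(days[day], baselines[group_of(user, groups)])
        results[user] = (score, score >= ALERT_THRESHOLD, reasons)
    return results


if __name__ == "__main__":
    vectors = behavior_vectors(BASELINE_EVENTS)
    groups = peer_groups(vectors)
    print("directory groups:   ", DIRECTORY_GROUPS)
    print("dynamic peer groups:", [sorted(g) for g in groups])
    baselines = build_baselines(vectors, groups)
    for user, (score, alert, reasons) in score_day(DAY6_EVENTS, 6, groups, baselines).items():
        print(f"{user}: score={score} alert={alert} {reasons}")
```

Run as a script, it prints the two dynamic peer groups ({alice, bob} and {carol, dave}, against the directory's claim that carol is still in finance) and then one line per user for day 6; only alice crosses the alert threshold, and the reasons list says why. The baseline window would normally be rolled forward daily so that gradual changes in a user's role are absorbed while sudden deviations still stand out, which is the time-based, continuously learned baseline the article calls for.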
Craig Cooper, COO @ Gurucul
Craig Cooper has served in several information security and risk management roles including CISO for a Fortune 500 Financial Services organization. While in this role, Craig defined and implemented an ISO standards-based Information Security program. Craig has led, developed, and delivered multiple Identity and Access Management Strategies and Roadmaps for several organizations. Craig has written for several trade magazines and has been a speaker with Burton Catalyst, Gartner, and ISSA. Visit: gurucul.com
Source: gurucul.com