How to Detect and React to Insider Threats Without a SIEM

By Mike Smith   07.22.2019   Data Security

Insider threats are one of the biggest threats to the security of your data. Recent statistics suggest that insiders are responsible for 28% of all data breaches. Whilst this may not seem like a huge number compared to the external threats, it is significant.

External attacks, such as phishing attacks, are a hit-and-hope method in which attackers send out millions of emails in the hope of compromising a few records. They are not targeted in any way, so it is more luck than skill if they are able to compromise sensitive data. In contrast, insiders already know which data within your organization is the most valuable and where it is, meaning that malicious insiders can cause significantly more damage.

An Example of an Insider Threat

Let’s look at a specific use case of an insider threat in action. For full disclosure, this happened to one of our customers and we have changed the names to protect their confidentiality.

The HR department at Company X were using a shared Excel spreadsheet to make a note of commissions for the sales team. Michael, a Senior Account Manager at Company X, found out (by accident) that he was able to access and modify this spreadsheet. Over the course of 6 months, he routinely edited and inflated his own commissions, effectively stealing from the company. He was caught when an accounting error meant that the spreadsheet was scrutinized closely, and they found that the numbers didn’t add up.

Being able to identify this insider threat could have saved the organization tens of thousands of dollars. Not only that, but being able to quickly detect and react to insider threats can also help defend against many external attacks that often leverage credentials to access the network.

The Indicators of Insider Threats

If insider threats occur when users have access to things they shouldn’t have, or they do things they shouldn’t do, then the way to defend against this is to make sure you are able to spot when this happens.

It’s at this point that you may be thinking that you’ll need a Security Information and Event Management (SIEM) platform. I’m not surprised that this is often the first place people look when they want to get a better understanding of user behavior. The CERT Insider Threat Center themselves recommend SIEM solutions as an effective measure for detecting insider threats.

What Are SIEM Solutions?

A SIEM solution is a platform that collects, consolidates, analyzes, reports and alerts on raw log data. It consolidates this data from a multitude of sources. In fact, a common complaint about SIEM solutions, as strange as it sounds, is that they simply offer too much information to be able to assign context to it.

Why You Don’t Need a SIEM Solution

Consider what organizations need to be able to detect in order to spot an insider threat. You do not need to look through all of the data in order to spot threats. All you need to be able to do is detect anomalous user behavior and users that have excessive permissions.

You don’t need a SIEM solution for that; you need a Data Security Platform.

Data Security Platforms can report on which of your users have access to files containing your most sensitive data. Knowing this will enable you to ensure that you take steps to enforce a policy of least privilege.

Such platforms also use a mixture of automation and machine learning to “learn” what looks like normal behavior for a user, and can then alert you whenever anomalies are detected in this behavior. The really clever solutions will even be able to spot single-point anomalies and filter out false positives.
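The two checks described above, excessive permissions and anomalous behavior, applied to the commission spreadsheet case. This is an added example, not code from the article or from any product; the file path, user names, ACL and audit events are constructed, and a fixed baseline date stands in for the learned baseline a platform would use.

```python
from collections import Counter
from datetime import date

# Constructed sample data modelled on the commission spreadsheet case (all values hypothetical).
PATH = r"\\fs01\hr\commissions.xlsx"
SENSITIVE = {PATH: "HR"}                      # sensitive file -> owning department
DEPARTMENT = {"alice": "HR", "bob": "HR", "michael": "Sales"}
ACL = {PATH: {"alice": "modify", "bob": "read", "michael": "modify"}}
EVENTS = [                                    # (day, user, action, path)
    (date(2019, 1, 7), "alice", "write", PATH),
    (date(2019, 1, 9), "bob", "read", PATH),
    (date(2019, 2, 4), "michael", "read", PATH),
    (date(2019, 2, 5), "michael", "write", PATH),
    (date(2019, 3, 4), "alice", "write", PATH),
    (date(2019, 3, 6), "michael", "write", PATH),
]
WRITE_RIGHTS = {"modify", "full_control"}


def excessive_permissions(acl, sensitive, department):
    """(path, user) pairs that can modify a sensitive file from outside its owning department."""
    return sorted(
        (path, user)
        for path, entries in acl.items() if path in sensitive
        for user, right in entries.items()
        # Users missing from the directory map to None and are flagged too.
        if right in WRITE_RIGHTS and department.get(user) != sensitive[path]
    )


def anomalous_writes(events, sensitive, department, baseline_end):
    """Count writes after baseline_end by users with no write to that file in the baseline."""
    baseline = {(p, u) for d, u, a, p in events if a == "write" and d <= baseline_end}
    hits = Counter()
    for d, u, a, p in events:
        if a == "write" and d > baseline_end and p in sensitive and (p, u) not in baseline:
            hits[(p, u, department.get(u, "unknown"))] += 1
    return dict(hits)


if __name__ == "__main__":
    for path, user in excessive_permissions(ACL, SENSITIVE, DEPARTMENT):
        print(f"excessive permission: {user} can modify {path}")
    for (path, user, dept), n in anomalous_writes(EVENTS, SENSITIVE, DEPARTMENT, date(2019, 1, 31)).items():
        print(f"anomalous writes: {user} ({dept}) wrote {path} {n} time(s) after the baseline")
```

The permission check flags the Sales account before any edit takes place, while the baseline check only fires once a write has happened, which is why the two are run together.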

If you would like to look at a Data Security Platform that does all this (and more), schedule a demo of the Lepide Data Security Platform today.
