When we talk about behavior-based threat detection, what we are essentially pointing to are the threats posed by insiders, and how to mitigate them. In other words, our own employees, whether through negligence or malice, represent the greatest threat to an organization’s assets.
What Behaviors Do We Need to Monitor?
To address this issue, below are some examples of the types of behaviors that we need to look out for:
- An employee emailing sensitive data to a personal account.
- An employee accessing sensitive data, or requesting access to resources that are not relevant to their role.
- A former employee accessing confidential information after their contract has been terminated.
- An employee trying to bypass security controls.
- An employee copying large amounts of information to an external drive or cloud-based storage.
- An employee connecting to the network using an unrecognized device, from an unrecognized location.
- An employee accessing company data outside of normal working hours.
In addition to the above, if, for whatever reason, a company is required to lay off a large number of employees during a short period of time, the likelihood that an employee or former employee decides to steal sensitive data increases. In some cases, a soon-to-be-departing employee will create a new account with new credentials before their access is revoked.
As you can see, there are many ways that negligent or malicious insiders can jeopardize the security of your network. As such, we must have safeguards in place, which include being proactive in monitoring and responding to insider threats.
How to Prevent Insider Threats
When dealing with insider threats, the problem we have is that all security threats could be seen as the result of negligent or malicious insiders. As such, explaining how to prevent insider threats is essentially the same as explaining how to prevent security threats in general, which is ultimately beyond the scope of this article. For example, we could talk about acceptable use policies, desktop security, network segmentation, and the use of multi-factor authentication to prevent unauthorized access.
We could also talk about the importance of physical security, which includes locks, alarms, badges, CCTV, biometric authentication, etc. To keep things simple, we could say that preventing insider threats essentially boils down to two things: training and monitoring.
Security Awareness Training
Since employees are your first line of defense, it is crucial that you conduct regular security awareness training to help them:
- Recognize, respond to and report suspicious emails.
- Use strong and unique passwords, and never share credentials.
- Understand data security best practices, including physical security procedures.
- Understand the relevant data privacy laws, how to comply with them, and the consequences of failing to comply.
User Behavior Monitoring
As mentioned above, you must have visibility into all user behavior, such as when and how employees access, edit, copy, delete and share sensitive data. You will also need visibility and control over how employees request access to sensitive data, when and how they connect to the network, whether they are bypassing any security controls, and so on.
To gain this visibility, organizations must use the right tools. They will need a real-time auditing solution that uses machine learning techniques to establish a typical usage pattern for each user. When a user deviates too far from that pattern, an alert is sent to the administrator, who launches an investigation. Most sophisticated real-time auditing solutions are also able to detect and manage inactive user accounts, and some are able to detect and respond to events that match a pre-defined threshold condition.
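To make the monitoring idea concrete, here is an added Python example, written for this article rather than taken from any vendor's product or the author's own material. It learns a per-user baseline from a few historical access events (known devices and locations, a working-hour window, typical external transfer sizes, last activity) and then checks new events against that baseline, producing a list of reasons for each deviation that matches the behaviors listed earlier: unrecognized device or location, access outside normal hours, unusually large copies to external storage, email to a non-company address, activity by a terminated user, and accounts that have gone inactive past a fixed threshold. The log format, user names, hostnames, mail domains, timestamps and thresholds are all constructed assumptions.

```python
"""Per-user behaviour baseline and deviation alerting over access-log events.

Added illustration only: a toy version of the "learn typical usage, alert on
deviation" logic described above. Not any vendor's product code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

COMPANY_DOMAIN = "corp.example"          # assumed company mail domain
DEFAULT_TRANSFER_LIMIT = 10_000_000      # bytes; used when a user has no transfer history
INACTIVE_AFTER = timedelta(days=30)      # pre-defined threshold for inactive accounts
TRANSFER_ACTIONS = {"copy_external", "cloud_upload"}
AS_OF = datetime(2024, 3, 10, 12, 0)     # constructed "current time" for the run

# Constructed sample log lines (not real data). Field order:
# timestamp|user|action|bytes|device|location|recipient
BASELINE_LOG = """\
2024-03-04T09:15:00|alice|login|0|laptop-a1|office-hq|-
2024-03-04T10:02:00|alice|copy_external|2000000|laptop-a1|office-hq|-
2024-03-05T14:30:00|alice|copy_external|3000000|laptop-a1|office-hq|-
2024-03-05T17:10:00|alice|email|0|laptop-a1|office-hq|finance@corp.example
2024-03-06T16:45:00|alice|copy_external|2500000|laptop-a1|office-hq|-
2024-02-01T08:50:00|bob|login|0|desktop-b2|office-hq|-
2024-01-05T09:00:00|carol|login|0|laptop-c3|office-branch|-
"""

NEW_LOG = """\
2024-03-10T11:05:00|alice|login|0|laptop-a1|office-hq|-
2024-03-10T23:40:00|alice|copy_external|50000000|usb-unknown|home-isp|-
2024-03-10T23:42:00|alice|email|0|laptop-a1|office-hq|alice.personal@gmail.example
2024-03-10T12:00:00|bob|login|0|desktop-b2|office-hq|-
"""

TERMINATED = {"bob"}   # constructed HR feed: users whose contracts have ended


def parse_line(line):
    ts, user, action, nbytes, device, location, recipient = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "bytes": int(nbytes), "device": device, "location": location,
            "recipient": recipient}


def build_baseline(log_text):
    """Learn each user's known devices/locations, hours of activity,
    external transfer sizes and last activity from historical events."""
    users = defaultdict(lambda: {"devices": set(), "locations": set(),
                                 "hours": [], "transfers": [], "last_seen": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        b = users[ev["user"]]
        b["devices"].add(ev["device"])
        b["locations"].add(ev["location"])
        b["hours"].append(ev["ts"].hour)
        if ev["action"] in TRANSFER_ACTIONS:
            b["transfers"].append(ev["bytes"])
        if b["last_seen"] is None or ev["ts"] > b["last_seen"]:
            b["last_seen"] = ev["ts"]
    return dict(users)


def transfer_limit(transfers):
    """Mean + 3 standard deviations of the user's own history, or a fixed
    default when there are fewer than two samples to learn from."""
    if len(transfers) < 2:
        return DEFAULT_TRANSFER_LIMIT
    return mean(transfers) + 3 * pstdev(transfers)


def score_event(ev, baseline, terminated=frozenset()):
    """Return the reasons this event deviates from the user's baseline (empty if none)."""
    reasons = []
    if ev["user"] in terminated:
        reasons.append("access after termination")
    b = baseline.get(ev["user"])
    if b is None:
        return reasons + ["no baseline for user"]
    if ev["device"] not in b["devices"]:
        reasons.append("unrecognized device")
    if ev["location"] not in b["locations"]:
        reasons.append("unrecognized location")
    if not (min(b["hours"]) <= ev["ts"].hour <= max(b["hours"])):
        reasons.append("outside normal working hours")
    if ev["action"] in TRANSFER_ACTIONS and ev["bytes"] > transfer_limit(b["transfers"]):
        reasons.append("unusually large external transfer")
    if ev["action"] == "email" and not ev["recipient"].endswith("@" + COMPANY_DOMAIN):
        reasons.append("email to non-company address")
    return reasons


def find_alerts(log_text, baseline, terminated=frozenset()):
    """Map each deviating log line to its list of reasons."""
    alerts = {}
    for line in log_text.splitlines():
        reasons = score_event(parse_line(line), baseline, terminated)
        if reasons:
            alerts[line] = reasons
    return alerts


def inactive_accounts(baseline, now):
    """Users with no activity for longer than INACTIVE_AFTER, sorted by name."""
    return sorted(u for u, b in baseline.items() if now - b["last_seen"] > INACTIVE_AFTER)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for line, why in find_alerts(NEW_LOG, base, TERMINATED).items():
        print(line, "->", ", ".join(why))
    print("inactive:", inactive_accounts(base, AS_OF))
```

Running the script reports the 23:40 copy from an unknown USB device at an unknown location as deviating on four counts, the 23:42 email as out of hours and addressed outside the company domain, bob's login as access after termination, and bob and carol as inactive accounts; alice's ordinary 11:05 login from her usual laptop produces nothing. The hour window and the mean-plus-three-standard-deviations limit are the simplest possible baselines; the point is the structure: learn per user, compare each new event against that user's own history, and emit named reasons rather than a bare score so the administrator's investigation has somewhere to start.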