Shortcuts: Solution Evaluation Criteria | Insider Threat Solution Vendors
Attacks launched by hackers, malware authors, cyber criminals, and other bad actors account for a lot of the cyber security-related headlines we see today. And when most people think of cyber incidents, they imagine them coming from external sources.
That doesn’t mean all significant security incidents come from outside the organization, however. Plenty of intrusions and incidents are the responsibility of disgruntled employees who have both the motive and the opportunity to break into their organizations networks and systems, or from inadvertent or accidental actions by workers.
Insider threats have long been a concern of security executives, and industry research has shown that attacks launched from inside the enterprise have been on the rise.
Detecting insider threats can be challenging. For example, it’s difficult to know if a trusted employee with high-level access privileges has decided to engage in activities with malicious intent. There’s a fine line between someone accessing customer data as part of day-to-day job responsibilities v. using that data for personal financial gain.
Aside from those with malicious intent, insider threats can also stem from negligence, such as not following security policy, visiting risky cites, or other actions that put companies at risk. Industry research has shown that threats based on negligent actions or “human error” are actually the most common types of insider threats.
Adding to the complexity of managing insider threats is the fact that so many enterprises have multiple, dispersed operations—in many cases all over the world. They also have increasingly complex IT environments, with a growing number of cloud services and endpoint devices.
Among the signs of potential insider security threats are the downloading of large volumes of data, employees accessing sensitive information that is not related to their job responsibilities, multiple requests for access to IT resources not associated with a worker’s job function, the use of unauthorized devices, and attempts to bypass security mechanisms.
There are plenty of security tools on the market that can potentially address insider security threats. These include security information and event management (SIEM) systems that collect and aggregate log data from other systems; endpoint data loss prevention (DLP) tools that control access to certain files and file sharing; user behavior intelligence, which provides endpoint visibility with contextual understanding through advanced analytics; user behavior analytics tools, which apply behavioral analytics to IT infrastructure data; and employee or user activity monitoring software to track employee behavior.
The key is knowing which ones are the best fit for your organization and its cyber security needs. This guide is designed to help organizations with their evaluation process, by examining a number of key attributes.
Solution Evaluation Criteria
Visibility into threats
What does the solution actually provide in the way of visibility? That includes visibility into network activity, servers, the use of applications and Web sites, cloud access, etc. And this visibility needs to be comprehensive—spanning systems and networks throughout the enterprise—continuous, and in real time.
If security teams lack visibility into how systems and data are being accessed and used, what chance do they have of detecting and investigating suspicious insider activity?
Among the actions security teams need to see are which users accessed which systems and files, and when; whether critical files been changed, deleted, or moved outside the organization, and whether the user who took such actions has authority; whether unauthorized users have tried to access the accounts of systems administrators, or whether authorized users are doing so in an unusual manner.
Part of the visibility function includes knowing from which sources the security product is gathering data. It might be from endpoint devices, data center systems, log file repositories, Web applications, the cloud, or any number of other sources.
Another key consideration is whether the tools support visibility outside the traditional walls of the enterprise, to include remote offices, mobile devices, edge devices, Internet of Things (IoT) objects, etc.
Intelligence
Emerging capabilities powered by artificial intelligence (AI), machine learning (ML), and advanced analytics are making it possible for security tools to detect patterns that indicate a possible cyber security incident.
With an intelligence-focused approach to insider threat management, security teams can make decisions based on actionable insights rather than just relying on large amounts of data such as log events that don’t have context or are time consuming to evaluate using manual methods.
Analytics can help managers better understand and predict things such as human behavior, which can be a major factor in many insider threats. For example, analyzing usage data using behavioral analytics can help teams detect anomalies in events and the behavior of users. If something is out of the ordinary, it might indicate suspicious behavior that needs to be explored further.
A key component of systems using intelligence is their ability to send alerts when unusual behavior is detected. This can help avoid the ponderous task of examining seemingly endless reports of user activity, the vast majority of which is legitimate.
At the same time, these alerts can’t be a series of false positives that end up wasting the security team’s time and lead to “alert fatigue.” That can add to security risk because the team might end up missing actual security incidents.
Detection
How the security tool detects insider threats is a big consideration. For instance, does it provide rule- or signature-based detection, by looking for specific patterns in network traffic or known malicious instruction sequences? That could indicate a malware attack that might have been triggered by an employee’s actions.
Signature-based methods are good for detecting known attacks, but not as effective in identifying new attacks because of the lack of available patterns to use as a reference.
Another approach is detection based on behavior, which looks at the results of a particular activity or what the activity is attempting to accomplish, rather than looking for unique the characteristics of a threat. This method can be used to identify previously unknown threats.
Something else to consider is how accurately a tool detects actual malicious activity by insiders, rather than generating false positives that can lead to “alarm fatigue.” When an activity happens that’s outside an acceptable range, that might indicate some sort of security breach, or it might be detecting a spike in network traffic.
Response and Remediation
How an insider threat security tool responds to and remediates an incident is another key factor. Something to examine here is what type of alerting mechanisms are included with the product. If security teams are not quickly alerted to suspicious behavior or activity, the incident can quickly escalate into real damage including lost or stolen data.
Alerting features should indicate events such as the existence of malware, when users have disabled security features on one or more systems, when ownership of a device or a user group has been changed, or when some sort of high-risk behavior is taking place.
How quickly a tool responds after it detects suspicious behavior is also important for preventing or limiting the damage from insider attacks, so be sure to evaluate whether remediation is manual or automated. For example, does the product automatically respond to incidents and take action to remediate in real-time?
Some of the available security platforms automatically isolate and remediate user devices that have been infected with malware, as way to stop the malware from spreading to other devices and systems. They detect infected devices and isolate them from the corporate network, then remediate them.
A lot of insider threats come from users visiting restricted Web sites. As such, having the ability to detect and block these sites from employee access is vital for security. Among the sites to block are those that run JavaScript code to conduct cryptomining or harvest user authentication credentials.
Ease of Deployment and Impact on User Experience
Security tools need to be easy to deploy and manage, or they can become more of a hindrance than a help. They also should have a minimal impact on end-users’ experience and productivity.
Questions to ask include whether the product has requirements for policies, rules, and calibration; whether it has automatic, continuous updates to reduce the need for manual adjustments; if it is cloud-based or on-premises; and what the impact will be on CPU, memory, and device performance.
If security solutions have no policies, rules, and tuning needed, there is less of a management burden. With automatic updates, security teams do not need to be doing costly, manual interventions. Cloud-based management provides easier control. Minimal impact on CPU, memory, and performance results in low or no impact on user experience, which also means users will be less inclined to disable security features.
The insider threat solution should be simple to implement and maintain, without a need for custom services that can drive up costs. Ideally the solution should not require ongoing administrator action.
Scalability and agility of the solution
Because in theory anyone in an organization can potentially be an inside threat, security solutions need to be scalable to the extent that they can be deployed and used effectively throughout the enterprise, including remote sites around the world.
They also must be able to scale up as the organization grows in terms of number of employees, systems, locations, etc.
Also important to consider is the impact a solution will have on infrastructure such as the corporate network as it expands. A solution that is scalable should not affect the performance of networks, systems, and end-user devices.
Where problems can arise is when security tools generate huge volumes of data and the existing infrastructure is not designed to handle this volume.
Related to scalability, a good insider threat security solution should be adaptable to a cloud environment. With many organizations increasing moving applications to the cloud, including some security functionality, the ability to integrate with cloud services is important.
In addition to being scalable, an insider security tool needs to be agile. Today’s security environment is constantly changing, and technology needs to be able to adapt to shifting conditions in order to be effective.
Considerations with agility include whether the solution is capable of learning or self-tuning, or relies mainly on manual tuning; and how often data is uploaded and processed.
Data privacy features
Although the idea of using these tools is to thwart insider threats, companies also have to be aware of the need for employee privacy, and ensure that the data they are gathering is not running counter to compliance with privacy regulations.
The emergence of regulations such as the General Data Protection Regulation (GDPR) in the European Union has made data privacy top of mind for organizations.
Security and IT executives should be up to speed on the rules and determine whether they are gathering allowable data and using, storing, and sharing it correctly. Privacy considerations with tools include whether the solution has privacy features such as data anonymization, and is compliant with all the major regulations.
Insider Threat Solution Vendors
<insert>