By Sanjay Raja, VP of Product Marketing and Solutions
Insider threats are more dangerous and more top of mind for security pros in 2022 than they’ve ever been. That’s one of the major findings from the 2023 Insider Threat Report from Cybersecurity Insiders. This report (sponsored by Gurucul) surveyed hundreds of cybersecurity professionals to reveal the latest trends and challenges facing organizations related to insider threats and how they are preparing to protect their data and infrastructure.
Let’s break down the top findings from the report.
A Rising Threat
Overall, security professionals are not confident they can reliably detect and block insider attacks. 74% reported their organization was moderately to extremely vulnerable to an insider attack. 74% also say insider threat attacks have been getting more frequent, a 6% increase over 2021. 60% of respondents reported that they experienced an insider attack in 2022, while 8% experienced more than 20. 48% agree that insider attacks are more difficult to detect and prevent than external attacks. Because insiders use legitimate accounts and credentials and abuse IT tools, it’s challenging for defenders to tell their activity apart from normal user activity. These results suggest that security teams should dedicate considerable resources to defending against insider attacks in 2023.
Insider Threats Under the Hood
This report dug deep into the motivations, types of attacks, and targets that security professionals are most concerned about. Monetary gain was the top malicious motivation for an insider threat at 59%, but many other drivers were close behind. Reputation damage was at 50%, theft of intellectual property was at 48%, and fraud was at 46%. Since no one factor was the clear winner, insider risk programs must take all of these factors into account.
71% of security pros are most concerned about compromised accounts/machines. This is followed by inadvertent data breaches/leaks (66%), negligent data breaches (64%), and malicious data breaches (54%). This is a good reminder that accidents, mistakes, and confusion among employees can create insider risks just as easily as a malicious insider. Among insiders, security pros are understandably most concerned about IT users and admins with elevated access privileges. If these accounts are compromised, attackers will have a great deal of access to sensitive data and important systems. Third-party contractors and service providers come in a close second in priority, followed by regular users and then privileged business users like CEOs. All of these groups present a significant risk (albeit in different ways) and security professionals are taking all of them very seriously.
Insider Risk Program Adoption
With so many security professionals worried about insider threats, one might expect that defensive efforts to detect and prevent them are a high priority. The report found that this was largely true; 39% of organizations already have an insider threat program in place. Another 46% are planning to add insider threat programs in the future – a rise of 5 percentage points since the 2021 survey. 13% are fired up and ready to add a program in the next six months. I expect there will be greater demand for products, tools and expertise in this area in the next few years. Some insider risk programs have executive buy-in, but the exact chain of command varies from company to company. 25% report to the CISO, 24% report to an IT security manager, 14% report to the director of security and 13% report to an Information Security Officer.
What is driving the creation of corporate insider threat programs? Again, it varies. Nearly half of respondents reported their insider threat program is part of the overall information security governance program. 44% reported their insider threat program is driven by proactive security team initiatives, and 40% said it came from regulatory compliance mandates. It’s encouraging to see many teams taking the initiative to tackle insider threats without being forced by regulation.
All in all, insider threats are growing and are a top priority for security teams in 2023. They span a wide range of motives, types, and targets, and defenders are actively working to build programs to detect and prevent them. For the full results, you can access the report here: https://gurucul.com/2023-insider-threat-report
Detecting and Stopping Insider Threats Using Gurucul Behavioral Analytics
For organizations building or updating an insider threat program, Gurucul User and Entity Behavior Analytics (UEBA) can detect suspicious behavior immediately and identify high-risk profiles and threats to manage and monitor insider risk. The Gurucul platform monitors an organization’s environment, natively ingests data across multiple data sources including applications, and analyzes this data using advanced behavioral and insider threat machine learning (ML) models and data science. Then it creates time-based behavioral baselines and continuously learns what is acceptable behavior to identify anomalous behavior and zero in on actual threats. By unifying collection and analysis of telemetry across the entire security stack and applying the largest library of pre-packaged ML models in the industry (over 1500), Gurucul can pinpoint unintended and malicious privilege access abuse, unexpected lateral movement and external communications, and data exfiltration quickly and accurately. Overall, Gurucul UEBA provides unprecedented context, behavioral indicators, and timeline views for automating threat assessment, mitigation, and response.