Insider Threats: Protecting Ourselves From Ourselves

Very Little is Being Done to Combat Insider Threats

As we defend our networks from sophisticated external threats, we sometimes overlook perhaps a greater threat lurking within. This threat has a badge into the building and a password onto the network. It works amongst us, setting up servers, configuring software, and sometimes even deciding upon policies to protect us. In my opinion, insider threat is under-scrutinized by the security community, leaving networks vulnerable to compromise by their own employees, especially those with privileged access. 

Identify: The Many Faces of Insider Threat

Insider threat is not a new problem. Some of the most complex cyber security breaches we see start with an insider gone rogue. Yet very little is being done to combat the problem. In fact, it seems to be an afterthought with most teams I work with. Is this because insider threat is notoriously difficult to detect? Or are we simply too busy working on those pesky external threats?

Insider threat has many faces. The classic disgruntled employee, blackmail victim, and careless user are all easily recognizable. But there is a small group of users that perhaps poses an even greater threat to our corporations, while typically getting the least amount of scrutiny. I am talking about the privileged access users, who benefit from unencumbered access to the most sensitive data and systems on our networks. System administrators, network engineers, and even CISOs can pose the greatest threat to our organizations. Are we watching them? How do we protect ourselves from ourselves?

This type of threat can sometimes be the hardest to detect as privileged users operate under a cloak of legitimacy. They typically have the knowledge and ability to evade detection and are often presumed innocent until proven guilty. It might come as a surprise, then, that we discover incidents involving privileged access users almost every week. 

Take, for instance, the systems administrator who decides to send log files to his or her home machine to work after hours or over the weekend. Or the data center administrator who makes a configuration change to numerous servers to mine cryptocurrency. And my favorite will always be the CISO using a commercial VPN, against corporate policy, to view inappropriate online content. The majority of the incidents we see are classic examples of non-malicious insider threat: users creating shortcuts to make their jobs easier, but ultimately opening their companies up to vulnerability.

Detect: Where’s Waldo… 

Regardless of motivation, all insider threats share one very common trait: the user’s device starts to exhibit patterns of anomalous behavior, which AI technology can instantly recognize as threatening. Sometimes these deviations from the device’s normal ‘pattern of life’ will be very notable. Yet other times these indicators of a compromise are so imperceptible as to go undetected by traditional tools, rigidly programmed to only catch known threats. However, regardless of just how subtle the indicators may be, there will always be tangible differences between the behavior of these and other similar devices on the network.

In this data-driven world we live in, finding the evasive needle in an ever-growing haystack can seem nearly impossible. Our networks are getting more complex and organic by the day. With a massive cyber security and IT skills shortage, employing new and more efficient ways to combat old problems is the only answer. This is where machine learning and AI excel, when used properly. 

Tools that employ genuine machine learning that learns from live data can drastically augment and improve current log analysis platforms. As many of us in the industry are aware, a good attacker will know how to avoid leaving incriminating breadcrumbs behind, often modifying logs to hide their whereabouts. Log analytics is a powerful tool, but only as powerful and accurate as the data fed to it. A tool at the network level can ensure the accuracy of log analytics, quickly detecting any discrepancies between log analytics and network activity in real time. Network traffic does not lie.
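The two detection ideas above, a per-device baseline of normal activity and a cross-check of host logs against what the network actually saw, can be illustrated with a small reconciliation script. This is an added example, not code from the article or any product it describes; the host name, addresses, timestamps and log format are all constructed for illustration.

```python
"""Reconcile a privileged host's own connection log with network flow records.

Constructed example: if a flow seen on the wire has no matching entry in
the host's log, either logging failed or someone edited the log. A large
transfer to a destination outside the host's learned baseline is a
'pattern of life' deviation worth a look.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport bytes_out")   # from a network sensor
LogEntry = namedtuple("LogEntry", "ts host dst dport")     # from the host itself

# Constructed sample data: 'admin-ws' is a hypothetical admin workstation.
NETWORK_FLOWS = [
    Flow(100, "admin-ws", "10.0.0.5", 22, 4_000),
    Flow(200, "admin-ws", "10.0.0.6", 443, 1_500),
    Flow(900, "admin-ws", "203.0.113.7", 443, 52_000_000),  # never logged by host
    Flow(950, "admin-ws", "10.0.0.5", 22, 3_000),
]
HOST_LOG = [
    LogEntry(101, "admin-ws", "10.0.0.5", 22),
    LogEntry(199, "admin-ws", "10.0.0.6", 443),
    LogEntry(951, "admin-ws", "10.0.0.5", 22),
]


def unlogged_flows(flows, host_log, host, tolerance=5):
    """Flows from `host` with no host log entry for the same dst/port within `tolerance` seconds."""
    entries = [e for e in host_log if e.host == host]
    return [
        f for f in flows
        if f.src == host and not any(
            e.dst == f.dst and e.dport == f.dport and abs(e.ts - f.ts) <= tolerance
            for e in entries
        )
    ]


def baseline_destinations(flows, host, until_ts):
    """Learn the (dst, port) pairs the host contacted during the training window."""
    return {(f.dst, f.dport) for f in flows if f.src == host and f.ts < until_ts}


def novel_large_transfers(flows, host, baseline, min_bytes):
    """Flows to destinations outside the baseline that moved at least `min_bytes` outbound."""
    return [
        f for f in flows
        if f.src == host and (f.dst, f.dport) not in baseline and f.bytes_out >= min_bytes
    ]


if __name__ == "__main__":
    base = baseline_destinations(NETWORK_FLOWS, "admin-ws", until_ts=500)
    for f in unlogged_flows(NETWORK_FLOWS, HOST_LOG, "admin-ws"):
        print("seen on network, absent from host log:", f)
    for f in novel_large_transfers(NETWORK_FLOWS, "admin-ws", base, min_bytes=10_000_000):
        print("large transfer to a destination outside baseline:", f)
```

In practice the flow side would come from a sensor or flow collector and the host side from a forwarded audit log; the point is that the comparison runs on data the host cannot alter.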

React: Practice What You Preach

It does not matter how fast or efficiently we detect these incidents and problems if we don’t properly enforce our own policies. Privileged users need to be held to a higher standard, as they can cause the most damage to a company. Failure to do so substantially increases the risks of a serious insider incident. Practice what you preach and if you preach poor security, expect breaches and attacks to follow. 

But even if we have the most advanced security policies and enforcement mechanisms in place, human error is a fact of life and insider threat – be it malicious or accidental – can never be fully eradicated. AI cyber defense technology offers the best chance to catch even the most subtle changes in behavior and to stop in-progress attacks before they have wreaked havoc. 
