Ophir Bleiberg, vice president of emerging products and research at Imperva, states that in the popular imagination a compromised network involves a computer genius, sitting nowhere near the business's physical location, who takes down the network in one fell swoop and plunges the organisation into chaos. That scenario might work in a Hollywood film, but the reality is usually far less dramatic: networks are often compromised by insiders, especially as business shifts online and the data this generates gives malicious actors a growing opportunity to monetise it.
What is an insider threat, and what types of them are there?
Insider threats fall into three main groups: malicious, compromised and careless. A malicious insider is arguably the type organisations think about least; few board members or security professionals like to think of their trusted employees as potential threats, so they are often overlooked, despite their enormous potential for causing havoc, perhaps best illustrated by Edward Snowden.
A careless actor is one who has no ill will towards the company but accidentally puts data at risk. This kind of threat has become increasingly common as the line between work and home blurs ever further and people take more work home with them. If someone accesses the network from a personal smartphone or laptop, for example, that device may not have the same protection as the equipment in the office. Finally, a compromised actor is a member of staff who has unwittingly allowed their machine or network account to be taken over, for instance via a phishing email that installs malware on the device. From the system's point of view a compromised account still looks like the legitimate user, so permission checks alone will not catch it; only its behaviour gives it away.
What is to be done?
Even if enough of these security professionals were available, the amount and variety of data flowing through any given organisation's systems means that the threats discussed above would not all be identified. To fill this gap, security professionals are turning to machine learning-based solutions that can be trained to do the leg-work of a large team of analysts in a fraction of the time. Such solutions analyse vast data sets and use the patterns evident within them to establish a baseline of "good" behaviour, then categorise activity that deviates from it as anomalous; those few incidents can be passed on to a security analyst for further investigation. In practice the model is only as good as its baseline, so it needs a period of learning normal behaviour and ongoing tuning to keep false positives manageable.
Insider threats and various other forms of cyberattack often go unnoticed within the organisation, potentially for months, particularly when people are doing things they have permission to do. While it is easy enough to identify a user acting outside their permissions, it is not as easy to recognise the signs of automation in a system. If a user's device has been infected with malware, for example, the malicious software may be automated to scan data sets: it requests records far faster and more regularly than a person would, and often walks through identifiers in sequence. By comparing this against the patterns it has already established for that user and their peers, a well-trained machine learning system could identify the automation before the compromised account has been used to seriously compromise the network.
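The following is an added illustration of the kind of signal described above, written for this page; it is not Imperva's or Brookcourt's code and does not show how their products work. It takes a handful of constructed audit-log lines (an assumed "timestamp user action record-id" format, not real data) and scores each user on three features that distinguish a script from a person: how regular the gaps between requests are, how many requests per minute are made, and what fraction of consecutive record IDs are sequential. The thresholds are assumptions for the sake of the example; a real deployment would learn them per user and per role from a baseline period.

```python
"""Flag automated (script-like) record access in constructed audit logs.

Added example for this page; not Imperva's or Brookcourt's code. The log
format, the feature set and the thresholds below are all assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <action> <record id>".
# alice reads a few unrelated records at irregular, human-paced intervals.
# mallory's account reads consecutive records every 250 ms, as a scanner would.
# bob has too few events to judge.
SAMPLE_LOG = """\
2023-05-01T09:00:03 alice READ cust-1042
2023-05-01T09:04:17 alice READ cust-2201
2023-05-01T09:05:50 alice READ cust-0877
2023-05-01T09:13:22 alice READ cust-1042
2023-05-01T09:19:08 alice READ cust-3310
2023-05-01T09:10:00.000 mallory READ cust-0001
2023-05-01T09:10:00.250 mallory READ cust-0002
2023-05-01T09:10:00.500 mallory READ cust-0003
2023-05-01T09:10:00.750 mallory READ cust-0004
2023-05-01T09:10:01.000 mallory READ cust-0005
2023-05-01T09:10:01.250 mallory READ cust-0006
2023-05-01T09:10:01.500 mallory READ cust-0007
2023-05-01T09:10:01.750 mallory READ cust-0008
2023-05-01T09:30:00 bob READ cust-5100
2023-05-01T09:31:40 bob READ cust-5101
"""

MIN_EVENTS = 4         # assumed: fewer events than this cannot be scored reliably
MAX_HUMAN_REGULARITY = 0.3   # assumed: coefficient of variation of request gaps below this is machine-like
MAX_HUMAN_RATE = 30.0        # assumed: requests per minute above this is machine-like
MIN_SEQ_FRACTION = 0.8       # assumed: this fraction of +1 record-id steps indicates enumeration


def parse_log(log_text):
    """Group (timestamp, action, record) tuples by user; skip malformed lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, record = parts
        events[user].append((datetime.fromisoformat(ts), action, record))
    return events


def _numeric_suffix(record_id):
    """'cust-0042' -> 42; None when the suffix is not numeric."""
    tail = record_id.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else None


def user_features(events):
    """Compute automation features for one user's events; None if too few events."""
    events = sorted(events)
    n = len(events)
    if n < MIN_EVENTS:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    # Coefficient of variation: 0 means perfectly regular timing, humans are noisy.
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    span = (events[-1][0] - events[0][0]).total_seconds()
    rate_per_min = (n / span) * 60 if span > 0 else float("inf")
    ids = [_numeric_suffix(rec) for _, _, rec in events]
    steps = [b - a for a, b in zip(ids, ids[1:]) if a is not None and b is not None]
    seq_frac = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    flagged = cv < MAX_HUMAN_REGULARITY and (
        rate_per_min > MAX_HUMAN_RATE or seq_frac >= MIN_SEQ_FRACTION
    )
    return {
        "events": n,
        "distinct_records": len({rec for _, _, rec in events}),
        "cv": cv,
        "rate_per_min": rate_per_min,
        "seq_frac": seq_frac,
        "flagged": flagged,
    }


def analyse(log_text):
    """Return {user: features-or-None} for every user seen in the log."""
    return {user: user_features(evts) for user, evts in parse_log(log_text).items()}


if __name__ == "__main__":
    for user, feats in analyse(SAMPLE_LOG).items():
        print(user, feats)
```

Run as a script it prints one feature row per user; only mallory's account is flagged, alice's irregular browsing is not, and bob is returned as None because two events are not enough to say anything. Sequential-ID enumeration and timing regularity are cheap, explainable features, which is why they make a good first layer before handing the few flagged accounts to an analyst.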
A security analyst can only work as fast as a person can, but a well-trained machine learning system can do the leg-work that would be too time-consuming for even the most talented security researcher.
Brookcourt and our partner Imperva can identify machine learning-based solutions that detect threats far faster than human analysts alone and help to prevent potentially devastating consequences.