The Insider Threat Trifecta: People, Activity and Applications
User activity monitoring is the solution to all three.
This whitepaper describes a new – and important – way of looking at the greatest source of IT risk in your organization.
According to The 2015 Insider Threat Spotlight Report, 62 percent of security professionals say insider threats have become more frequent in the last 12 months (June, 2015). Insider threats are greater than ever before, and must be evaluated – and mitigated – by looking at the intersection of three business-critical elements found in every organization: people, activities and applications.
The People Threat
Users can make mistakes, be targeted by hackers and even deliberately cause harm. Because they are granted access to sensitive data and systems, people represent the greatest insider threat. It is critical to understand the various types of users within your organization and the risk profiles of each. Organizations should consider three categories of people:
- External vendors – Many of the high-profile breaches of the past year (including Home Depot and Target) were perpetrated using a third party’s stolen login credentials.
- Privileged users – The crippling cyber-attack at Sony has been traced to the stolen credentials of a systems administrator.
- Application users – A 30-year-old rookie financial advisor at Morgan Stanley abused his access privileges to steal data on 350,000 Morgan Stanley wealth management clients and post some of it to the Internet.
Perhaps surprisingly, regular business users, not administrators, pose the greatest data breach risk to most organizations. Recent research shows this empirically; for example, the 2014 IBM/Ponemon Cost of Data Breach report indicates that 84% of internal data breaches come from regular business user accounts with no administrator privileges.
The most important factor explaining this reality is that business users outnumber IT administrators by 20:1 in the average large organization (source: Gartner 2013 Key IT Metrics Report). The sheer number of business users, their volume of activity and their necessary access to critical/sensitive applications and data combine to form a far greater overall risk to the organization.
Clearly, it is vital to profile the risk presented by each category of user, and to implement solutions to mitigate these risks.
The Activity Threat
Human activity is the most common threat vector; whether by negligence, carelessness or malicious intent, employees and contractors alike can do things that threaten a company’s data and systems. It is extremely difficult to identify unauthorized activity among authorized users, given the large number of actions performed every day by all types of users. However, when organizations fail to notice abnormal activity patterns in the context of IT and business user actions, both hackers and internal malicious users are able to steal, leak or destroy valuable data.
Examples of IT administrator activities that can affect the security of an organization include:
- Making changes to configuration files that can cause systems to fail
- Creating unauthorized local or remote access accounts (e.g. VPN or SSH)
- Escalating privileges on Unix/Linux machines using sudo
- Changing the administrator or root password
- Using admin credentials on one machine to “leapfrog” to a more restricted machine
- Installing “backdoors” to enable later penetration
- Running malicious code that causes denial of service (DoS) to critical services
- Tampering with data by intentionally modifying data or code
Examples of business-user activities that can lead to insider threats:
- Running a report in an application that exports a huge amount of sensitive data
- “Innocently” uploading sensitive data to a third-party cloud application, exposing it in various ways
- Deliberately sharing sensitive data with others via email, cloud application, thumb drive, etc.
- Installing a remote desktop application to work from home, thus opening a remote backdoor into the network
- Responding to a phishing email, thus granting network access to a hacker
- Visiting unauthorized websites that could install malware on the network
The Application Threat
The applications used by employees and contractors are, themselves, a great source of risk. While most applications are necessary for business functions, some have no place in the organization and can lead to insider threats. Examples of applications which may not be required include consumer cloud sharing, screen capture, desktop sharing, file transfer (FTP), and peer-to-peer file sharing (torrents).
However, many of the mission-critical business applications in use also present significant data breach risk. Examples of these include financial/billing, point-of-sale, patient records, CRM, call center, claims processing and portfolio management systems. While these applications are obviously necessary for conducting business, business users can potentially abuse them (accidentally or intentionally) to expose huge amounts of sensitive data.
Why Are Organizations So Vulnerable?
Organizations have spent years implementing systems designed to secure their back-end servers and databases, including firewalls, virtual private networks (VPN), intrusion detection systems (IDS), identity and access management (IAM) and database activity monitoring (DAM). These solutions collect a vast quantity of system and infrastructure log data to monitor the systems and report on what is going on. In most cases, the data coming from all these systems is fed into a security information and event management (SIEM) solution which correlates it all and tries to identify situations in which everything may not be safe and secure.
The big problem with this current state of affairs is that the users – IT administrators, external contractors and everyday business users alike – have direct access to the organization’s most valuable digital assets via the applications they use. Of course they do – they need to do their jobs! These users and applications are already inside the security perimeter, rendering firewalls, IDS and SIEM systems effectively useless if the authorized users (or unauthorized users who have stolen account credentials) end up stealing data, vandalizing systems or even leaking data unintentionally.
In other words, while IT security teams spend most or all of their IT security budgets on securing their back-end servers and databases, they are ignoring the dangers inherent with what users are doing via the front ends of the applications to which they have access.
The key point is this: once users log in to the business-critical applications that grant access to the company’s sensitive data, most organizations have no idea what users are actually doing. This is a massive gap in the security posture of most organizations.
The Solution: User Activity Monitoring
In order to fully protect their organizations, those responsible for IT security must immediately begin shifting a significant percentage of their budgets to securing the potentially toxic user-activity-application combination. The best way to do this is to monitor the front ends of the applications being used, and the user activity performed within them.
User Activity Monitoring is a comprehensive, user-focused security solution that provides the required insight into exactly what every user is doing on the organization’s network. This type of solution enables security administrators to immediately detect dangerous, unauthorized and out-of-policy user activity – and to stop it in its tracks. These solutions also give administrators the ability to quickly and accurately determine, after the fact, exactly who did what, when and how with sensitive data, systems and applications.
User Behavior Analytics
The most powerful way that User Activity Monitoring solutions help to secure a company’s data and systems is by automatically and continuously profiling the behavior of every user. After initially profiling the typical, expected behavior of each type of user (and even individual users), these systems are able to automatically detect behavioral anomalies that may indicate negligent or fraudulent activities. This is not unlike the financial fraud detection systems in place at most financial institutions.
For example, if a hacker gains access to a login account, his behavior will look very different from that of the real business or IT user who normally logs in with that account. Another example is a user who is suddenly accessing new resources for the first time, or running unusually large reports. There are numerous types of behavior anomalies that may trigger detection. Examples include:
- running unusual applications
- accessing unusual systems, files or other resources
- performing unusual types of operations or running rarely-used commands
- generating larger-than-usual reports
- executing a larger number of actions than usual within a given time frame
- accessing systems from unusual client machines
- logging in outside normal/expected hours of the day or days of the week
User Behavior Analytics detect these behavioral irregularities and alert IT security staff in real time. The security administrator can then observe the suspicious user session via a streaming video broadcast of the user’s desktop, or review the user activity logs generated by the current session (and past sessions). If deemed necessary, administrators can instant-message the user via the desktop or even shut down the session from within the same interface.
For lower-severity incidents, such as non-critical out-of-policy behaviors, administrators can later review session transcripts and/or videos to determine if irresponsible or dangerous activities had taken place.
Configurable Real-time Alerts
Additionally, security administrators can manually define any number of simple or complex “alert rules” to generate real-time alerts about particular user activities that they want to know about, whenever they occur. Examples of such alerts might include:
- any time a user connects remotely outside of regular business hours
- any time a remote contractor logs in to a sensitive server
- any time a user opens a particular file
- any time a user runs a particular application on a particular computer
- any time a business user manually modifies a Registry entry
- any time an IT administrator edits a critical configuration file
- any time an IT administrator changes a system password
- any time a user escalates permissions using sudo
- any time a user runs a particular SQL query against a production database
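As an added example (not code from the whitepaper or from any vendor product), the following Python sketches how the behavioral anomalies listed under User Behavior Analytics and the static alert rules above can be evaluated together over constructed activity events: a per-user baseline of login hours, client machines and daily action volume is learned from history, then each new event is checked against the static rules first and the baseline second. The event fields, the sensitive-host inventory, the contractor list and the 2x volume threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
HISTORY = [  # constructed sample events (not from the article): user, timestamp, client, target, action
    ("alice", "2015-06-01T09:12:00", "ws-alice", "crm-app", "run_report:small"),
    ("alice", "2015-06-01T16:05:00", "ws-alice", "crm-app", "open_record"),
    ("alice", "2015-06-02T09:45:00", "ws-alice", "crm-app", "open_record"),
    ("bob",   "2015-06-01T10:50:00", "ws-bob",   "db-prod", "sql_query"),
    ("bob",   "2015-06-02T10:20:00", "ws-bob",   "db-prod", "sql_query"),
]
TODAY = [  # constructed events to evaluate against the baseline learned from HISTORY
    ("alice", "2015-06-03T02:15:00", "vpn-home",  "crm-app", "run_report:large"),
    ("bob",   "2015-06-03T10:00:00", "ws-bob",    "db-prod", "sudo"),
    ("bob",   "2015-06-03T10:30:00", "ws-bob",    "db-prod", "sql_query"),
    ("carol", "2015-06-03T11:00:00", "vpn-carol", "db-prod", "sql_query"),
]
SENSITIVE_HOSTS, CONTRACTORS = {"db-prod", "hr-app"}, {"carol"}  # assumed inventory and contractor list

def build_baseline(events):
    """Profile each user from history: hours and client machines seen, mean actions per day."""
    hours, clients, per_day = defaultdict(set), defaultdict(set), defaultdict(lambda: defaultdict(int))
    for user, ts, client, _target, _action in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        clients[user].add(client)
        per_day[user][t.date()] += 1
    return {u: {"hours": hours[u], "clients": clients[u],
                "mean_daily": sum(per_day[u].values()) / len(per_day[u])} for u in hours}

def evaluate(events, baseline):
    """Return (user, reason) alerts: static alert rules first, then anomalies against the profile."""
    alerts, daily = [], defaultdict(lambda: defaultdict(int))
    for user, ts, client, target, action in events:
        t = datetime.fromisoformat(ts)
        if action == "sudo":
            alerts.append((user, "privilege escalation via sudo"))
        if user in CONTRACTORS and target in SENSITIVE_HOSTS:
            alerts.append((user, f"contractor login to sensitive host {target}"))
        if client.startswith("vpn-") and not (8 <= t.hour < 18 and t.weekday() < 5):
            alerts.append((user, "remote connection outside business hours"))
        prof = baseline.get(user)
        if prof is None:  # no history yet: static rules only, no behavioral comparison
            continue
        if client not in prof["clients"]:
            alerts.append((user, f"unusual client machine {client}"))
        if t.hour not in prof["hours"]:
            alerts.append((user, f"unusual login hour {t.hour:02d}"))
        daily[user][t.date()] += 1
        if daily[user][t.date()] >= 2 * prof["mean_daily"]:
            alerts.append((user, "action volume at or above 2x daily baseline"))
    return alerts
```

Running `evaluate(TODAY, build_baseline(HISTORY))` yields six alerts: three for alice's off-hours session from an unseen VPN client, two for bob (the sudo rule and the volume anomaly), and one for the contractor reaching a sensitive host; the history evaluated against its own baseline yields none.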
When user-based attacks occur, every second counts. The longer a threat goes undetected, the more damage a company will incur in terms of both financial costs and brand reputation. Without the ability to monitor user activity in real time, companies will continue to suffer from undetected user-based breaches, significantly increasing the scope and costs of those breaches.
Bullet-proof IT Forensics
Another advantage enjoyed by IT administrators after deploying a User Activity Monitoring solution is fast, easy and incontrovertible IT forensics. Keyword-searchable user activity logs and session screen recordings are invaluable for IT troubleshooting, root cause analysis and incident investigations. If user actions are responsible for a system failure, data leak or any other incident, administrators will be able to quickly discover exactly who did what, where, when and how.
The Deterrence Factor
Finally, User Activity Monitoring has an effect similar to “speed cams” on the highway: because users are informed upon every login that their actions are being monitored and recorded, instances of unsanctioned and reckless activity fall dramatically. This is not theoretical; system and security administrators consistently report that, after deploying User Activity Monitoring, employees and contractors alike exhibit much more cautious behavior when accessing sensitive data and systems.
The intersection of people, activities and applications represents the greatest IT security risk to organizations today. While privileged IT users present a significant threat to every organization, the sheer number of business users, their volume of activity and their necessary access to critical/sensitive applications and data combine to form a far greater overall risk to the organization.
Most organizations do a satisfactory job of securing and monitoring their back-end servers and databases from external attacks. However, because the company’s employees, administrators and contractors are authorized to operate inside the security perimeter, traditional security mechanisms are nearly useless when it comes to user-based risk. It is the activities of authorized users (or outsiders who manage to gain access to authorized user accounts) within applications that pose the greatest IT security risk. Both industry research and the rapidly-growing list of incidents in the news confirm this unfortunate reality.
User Activity Monitoring specifically mitigates these risks by providing comprehensive monitoring, behavioral analytics, incident alerting, audit reporting, and IT forensics capabilities for the activities of users in the front ends of applications. In doing so, User Activity Monitoring closes the largest security gap found in organizations today. This type of solution enables security administrators to immediately detect dangerous, unauthorized and out-of-policy user activity – and to stop it in its tracks.
Published at DZone with permission of David Mai.