The chronicles of history are filled with accounts of the mighty and powerful brought to their knees by internal threats. As humans, it is too easy to be ensnared by the allure of external dangers, while ignoring the perils that lurk closer to home. From historic coups to contemporary heists, countless victories have been secured through the actions of insiders. The most effective intelligence agencies in the world all rely on actionable information garnered from within. 

In the realm of cybersecurity, we face a similar challenge. In recent years, insider threats have continued to rise, not always due to malicious intent but often as a result of careless behavior by employees, contractors, and third-party vendors. An insider threat is a growing concern in today's businesses and Ponemon Institute’s 2022 Cost of Insider Threat study reveals that insider threat incidents have risen 44% in past two years & the global average cost of an insider threat is USD 15.38 million. This trend has led to a rethinking of traditional security operations and the emergence of "Intelligent SecOps," which takes a comprehensive and practical approach to addressing both external and internal threats and more. 

The handling of insider threats has given rise to the popularity of User Entity and Behavioral Analytics (UEBA) security solutions, as the needs of modern enterprises have evolved. UEBA goes beyond analyzing users' behavior and includes the analysis of devices such as routers, servers, and endpoints. These solutions are even more powerful as they can detect complex and novel attacks across multiple users, IT devices, and IP addresses.

Decoding Insider Threats

An insider threat is a type of security risk that comes from within a company and at times from outside by an infiltrator who has gained access to credentials of a user. It can happen when someone who is or was employed by the company, works as a contractor, or has some other connection to the company, uses their access to cause harm to the company's computer systems and data. This harm can be caused on purpose or by accident, but either way, it results in the company's confidential information, systems, and data being put at risk. 

These attacks not only compromise the confidentiality, availability, and integrity of an organization's systems and data, but can also result in significant financial losses and harm to the organization's reputation. It is crucial for organizations to stay updated on the latest trends and advancements in security measures to proactively mitigate the risk of insider threats. 

It becomes imperative to understand the types of insider threats and the indicators that help uncover and respond to them. Insider threats can be categorized in two categories: malicious and careless.

The principal goals of malicious insider threats include espionage, fraud, intellectual property theft and sabotage. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.	Careless insider security threats occur inadvertently. They are often the result of human error, poor judgement, unintentional aiding and abetting, convenience, phishing (and other social engineering tactics), malware and  stolen credentials.

Fig 1: Types of Insider Threats

While insider threats may not trigger traditional rule-based alerts it does not mean they can’t be detected. The best way to catch insider threats is to look at both behavioral and the digital indicators to help establish the actual objective, intent and contain it, before the real damage is done. 

The ideal approach to handle insider threats in an enterprise - one must have a comprehensive program in place. We have built a 7 steps program into an ‘Insider Threat Survival Guide’ containing some of the best practices for one to understand and implement.

Fig 2: 7 steps for an Insider Threat Prevention Program

Summarizing, deployment of an UEBA solution is an important step on one’s insider threat prevention journey but it is necessary to have a corresponding program enforced across the enterprise.

ArcSight Intelligence – Helps You Conquer the Battle From Within

ArcSight Intelligence allows you to distill billions of log events into thousands of instances of unusual behavior and surface the riskiest actors in your organization, be it users, machines, servers, domains, websites, or other entities. In other words, ArcSight Intelligence provides a handful of high-quality threat leads from which you can begin your investigations. 

ArcSight Intelligence's employs unsupervised machine learning to automatically establish unique normal or baselines for each entity, allowing it to detect and highlight unusual activity that deviates from these norms. This helps in identifying potential threats, without relying on pre-defined rules or thresholds, making the security operations more adaptive and effective.

Figure 3: Aggregating Behavior/s for Entity Risk

As the diagram shows, this aggregates behavioral risk for an entity. It then creates alerts for each instance of entity behavior that deviates significantly from the “unique normal” or the “baseline” established. These alerts are called “anomalies”. Anomaly risk is a function of the probability of a specific behavior occurring and factors the weighted average of the risks associated with the entity, the asset with which they interacted and the method of interaction. 

The solution then assesses these anomalies and assigns a unique risk score to each entity, providing security teams with a clear and concise view of the potential threats. This enables them to focus their efforts on the most critical and impactful issues, rather than being consumed by an overwhelming volume of data. Ultimately, ArcSight Intelligence helps organizations move towards a proactive, “intelligence-driven security posture."

We understand that not all businesses or functions are alike, hence entity risk scores are calculated by considering the entity’s importance, which may be adjusted by risk engine tuning parameters, and the overall behaviors observed for the entity over time. The impact of individual anomalies on entity risk may also be adjusted by adjusting risk engine tuning parameters. 

In summary, ArcSight Intelligence enables organizations to detect and proactively handle insider threats before the damage is done. Some of its key features are:

• 100% unsupervised, online, machine learning UEBA solution
• Highly adaptive and minimal human intervention to help establish and update “unique normal”
• Numerous threat detection algorithms to help uncover complex insider threats
• Analysis of a variety of data sources that surface unusual behaviors to help uncover insider threats
• Detailed descriptions of each anomaly that empower your threat hunting team
• Easy collaboration with team members through anomaly comments and tags
• Seamless working solution with industry recognized EDR solution providers 

ArcSight by OpenText continues to evolve in line with the changing dynamics of today's attack vectors and provides complete suite of solution to help “Outmaneuver your adversary with intelligent automation from threat intelligence through holistic security analytics to response.” See for yourself how ArcSight Intelligence can help uncover insider threats within your organization by requesting your free demo.  

Join our Community | What is an Insider Threat? | What are Behavioral Analytics? | What is Machine Learning? | What is Threat Hunting?