Detecting Insider Threats: The Importance of Context

The SANS Institute released a report earlier this year on Insider Threats and the Need for Fast and Directed Response. The report talks about the importance of recognizing insider threats, whether accidental or intentional, why they occur and their implications, which often are more dire than external attacks alone.

Earlier this year, the Verizon DBIR tied 90% of all security incidents back to “people,” whether through mistakes, phishing, bad behaviour, or lost equipment. As the SANS report indicates, many insider threats go undetected. Insider threats rank high on IT’s radar, yet organizations have struggled to implement solutions that deal with them. In particular, organizations seem least prepared to deal with negligent employees or contractors, who place data at risk without intending to.

Much attention is placed on external threats, which affects security spending. Since insider threats often go undetected, many “external” threats that could be tied back to accidental or intentional insider activities are overlooked. As we talked about recently, the lack of information about true risks combined with fear-based planning (as opposed to a data-driven defense plan based on risk assessments) leads to skewed security spending and preparedness.

As the SANS Institute report notes, “that your organization currently has an insider threat of some sort is a near certainty,” so you must approach security with a focus on detecting these risks and remediating them. The SANS report approaches this “people” problem with the same approach we advocate here at Absolute: a combination of Education, Policies and Layered Technology solutions (read more about this in our whitepaper on the Enemy Within). The SANS report notes that administrative controls without technology support are only partially effective at preventing data breaches. Technology solutions that prevent, detect and deter can significantly reduce the number of insider threats organizations face.

The report indicates that 40% of organizations lack technology solutions to mitigate insider threats, while others believe they have gaps in the solutions they use or are not using their current solutions optimally; either way, insider attacks are still happening. We’ve seen this in talking with our clients. Most endpoint protection solutions look for external threats (known malware, viruses, etc.), and data loss prevention tools must be fine-tuned to discover insiders leaking data, so they often overlook data at risk. We also see that organizations are being inundated with alerts from external and internal threats, and many alerts get dismissed as irrelevant when they shouldn’t be. Detection may be there, but there’s not enough context to allow IT to prioritize the alert and take preemptive action.

With our own endpoint protection solution, Absolute DDS, customers can choose the criteria that are important to them in the form of alerts and build a suspicious devices report based on them. With Absolute DDS, you have more tools at your disposal to qualify an alert as relevant, using historical data for context. Learn more about how we can help detect and remediate insider threats at Absolute.com
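To make the point about context concrete, here is an added illustration of the triage idea described above (ranking devices by how far today’s activity departs from each device’s own history). It is example code written for this post, not Absolute DDS code or any part of the SANS report, and it assumes a simplified, constructed event log of the form `timestamp device event_type`. A fixed threshold alone flags both devices below; the per-device baseline is what separates the finance workstation that copies files to external media every day from the laptop that never did until today.

```python
"""Alert triage with historical context (illustrative example, not Absolute DDS code).

Assumes a simplified endpoint event log with one line per event:
    <ISO timestamp> <device name> <event type>
The 'suspicious devices' report ranks devices by how unusual today's
count of external_copy events is compared with that device's own past days.
"""
from collections import defaultdict
from statistics import mean, pstdev

RAW_THRESHOLD = 5  # a context-free rule: alert if more than 5 copies in a day


def constructed_log():
    """Constructed sample events for the example (not real telemetry)."""
    lines = []
    # LAPTOP-A: finance workstation that legitimately copies ~40 files/day to external media
    for day, n in zip(range(1, 7), [38, 42, 40, 41, 39, 41]):
        lines += [f"2015-10-{day:02d}T10:00:00 LAPTOP-A external_copy"] * n
    # LAPTOP-B: engineering laptop that almost never copies to external media, then 9 in one day
    for day, n in zip(range(1, 7), [0, 1, 0, 0, 1, 9]):
        lines += [f"2015-10-{day:02d}T18:30:00 LAPTOP-B external_copy"] * n
    return lines


def daily_counts(lines, event_type="external_copy"):
    """Aggregate raw event lines into {device: {day: count}} for one event type."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, device, kind = line.split()
        if kind == event_type:
            counts[device][ts[:10]] += 1
    return counts


def context_score(history, today):
    """Z-score of today's count against the device's own earlier days.

    A floor of 1.0 on the standard deviation stops a perfectly flat history
    from turning a single extra event into an extreme score.
    """
    if not history:
        return float(today)  # no baseline yet: every event is unusual
    sigma = pstdev(history)
    return (today - mean(history)) / max(sigma, 1.0)


def priority(z):
    return "high" if z >= 3 else "medium" if z >= 1.5 else "low"


def triage(lines, today):
    """Build the suspicious-devices report for `today`, most anomalous first."""
    counts = daily_counts(lines)
    # Use every day seen anywhere in the log so quiet days count as zero, not as missing
    all_days = sorted({d for per_day in counts.values() for d in per_day})
    history_days = [d for d in all_days if d < today]
    report = []
    for device, per_day in counts.items():
        history = [per_day.get(d, 0) for d in history_days]
        today_count = per_day.get(today, 0)
        z = round(context_score(history, today_count), 2)
        report.append({
            "device": device,
            "today": today_count,
            "raw_alert": today_count > RAW_THRESHOLD,  # what a context-free rule says
            "z": z,
            "priority": priority(z),                    # what the baseline says
        })
    report.sort(key=lambda r: r["z"], reverse=True)
    return report


if __name__ == "__main__":
    for row in triage(constructed_log(), "2015-10-06"):
        print(row)
```

Run as a script, the report lists LAPTOP-B first as high priority (9 copies against a baseline near zero) and LAPTOP-A last as low priority (41 copies against a steady 40), even though the raw threshold fires for both. The same pattern extends to other event types (off-hours logins, failed authentications) by changing the `event_type` argument.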