If you have paid attention to the security landscape over the past decade, even in passing, you have likely picked up on the idea that the insider threat accounts for at least some measurable share of the concern within an organization's security framework. How much, of course, is anybody's guess; a recent article by CSO Magazine points to two recent reports, one from Cyber-Ark Software and the other Verizon's 2012 Data Breach Investigations Report, which reach differing conclusions about the frequency of such threats.
IBM’s X-Force 2012 Mid-Year Trend & Risk Report also places emphasis on moving beyond signature-based detection and adopting host-based behavioral analysis, a move which by its very nature would place more of an organization’s security focus on internal threats.
Regardless of the frequency of insider threats, however, the potential for damage is astronomical. Even if only 4% of data breaches originated from insiders in 2011, as Verizon's report suggests, is that a reason to place less emphasis on their detection and mitigation? As CSO Online also recently pointed out, with privilege comes peril in terms of cybersecurity. According to the article, even if the number of privileged users with 'keys to the kingdom' who intentionally target their own employer is small, the amount of damage they can do is not. What about privileged users who don't intentionally do anything wrong, but were themselves compromised outside the fortified bounds of their company's security infrastructure?
As I've hinted at before, high-dollar IDS/IPS and firewalls at the edge of a network, while important, are negated completely if a well-intentioned user physically brings the threat in through open doors. Do you have the visibility to determine that a user's behavior today is different from its established baseline? Is a user suddenly beaconing to an unknown host on the Internet, acting as a server, or attempting to transmit a large amount of data to an outbound host? Is a user downloading a large amount of information from internal hosts, where they have not done so before? Has a user brought an infected personal device onto the network?
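The three questions above (a new external peer, a host that starts acting as a server, and an outbound volume well above its norm) are the kind of checks a flow-based baseline answers. The following is an added example written for this post, not Lancope's code or StealthWatch's logic; the flow records and the 10.0.0.0/8 "inside" convention are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

INTERNAL_PREFIX = "10."  # constructed assumption: 10.0.0.0/8 is the inside of the network

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

# Constructed flow records (not real data): (day, src, dst, dst_port, bytes_sent)
BASELINE = (
    [(d, "10.0.0.5", "10.0.0.20", 445, 2_000_000) for d in range(1, 6)]      # daily file-server pull
    + [(d, "10.0.0.5", "203.0.113.10", 443, 300_000) for d in range(1, 6)]   # a known external site
    + [(d, "10.0.0.9", "10.0.0.20", 445, 1_500_000) for d in range(1, 6)]
)
TODAY = [
    (6, "10.0.0.5", "10.0.0.20", 445, 50_000_000),  # 25x the usual pull from the file server
    (6, "10.0.0.5", "203.0.113.77", 443, 120_000),  # external host never seen in the baseline
    (6, "10.0.0.33", "10.0.0.5", 8080, 4_000),      # inbound to 10.0.0.5: it now acts as a server
    (6, "10.0.0.9", "10.0.0.20", 445, 1_400_000),   # ordinary activity
]

def profile(flows):
    """Per internal host: external peers seen, mean daily bytes per (src, dst), ports it has served."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # (src, dst) -> day -> bytes
    served = defaultdict(set)
    for day, src, dst, dport, nbytes in flows:
        if is_internal(src):
            peers[src].add(dst)
            daily[(src, dst)][day] += nbytes
        if is_internal(dst):
            served[dst].add(dport)
    avg = {pair: mean(per_day.values()) for pair, per_day in daily.items()}
    return peers, avg, served

def detect(baseline, today, volume_factor=5.0):
    """Return (host, finding, detail) tuples where today's flows depart from the baseline."""
    peers, avg, served = profile(baseline)
    findings, today_bytes = [], defaultdict(int)
    for day, src, dst, dport, nbytes in today:
        if is_internal(src):
            if not is_internal(dst) and dst not in peers[src]:
                findings.append((src, "new-external-peer", dst))
            today_bytes[(src, dst)] += nbytes
        if is_internal(dst) and dport not in served[dst]:
            findings.append((dst, "new-service", dport))
    for (src, dst), sent in today_bytes.items():
        base = avg.get((src, dst))
        if base and sent > volume_factor * base:  # unknown pairs were already flagged above
            findings.append((src, "volume-spike", dst))
    return findings
```

Run against the sample data, `detect(BASELINE, TODAY)` flags only 10.0.0.5: a new external peer, a newly served port, and a volume spike toward the file server, while 10.0.0.9's ordinary day produces nothing.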
Lancope’s StealthWatch System brings all of this visibility under the same single pane of glass, and correlates anomalous host behavior with user and device information to help solve the insider threat headache. For more information, see how StealthWatch aids with BYOD and mobile security, and how flow-based monitoring is the missing link for behavioral detection.
Follow David Brooks on Google+.
TAGS netflow, network security, network visibility, insider threat, threat detection, threat context