Today, one of the most challenging cyber predicaments organizations face is the insider threat and how to protect against it. Whether it’s a financially motivated employee intent on stealing company data, or a disgruntled ex-employee with an ax to grind, businesses must stay on top of how to prevent ‘privileged’ users – those with unrestricted access to the corporate network – from causing harm to the business and its customers.
The reality for many companies is that a growing number of security incidents can – and do – start inside the business, often as a result of privileged misuse. This could be a result of activities conducted by malicious insiders, or it could also be caused by external hackers who are intent on accessing sensitive information. In this case, hackers target privileged users with the objective of gaining access to the network via their username and password – in many cases, a root password. This is often because it can be far more lucrative for an external hacker to obtain the credentials of the most privileged ‘super users.’
A Digital Fingerprint
There are many layers of protection that security professionals have put in place to safeguard against breaches, including log management, firewalls, and SIEM, but while these are effective against the general user population, they are powerless to stop a privileged user who has legitimately gained access to servers. Password management solutions can make it difficult for a hacker attempting to hijack a privileged account, but they are not foolproof, especially if an insider is in collusion with the hacker.
What these systems are missing is the key ‘blind spot’ in detecting breaches – the context of human behavior. Whereas machines are uniform and predictable, humans are not. Every privileged user has a unique pattern of behavior: everything from the time of day at which each person accesses particular servers and the commands they run once there, through to their idiosyncratic typing patterns and mouse movements. If we can monitor ‘typical’ behavior in this way, and create a baseline profile for each individual, we can then pinpoint deviations in real time and avert breaches before they happen.
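As an added illustration of the baseline-and-deviation idea described above (example code written for this page, not Balabit’s product or the author’s own implementation), the following Python builds a per-user profile of usual login hours, hosts, commands and typing rhythm from a constructed set of privileged sessions, then scores new sessions by how many features fall outside that profile. The user names, hosts, commands, keystroke timings and thresholds are all constructed assumptions; a real deployment would feed this from session recordings or authentication logs and tune the thresholds per environment.

```python
"""Minimal behavioural baseline for privileged users (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed "normal" sessions: (user, hour of day, host, command, mean inter-keystroke ms).
BASELINE_SESSIONS = [
    ("alice", 9,  "db01",  "psql",       180.0),
    ("alice", 10, "db01",  "psql",       175.0),
    ("alice", 14, "db02",  "pg_dump",    185.0),
    ("alice", 11, "db01",  "psql",       178.0),
    ("alice", 15, "db02",  "psql",       182.0),
    ("bob",   22, "web01", "systemctl",  240.0),
    ("bob",   23, "web02", "journalctl", 250.0),
    ("bob",   21, "web01", "systemctl",  245.0),
    ("bob",   22, "web02", "tail",       238.0),
]

# Constructed sessions to score: one routine, one clearly anomalous, one slightly odd, one unknown user.
TEST_SESSIONS = [
    ("alice",   10, "db01",       "psql",      181.0),
    ("alice",   3,  "fileserver", "scp",       320.0),
    ("bob",     22, "web01",      "systemctl", 260.0),
    ("mallory", 12, "db01",       "psql",      200.0),
]


@dataclass
class Profile:
    """Everything we remember about one user's typical behaviour."""
    hours: Counter = field(default_factory=Counter)
    hosts: Counter = field(default_factory=Counter)
    commands: Counter = field(default_factory=Counter)
    keystroke_ms: list = field(default_factory=list)


def build_profiles(sessions):
    """Aggregate historical sessions into one Profile per user."""
    profiles = defaultdict(Profile)
    for user, hour, host, command, ks in sessions:
        p = profiles[user]
        p.hours[hour] += 1
        p.hosts[host] += 1
        p.commands[command] += 1
        p.keystroke_ms.append(ks)
    return dict(profiles)


def _hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_session(profile, hour, host, command, ks, hour_slack=2, z_limit=3.0):
    """Return (score, reasons); each feature outside the baseline adds one point."""
    score, reasons = 0, []
    if not any(_hour_distance(hour, h) <= hour_slack for h in profile.hours):
        score += 1
        reasons.append(f"hour {hour:02d}:00 outside usual working window")
    if host not in profile.hosts:
        score += 1
        reasons.append(f"host {host} never accessed before")
    if command not in profile.commands:
        score += 1
        reasons.append(f"command {command!r} not in profile")
    mu, sd = mean(profile.keystroke_ms), pstdev(profile.keystroke_ms)
    # Typing rhythm: flag only when the spread is known and the session is a clear outlier.
    if sd > 0 and abs(ks - mu) / sd > z_limit:
        score += 1
        reasons.append(f"typing rhythm {ks:.0f} ms vs baseline {mu:.0f} ms")
    return score, reasons


def evaluate(profiles, sessions, alert_at=2):
    """Score sessions and return (user, score, reasons) for those reaching alert_at."""
    alerts = []
    for user, hour, host, command, ks in sessions:
        p = profiles.get(user)
        if p is None:
            # A privileged session with no history at all is itself worth a look.
            alerts.append((user, alert_at, ["no behavioural baseline for this user"]))
            continue
        score, reasons = score_session(p, hour, host, command, ks)
        if score >= alert_at:
            alerts.append((user, score, reasons))
    return alerts


def run_demo():
    """Build profiles from the constructed history and score the constructed test sessions."""
    return evaluate(build_profiles(BASELINE_SESSIONS), TEST_SESSIONS)


if __name__ == "__main__":
    for user, score, reasons in run_demo():
        print(f"ALERT {user} (score {score}): " + "; ".join(reasons))
```

Two design points are worth noting: the hour check is circular, so a night-shift administrator logging in just after midnight is not flagged, and the alert threshold requires more than one deviating feature, so a single unusually fast typing session does not by itself raise an alert. Real systems replace the hand-written counters with statistical models, but the shape of the decision, baseline first and then deviation, is the same.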
Removing the Security Blind Spot
By analyzing all user activity across the IT system, including malicious events, enterprises can gain a better understanding of what is really happening on the network. They have the intelligence to close security gaps without adding further layers of security.
As this approach demonstrates, protecting an organization from insider threats doesn’t need to be difficult. Analyzing user behavior adds a substantial layer of protection, increasing security and business efficiency while reducing the number of internal attacks.
This article was written by Balázs Scheidler, co-founder and CTO at Balabit, and was published in English on theCsuite.co.uk. Balázs Scheidler spoke at the Infosec 2016 conference in London on “Passwords are dead: behavior is the new authentication.”