With insider threats it’s not a matter of if, but rather a question of when your organization will be hit. Just last week HackerOne, a security company, dealt with a rogue employee stealing data reported through the company’s bug bounty system. According to the article, the insider threat actor was turning around and using the privileged data to claim bounties directly from the affected companies, making a tidy profit. The now-former employee accessed and attempted to sell his company’s data over a half dozen times, only getting caught after a customer noticed and reported unusual behavior to HackerOne.
Stories like this are becoming all too common. Consider asking yourself:
- Can my organization confidently detect insider threats?
- Does my security team have the resources needed to handle insider threats?
- Does my organization have a process in place to stop insider threats before damage is done?
- Is there a plan to handle insider threat incidents after the damage has been done? Who is involved?
If you don’t have great answers or the thought exercise worries you, you’re not alone! According to the GURUCUL Insider Threat Report 2021, 98% of organizations feel vulnerable to insider threats and about half can’t detect an insider threat until after the damage has been done.
Insider Threat is Growing
Insider threats are increasing at an alarming rate, and companies need to be prepared. According to the “2022 Cost of Insider Threats Global Report” released by the Ponemon Institute, 67% of companies reported more than 20 insider threat incidents, requiring an average of 85 days per event to fully contain. These threats aren’t cheap either, with an average total cost to the organization of $15.4M. To make matters worse, insider threats are notoriously difficult to detect.
Today you may be fending off a malicious threat actor moving laterally through your systems; tomorrow it may be an employee collecting privileged company data to exfiltrate. And you will always be searching for the negligent users falling for phishing emails, navigating to suspicious websites, or using weak passwords. Whatever the case, insider threats often blend in, going unnoticed until it is too late and the damage is done. Given the advances in modern security analytics tools, you may be asking why insider threat hunting is still so difficult.
Difficulties in Detection
Most monitoring tools take a rule-based approach to security, sending out alerts when an action is taken or a threshold is reached. However, these contextless rules tend to throw false positives, flooding already busy analysts with false leads that must be followed up on. Too many false flags and your security team will start ignoring noisy alerts, opting to focus their precious time elsewhere. The same goes for analysts using hypothesis-based searches to find insider threats: if day in and day out a query returns no leads, the analyst will pivot to other tasks.
When looking for the insider threat “needle in a haystack” it is easy to get discouraged! Without a proper program in place, insider threat hunting slides down the list of priorities leaving the organization at risk of data breaches, IP theft, and more. This is why we are here to help!
Where to Start
To get started detecting, containing, and remediating insider threats, check out our new Insider Threat knowledge hub from CyberRes! Learn more about what insider threats are, the risk they pose to your business, and how to protect against them by building your own insider threat program. Build your team, establish best practices, and ensure you have the right tools in place (such as ArcSight Intelligence) to give your organization a fighting chance against insider threats.