Insider Threats Are The ‘Next Big Wave Of Attacks’: Securonix CEO & CTO
The April 30 episode of “Task Force 7 Radio” on the VoiceAmerica Business Channel found host George Rettas discussing the anatomy of an insider threat with Securonix CEO Sachin Nayyar, and its CTO, Tanuj Gulati.
Securonix has a sharp focus on risk management, identity management, regulatory compliance and other aspects of cyber security. Nayyar is described as a renowned thought leader in the areas of risk and GRC. Gulati, too, is a pioneer in analytical techniques and discussed User and Entity Behavior Analytics (UEBA) on the show.
Rettas took the opportunity to expand upon the concept of an insider threat in the show’s opening segment. Some current definitions, Rettas said, include malicious activity as well as unintentional harm to the organization. The broad definition, he explained, allows for forward capability and ensures that the scope of potential impacts is understood. However, Rettas didn’t buy it.
“It introduces a complexity into any conceptual insider threat operational model that is unnecessary and most importantly, unfocused,” Rettas said.
The “TF7 Radio” host said that the inclusion of “unintentional” acts skews the facts. He said that previously released figures on insider threats in the enterprise are inflated. Many figures take into account human error – failing to apply a patch, not rotating passwords, leaving physical devices in an unsafe area, etc. Rettas called the inclusion simply “misleading,” saying malicious activity carries a different root cause than human error.
Rettas then segued to the latter half of his show, with Securonix’s Nayyar and Gulati. Nayyar said that insiders are undoubtedly hard to detect. “It’s all behavior based,” he said. “Different factors contribute to this.” He also cited the growth in state-sponsored activity within the enterprise. This could be trained operatives who are planted there to remove data. The process is becoming sophisticated.
“These people have employment agreements with nation states that clearly state they’ll be paid X amount of dollars to exfiltrate data,” Nayyar said. “That’s not the regular disgruntled employee. They have tools, techniques and sophisticated cyber units behind them. They’re bigger and more dangerous (than they ever were).”
Explaining some nuances of the insider threat kill-chain, Gulati said that these users have already bypassed most stages of the chain, so the indicators come from the non-digital domain and are difficult to gather. The insider kill-chain, then, focuses on the inherent risk that insiders pose, and much of that rests on a behavior-based model that can detect anomalies.
Nayyar added: “We’ve come a long way (with insider threat detection). But I preface that by saying we still have a long way to go.” He said that more insider threat teams must become aligned with the core SOC. In terms of technology, Nayyar said that detection capabilities have progressed; however, data must be collected on users, customers, contractors, service accounts, etc., to produce a predictive analysis that is compared against peer information. Nevertheless, the CEO said there’s still a long way to go before these capabilities are streamlined within an organization.
Gulati underscored the distinction of “human error” in the insider realm. He said that some of these threats are caused by phishing campaigns, malware, etc., which have grown more sophisticated and can dupe employees.
Nayyar also added that traditional tools will not get the job done when it comes to threat detection. One must bring in non-IP-related data – location, time, entry, expense reports, user data, employee ratings, etc. Then associations can be made and behavior models can be formed to sniff out true “insiders” over time.
Asked about holding historical data beyond 90 days, Gulati said that “from an architectural standpoint, systems are put in place to capture breadcrumbs from data.” He said that you “stitch together” this data to find an attack pattern. The system must find breadcrumbs in real time and address them over the long term.
Gulati added: “It’s important to understand that to detect insider threats, you must have sensors on a lot of the exfiltration channels that the organization doesn’t typically monitor.”
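The peer-comparison, non-IT data and “breadcrumb stitching” ideas from the preceding paragraphs, as an added worked example that is not Securonix’s code or anything from the show: each user-day is scored against what same-department peers did over the window (leaving the scored user out of their own baseline), deviations above a z-score threshold become breadcrumbs, a badge swipe at an unexpected site adds a fixed non-IT signal, and the daily breadcrumbs are stitched into a decaying per-user risk score. The telemetry, the home-site map and every threshold, cap, floor and decay value are constructed for the illustration.

```python
"""
Toy peer-baseline behaviour scorer in the UEBA style (added illustration; not
Securonix's code). Each user-day is compared with peers in the same department
over the whole window; deviations beyond a z-score threshold are "breadcrumbs"
stitched into a decaying per-user risk score, together with a non-IT signal
(badge use at an unexpected site). All data and parameters are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    day: int
    user: str
    dept: str
    after_hours_logins: int   # logins outside normal working hours
    bytes_uploaded: int       # bytes sent to external destinations
    badge_site: str           # site where the physical badge was used


# Constructed sample telemetry: three engineers and two finance staff, three days.
EVENTS: List[Event] = [
    Event(1, "alice", "eng", 0, 1_000_000, "HQ"),
    Event(1, "bob",   "eng", 1, 1_400_000, "HQ"),
    Event(1, "carol", "eng", 0, 1_500_000, "HQ"),
    Event(1, "dave",  "fin", 0,   500_000, "HQ"),
    Event(1, "erin",  "fin", 0,   400_000, "HQ"),
    Event(2, "alice", "eng", 0, 1_200_000, "HQ"),
    Event(2, "bob",   "eng", 4, 9_000_000, "HQ"),
    Event(2, "carol", "eng", 1, 1_000_000, "HQ"),
    Event(2, "dave",  "fin", 0,   600_000, "HQ"),
    Event(2, "erin",  "fin", 0,   500_000, "HQ"),
    Event(3, "alice", "eng", 0,   900_000, "HQ"),
    Event(3, "bob",   "eng", 5, 20_000_000, "REMOTE"),
    Event(3, "carol", "eng", 0, 1_300_000, "HQ"),
    Event(3, "dave",  "fin", 1,   500_000, "HQ"),
    Event(3, "erin",  "fin", 0,   600_000, "HQ"),
]
# Constructed "usual site" per user; in practice derived from badge history.
HOME_SITE = {u: "HQ" for u in ("alice", "bob", "carol", "dave", "erin")}

FEATURES = ("after_hours_logins", "bytes_uploaded")
# Assumed floor on the peer std-dev: a flat baseline must not make a trivial deviation huge.
MIN_SD = {"after_hours_logins": 1.0, "bytes_uploaded": 100_000.0}
Z_THRESHOLD = 3.0   # a feature counts as a breadcrumb only above this many sigmas
Z_CAP = 10.0        # cap one feature's contribution so it cannot swamp the rest
BADGE_WEIGHT = 2.0  # fixed contribution for badge use at an unexpected site
DECAY = 0.5         # share of yesterday's risk that carries into today


def peer_baseline(events: List[Event], user: str, dept: str) -> Dict[str, Tuple[float, float]]:
    """Mean and floored std-dev per feature over the peers' observations,
    leaving out the user being scored so their own outliers do not hide."""
    peers = [e for e in events if e.dept == dept and e.user != user]
    baseline = {}
    for f in FEATURES:
        vals = [getattr(e, f) for e in peers]
        if vals:                      # a department of one has no peer baseline
            baseline[f] = (mean(vals), max(pstdev(vals), MIN_SD[f]))
    return baseline


def daily_breadcrumbs(event: Event, baseline) -> Tuple[float, List[str]]:
    """Score one user-day: z-scores above threshold plus the badge signal."""
    score, reasons = 0.0, []
    for f, (mu, sd) in baseline.items():
        z = (getattr(event, f) - mu) / sd
        if z > Z_THRESHOLD:           # only excess activity is suspicious here
            score += min(z, Z_CAP)
            reasons.append(f"{f} z={z:.1f}")
    if event.badge_site != HOME_SITE.get(event.user, event.badge_site):
        score += BADGE_WEIGHT
        reasons.append(f"badge at {event.badge_site}")
    return score, reasons


def stitch_risk(events: List[Event]):
    """Stitch daily breadcrumbs into a decaying risk score per user.
    Returns {user: (final_risk, [(day, day_score, reasons), ...])}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.day):
        by_user[e.user].append(e)
    result = {}
    for user, evs in by_user.items():
        baseline = peer_baseline(events, user, evs[0].dept)
        risk, flagged = 0.0, []
        for e in evs:
            score, reasons = daily_breadcrumbs(e, baseline)
            risk = risk * DECAY + score
            if reasons:
                flagged.append((e.day, round(score, 2), reasons))
        result[user] = (round(risk, 2), flagged)
    return result


if __name__ == "__main__":
    for user, (risk, flagged) in sorted(stitch_risk(EVENTS).items(), key=lambda kv: -kv[1][0]):
        print(f"{user:6} risk={risk:6.2f}", flagged)
```

Two design points matter more than the numbers. Scoring a user against a baseline that includes their own data bounds the achievable z-score in a small peer group, which is why the baseline leaves the scored user out; and a single feature such as upload volume can reach z-scores in the tens, which is why each feature's contribution is capped so that the badge and login signals still register in the stitched score. With the constructed data only bob is flagged, on days 2 and 3, and the decay keeps day 2's breadcrumbs contributing to day 3.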
On surveillance tools in threat detection, Nayyar said he’s still seeing “organizations with silos between anti-money-laundering (efforts) and insider threats.” He advised teams to look at it holistically and to share data, creating useful telemetry. Organizations, then, must think of a single platform for insider threats and anti-money-laundering controls.
What’s more, Nayyar added that insiders are using social engineering campaigns to tamper with internal data. They’re even asking colleagues for easy access, which becomes a gateway to critical data. As mentioned, he said external nation states have even begun planting individuals to retrieve data. He called it a “bad fantasy” but one that could be a part of the “next big wave of attacks.”
The Securonix CEO also touched upon the balance between privacy and security in threat detection. Nayyar said that some nations (and the EU with its GDPR) have very strict data privacy regulations. However, optimal insider threat detection follows the proper protocols to reach predictive solutions – and that means identifying the purpose of data collection, distinguishing how much is personally identifiable information (PII), relaying that it is not being used for human resources (HR) purposes, etc. Data is augmented with non-IT information, but it is carefully encrypted until the point where unmasking or decrypting it becomes required.
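The purpose-binding and masking described in the paragraph above, as an added illustration that is not Securonix’s code: identities are replaced by keyed pseudonyms so the behaviour model still sees one entity per person, fields outside the declared analytics purpose (such as HR review text) are dropped before the data enters the pipeline, and re-identification goes through a gated and logged unmask step. The records, the key, the purpose-to-field table and the case-id gate are all constructed; a real deployment would hold the pseudonym-to-identity map encrypted in a separate store and replace the gate with its own authorization check.

```python
"""
Purpose-bound pseudonymisation for insider-threat analytics (added illustration,
not Securonix's code). PII is replaced by keyed pseudonyms, fields not needed for
the declared purpose are dropped, and re-identification is gated and logged.
The pseudonym-to-identity map is an in-memory dict here; a real deployment would
keep it encrypted in a separate store. All records, keys and rules are constructed.
"""
import hashlib
import hmac
from typing import Dict, List

# Fields that identify a person: never leave the pipeline in the clear.
PII_FIELDS = {"user", "email"}
# Per declared purpose, the only non-PII fields that may be retained (assumed table).
PURPOSE_FIELDS = {
    "insider_threat_analytics": {"day", "dept", "after_hours_logins",
                                 "bytes_uploaded", "badge_site"},
}


class Pseudonymizer:
    def __init__(self, key: bytes):
        self._key = key
        self._vault: Dict[str, str] = {}   # pseudonym -> real identifier
        self.unmask_log: List[dict] = []   # audit trail of re-identifications

    def pseudonym(self, value: str) -> str:
        """Deterministic keyed token: same person -> same token, so the behaviour
        model still tracks one entity, but the token reveals nothing without the key."""
        tok = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[tok] = value
        return tok

    def minimise(self, record: dict, purpose: str) -> dict:
        """Keep only what the declared purpose needs; pseudonymise PII."""
        allowed = PURPOSE_FIELDS[purpose]
        out = {}
        for field, value in record.items():
            if field in PII_FIELDS:
                out[field] = self.pseudonym(value)
            elif field in allowed:
                out[field] = value
            # everything else (e.g. HR review text) is dropped for this purpose
        return out

    def unmask(self, token: str, requester: str, case_id: str) -> str:
        """Re-identify a pseudonym only against an open case, and log who did it.
        The case-id check stands in for the organisation's real authorization."""
        if not case_id:
            raise PermissionError("unmasking requires an open investigation case")
        self.unmask_log.append({"token": token, "by": requester, "case": case_id})
        return self._vault[token]


# Constructed raw records as they might arrive from IT and non-IT sources.
RAW_RECORDS = [
    {"day": 2, "user": "bob", "email": "bob@example.com", "dept": "eng",
     "after_hours_logins": 4, "bytes_uploaded": 9_000_000, "badge_site": "HQ",
     "hr_review_text": "exceeds expectations"},
    {"day": 3, "user": "bob", "email": "bob@example.com", "dept": "eng",
     "after_hours_logins": 5, "bytes_uploaded": 20_000_000, "badge_site": "REMOTE",
     "hr_review_text": "exceeds expectations"},
]


def build_pipeline(key: bytes = b"constructed-demo-key"):
    """Minimise all raw records for the analytics purpose; return (records, pseudonymizer)."""
    pz = Pseudonymizer(key)
    return [pz.minimise(r, "insider_threat_analytics") for r in RAW_RECORDS], pz


if __name__ == "__main__":
    records, pz = build_pipeline()
    for r in records:
        print(r)
    print("unmasked:", pz.unmask(records[0]["user"], "analyst-1", "CASE-0001"))
```

Because the pseudonym is a keyed HMAC rather than a plain hash, the analytics side can join a user's events across days and sources without holding the identity, and nobody with only the pseudonymised data can brute-force the token back to a short username. The unmask log is what lets the organisation show a privacy regulator that re-identification happened only for investigations, not for HR purposes.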
Altogether, Nayyar called for companies to roll out programs with anonymous email addresses or hotlines, for employees to report suspicious activity. He also said executives should be continually educated on related matters. Lastly, he called for organizations to appoint insider threat leader(s) on the cyber security team, and for companies to move toward behavioral analytics as more and more enterprises evolve to the cloud.