Combating insider threats that hide 'in the noise'
In the ever-changing era of cyber threats against payment and personal data, it is dangerous for companies or financial institutions to spend a lot of time or money establishing defenses only against external threats.
At least half of the time in breach incidents, sensitive data was endangered because someone on the inside either slipped up or deliberately gave access to the bad guys, according to the risk management firm Bay Dynamics.
Because of those possibilities, deployment of user and entity behavior analytics is on the rise, with many companies seeing the benefit in monitoring what is happening within their own networks.
"Behavior analytics were easy in the early days of e-commerce when companies wanted to know what shoppers were buying and they were trying to steer them toward certain channels," said Ryan Stolte, co-founder and chief technology officer of Bay Dynamics. "But we've got a lot of history from over the last several years and now we can tell whether someone is a bad guy — or someone who didn't intend to be bad, but was just doing bad things."
Bay Dynamics partnered with Symantec last year to enhance behavior analytics to address specific insider threats. This type of focus allows corporations and other entities that store or transmit personal or payment data to keep it safe from insider threats, despite such threats being hard to spot.
"Take the example of credit card numbers, which would seem obvious if someone was stealing or moving those, but simple systems put in place might miss it or not detect if it is a credit card number, or Social Security number or just something that looks like those," Stolte said.
Malicious insiders might conduct "slow and low attacks," meaning they are moving small amounts of data over a long period of time, hoping to stay under the radar, Stolte said. The more powerful behavioral analytics would notice the movement of data taking place by those who normally don't carry out that task, and would trigger security teams to investigate, he said.
A similar insider threat called "hiding in the noise" occurs when a large corporation or bank has numerous employees who handle documents with a small amount of personal information, such as Social Security numbers or account numbers. If hundreds of employees handle this sort of task, the bank could have a hard time noticing if suddenly there was one who shouldn't be.
"Trying to find out through a spreadsheet, they wouldn't be able to figure it out," Stotle said. "Through behavior analytics, you would isolate a single user, see 20 things they did, and would see that there was a problem. This is a very common problem we see."
While the use cases for user and entity behavior analytics are all practical, only certain businesses would consider themselves at a higher risk for insider threats, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
"I can see value in this type of protection for places that do a lot of research and development, or have client or customer data it would want to keep from a competitor," Pascual said. "But as far as efficacy, it is tough to say what the return on investment would be for companies. It is hard to gauge the real cost of these types of threats, so a security person going to their boss is not going to be able to show a true dollar value on what could be saved."
Still, any process that monitors insider threats can be effective in stopping poor employee behavior, or those who don't pay attention to company security policies and open links and files that ultimately allow a fraudster to plant malware, Pascual said.
"That's a very real risk, because phishing is a preferred means to getting access to a lot of an enterprise's data," Pascual said. "This is an area where it makes sense to have analytics because an employee can just be careless."
While payment data might not always be in danger because of other security controls like tokenization or cloud-based storage off of a network, insider threats could also come into play when someone gets into a network to change the limits on withdrawals or credit card accounts, Pascual said.
"If you saw that sort of thing occurring under the credentials of one of your employees, that is the kind of thing that could be detected," he added.
User and entity analytics can also piece together any type of collusion among employees who work together to spread out the theft of data, or those who are preparing to leave the company, or even planning to start their own company with some company or customer data that would be beneficial.
"There are regulations in place for people who accept payments, that they have to do certain things to protect that data," Bay's Stolte said. "So the analytics would find people who start taking stuff that they normally wouldn't."
Many companies are finding that it is difficult to monitor all of the potential threats, and they are turning to experts who can help them, he added.
"Rather than a Fortune 500 company trying to do this on their own, I think they will be working with the security community to help them figure this out," Stolte said. "I think the future will look more like that."