It’s easy for businesses to overestimate the risk posed by external threats and underrate the insider threat hazard. After all, incidents involving organized hackers who leverage well-publicized attack vectors to compromise systems and data tend to garner the very news headlines that prompt queries from your senior executives and board members.
But priorities are shifting as organizations awaken to the fact that insider threats can often inflict even greater harm than externally sourced events because they are more difficult to detect and prevent. Putting aside the fact that there is some semantic murkiness around the two terms – external threats technically become insider events when the adversary acquires trusted privileges – awareness to the true insider threat, which can take on many forms, is becoming more pronounced.
Verizon, which publishes the security industry’s landmark annual study on data breaches, classifies the five insider threat personalities as:
- The Careless Worker
- The Inside Agent
- The Disgruntled Employee
- The Malicious Insider
- The Feckless Third-Party
These personas represent most of the ways by which workers can increase their organization’s level of risk through carelessness or deceit. Employees and contractors become a threat to organizations when they are not actively contributing to their company’s safe data management practices.
How can organizations’ cybersecurity teams prepare for and prevent such incidents?
Where Technology Enters
Security Orchestration, Automation and Response (SOAR) helps enable organizations to combat insider threats quickly and efficiently while allowing them to plan for these types events before they happen.
These technologies provide security automation processes to streamline incident response management and prevent delays based on limited person power. Under this threat management method, security professionals can create processes to automatically go into effect once an event is detected.
Here are some of the fundamental capabilities of a SOAR platform that’s been properly implemented:
1) Provides security specialists with real-time alerts consolidated into a single console.
Security analysts can use built-in tools to see the timestamps and types of alerts, information which helps them prioritize the most urgent threats as soon as they’re detected without needing to access their organization’s various security tools separately.
At the same time, machine learning can help recognize threat types and determine what’s “normal” in behavior, traffic patterns and usage across an organization’s environment. Being able to see the type of threats at play, as well as how dangerous they may become, can help determine whether they are emanating from inside or outside the organization. Security analysts can then use this information to deal with each threat accordingly.
2) Illuminates the path of a security event from beginning to end.
Security analysts can use the SOAR platform’s intelligence to determine where an issue originated. If it came from within the organization, they can plan on how best to prevent these types of missteps in the future.
3) Speeds up the process of creating playbooks.
In the case of common alert types, security analysts can execute tool-generated (or their own personalized) response playbooks to automate responses to best handle insider incidents. Many of these playbooks can be triggered by an event and run automatically to quickly tackle a threat upon alert, without bottlenecks in the approval and decision-making processes.
In the case of malicious insider threats, where employees or contractors are taking advantage of their internal access to cause damage to or steal information from the organization, these playbooks can help specialists quickly shut down abused access points. And if an insider threat is caused by negligence on the part of employees or contractors, security orchestration and automation tools will be able to see exactly what is happening and address the issue. For example, if an employee’s credentials have been stolen, these tools will help show both the source and destination of the misused information.
In the case of an insider-caused incident, availability of information and speed of response are key to ensuring that threats are identified and shut down quickly, as well as finding the individuals responsible and determining a course of action to prevent future risk. Once you’ve found the right vendor to help set up your SOAR, you’ll be able to experience those benefits in your own organization.