Employee activities that every security team should monitor

Next time you are at a cocktail party with a group of IT security professionals, try this icebreaker – “Which of the following user activities could open the door to a data breach?”

1. An employee’s casual email exchange.
2. An employee downloading a free note-taking application promising instant organization.
3. A third-party contractor who has been entrusted with access uploading sensitive financial information at 3 a.m.

If anyone chooses number three, they’re right – but they are also not wrong for pointing to the other two. Indeed, “all of the above” is a correct answer. At this point, your audience is probably ready for another cocktail. Welcome to the newest IT security front: understanding, managing and influencing the cyber behavior of your employees.

Let’s talk a closer look at these user behaviors and the threats that stem from them, insider threats.
As innocuous as a casual email exchange may seem, the person on the other end might actually be trying to lure employee to share credentials. And even if many work-oriented applications seem to pose no threat to IT, many apps, in fact, are infamous for collecting all kinds of data without an average user’s knowledge. Compounding these risks, IT security professionals typically have no visibility into what users are actually doing once logged in, but instead are drowning in log data that tells them just about everything else about their environments.

Organizations are rightly concerned about this lack of oversight. A recent study by the Ponemon Institute and ObserveIT found that 71 percent of more than 600 security practitioners discovered major deficiencies in their monitoring of users and their application usage.

Unauthorized applications are cause for apprehension
The survey also uncovered three types of business applications that are the top sources of risk for insider threat:

CRM: Businesses user CRMs to centralize massive amounts of customer information. A CRM makes serving customers easier than having employees rely on siloed systems. However, centralization means the data is accessible to all levels of employees and third parties – and prone to risk.

Ecommerce: While ecommerce applications simplify customer transactions, it’s not only a target for outside attacks but perhaps more so for employees and privileged users who have almost unfettered access to account information. An ecommerce app is a direct route to customers’ personal identifiable information (PII) and financial account details.

Financial: Some finance apps consolidate business actions, allowing many of your employees to access data they probably shouldn’t. Most employees usually need only small portions of data to do their jobs rather than having authorized access to view large amounts. These apps also open the door to administrative access abuse, as accounts can be modified or deleted. Not to mention, an administrator can create a new account and use it to steal information – an application backdoor.

The trouble with apps doesn’t end there. Applications for claims processing, patient administration, wealth management and many other tasks also expose massive amounts of company data. Despite their promise for improving worker efficiency and productivity, most enterprise cloud applications present an enormous security gap; they are even harder to monitor than on-premise applications.

Significant security staff time is needed to correlate and review the access and usage logs of applications, but that’s only if those records are even available. Apps track user actions differently, and some applications don’t produce logs at all.

While email is certainly easier for IT to track, employees and privileged users nonetheless forget – or they purposely forget – that they shouldn’t send sensitive and confidential information in messages. They also shouldn’t upload critical data onto thumb drives, but they do. Obviously, IT staff can’t hover over every desk ready to stop employees from hitting the “send” button or improperly using a thumb drive.

Like it or not, employees are a threat
Many organizations keep their full focus on the threats beyond their walls. And it’s for good reason: hackers on the outside can cripple a business with the theft of data and the installation of malware and viruses.

Unfortunately, they’re missing the far bigger cause of data breaches: their own employees, privileged users and third parties who have unrestricted file and server access. If you don’t think it’s possible, consider the fact that a 2015 Verizon report on data breaches found that 90 percent of all security incidents start with a company’s people – business users, privileged users and third parties.

It makes sense. Business users outnumber IT administrators by 20:1 in most large organizations. The number of users, their volume of activity and their necessary access to critical and sensitive applications and data combine to form a far greater overall risk to an organization.

Whether they’re malicious or make a mistake, the people who have access to your data are the ones who make breaches possible – and these are the people you need to keep a closer eye on. Historically, the industry has been solely focused on building tools and solutions for perimeter and network security. To date, security teams have not been able to actually understand, manage and influence the behavior of their users, but user behavior analytics is a new field that is changing this.

A full view of user behavior and intent to detect and deter
We as security professionals have become so attached to logs files, we expect them to solve every security problem. When it comes to insider threat, however, you might as well use those logs to start a nice fire. Logs simply don’t provide the insight into user behavior and intent that’s required to detect and prevent insider threats.

Insider threat solutions, however, capture user activity at the source: a user’s actual interaction with applications and data. You can see and analyze what users are doing within applications, what data they are viewing and changing, and what they are doing within your critical systems. You can then apply user behavior analytics to identity risky users and prioritize which ones are putting your company at risk. And because these solutions sit at the endpoint, they are able to block risky user behavior, in real-time, and deter negligent behavior by proactively informing users when they are violating security policies.

It is time for security organizations to look past the perimeter, past log files and to their users – the insiders – the biggest unaddressed security risk.