Privileged user abuse and the insider threat
Although insider leaks and attacks continue to multiply, a Ponemon Institute study found that 58 percent of IT operations and security managers believe their organizations are unnecessarily granting access to individuals beyond their roles or responsibilities with 91 percent predicting the risk of insider threats will continue to grow or stay the same.
“Insider threat will always be an issue, because how can you ever guarantee that your staff will all take the right course of action, every time? Anyone with legitimate access can potentially jeopardise their organisation, mostly without meaning to. The increase does suggest that many organisations still lack the internal visibility required to catch insider threat in its early stages. Using machine learning to understand what constitutes ‘normal’ and ‘abnormal’ behaviour, like the human immune system, is the most effective way to stay one step ahead irrespective of insider threats, whatever its motivation,” Dave Palmer, Director of Technology at Darktrace, told Help Net Security.
With more than 40 percent of respondents agreeing that malicious insiders would use social engineering to obtain privileged user access rights – up 20 percent from 2011 data – it’s no surprise then that the majority of those surveyed expect insider threats to remain an issue. More than 600 commercial and 142 federal IT operations and security managers participated in the study.
Approximately 70 percent of both groups surveyed think it is “very likely” or “likely” that privileged users believe they are empowered to access all the information they can view. Nearly 70 percent also believe that privileged users access sensitive or confidential data simply out of curiosity.
With these large percentages in mind, only 43 percent of commercial and 51 percent of federal organizations today said they have the capability to effectively monitor their privileged user activities. A majority said that only 10 percent or less of their budget is dedicated to addressing this significant challenge.
While budget and the human element are factors in addressing the insider threat challenge, technology deficiencies are also playing a role. The survey found that a significant number of respondents use existing cybersecurity tools to combat insider threats, rather than more targeted technologies (e.g. 48 percent of commercial and 52 percent of federal organizations use a SIEM to determine if an action is an insider threat).
As a result, more than 60 percent indicated that these tools yield too many false positives. What’s more, a majority of both audiences surveyed (63 percent commercial and 75 percent of federal organizations) lack the necessary contextual information required to prevent insider threats from happening.