The other day I was speaking to a good friend of mine. He’s an executive consultant working for a large Fortune 1000 organization. As we are talking I realize that he has access to a lot of highly sensitive information that if exposed could be rather damaging to the company. He was lamenting to me how he needed to get access to some data on one of the servers but IT blocked him from accessing it until he completed a mandatory online “IT Security Awareness” training.
Frustrated by this because he was under a tight deadline, he decided to do a quick search of some of the internal systems he did have access to in order to see if he could find the answers to get through the training faster. He never imagined he’d actually find it.
But he did. And he got through the security training in record time selecting one wrong answer so it didn’t look like he was completely cheating. 10 minutes later, he’s into the server and downloading data so he can get his job done. He ends by saying, “I punk’d the system.” He was proud and enjoyed bragging to me about how he got around it. Turns out he had access into systems he shouldn’t have. What else did he have access to?
Being in IT Security, my heart went out to the IT security team because one of the main purposes of the training is to reduce insider threats. But in a recent research study we did with Dimensional Research on The Growing Security Threat from Insiders [you can download the full report here], it seems this one company is not alone. Of the 300+ security professionals surveyed, while 95% provide end user security training, only 10% believe the training is very effective. Well heck, after all that effort, that can’t feel very rewarding.
And to make matters worse, the report also highlighted that 9 out of 10 insiders have access to systems they shouldn’t, just as my friend did. And as we know, when insiders have access to things they shouldn’t it leaves the company at greater risk, especially if their credentials are compromised.
Bending the rules to get things done is pretty common place. Clever people will find ways around things. I will even admit that I have done this on occasion in the past as I am sure you have too. Smart humans like to take the easy way out. It’s part of our human nature.
The study also asked security professionals what type of individuals are they most concerned about causing an internal security breach. Almost half (49%) said they are most concerned about insiders who bend the rules to get things done. 38% were more concerned about naive individuals and just 12% were more concerned about malicious insiders.
So, what are some of the ways that IT security teams can use User and Entity Behavior Analytics(UEBA) solutions to reduce the challenges associated “human nature?” There are two key areas.
First, understanding and gaining more insight into user behavior. With IT security professionals now seeing internal threats equally as concerning as external threats, we are seeing a lot of investment and budgeting in this area. They need to know what users do and don’t do, what they normally access, where they log in from, what computers they use, what systems they access and more. UEBA solutions can help IT Security professionals in a variety of ways including:
- Understanding normal and risky user behavior
- Keeping better track of privileged accounts
- Ability to more easily see users with unnecessary privileges that can be downgraded
- Gaining visibility and insights that allows them to proactively reduce their attack surface (such as removing stale accounts, identifying weak passwords, and more)
- Quicker detection of risky behavior and potential threats
- Ability to use automated response to verify identity and prevent threats as they’re happening
The second area is finding ways to make users part of the security process itself. As identified earlier, human nature often drives us to make shortcuts to get things done and in the process can put a company at risk. Some UEBA solutions, like behavioral firewalls, do this better than others. If a user does something that is risky, tries to access something they don’t normally, or they have a weak password, they can be prompted to validate that they are who they say they are and made aware that they are doing something risky and their activity is being monitored and in some cases blocked from trying to do something deemed too risky. As users become made aware of risky behavior as they are doing it, they have context and are more likely to learn what they should and shouldn’t do.
So, in the original scenario, if this Fortune 1000 organization had an advanced UEBA solution in place, they may have been able to have prevented that user from accessing systems they shouldn’t have had access to. They could have reduced his privileges to only the systems he needed to have access to. Or based on policy they could have forced him to validate his identity before accessing the content. If he knew he was being monitored and tracked when accessing the information, he would have been less likely to proceed with his covert mission to find a way to get the training done faster.
Over time, as perimeters continue to dissolve, organizations will need to continue transform. Understanding user behavior and using behavior-based identity for enforcement will become critical to staying ahead of insider threats that can put a company at risk whether they are malicious insiders, naive users or those that are bending the rules to get things done. UEBA and behavioral firewalls can help enable the transformation.