Insider Threat Detection: 10 Techniques for Top-to-Bottom Defense

In a recent post, How to Mitigate the Risk of Employee Data Theft, we looked at employee data theft as one of the top insider threats that can jeopardize your organization’s cyber and information security. We talked about how you can minimize this risk by implementing best practices, such as Gartner’s CARTA approach and data discovery, and how monitoring and management tools can help with data loss prevention.

In this post, let’s explore the broader topic of insider threat detection. Since my discussions with IT pros from many diverse organizations suggest a general reluctance to invest in complex, pricey technologies like SIEM and UEBA, I’ll walk you through 10 techniques that you can implement using the tools, data and security team you already have to minimize the risk of insider threats.

Getting ready

Before you can effectively detect insider attacks, you need to assess your current systems and needs. Here are the 5 steps to take:

Step #1. Inventory all the IT assets residing in your IT infrastructure, including:

  • Installed security systems — so you can evaluate which of them might be helpful with threat detection in the future
  • Data storages — so you know what critical assets need to be protected
  • Access control systems, such as routers, switches, VPN
  • Users, including contractors, suppliers and partners — so you know all the potential points of compromise a threat can come from
  • Effective permissions — so you know who has access to what and whether each user’s access aligns with their job responsibilities

Step #2. Identify the insider threats that could happen in your organization and prioritize them. Make the list as comprehensive as possible, being sure to consider everything from data theft by compromised accounts to mistakes or privilege abuse by insiders. Recognize that you can’t address all of them at once, because if you focus on detection of all the potential threats simultaneously, there is a chance that your insider threat detection plan will fail. Your task is to identify all possible use cases and prioritize them by likelihood and impact, so you can focus on the most important ones first.

Step #3. Collect all logs from all available data sources, including file servers, SharePoint, Office 365, Exchange, databases, etc. If you already have a DLP or EDR solution in place, ensure your insider threat detection solution can leverage the alerts it generates.

Step #4. Follow the “garbage in, garbage out” principle. Don’t try to feed everything you have to your insider threat detection solution right away. Start with one data source and test to see if it meets your expectations: Simulate malicious insider activity and see whether your solution is able to catch it, how long it takes it to do it, and how it presents the details of this suspicious activity for your review. When you try this process on one data source, then use the same process to add other data sources, one at a time.

Step #5. Keep in mind that sometimes a simple rule-based approach can be more efficient than any artificial intelligence. When you work at an organization for some time, you acquire knowledge that is very valuable to your cybersecurity. For instance, you might know that there are no offices in other countries, so VPN connections from other locations are inherently suspicious. Similarly, you might know there’s no way a user can open more than a dozen files within a minute. Creating rules based on this knowledge is more exact in spotting anomalies than any artificial intelligence.
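As an added example (not code from the original post or from Netwrix), here are the two rules from Step #5 written over a small set of constructed events. The office countries (US and CA), the 12-files-per-minute limit and the event layout are all assumptions made for the example; the point is that each rule encodes one piece of organizational knowledge and needs no baseline or training data.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (not real logs). Each event is a tuple of
# (ISO timestamp, user, event kind, detail). For "vpn_login" the detail is the
# source country code; for "file_open" it is the file path.
SAMPLE_EVENTS = [
    ("2024-03-04T08:01:00", "alice", "vpn_login", "US"),
    ("2024-03-04T08:02:10", "bob",   "vpn_login", "BR"),   # no office in BR
    ("2024-03-04T08:03:00", "carol", "vpn_login", "CA"),
]
# carol opens 15 files within 42 seconds (3 s apart) - not humanly plausible
SAMPLE_EVENTS += [(f"2024-03-04T09:00:{3 * i:02d}", "carol", "file_open",
                   f"/finance/report{i}.xlsx") for i in range(15)]
# dave opens 5 files spread over 10 minutes - normal working pace
SAMPLE_EVENTS += [(f"2024-03-04T09:{2 * i:02d}:00", "dave", "file_open",
                   f"/eng/spec{i}.md") for i in range(5)]

OFFICE_COUNTRIES = {"US", "CA"}   # assumption: the organisation has offices only here


def vpn_logins_outside_office_countries(events, office_countries=OFFICE_COUNTRIES):
    """Rule 1: there are no offices outside office_countries, so a VPN login
    from anywhere else is suspicious regardless of the user's history."""
    return [(ts, user, country)
            for ts, user, kind, country in events
            if kind == "vpn_login" and country not in office_countries]


def file_open_bursts(events, max_opens=12, window_seconds=60):
    """Rule 2: nobody opens more than max_opens files within window_seconds.
    Keeps a per-user sliding window of open timestamps and returns, for every
    user who exceeded the limit, the largest number of opens seen in one window."""
    windows = defaultdict(deque)
    flagged = {}
    for ts_str, user, kind, _detail in sorted(events):   # ISO strings sort chronologically
        if kind != "file_open":
            continue
        ts = datetime.fromisoformat(ts_str)
        window = windows[user]
        window.append(ts)
        # drop opens that fell out of the trailing window
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_opens:
            flagged[user] = max(flagged.get(user, 0), len(window))
    return flagged


if __name__ == "__main__":
    print("VPN logins from countries without an office:",
          vpn_logins_outside_office_countries(SAMPLE_EVENTS))
    print("Users opening more than a dozen files per minute:",
          file_open_bursts(SAMPLE_EVENTS))
```

Both rules are deterministic, so a false positive points directly at the rule to adjust (add a country, raise the limit) rather than at an opaque model score.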

10 insider threat detection techniques

Once you have a more or less clear idea of what your needs and expectations are, review the following insider threat detection techniques and implement those that make sense for your organization:

1. Identify a specific insider threat to train your detection on. This can be a malicious insider activity that already happened in your organization or an abnormal activity that you know you want to detect. Ensure your detection model can catch and alert on this threat with an acceptable level of false positives.

2. Detect spikes in activity. The easiest abnormal activity to spot is a spike in activity, such as a high number of login attempts by a particular account or a large number of file modifications. When you identify an anomalous spike, you can further investigate this activity for more detail, and if the investigation reveals it was not actually a threat, adjust your baseline to reduce false alerts in the future.

3. Detect anomalous access attempts. Keep an eye on frequency and volume of logins, both successful and failed, within a short period of time. Focus on activity after business hours and other deviations from normal user behavior, such as access to archived company data.

4. Keep an eye on anomalies in VPN access to your corporate network. Detect abnormal speed, volume or geographical location of access. For instance, if a user logged in from New York and a few minutes later the same user logged in from Sydney, Australia, you need to respond immediately because no one could travel so far so quickly.
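The "impossible travel" check in technique 4, as an added example that is not part of the original post: it pairs each user's consecutive VPN logins, computes the great-circle distance between their locations and flags any pair whose implied speed exceeds what a traveller could achieve. The login records and coordinates are constructed, and the 1000 km/h ceiling is an assumption (roughly airliner speed with some margin).

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN logins (not real data): (ISO timestamp, user, city, lat, lon)
LOGINS = [
    ("2024-03-04T08:00:00", "alice", "New York", 40.7128, -74.0060),
    ("2024-03-04T12:00:00", "alice", "Boston",   42.3601, -71.0589),   # ~306 km in 4 h: fine
    ("2024-03-04T08:00:00", "bob",   "New York", 40.7128, -74.0060),
    ("2024-03-04T08:05:00", "bob",   "Sydney",   -33.8688, 151.2093),  # ~16,000 km in 5 min
]

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: nobody moves faster than this between logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive login pair (per user) whose implied
    travel speed exceeds max_kmh. Two logins at the same instant from different
    places count as infinite speed."""
    by_user = defaultdict(list)
    for ts, user, city, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))

    findings = []
    for user, rows in by_user.items():
        rows.sort()   # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                findings.append({"user": user, "from": c1, "to": c2,
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(LOGINS):
        print(f"{f['user']}: {f['from']} -> {f['to']} ({f['km']} km in "
              f"{f['hours']} h, {f['kmh']} km/h)")
```

Before deploying a rule like this, geolocate a few days of real logins first: corporate proxies, mobile carriers and VPN exit nodes often resolve to a location far from the user, and those sources are where the false positives will come from.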

5. Stay on top of unusual access to sensitive company data. Identify access patterns that are abnormal for the user, such as attempts to read critical data that they have never accessed before. Here are the top three things you need to stay abreast of:

  • A high number of access events — The more events within a short period of time, the more suspicious the activity is. For instance, a massive number of file reads can be a sign of malicious behavior, for example, by a user who is about to leave the company or has been recently terminated. (Read more about how departing employees can turn into your worst security nightmare.)
  • Access to different files — A user’s attempts (successful or not) to read files and folders that they haven’t accessed before can also be malicious behavior; the user might be looking for valuable data that can be sold, used against the employer, published on the web, etc.

6. Measure users against their peers. One common pitfall in threat detection is comparing the activity of an HR specialist, for instance, with the activity of an IT administrator, who has a vastly different set of responsibilities. Instead, be sure to assess each user against others in their own peer group. For example, logons from other cities might be routine for salespeople but unusual for building maintenance staff.
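The peer-group comparison from technique 6, as an added example that is not part of the original post. It scores each user's weekly count of distinct logon cities against the other members of their own group (leave-one-out z-score), and for contrast also against the whole organization, to show how a global baseline hides the maintenance worker whose travel pattern only looks normal next to the sales team. The users, groups, counts and the z-score threshold of 3 are all constructed assumptions.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample data (not real): distinct cities each user logged on from
# during the last week, with the user's peer group.
WEEKLY_LOGON_CITIES = [
    ("ann", "sales", 3), ("ben", "sales", 4), ("cat", "sales", 5), ("dan", "sales", 3),
    ("eve", "sales", 4), ("fay", "sales", 5), ("gus", "sales", 4),
    ("hal", "maintenance", 1), ("ida", "maintenance", 1), ("jon", "maintenance", 1),
    ("kim", "maintenance", 1), ("lou", "maintenance", 4),   # unusual for this group
]


def zscore_against(value, peers):
    """How many peer standard deviations `value` sits from the peer mean.
    If the peers are all identical, any different value is infinitely unusual."""
    mean = statistics.mean(peers)
    sd = statistics.pstdev(peers)
    if sd == 0:
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def anomalies(records, by_peer_group=True, threshold=3.0):
    """Return (user, group, value, z) for every user whose value is more than
    `threshold` standard deviations above their comparison population.
    by_peer_group=True compares within the user's own group; False compares
    against everyone, which is the pitfall the text warns about."""
    populations = defaultdict(list)
    for user, group, value in records:
        populations[group if by_peer_group else "everyone"].append((user, value))

    findings = []
    for group, members in populations.items():
        for user, value in members:
            peers = [v for u, v in members if u != user]   # leave the user out of their own baseline
            if len(peers) < 2:
                continue   # too few peers to say anything
            z = zscore_against(value, peers)
            if z > threshold:
                findings.append((user, group, value, z))
    return findings


if __name__ == "__main__":
    print("Against peer group:", anomalies(WEEKLY_LOGON_CITIES))
    print("Against everyone:  ", anomalies(WEEKLY_LOGON_CITIES, by_peer_group=False))
```

The peer groups themselves should come from an authoritative source such as the HR system or directory organizational units, not from job titles typed free-form into user profiles, or the comparison inherits that noise.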

7. Identify shared accounts in your organization. Closely monitoring shared accounts is vital for a strong cybersecurity posture. Track logins by these accounts and analyze risk using factors such as login time and the machine’s geographical location. Multiple logins from different machines by the same shared account can be a sign that the account has been compromised.

8. Monitor service accounts and privileged accounts separately from user accounts. Best practices require that highly privileged accounts be used rarely and that both privileged accounts and service accounts be used only for specific tasks that other accounts have no authorization to perform. Keep your inventory of these accounts up to date and monitor their activity more closely. Look for signs of security policy violations or privilege abuse such as use of the account to perform suspicious tasks or unusually long sessions.

9. Correlate data from multiple sources. Spotting some security threats requires taking advantage of multiple data sources. For example, an anomalous VPN login might not alarm you, but if you see that the same user starts accessing folders with sensitive data they never accessed before, you might want to investigate so you can remediate the threat before it’s too late.
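The correlation described in technique 9, as an added example that is not part of the original post: a VPN anomaly alert on its own and a first-time access to a sensitive folder on its own each stay at low priority, but the same user producing both within a 24-hour window becomes an incident. The access history, alert feed, file events, sensitive-folder prefixes and the 24-hour window are all constructed assumptions; the VPN alerts would in practice come from a geo or impossible-travel rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs).
# Folders each user has touched over the past 90 days - the "normal" baseline.
ACCESS_HISTORY = {
    "alice": {"/shares/engineering", "/shares/public"},
    "bob":   {"/shares/sales", "/shares/public"},
    "carol": {"/shares/hr"},
}
SENSITIVE_PREFIXES = ("/shares/finance", "/shares/hr")

# Source 1: VPN anomaly alerts - (ISO timestamp, user, reason)
VPN_ALERTS = [
    ("2024-03-04T02:10:00", "alice", "login from country with no office"),
    ("2024-03-04T07:45:00", "bob",   "login from country with no office"),
]
# Source 2: file-server access events - (ISO timestamp, user, folder)
FILE_EVENTS = [
    ("2024-03-04T02:40:00", "alice", "/shares/finance/payroll"),  # new + sensitive, 30 min after VPN alert
    ("2024-03-04T08:00:00", "bob",   "/shares/sales/pipeline"),   # routine for bob
    ("2024-03-04T09:30:00", "carol", "/shares/hr/reviews"),       # sensitive, but within carol's history
    ("2024-03-04T10:00:00", "dave",  "/shares/finance/budget"),   # new + sensitive, but no VPN alert
]


def is_new_folder(user, folder, history):
    """True when the folder (or a parent of it) is absent from the user's history."""
    known = history.get(user, set())
    return not any(folder == k or folder.startswith(k + "/") for k in known)


def new_sensitive_accesses(file_events, history, sensitive_prefixes):
    """Single-source view: first-time accesses to sensitive folders."""
    return [(ts, user, folder) for ts, user, folder in file_events
            if folder.startswith(sensitive_prefixes) and is_new_folder(user, folder, history)]


def correlate(vpn_alerts, file_events, history, sensitive_prefixes, window_hours=24):
    """Multi-source view: a new sensitive access that follows a VPN alert for the
    same user within window_hours. Returns one incident per matching pair."""
    alerts_by_user = defaultdict(list)
    for ts, user, reason in vpn_alerts:
        alerts_by_user[user].append((datetime.fromisoformat(ts), reason))

    incidents = []
    for ts, user, folder in new_sensitive_accesses(file_events, history, sensitive_prefixes):
        access_time = datetime.fromisoformat(ts)
        for alert_time, reason in alerts_by_user.get(user, []):
            gap = access_time - alert_time
            if timedelta(0) <= gap <= timedelta(hours=window_hours):
                incidents.append({"user": user, "vpn_alert": reason, "folder": folder,
                                  "minutes_after_vpn_alert": gap.total_seconds() / 60})
    return incidents


if __name__ == "__main__":
    print("VPN alerts alone:", len(VPN_ALERTS))
    print("New sensitive accesses alone:",
          len(new_sensitive_accesses(FILE_EVENTS, ACCESS_HISTORY, SENSITIVE_PREFIXES)))
    print("Correlated incidents:",
          correlate(VPN_ALERTS, FILE_EVENTS, ACCESS_HISTORY, SENSITIVE_PREFIXES))
```

With this data the two single-source views raise two alerts each, while the correlated view raises exactly one, and that one carries the context (which VPN alert, which folder, how long after) an analyst needs to start the investigation.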

10. Keep an eye on your infrastructure resources. In addition to monitoring user activity, be sure to stay on top of activity around your file shares, databases, servers, and so on. You want to spot any suspicious activity there and know who performed it. For example, multiple logons to one server by different accounts could indicate an attack in progress.

It’s critical to be able to detect insider threats, including intruders with stolen credentials and trusted employees who go rogue. These 10 techniques will help you start building an insider threat detection program that works for your organization.

Learn more about how you can minimize the risk of insider threats by following these insider threat prevention best practices.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.