Although the insider threat is on the radar for most organizations, many are repeatedly failing to take the necessary steps to prevent an attack, according to a recent report sponsored by SpectorSoft and conducted by the SANS Institute.
The report, Insider Threats and the Need for a Fast and Directed Response, surveyed 772 IT security professionals in a broad range of industries—including government, technology, finance, education, and healthcare, among others—between December 2014 and January 2015.
The results revealed organizations are increasingly aware of the salient nature of the insider threat, but struggle to deal with it. While almost three-fourths of organizations acknowledge that the accidental and malicious insider poses a threat to their organization, most put themselves at severe risk for significant data loss by being unprepared to protect themselves against insider threats.
The survey results found 44 percent of respondents are unaware of how much they spend on solutions that mitigate insider threats, and 45 percent do not know how much they plan to spend on insider threat technology in the next 12 months. Moreover, 32 percent have no ability to prevent an insider attack.
“While it’s good to see that a strong majority of security professionals are concerned about the dangers posed by insider threats, I was struck by the fact that investment in solutions that can help does not appear to be keeping pace with that concern. I believe a key action item called out by the survey data is that increased focus on, and investment in, addressing the concerns is required,” said Mike Tierney, COO for SpectorSoft, in a statement.
Tierney told Homeland Security Today the massive leak of classified information by notorious former defense contractor Edward Snowden brought awareness of the insider threat to the forefront.
“It’s almost cliché to say at this point, but Snowden really opened some eyes,” Tierney said. “I recognize that opinions vary widely as relates to Mr. Snowden, but no one can deny it was a dictionary definition insider incident. Couple that with some additional high profile insider threat news stories involving C level executives in recent months, as well as what are unfortunately becoming routine examples of insider driven breaches and theft, and awareness can’t help but be elevated.”
“I believe people now recognize that, while the volume of external attacks may be much higher than the volume of detected insider attacks, the damage that an insider attack can do can leave a bigger bruise,” Tierney added.
Although awareness of the insider threat is growing, the fact that two-thirds of survey respondents claim they have never experienced an insider attack signifies an awareness gap over their own susceptibility to an attack. Only one-third of survey respondents admitted to experiencing an insider incident or attack.
“That leaves 66 percent who say they have not experienced such an attack; while that is possible, it is equally likely that these respondents believe they’ve escaped attack, but haven’t—they just don’t know the attack happened. If you have not detected an incident, you may not be looking in the right place; alter your game plan by looking in different places in your logs or adding tools that focus on insider threats,” the report stated.
With the report asserting most organizations will suffer an insider compromise, it is crucial for organizations to make insider threat defense a priority. Strikingly, 28 percent of respondents said that preventing or deterring insider threats was not a priority for their organization.
The respondents attributed lack of insider defenses to three major reasons: lack of budget, lack of internal staff and lack of training. Overall, the SANS Institute asserts that the biggest challenge with insider threats is that organizations have not focused resources on this problem or are failing to prioritize it.
“I think there are a number of reasons why investment is lagging,” Tierney said. “A big one is that change simply takes time. A topic that maybe wasn’t being discussed in organizations now needs to be digested, prioritized, and find its way into the budget. Security is not an area where robbing Peter to pay Paul makes a lot of sense, so it’s not as simple as saying, ‘we’ll reduce investment in perimeter security to invest in insider threat detection.’”
To better address the insider threat, the report provided a number of recommendations, including performing damage assessments of threats, mapping past and current investments against threats, determining exposure to threats, identifying root cause vulnerabilities, blocking and removing the vector of the attack, controlling the flow of inbound delivery methods, and monitoring and looking for anomalies in outbound traffic.
In addition, SpectorSoft, a leader in user activity monitoring and an innovator in user behavior analysis software, recently introduced Spector 360 Recon 8.3, which features user behavior analytics (UBA) to help enterprises detect insider threats and target attacks.
Spector 360 Recon 8.3 does this by looking at patterns of human behavior and then applying algorithms and statistical analysis to detect meaningful anomalies from those patterns. These anomalies can point to potential threats.
“The fact is that insiders are people, and solutions that focus on the activities and behaviors of people need to be brought in as a foundational part of a good insider threat detection and response program,” Tierney said.