For a long time it was widely believed that the most dangerous security threats came from outside an organisation's IT infrastructure: attackers who are not employees and whose aim is to break into systems to steal critical data or simply destroy it. As it turns out, malware, DDoS, ransomware and the like are not the most damaging threats, according to a recent study by Cybersecurity Insiders, an independent source of information on Information Technology and emerging digital technologies. Trusted insiders, both malicious and negligent, are now regarded as the most damaging cybersecurity threat.
According to the study, 27% of organisations say insider attacks have become more frequent and 90% feel vulnerable to them. Managed IT Services Australia and other organisations are therefore shifting their focus to the detection and prevention of insider threats. Do not narrow the definition too quickly: insider threats are often associated only with malicious employees who intend to harm their employer, but negligent employees cause breaches through carelessness, and privileged IT users and administrators are a risk in their own right, because the access they legitimately hold lets them reach far more than an ordinary user can.
Databases and corporate file servers are at particular risk from insider threats, largely through accidental exposure by employees. Phishing, weak or reused passwords, unlocked devices, poor password-sharing practices and unsecured Wi-Fi networks are named as the biggest enablers of accidental insider threats, with phishing the leading one. Phishing tricks employees into handing over credentials or sensitive company information through messages that impersonate a trusted contact and carry malicious attachments or links to attacker-controlled websites.
Back to the main question: how do you detect insider attacks? IT Services Australia has identified four controls that detect and, at the same time, help prevent insider attacks. Here they are:
Intrusion Detection and Prevention System (IDS/IPS)
IDS and IPS constantly watch over your network, detecting and (in the case of IPS) blocking possible attacks. Both identify suspicious activity, log the details of what happened, and report it to security administrators; some organisations also rely on them as a deterrent, since staff know that policy violations will be noticed. One caveat matters for insider threats specifically: signature-based IDS/IPS is built around known attack patterns, and an insider who misuses access they legitimately hold may never trigger a signature. IDS/IPS is therefore a necessary foundation for any infrastructure that wants to detect and prevent insider threats, and a good start, but the controls that follow are what turn its events into insider detections.
Log Management
The next step in insider attack detection is log management. Logs, produced automatically with timestamps by virtually every application and system, are collected, retained and analysed. Every transaction within an information system leaves a trace, and that trace is essential to both security and compliance. Log management software automates collection and retention, so that when a compliance audit of the IT infrastructure is required, changes are already reflected in audit trails; this is a typical function of an event log manager (ELM). For insider detection the properties that matter are that logs record who did what, when and from where, that they are shipped off the originating host so a privileged user cannot quietly edit them, and that clocks are synchronised so events from different systems can be placed in order.
Security Information and Event Management (SIEM)
SIEM provides real-time analysis of security alerts generated by applications and network hardware. It overlaps with IDS/IPS on the alerting side and with log management on the collection side, and it is sold as software, as appliances or as a managed service. Detection is rule-based: a correlation engine applies rules, and in some products statistical baselines, to establish relationships between log entries from different sources, so that several individually unremarkable events (an out-of-hours login, a burst of file reads on a file server) combine into one alert.
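As an added illustration of the log-management and SIEM correlation described above (this is example code written for this page, not any vendor's product or the tooling Managed IT Services Australia uses), the following Python script parses a handful of constructed log lines in an assumed `timestamp host event user=... key=value` format and applies three correlation rules: an out-of-hours login, a burst of distinct file reads by one user, and repeated authentication failures followed by a success. The user names, hosts, thresholds, field names and sample events are all assumptions chosen for the example.

```python
"""Added example: rule-based correlation over event logs for insider-threat detection.

Log format (an assumption for this example):
    "<ISO timestamp> <host> <event> user=<name> [key=value ...]"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T02:11:05 vpn01 auth_success user=alice src=203.0.113.7
2024-03-04T02:12:40 fs01 file_read user=alice path=/finance/q1_forecast.xlsx
2024-03-04T02:12:41 fs01 file_read user=alice path=/finance/q2_forecast.xlsx
2024-03-04T02:12:43 fs01 file_read user=alice path=/finance/payroll_2024.xlsx
2024-03-04T02:12:50 fs01 file_read user=alice path=/finance/board_deck.pptx
2024-03-04T02:13:02 fs01 file_read user=alice path=/finance/vendor_contracts.zip
2024-03-04T02:13:15 fs01 file_read user=alice path=/finance/m_and_a_targets.docx
2024-03-04T09:05:00 vpn01 auth_success user=bob src=198.51.100.4
2024-03-04T09:30:00 fs01 file_read user=bob path=/eng/readme.md
2024-03-04T10:00:00 vpn01 auth_success user=dave src=198.51.100.9
2024-03-04T10:01:00 fs01 file_read user=dave path=/hr/onboarding.pdf
2024-03-04T10:01:20 fs01 file_read user=dave path=/hr/leave_policy.pdf
2024-03-04T10:01:45 fs01 file_read user=dave path=/hr/salary_bands.xlsx
2024-03-04T10:02:10 fs01 file_read user=dave path=/hr/org_chart.pptx
2024-03-04T10:02:30 fs01 file_read user=dave path=/hr/performance_reviews.zip
2024-03-04T10:03:00 fs01 file_read user=dave path=/hr/terminations.docx
2024-03-04T18:40:00 vpn01 auth_failure user=carol src=192.0.2.10
2024-03-04T18:41:00 vpn01 auth_failure user=carol src=192.0.2.10
2024-03-04T18:42:00 vpn01 auth_failure user=carol src=192.0.2.10
2024-03-04T18:43:30 vpn01 auth_success user=carol src=192.0.2.10
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse(lines):
    """Turn raw lines into dicts sorted by timestamp; lines that do not fit the schema are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        extra = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
                       "event": m.group("event"), "user": m.group("user"), **extra})
    events.sort(key=lambda e: e["ts"])
    return events


def after_hours_logins(events, start_hour=22, end_hour=6):
    """Rule 1: successful authentication outside assumed business hours (22:00-06:00 is 'after hours')."""
    return [e for e in events if e["event"] == "auth_success"
            and (e["ts"].hour >= start_hour or e["ts"].hour < end_hour)]


def bulk_file_reads(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: one user reading at least `threshold` distinct files within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "file_read":
            by_user[e["user"]].append(e)
    hits = []
    for user, reads in by_user.items():
        for i, first in enumerate(reads):  # slide the window start over each read
            paths = {r["path"] for r in reads[i:] if r["ts"] - first["ts"] <= window}
            if len(paths) >= threshold:
                hits.append({"user": user, "ts": first["ts"], "files": len(paths)})
                break  # one hit per user is enough for an alert
    return hits


def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 3: at least `threshold` auth failures followed by a success within `window` (credential guessing)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("auth_failure", "auth_success"):
            by_user[e["user"]].append(e)
    hits = []
    for user, auths in by_user.items():
        recent = []  # failures still inside the window
        for e in auths:
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            if e["event"] == "auth_failure":
                recent.append(e)
            elif len(recent) >= threshold:
                hits.append({"user": user, "ts": e["ts"], "failures": len(recent)})
                recent = []
    return hits


def correlate(lines):
    """Combine the rules: a bulk read by a user who also logged in after hours is escalated to 'high'."""
    events = parse(lines)
    late_users = {e["user"] for e in after_hours_logins(events)}
    alerts = []
    for hit in bulk_file_reads(events):
        severity = "high" if hit["user"] in late_users else "medium"
        alerts.append((severity, "bulk_file_access", hit["user"]))
    for hit in failures_then_success(events):
        alerts.append(("medium", "failures_then_success", hit["user"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the constructed sample, the script raises a high alert for alice (after-hours login followed by six finance files in under a minute), a medium alert for dave (the same burst, but during business hours) and a medium alert for carol (three failures then a success), while bob's single read produces nothing. The point of the correlation step is visible in alice versus dave: neither the login nor the file reads is alarming on its own, and the same rule over the same file-server log yields a different severity once the VPN log is joined in.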
Predictive Analytics
Last but not least, predictive analytics. This uses historical data, statistical algorithms and machine learning techniques to make predictions about unknown future events, and those predictions are used to detect fraud and reduce risk. Rather than waiting for a rule to match, the organisation models what normal behaviour looks like for each user and system and anticipates outcomes from actual data, which puts it a step ahead of an insider whose actions do not match any known signature. Predictive analytics thus goes beyond detecting unusual behaviour in a network to giving an assessment of what is likely to happen next. The usual caveat applies: a baseline learned from data that already contains the insider's activity will treat that activity as normal, so baselines need a clean training period and periodic review.
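The following Python snippet is an added example (not the page's own material and not any vendor's model) of the simplest form of the behavioural baseline that predictive analytics for insider threats builds on: for each user it learns a mean and standard deviation of daily activity from a constructed history and scores the current day as a z-score. The user names, the 14-day history, the 3-sigma threshold, the minimum-history requirement and the standard-deviation floor are all assumptions for illustration.

```python
"""Added example: per-user behavioural baseline with z-score anomaly scoring."""
from statistics import mean, pstdev

# Constructed sample data: distinct files opened per user per day over a
# 14-day baseline, and the count observed today. Not real measurements.
BASELINE = {
    "alice":   [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":     [40, 45, 38, 42, 44, 41, 39, 43, 40, 42, 44, 41, 40, 43],
    "newhire": [3, 4],  # only two days of history: not enough to model
}
TODAY = {"alice": 90, "bob": 46, "newhire": 50}


def zscore(history, value, min_history=7, sigma_floor=1.0):
    """How many standard deviations `value` lies from the user's own history.

    Returns None when there is too little history to model the user.
    `sigma_floor` (an assumed value) stops a perfectly flat history
    (sigma == 0) from turning every small change into an infinite score.
    """
    if len(history) < min_history:
        return None
    mu = mean(history)
    sigma = max(pstdev(history), sigma_floor)
    return (value - mu) / sigma


def flag_anomalies(baseline, today, threshold=3.0):
    """Score every user seen today against their baseline.

    Only increases are flagged (z >= threshold), since the concern here is
    a user suddenly touching far more data than usual. verdict is one of
    'anomalous', 'normal' or 'insufficient_history'.
    """
    results = {}
    for user, value in today.items():
        z = zscore(baseline.get(user, []), value)
        if z is None:
            verdict = "insufficient_history"
        elif z >= threshold:
            verdict = "anomalous"
        else:
            verdict = "normal"
        results[user] = {"z": z, "verdict": verdict}
    return results


if __name__ == "__main__":
    for user, r in flag_anomalies(BASELINE, TODAY).items():
        z = "n/a" if r["z"] is None else f"{r['z']:.1f}"
        print(f"{user:8s} z={z:>5s} {r['verdict']}")
```

On the sample data alice's 90 files against a baseline of about 13 a day scores far above three standard deviations and is flagged, bob's 46 against about 42 is ordinary variation, and the new hire is reported as unmodellable rather than silently scored, which is the honest answer when there is no history. Two design points carry over to a real deployment: a minimum history and a sigma floor keep the model from producing confident nonsense on sparse or flat data, and the same scoring should be run against a peer group (the user's team) and over several features (bytes transferred, hosts contacted, hours active), not a single count.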