While organizations are increasing security layers for a solid defense in depth program, most of the focus is on preventing direct threats that come from outside, and detecting threats from within remains neglected.
What more companies are learning is that insider threats are a problem for all organizations, often going completely undetected by in-place security measures.
New research from security company Imperva found insider threats in 100 percent of the environments studied, confirming suspicions that they routinely go undetected.
Insiders, such as employees, contractors, business associates or partners, pose the biggest risk to enterprise data since they have trusted access to sensitive data.
In most cases, insiders took advantage of granted, trusted access to data rather than trying to directly hack into databases and file shares, and they weren’t caught by any existing in-place security infrastructure.
The research found that while all customers involved in the study had the “right” security layers in place, those layers were not able to identify many types of compromising, negligent, or malicious behavior.
Often their security tools produced so many alerts that it was impossible to capture actual incidents. This can mean the security team investigates only incidents that are “louder” than other incidents.
Insider incidents were only found by applying multi-layered detection mechanisms, machine learning-based behavioral analysis and deception technology, to live production data and networks.
Machine learning was used to analyze detailed activity logs of the data accessed by insiders, and deception technology added context to the analysis by identifying anomalies indicative of compromised endpoints and user credentials.
Data breaches usually take place over a relatively long period of time spanning weeks to months and even years, with attackers gaining small bits of sensitive information over time, the research said. But this process needs to stop before damage is done, researchers said.
“One of the goals of any security program should be to have early detection capabilities for breaches,” the report said. “For example, detect the behavior patterns of reconnaissance stage activity, before any specific damage can take place. Using early detection, a security breach discovery and investigation operation will typically span hours or days.”