Protecting Your Sensitive Data from Insider Threats with User Behavior Analytics

Security and compliance professionals today have plenty to worry about. Fresh data breaches are reported in the press almost daily. The Ponemon Institute, a leading security research organization, reported that 47% of US adults had personal data exposed by hackers in 2014. That’s 110 million of us, and the numbers are rising. Just this week Bankinfo Security reported a large data breach at the FDIC, in which a departing employee took sensitive information on 44,000 individuals. Regulators are becoming less and less tolerant of compliance and security violations, as shown by the increasingly large fines and stringent sanctions they impose on organizations that have suffered data breaches and violated data privacy and security regulations.

Insider threat is a leading source of reported data breaches, and it is one of the most subtle and often dangerous forms of cyber threats we face. Organizations continue to invest in perimeter and network security solutions, but protecting sensitive data from authorized insiders is very challenging. How can you tell if an employee or consultant who has rights to sensitive data is misusing or stealing it?

Many organizations today are not well equipped to deal with insider threats. They often lack formalized processes and procedures for tracking and controlling authorized or privileged users who have frequent access to sensitive data. A malicious and informed insider can deploy a range of techniques for operating “below the radar” to steal sensitive data and never be detected — until it is too late. Because the insider holds legitimate credentials, network-level intrusion detection tools will most likely not flag the activity. Detecting and stopping insider data breaches requires user behavior analytics that track and analyze users’ detailed data usage activity.

Here are five critical dimensions of user behavior that need to be monitored and analyzed carefully:

  1. Unusual Data Usage Patterns – A critical component of any user behavior analytics solution is creating a baseline profile of each authorized user’s behavior over time. Establishing a baseline of his or her data access is key to identifying when a user’s data consumption varies materially from that baseline and from that of their peers. Exceptions can come in the form of abnormally large data downloads, suspicious data access activity after business hours, or increasing frequency and duration of connections to a database.
  2. Unauthorized Data Access Attempts – This seems like an obvious one, and it may be, but you would be surprised how many organizations do not explicitly track unsuccessful attempts to log into applications and databases. Repeated attempts to log in with unauthorized or expired credentials are often a sign of someone attempting to break into your data.
  3. Suspicious Employee Activity – As is often the case, many data breaches could be headed off at the pass through better internal communications that keep security and compliance staff aware of departing employees. Additional scrutiny of employees who are known to be leaving an organization can prevent data misuse and theft. A study by CERT, the cyber defense and security division of the Software Engineering Institute of Carnegie Mellon University, showed that most insiders steal data within 30 days of leaving an organization. So, when someone gives notice, it is critical to heighten the monitoring and analysis of his or her data activity to ensure your data is not compromised.
  4. Stolen or Compromised Credentials – Stealing user names and passwords is a very common means of gaining access to sensitive data. Whether the credential was obtained through social engineering techniques, phishing, or even dumpster diving, once a malicious hacker has a legitimate credential to access critical data, they essentially have the keys to the kingdom. A widely publicized breach at Anthem Health occurred because a privileged user’s credential was stolen. It wasn’t revealed until that user was looking at the queries he had run against a sensitive database and found many data accesses that he did not initiate. Another indicator of stolen credentials can be generated by tracking the IP addresses of users. I’ve seen cases where user queries are launched from two widely separated geographies (as indicated by their IP addresses) almost simultaneously, indicating that two different users were employing the same credential. Again, this is a case where baseline comparisons can identify a user’s normal behavior and immediately highlight abnormal activity.
  5. Rogue Applications – Establishing baseline profiles of the applications that users are authorized to use and commonly do use is a critical component of any user behavior analysis process. It establishes a broader context for identifying exceptional activity. Applications can be categorized by functional area, such as the Finance department, and by kind of application (transaction processing systems versus more powerful business intelligence or privileged user data access tools). Seeing a user deploy a more flexible and ubiquitous data access tool like Excel when they normally gain access via a more controlled application like Oracle E-Business Suite can be an indicator that they are attempting to download, analyze or misappropriate sensitive data.
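The five dimensions above map naturally onto a handful of rules run over database audit records. The following is an added example, not code from the original post or from any UBA product: it builds a per-user baseline (row-count mean and standard deviation, hours of activity, applications used) from a constructed 30-day history, then checks one day of constructed records for abnormal volume and after-hours access (dimension 1), repeated failed logins (2), escalated severity for users who have given notice (3), the same credential appearing from two regions within minutes (4), and an application outside the user's established set (5). The IP-to-region table, all thresholds, and the user names are assumptions made for illustration; a real deployment would use a GeoIP database and tune the thresholds against its own data. It also covers a case the post does not mention: a user with no history at all, who cannot be baselined and is reported separately.

```python
"""Toy user behavior analytics pass over constructed database audit records.

Added example, not code from the original post. The audit records, the
IP-to-region table and every threshold below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed: coarse source-IP -> region table standing in for a GeoIP lookup.
IP_REGION = {"10.1.0.0": "us-east", "10.1.0.7": "us-east", "203.0.113.9": "eu-west"}


def rec(user, ts, ok, rows, ip, app):
    """One audit record as a dict; ts is 'YYYY-MM-DD HH:MM'."""
    return {"user": user, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "ok": ok, "rows": rows, "ip": ip, "app": app}


def constructed_baseline():
    """30 days of ordinary activity for two users (constructed, not real data)."""
    out = []
    for d in range(1, 31):
        day = f"2016-03-{d:02d}"
        out.append(rec("alice", f"{day} {9 + d % 8:02d}:00", True, 100 + (d % 5) * 10, "10.1.0.0", "Oracle EBS"))
        out.append(rec("bob", f"{day} {9 + d % 8:02d}:30", True, 50 + (d % 3) * 10, "10.1.0.0", "Oracle EBS"))
    return out


# Constructed day under review.
RECENT = [
    # alice, who has given notice, pulls a huge result set into Excel at 02:30
    rec("alice", "2016-03-31 02:30", True, 50000, "10.1.0.7", "Excel"),
    # three failed logins for bob within two minutes
    rec("bob", "2016-03-31 10:00", False, 0, "10.1.0.0", "Oracle EBS"),
    rec("bob", "2016-03-31 10:01", False, 0, "10.1.0.0", "Oracle EBS"),
    rec("bob", "2016-03-31 10:02", False, 0, "10.1.0.0", "Oracle EBS"),
    # bob's credential then used from two regions five minutes apart
    rec("bob", "2016-03-31 11:00", True, 60, "10.1.0.0", "Oracle EBS"),
    rec("bob", "2016-03-31 11:05", True, 70, "203.0.113.9", "Oracle EBS"),
]


def build_baseline(records):
    """Per-user profile from successful accesses: row stats, hours seen, apps seen."""
    rows, hours, apps = defaultdict(list), defaultdict(set), defaultdict(set)
    for r in records:
        if not r["ok"]:
            continue
        rows[r["user"]].append(r["rows"])
        hours[r["user"]].add(r["ts"].hour)
        apps[r["user"]].add(r["app"])
    return {u: {"mean": mean(v), "std": pstdev(v), "hours": hours[u], "apps": apps[u]}
            for u, v in rows.items()}


def analyze(recent, baseline, departing=frozenset(), sigmas=3.0,
            fail_limit=3, fail_window=timedelta(minutes=5),
            travel_window=timedelta(minutes=10)):
    """Return a list of alert dicts for the behaviours described in the post."""
    alerts = []

    def alert(user, rule, detail):
        # Dimension 3: anything a departing user does is escalated.
        sev = "high" if user in departing else "medium"
        alerts.append({"user": user, "rule": rule, "severity": sev, "detail": detail})

    failures, successes = defaultdict(list), defaultdict(list)
    for r in sorted(recent, key=lambda x: x["ts"]):
        u, prof = r["user"], baseline.get(r["user"])
        if not r["ok"]:
            failures[u].append(r["ts"])
            continue
        successes[u].append(r)
        if prof is None:  # no history: cannot baseline, report rather than ignore
            alert(u, "no_baseline", "user has no history to compare against")
            continue
        # Dimension 1: volume far beyond the user's own baseline, or an unseen hour
        if r["rows"] > prof["mean"] + sigmas * prof["std"]:
            alert(u, "unusual_volume", f"{r['rows']} rows vs baseline mean {prof['mean']:.0f}")
        if r["ts"].hour not in prof["hours"]:
            alert(u, "after_hours", f"access at {r['ts']:%H:%M} never seen in baseline")
        # Dimension 5: application outside the user's established set
        if r["app"] not in prof["apps"]:
            alert(u, "rogue_application", f"{r['app']} not among {sorted(prof['apps'])}")
    # Dimension 2: repeated failed logins inside a short window
    for u, ts in failures.items():
        for i, t0 in enumerate(ts):
            if sum(1 for t in ts[i:] if t - t0 <= fail_window) >= fail_limit:
                alert(u, "failed_logins", f"{fail_limit}+ failures within {fail_window}")
                break
    # Dimension 4: one credential seen from two regions within the travel window
    for u, evs in successes.items():
        for a, b in zip(evs, evs[1:]):
            ra, rb = IP_REGION.get(a["ip"], "unknown"), IP_REGION.get(b["ip"], "unknown")
            if ra != rb and b["ts"] - a["ts"] <= travel_window:
                alert(u, "impossible_travel", f"{ra} then {rb}, {b['ts'] - a['ts']} apart")
                break
    return alerts


def run_demo():
    """Analyze the constructed day with alice flagged as a departing employee."""
    return analyze(RECENT, build_baseline(constructed_baseline()), departing={"alice"})


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['severity']:6}] {a['user']:6} {a['rule']:20} {a['detail']}")
```

Running the demo yields three high-severity alerts for alice (unusual volume, after-hours access, rogue application) and two medium ones for bob (repeated failed logins, impossible travel); bob's two ordinary queries fall inside his baseline and produce nothing, which is the point of comparing each user against their own history rather than a fixed threshold.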

Protecting sensitive data requires a range of security technologies as well as disciplined processes and procedures. One thing is clear: insider threats are particularly challenging and dangerous. It is imperative that organizations apply the appropriate tools at the data level to identify, prevent and mitigate data theft and misuse by insiders. User behavior analytics delivers powerful insight into, and control over, the increasingly subtle techniques that insiders can deploy today.
