December 16, 2021
Combat the Insider Threat with Advanced Analytics
Identifying malicious insiders is a major challenge, but advanced analytics can help spot early warning signs and limit the damage.
The insider threat is one of the most significant challenges facing modern cybersecurity programs. It’s very difficult to identify malicious insiders before damage is done, presenting a significant risk to organizations of all sizes and across all industries. If you have sensitive information, you’re vulnerable to the risk that an employee may misuse that information.
One of my clients recently fell victim to an insider threat when one of the organization’s star regional sales directors announced that he was departing to join a competitor. That was a significant personnel loss, but it became even worse when four of the director’s team members announced that they were also leaving to follow the director to the competitor. Unfortunately, that wasn’t the end of the story. After a few months passed, the organization realized that it was losing many of its top clients in that region. The organization hired an investigator to do a little digging and learned that the five departing employees had emailed thousands of customer files to their personal email accounts on their way out the door. The company estimated the total damage caused by this incident at $50 million in lost revenue.
Today, many organizations have built insider threat management programs that use a variety of tools to detect and counter insider threats. These include standard security controls, such as data loss prevention systems, network monitoring, firewalls and intrusion prevention systems. Teams monitor these security tools regularly to help identify signs of suspicious insider activity, but they’re often overwhelmed by the sheer volume of information coming at them, and it’s still quite difficult to pick out the important details that might be early indicators of an attack.
Fortunately, emerging cybersecurity technologies allow organizations to take a different look at this threat. By leveraging advanced analytics techniques, cybersecurity teams can use machine learning and artificial intelligence to identify early warning signs of insider activity and intervene before too much damage is done. Let’s look at three things organizations can do to improve their analytics capabilities around the insider threat.
1. Integrate Advanced Analytics Tools into the Security Program
Many modern security technologies can handle the heavy lifting when it comes to security analytics. User and entity behavior analytics, user activity monitoring, and insider threat management tools all bring focused AI/ML technology to bear on the challenge.
2. Build a Data Mining Environment Focused on the Insider Threat
If you’re going to use analytics to combat the insider threat, you’re going to need a solid data set of insider activity to analyze. Organizations should consider building out a data lake environment that contains information collected from social media, text messages, emails and other written communications.
3. Use Text Analysis to Identify Individuals of Concern
Once the organization has a data lake in place, it can turn to natural language processing technology to help make sense of that data and identify potential threats. By using a combination of linguistic, sentiment and affect analysis, NLP solutions can identify individuals who may be disgruntled or engaged in suspicious behavior.
We’re still in the early days of leveraging the power of AI in cybersecurity, but organizations that follow these three steps will find themselves at the forefront of this powerful new technology.
Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security adviser at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.