
Managing threats emanating from the home turf

Cybersecurity threat by privileged users is more acute and critical in large nation-scale projects run by the government as part of e-governance services

DQINDIA Online

Security breaches that emerge from inside the organization, including from users with privileged access, are rife. Enterprises have seen an alarming increase in data exfiltration attempts over the past several years in which insiders (users who are either compromised or malicious) steal data, rather than outsiders breaking into the organization. This is referred to as an "insider threat." According to Gartner, nearly 75% of data breaches happen due to risky insider behavior or as a result of compromised access.


Privileged User Threat in Nation-scale Projects

While insider threats are driven by many kinds of users, privileged users are emerging as a critical category. Privileged credential abuse is a common threat. Privileged users are those who have higher-level access than a standard employee, and could include not only senior-level employees but also database administrators, network engineers, IT security practitioners and cloud custodians. Sometimes the abuse of these privileged credentials is inadvertent: people are granted access they do not need, to data they should not see. Sometimes it can be more sinister. In either case the underlying issue is that the "least privilege" access rule has not been followed.

The cybersecurity threat posed by privileged users is more acute and critical in large nation-scale projects run by the government as part of e-governance and citizen services. In a Ponemon Institute-Forcepoint study of 895 government departments in the US and UK, 65 percent of respondents say the IT department is responsible for the insider threat program, but, as the research shows, organizations are not using advanced technologies to detect privileged user abuse.


In the case of India, many nation-scale project organizations, such as Aadhaar, GST Network and the Tax Information Network (TIN), are structured very hierarchically. They also have many external partners (for example, the GST Suvidha Providers in GST), which makes it easy for access privileges to be granted liberally to officials with high levels of administrative power. Through unintended credential abuse, these privileged users could become a new source of threats.

The Modern Approach to Handling Insider Threats

Traditional insider threat solutions were designed for traditional infrastructure-centric security, and required complex integrations and specialist skills to build, operate and manage. Modern enterprise networks that have evolved into highly distributed environments make this challenge even greater, with traditional systems struggling to integrate with the various networks, applications and systems. With the explosion in working from home, this problem has been amplified even further.


While the new landscape brings challenges, it also offers us opportunities to improve our overall security posture by adopting the very same concepts that created the challenges. Insider threat technologies need input signals on user activity from all sources (network activity, application activity and endpoint activity) to understand each user's baseline and build risk profiles.

In our view, modern cybersecurity technologies are an integration and orchestration of new capabilities such as SASE (secure access service edge), Zero Trust, and UAM (user activity monitoring) coupled with advanced analytic capabilities.

Harnessing Key Cybersecurity Capabilities in the Cloud-driven World


SASE, or Secure Access Service Edge, was born out of the need to bring together various network security technologies and cloud security models into a single, cloud-delivered service model. With an increase in remote users and software-as-a-service (SaaS) applications, data moving from the data center to cloud services, and more traffic going to public cloud services and branch offices than back to the data center, a new approach like SASE is the way forward.

SASE brings visibility into network and application usage that can feed the insider threat analytics. But it is not enough. This is where Zero Trust comes in. In simple terms, it means "trust nothing, assume nothing, assess everything." It is a security paradigm that replaces implicit trust with continuously assessed, explicit risk/trust levels based on context, where each individual operation and interaction is assessed and real-time mitigations, controls and interventions can be applied.

Another piece of technology that adds sophistication is UAM. Data on user activity used to be codified as "indicators of compromise" (IOC), a term for artifacts that indicate potentially malicious activity. IOCs represent a threat-centric view of protection that has been the staple of cybersecurity for decades, but an IOC always yields after-the-fact information. In the new approach, data collected through UAM is modeled into "indicators of behavior" (IOB). IOBs are focused on the behavior of users and how users interact with data. Specifically, the focus is on indicators of bad or risky behavior, which are used to build a baseline and risk profile for each user over a period of time. An example would be repeatedly downloading large files from unsanctioned file-sharing sites and saving them on personal devices. The solution collects user behavior and data loss incidents and then computes the user's risk using IOB analytic models. This is further scored to create risk profiles. We call this approach "dynamic user protection" (DUP). A DUP solution is designed to alert organizations to risky behavior, so they can protect critical data and reduce the risk associated with insiders.
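To make the IOB-to-risk-profile step concrete, here is an added example (not Forcepoint's code or model) that runs a few constructed UAM events through simple IOB rules and sums weighted indicators into a per-user score. The allow-list of sanctioned hosts, the 100 MiB "large file" threshold and the indicator weights are all illustrative assumptions.

```python
from collections import defaultdict

SANCTIONED_SHARES = {"files.corp.example"}  # assumption: approved file-sharing hosts
LARGE_FILE_BYTES = 100 * 1024 * 1024         # assumption: 100 MiB counts as "large"

# Constructed sample UAM events: (user, action, host, size_bytes, device_type)
EVENTS = [
    ("dba01", "download", "files.corp.example", 20_000_000, "managed"),
    ("dba01", "download", "share-x.example", 150_000_000, "managed"),
    ("dba01", "save", "", 150_000_000, "personal"),
    ("dba01", "download", "share-x.example", 300_000_000, "managed"),
    ("dba01", "save", "", 300_000_000, "personal"),
    ("dba01", "download", "share-x.example", 120_000_000, "managed"),
    ("neteng7", "download", "files.corp.example", 50_000_000, "managed"),
    ("neteng7", "download", "share-y.example", 5_000_000, "managed"),
]

# Assumption: illustrative IOB weights, not a vendor's analytic model
IOB_WEIGHTS = {
    "large_unsanctioned_download": 20,
    "repeat_unsanctioned_download": 15,  # each occurrence after the first
    "save_to_personal_device": 25,
}


def detect_iobs(events):
    """Return {user: [indicator, ...]} for users that triggered at least one IOB."""
    iobs = defaultdict(list)
    unsanctioned_hits = defaultdict(int)
    for user, action, host, size, device in events:
        if action == "download" and host not in SANCTIONED_SHARES and size >= LARGE_FILE_BYTES:
            unsanctioned_hits[user] += 1
            first = unsanctioned_hits[user] == 1
            iobs[user].append("large_unsanctioned_download" if first else "repeat_unsanctioned_download")
        if action == "save" and device == "personal":
            iobs[user].append("save_to_personal_device")
    return dict(iobs)


def risk_profile(events, weights=IOB_WEIGHTS):
    """Score every user seen in the events and band the score into a risk level."""
    iobs = detect_iobs(events)
    profile = {}
    for user in {e[0] for e in events}:
        indicators = iobs.get(user, [])
        score = sum(weights[i] for i in indicators)
        level = "high" if score >= 80 else "medium" if score >= 40 else "low"
        profile[user] = {"score": score, "level": level, "indicators": indicators}
    return profile
```

Running `risk_profile(EVENTS)` flags dba01 as high risk (repeated large downloads from an unsanctioned share, each followed by a save to a personal device) while neteng7 stays low, which is the kind of alert a DUP-style solution would raise before any IOC exists.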


Mitigating Risk, Optimizing Outcomes in Managing Insider Threats

For the first time in cybersecurity, these advanced capabilities are within the reach of all organizations, as they have also been digitally transformed into a cloud service with expert guidance, further extending the convergence in the cloud. This gives organizations of any size meaningful visibility into risky user behavior and the ability to act on it immediately, whether or not those users have extended, privileged access, significantly reducing risk exposure by bringing both detection and response forward to the earliest points in the chain.

SASE, with its convergent architecture and single-layer security platform, is proving to be a viable solution to the cybersecurity needs of a remote-working-enabled future. By combining SASE with Zero Trust and comprehensive user and behavior analytics, this new security model not only simplifies security but significantly reduces risk exposure by protecting the most valuable of modern assets: data.

By Surendra Singh, senior director and country manager (India), Forcepoint
