By The Integrity360 Team on July 30, 2018

Can your company spot an insider threat before it’s too late?

Breaches, Alerts & Advisories

If you were to look at a stock image of a hacker, it would show a hooded figure hunched over the desk who’s lost in the sea of green text and numbers that flash across the screen.

If you were to look at an actual picture of a threat actor, it might resemble Daniel from human resources – that same person who was denied a promotion after being the longest tenured member of the department.

Although the most sensational headlines focus on ransomware, malware and fileless attacks, it’s the quieter infiltrations that wreak havoc in even the most secure companies. These are known as insider threat campaigns, and every business should know how to detect and respond to them.

The data breach enterprises never see coming

Insider threats are typically rogue employees with one of two goals: to disrupt operations by any means possible, or to steal sensitive information from databases. The term also covers negligent end users.

It’s likely that these team members have an intimate knowledge of the organisation’s digital infrastructure. This includes the software being used on a daily basis, how to access closely monitored databases and what security measures are in place to defend against tampering.

Insider threats have been outpacing externally driven cyber-attacks over the past few years. Over half of all attacks start with employees – through either malicious intent or negligence – and this number is only creeping up, according to multiple IBM X-Force Threat Intelligence Index reports. Yet just 39 percent of companies keep a close eye on users with higher authorisation than the average employee, according to a UBM report.

Cyber-attacks conducted by employees carry an average cost of roughly $8.76 million per incident, according to the Ponemon Institute’s 2018 Global Cost of Insider Threats report. That is a concerning finding considering that 9 out of every 10 companies feel the defence mechanisms they have in place to stop insider threats aren’t adequate, according to the CA Technologies 2018 Insider Threat report.

Behaviour is an insider threat tell-all

Detecting and responding to insider threats relies on a combination of modern cyber security tools and improved general awareness of the entire staff. Spotting rogue behaviour early is critical in stopping the campaign before any long-lasting damage is done.

There are a number of telltale signs that an employee is either planning an attack or already carrying one out:

1. Denied a promotion or wage raise.

2. Exhibits anti-social behaviour.

3. Under financial duress.

4. Leaving to go to another company.

5. Gaining privileges that don’t pertain to their department, or making multiple attempts to gain access to unauthorised areas of the digital infrastructure.

6. In the office or connected to the network at odd hours.

7. Efforts to disguise activity.

8. Missing documents, blueprints or internal assets.

But malicious intent isn’t the only insider threat – negligent staff make the company just as vulnerable. There are a number of key characteristics that can be used to identify employees who pose a risk to the business through negligence:

1. Dishevelled work space.

2. Careless with sensitive corporate information.

3. Downloads risky third-party programs.

4. Doesn’t follow cyber security policies regarding multi-factor authentication and other account protections.

5. Interacts with potential phishing campaigns from unknown external sources.

Using database activity monitoring to your advantage

Insider threats are difficult to spot, even when you know all the signs to look for. Missing one cue could lead to highly sensitive information ending up in the wrong hands – and IBM Guardium intends to stop that from happening.

IBM Guardium’s key feature is database activity monitoring (DAM): software agents track database traffic in real time, giving IT teams visibility into user access as it happens. It’s an effective alternative to relying solely on built-in log management tools, which only provide artefacts for analysis after a breach has occurred.

Beyond the ability to connect to all major databases and develop reports for key stakeholders, Guardium offers a number of functionalities that make it a fundamental component in any insider threat protection strategy:

  • Quarantine: Can actively block access for specific users, depending on the information being stored, until authorised by an administrator.
  • Access control: Disconnects users with unauthorised access, showing a generic message and alerting administrators.
  • Data discovery: Provides ongoing data mining to find sensitive data that might otherwise be overlooked.
  • Vulnerability management: Continuous vulnerability scanning spots misconfigurations, missing updates and other potential liabilities.

IBM Guardium offers the real-time database activity monitoring that companies of all sizes need to gain visibility into increasingly sprawling digital infrastructures. When paired with expertise in spotting potentially malicious behaviour, it offers unparalleled peace of mind that a business won’t fall victim to a data breach.
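As an added illustration (not IBM Guardium’s code or anything from the original post), the following Python sketch shows how two of the signals listed earlier – repeated attempts to reach unauthorised data, and activity at odd hours – can be flagged from database audit records of the kind a DAM agent collects. The log format, user names, denial threshold and office-hours window are all constructed assumptions.

```python
"""Toy detector for two insider-threat signals: repeated unauthorised
access attempts and database activity at odd hours.
Added illustration only; not IBM Guardium code. Log format is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<ISO timestamp> <user> <table> <OK|DENIED>"
SAMPLE_AUDIT_LOG = """\
2018-07-30T09:12:05 alice payroll DENIED
2018-07-30T09:12:40 alice payroll DENIED
2018-07-30T09:13:11 alice hr_reviews DENIED
2018-07-30T09:14:02 alice payroll DENIED
2018-07-30T10:02:13 bob tickets OK
2018-07-30T02:47:30 carol customers OK
2018-07-30T02:48:01 carol customers OK
2018-07-30T14:05:55 dave customers OK
"""

DENIED_THRESHOLD = 3       # denied attempts per user per day (assumed tuning value)
WORK_HOURS = range(7, 20)  # 07:00-19:59 counts as normal office hours (assumed)

def parse_audit_log(text):
    """Parse constructed log lines into (datetime, user, table, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, result = line.split()
        events.append((datetime.fromisoformat(ts), user, table, result))
    return events

def find_suspicious_users(events):
    """Return {user: [reasons]} for users matching either signal."""
    denied = defaultdict(int)       # (user, day) -> count of DENIED results
    off_hours = defaultdict(set)    # user -> tables touched outside WORK_HOURS
    for ts, user, table, result in events:
        if result == "DENIED":
            denied[(user, ts.date())] += 1
        if ts.hour not in WORK_HOURS:
            off_hours[user].add(table)
    findings = defaultdict(list)
    for (user, day), n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings[user].append(f"{n} denied access attempts on {day}")
    for user, tables in off_hours.items():
        findings[user].append(f"off-hours access to {', '.join(sorted(tables))}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

In practice both thresholds would be tuned per role and paired with the behavioural context described above, since a single denied query or one late evening is rarely meaningful on its own.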

Contact Integrity360 today to learn more about how IBM Guardium can help your business avoid becoming a victim of an insider threat.
