If the boundaries are ever-changing, what does that mean when it comes to the endpoint and user behaviour?
According to Haystax Technology, 90% of organisations reported feeling vulnerable to insider attacks in 2017 -- up from 64% in 2015. This looked set to rise to 99% in 2018, thanks partly to the rise in risk from regular employees. These stats tell us that a cyber strategy focused on protecting the perimeter is now futile -- employees themselves have become the perimeter and they're always on the move, morphing the perimeter by logging onto the network from different devices and locations.
When contemplating the various headline-grabbing cyber incidents from the past few months -- of which there’s certainly been no shortage -- the truly jaw-dropping ones have tended to involve internal actors or employees, with motivations ranging from ideology to revenge and cold hard cash.
2018 saw Apple crowned as the first trillion-dollar company, closely followed by Amazon -- but that’s not all these technology giants have in common. In July 2018, news broke that Apple suffered an insider attack after a former employee stole data relating to its autonomous driving project before attempting to flee to China and eventually being arrested by the FBI. September saw Amazon catch staff selling customer data to third parties in the US and China.
Evidently, trillion-dollar valuations mean not only a lot of customer data, but also a large organisation -- and in turn, large network infrastructure -- to hide illicit activity within. Both the Apple and Amazon incidents came after Tesla’s, in which a former employee tampered with Tesla’s autonomous driving software code and exported highly sensitive data to unknown third parties. It transpired that the prime motivation behind the incident was vengeance after the employee was denied a promotion.
Of course, insider threats abound in businesses of all sizes, not just technology behemoths. In 2019 a report from Cybersecurity Insiders revealed that two-thirds of US companies now believe that insider threats are more likely than external attacks. This is because, thanks to the ubiquity of shadow IT -- a term which describes the use of IT systems within an organisation without the approval, or even the knowledge, of the IT team -- employees at all levels can now access huge swathes of sensitive and business critical data.
But why is this happening? Without a doubt, organisations of all shapes and sizes have never been more vulnerable to attack, thanks to a dramatic increase in entry points. In addition to the countless connected devices that employees carry around every day -- to and from work -- the Internet of Things (IoT) is swiftly expanding the scope for an attack. Consequently, the modern business has no perimeter -- or, rather, its staff serve as the perimeter. This happens because companies all over the world still haven’t got appropriate protection in place that flags insider threats or risky users before they cause serious damage.
Of course, despite the recent headlines, insider threats are not always malicious and purposeful. The term might conjure cloak-and-dagger espionage, but 'insider threats' covers myriad internal vulnerabilities. These can range from accidental errors and compromised credentials stemming from a socially engineered data breach, courtesy of a lack of basic cyber security hygiene, all the way through to malevolent insiders. In fact, a McAfee report found that nearly half of the data breaches studied were caused by employees, contractors, or suppliers, whether through negligent or malicious behaviour.
For contemporary organisations, with ever-changing boundaries, this must lead to an overhauled approach to endpoint security and user behaviour analytics. Traditionally, cyber security companies strove to prevent outside attackers from penetrating a company’s network, in line with the mantra of the past that prevention is better than cure. Now, however, it’s not a case of if an organisation will get breached but when. As such, cyber security firms are now focusing their attention inwards, rather than towards a company’s boundary -- representing a seismic shift in the way IT departments and the C-suite alike approach the integrity of their organisations.
For IT leaders, the temptation can be to double down on strict security policies, introducing increasingly obtrusive measures in a bid to combat cyber crime. However, there’s no use implementing processes that ultimately make it harder for employees to work efficiently. Undoubtedly, the business will suffer as a result, thanks to stifled innovation and experimentation. Rather than seeking to eliminate breaches completely, it is just as important to identify them rapidly and stop them turning into full-blown disasters.
This is where the power of user and entity behaviour analytics (UEBA) and machine learning becomes most apparent. These technologies rapidly get to know a business and identify security risks from the inside, so that they can spot suspicious behaviour such as unusual out-of-hours access -- think files transferred to atypical locations, from anomalous countries. Should anything suspicious arise -- for example, an intern accessing the CFO’s files at 3am from an IP outside the office -- the company in question will be alerted to the relevant risky or noncompliant behaviour.
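To make the behavioural-baseline idea concrete, here is an added illustration (not code from the article or from any UEBA product) that learns each user's normal hours, source networks and file owners from a constructed access log, then explains why the intern-at-3am event deviates. The office address ranges, log format and field names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed office address ranges (placeholder values for the example).
OFFICE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed sample file-access log: (user, ISO timestamp, source IP, owner of file touched).
# It stands in for the normal activity a UEBA tool would learn a baseline from.
BASELINE_LOG = [
    ("intern", "2018-09-10T09:15:00", "10.1.4.22", "intern"),
    ("intern", "2018-09-10T11:40:00", "10.1.4.22", "marketing"),
    ("intern", "2018-09-11T14:05:00", "10.1.4.22", "intern"),
    ("intern", "2018-09-11T17:30:00", "10.1.4.22", "marketing"),
    ("cfo", "2018-09-10T08:50:00", "10.1.2.7", "cfo"),
    ("cfo", "2018-09-11T19:10:00", "198.51.100.3", "cfo"),  # CFO routinely works late from home
]

def on_site(ip):
    return any(ip_address(ip) in net for net in OFFICE_NETS)

def build_baseline(log):
    """Per user, record hours of day, whether off-site access is normal, and file owners seen."""
    base = defaultdict(lambda: {"hours": set(), "offsite": False, "owners": set()})
    for user, ts, ip, owner in log:
        p = base[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["offsite"] |= not on_site(ip)
        p["owners"].add(owner)
    return dict(base)

def score_event(base, event):
    """Return the reasons an event deviates from its user's baseline (empty list = nothing unusual)."""
    user, ts, ip, owner = event
    p = base.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Allow one hour either side of previously seen hours so a slightly late day is not flagged.
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append("unusual hour")
    if not on_site(ip) and not p["offsite"]:
        reasons.append("off-site source never seen for this user")
    if owner != user and owner not in p["owners"]:
        reasons.append("atypical file owner")
    return reasons

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print(score_event(base, ("intern", "2018-09-12T03:02:00", "203.0.113.9", "cfo")))
```

Note that the CFO's late off-site access is not flagged because it is part of that user's learned baseline, which is exactly the per-user context a static out-of-hours rule lacks.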
Download our whitepaper, “The Modern Business Has No Perimeter” to find out how human security teams empowered by machine-learning technology are proving to be a formidable threat hunting force.