Insider Risk Mitigation: Enhancing Detection Fidelity

by Netography Detection Engineering Team

The total average annual cost of an insider incident increased to $17.4 million in 2024, up from $16.2 million in 2023, largely driven by the resources required for containment and response. Reducing time to containment and response is a priority for insider risk management teams. Resilient operational security plans that anticipate insider threats can reduce the time needed for an investigation and the overall stress on frequently overtaxed teams.

Carnegie Mellon’s Common Sense Guide to Mitigating Insider Threats, now in its 7th edition, provides a blueprint for developing robust insider threat management programs. The guide emphasizes the 30 days before and after someone leaves an organization as the critical period in which to monitor their network activity and the resources they use. As soon as an organization knows that an insider with access to high-value resources is going to leave, there is a strong argument for enhanced security. Tightening detections on the resources that individual uses and auditing their network activity can proactively mitigate the risk of sabotage, theft of IP, and fraud.

Attacker dwell time appears to continue its downward trend, with Mandiant suggesting as little as 10 days. When there is advance notice of an employee leaving, an enhanced monitoring and detection protocol for the affected employees is extremely prudent. Adding these precautions to your playbooks lets you build a dossier of what happened, should an incident occur, for use by your insider risk management program or team and by law enforcement.

Insider Threat vs Default Security Posture

Time is the bane of every investigation and threat hunt: it bounds how deep one can go to understand what happened. That constraint shapes the tuning of detection systems, the development of canned SIEM searches, and the automation and execution of playbooks. The unique threat posed by insiders should be treated as an inflection point for investigations, re-balancing the tradeoff between false positives and increased opportunities to detect and prevent malicious activity.

No insider risk management program is perfect, and a sufficiently motivated (and possibly disgruntled) employee may begin their activities well before they are aware of an impending layoff. Nonetheless, whether or not there is advance notice, having a predetermined set of additional security controls for potential insiders should be seen as a basic form of infosec preparedness.

The Ground Truth About Insider Threat Detection

Networks can’t operate without routing and switching traffic, so traffic flows are an extremely flexible and authoritative source for what’s on the wire. Likewise, DNS makes it possible for systems to locate each other; networks cease to function without it (as the saying goes, it’s always DNS).

The Netography Fusion® platform is a system of record that helps organizations rapidly implement insider risk mitigation by leveraging powerful detection, visualization, and search capabilities across on-prem and cloud environments. Fusion ingests ground-truth data sources (flow and DNS), providing a detection system that operates on streaming data as well as search and visualization that operate on stored data. Our customers can use their data in several ways to address insider threats:

  • Detections: Out of the box, Fusion provides hundreds of Network Detection Models (NDMs) that fire an event when they see suspicious activity consistent with a given threat. As part of an insider threat management program (or simply to test an idea), customers can rapidly develop and deploy new or modified detections that apply enhanced scrutiny to potential adversarial insider activity. These may be entirely new detections or more sensitive versions of existing ones scoped to specific resources. This is one of the tradeoffs mentioned earlier: more sensitive detections that may generate false positives in exchange for improved visibility. Increased scrutiny of potential insiders does not necessarily mean more false positives; that is merely one of several possible outcomes.
    Keeping these detections enabled after the employee leaves is important for several reasons: the employee may have configured activity to trigger after their departure, they may not have managed to act before leaving and do so afterwards, or they may only decide to act after their last day of employment.
  • Visualizations and searching: Beyond detection, Fusion’s visualizations operate on historical data, enabling users to build dashboards that provide a “single pane of glass” view of data and events. Just as with detections, insider threat-specific dashboards are another tool for enhanced scrutiny of potentially adversarial insiders.
    Humans are skilled at pattern recognition, and some forms of detection require a person rather than a program to look at the data. This “human detector” paradigm is powered by Fusion dashboards and search pivots, all of which support the detection of insider threat activity.
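As an added illustration of the resource-specific, window-bounded scrutiny described in these two bullets (example code written for this page, not part of the Fusion platform or its NDMs), the following Python sketch applies a tightened per-resource byte threshold to flows from a watchlisted workstation during the 30 days before and after an announced departure, and tags post-departure hits so the detection keeps working after the last day. The watchlist, resource names, thresholds and flow records are all constructed.

```python
from collections import defaultdict, namedtuple
from datetime import date

WINDOW_DAYS = 30  # enhanced scrutiny on each side of the announced departure date
FlowRecord = namedtuple("FlowRecord", "day src_host dst_resource bytes_out")

# Constructed watchlist (hypothetical): workstation -> announced departure date.
WATCHLIST = {"ws-eng-07": date(2024, 6, 14)}

# Constructed high-value resources: (default, tightened) outbound bytes per host per day.
# The tightened limit trades false positives for visibility, so it applies only inside the window.
HIGH_VALUE = {
    "git.internal": (5_000_000, 500_000),
    "fileshare.internal": (20_000_000, 2_000_000),
}

def in_scrutiny_window(host: str, day: date) -> bool:
    """True when host belongs to a departing insider and day is within +/- WINDOW_DAYS."""
    departure = WATCHLIST.get(host)
    return departure is not None and abs((day - departure).days) <= WINDOW_DAYS

def evaluate(records: list) -> list:
    """Sum outbound bytes per (day, host, resource) and emit one event per limit breach."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.day, r.src_host, r.dst_resource)] += r.bytes_out
    events = []
    for (day, host, resource), total in sorted(totals.items()):
        if resource not in HIGH_VALUE:
            continue
        default_limit, tight_limit = HIGH_VALUE[resource]
        watched = in_scrutiny_window(host, day)
        limit = tight_limit if watched else default_limit
        if total > limit:
            # The detection stays enabled after the last day, so label post-departure hits.
            phase = "unwatched" if not watched else (
                "post-departure" if day > WATCHLIST[host] else "pre-departure")
            events.append({"day": day.isoformat(), "host": host, "resource": resource,
                           "bytes": total, "limit": limit, "phase": phase})
    return events

# Constructed sample flows, not real telemetry.
SAMPLE = [
    FlowRecord(date(2024, 6, 10), "ws-eng-07", "git.internal", 400_000),
    FlowRecord(date(2024, 6, 10), "ws-eng-07", "git.internal", 300_000),  # same day: 700k total
    FlowRecord(date(2024, 6, 10), "ws-eng-12", "git.internal", 700_000),  # unwatched peer, same volume
    FlowRecord(date(2024, 6, 24), "ws-eng-07", "fileshare.internal", 3_000_000),  # 10 days after
    FlowRecord(date(2024, 7, 29), "ws-eng-07", "fileshare.internal", 3_000_000),  # 45 days after
]
```

Running `evaluate(SAMPLE)` yields two events for ws-eng-07 (one pre-departure, one post-departure); the unwatched peer with identical volume and the transfer 45 days out, after the window closes, fall under the default limit and are not flagged.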

Your ability to store and leverage data from across your multi-cloud or hybrid environment for investigation and detection is directly tied to your ability to accelerate containment and response. For organizations interested in enhancing their insider risk management program, Fusion lets you tap into that data to achieve a higher level of scrutiny and mitigate the risks and costs of insider threats.

Interested in learning more? We are here to help. Contact us.