Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Evolving Employee Security Measures from “Weak Link” to “Front Line Defense”

It’s easy to think that attackers have gained an unfair advantage over security professionals. The network perimeter has virtually dissolved, compelling enterprises to simultaneously work to keep the bad guys out while tackling multiple insider threats – naive employees, malicious insiders, careless third parties, and undetected malware or intruders that have already breached network defenses.
The challenge for security teams today? Legitimate users and activities should not be impeded, but determining what activity to block and what to allow is not always easy.

Cybercriminals increasingly rely on social engineering campaigns and unsuspecting insiders, weak passwords, and poor cyber hygiene to provide a conduit for their attacks. The most suspicious network behavior shouldn’t be sent into a queue to be reviewed by an analyst when they get to it; it needs to be addressed in real time.

And to make things more complicated, in our increasingly digital world, binary decisions – black or white, allow or block – do not work.  Enterprises need to shift their approach to information security to be more continuously adaptive and think about how to enable transactions when all the information isn’t available or there is a known level of risk.

In a recent survey of employees around their own security habits, findings revealed that employees have more access than they should and a large majority of them have poor security habits even when they think they don’t. One startling finding was that 25 percent of employees have tried to access data at work that they weren’t supposed to. And of those 25 percent, close to 60 percent were successful at accessing that data. This combination is dangerous to organizations because it leaves their business exposed. It’s a recipe for a breach.

A copy of that report can be found here.

Research reports from Verizon and Cisco corroborate what IT teams are claiming: insider threats are increasing and common interventions like security awareness training and basic access controls are not effective. According to Verizon’s 2017 DBIR, 25 percent of breaches involved internal actors, 81 percent of hacking-related breaches were aided by stolen or weak passwords, and 66 percent of malware was installed via email attachments.

However, there are several more alarming trends related to incident response. Cisco’s 2017 Annual Security Report highlights some of them: an increase in spam traffic, of which a growing percentage contains malicious attachments; high percentages of security alerts not investigated (44 percent) and legitimate alerts not remediated (54 percent). These trends are a result of some of the persistent constraints security teams experience today (budget, talent, compatibility issues, executive support) and this erodes confidence and undermines the effectiveness of security technologies in place.

Building a culture of security and accountability is key to evolving your employee-driven security measures from “weak link” to “front line defense.”

Providing frequent security training that keeps pace with relevant threats is another essential element. Linking specific training exercises to employee errors or habitual non-compliance can drive a more sustained focus on avoiding potentially malicious emails and web sites.

Relying solely on culture, leadership, training, and policy documents to protect the complex systems and valuable data that fuel digital business and infrastructure is not going to work. We need to lean on technology and processes; emerging solutions that combine both are a powerful antidote to internal threats. With security teams being overwhelmed, finding a way to better leverage existing technologies and make them more adaptive and automated is going to be a key requirement.

The ultimate goal is to provide security that is not disruptive to real business and can preempt the real threats before they create impact. Better identification of the identity, behavior, and risk of activities, along with real-time adaptive response mechanisms, can help achieve this.

The starting point is User and Entity Behavior Analytics (UEBA). UEBA that incorporates traffic analysis, behavior analysis, and real-time user feedback can continuously learn and identify suspicious behavior, unexpected use patterns, risk, and the shades of gray.

Combine this with real-time threat prevention that can adaptively respond to threats (or a shift in behavior) based on risk, identity, role, the asset being targeted, and context, and security teams have an accurate way to automate threat response and reduce the incident response burden. Such adaptive responses could include multi-factor authentication, allow, block, notify, endpoint isolation, and others, all of which are designed to match the behavior, the type of user, the application, and the asset being targeted, and are applied through flexible policies. Real-time engagement with users now adds advanced supervised machine learning into behavioral analytics, rendering it even more accurate and effective over time.

Let’s look at a practical use case.

An organization has a privileged user who accesses multiple servers they don’t normally access. Traditionally, an alert is generated and manually reviewed by security professionals. With the adaptive real-time response, the user would be prompted to validate their identity using multi-factor authentication. If unsuccessful, they can be automatically blocked, potentially stopping an attacker who stole someone’s credentials.

This entire process is completed without a security analyst ever needing to get involved. If the user was an outside consultant or an executive, the response could be completely different based on context, risk and policy.
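The use case above can be sketched as a small policy engine. This is an added example, not Preempt's code: the account names, server names, roles, thresholds, and the rule that a passed challenge extends the baseline are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: servers each account normally accesses (hypothetical names).
BASELINE = {
    "alice-admin": {"db01", "db02"},
    "bob-consultant": {"build01"},
}

# Hypothetical policy: per role, how many out-of-baseline servers in one window
# trigger a response, and which response is applied.
POLICY = {
    "privileged": (2, "mfa"),
    "consultant": (1, "block"),
    "employee": (3, "notify"),
}

@dataclass
class Access:
    user: str
    server: str

def new_servers(events, user):
    """Servers this user touched in the window that are outside their baseline."""
    known = BASELINE.get(user, set())
    return {e.server for e in events if e.user == user and e.server not in known}

def decide(events, user, role, mfa_verifier=None):
    """Return (action, unusual_servers) for one user over a window of events."""
    unusual = new_servers(events, user)
    threshold, response = POLICY.get(role, (1, "block"))  # unknown role: strictest
    if len(unusual) < threshold:
        return "allow", unusual
    if response != "mfa":
        return response, unusual
    # Challenge the user; a failed or unavailable challenge results in a block.
    if mfa_verifier is not None and mfa_verifier(user):
        # User feedback: a passed challenge extends the baseline (assumed rule).
        BASELINE.setdefault(user, set()).update(unusual)
        return "allow", unusual
    return "block", unusual

# Constructed sample window of access events.
WINDOW = [
    Access("alice-admin", "db01"),
    Access("alice-admin", "hr-files"),
    Access("alice-admin", "dc01"),
    Access("bob-consultant", "fin01"),
]

if __name__ == "__main__":
    print(decide(WINDOW, "alice-admin", "privileged", lambda u: False))
    print(decide(WINDOW, "bob-consultant", "consultant"))
```

The same window of events produces a different response per role, and a missing or failed MFA result fails closed.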

When behavioral insights are combined with an adaptive response and enforcement, organizations can improve their ability to proactively defend against sophisticated attacks and insider threats, and can more easily control access to data and systems. This can significantly reduce the time spent on incident response, allowing teams to be more efficient and effective.

People behaving badly on the network is a given; adversaries know this and they are targeting your organization by taking advantage of your users, looking for weak links, patterns of carelessness, and virtual doors left ajar. Turn the tables by monitoring for risky activities, and slamming those open doors right in the menacing face of cybercrime.


Topics: Adaptive Response, Credential Compromise, Information Security, Insider Threats, User Behavior

Posted by Ajit Sancheti on December 1, 2017 8:09 AM

