Insider Threats: How the Utilization of SOAR Can Reinforce an Organization’s Defenses Against an Unpredictable Adversary
Insider threats are among the costliest and hardest to detect of all threats posed towards an organization and its assets. Since this type of threat is wholly dependent on human behavior, whether it be with malicious intent, carelessness, or a general lack of knowledge, it continues to be the single most consistent source of today’s data breaches.
When we hear about a new breach that involved an insider, we tend to picture the disgruntled employee whose mission was to take down the corporation they despise, and, if your imagination is really colorful, that employee is being backed by some nation-state in a 007-style spy game. However, these insider threat scenarios are the exception to the rule.
The most common type, inadvertent negligence, in some ways is even more terrifying than the thought of a spy game being played within the bounds of your network. These threats are the single most expensive category of employee risk an organization may face. They are hard to predict and even harder to prevent, so how can organizations protect themselves when the odds are stacked against them?
Asset Identification and Management
One of the first steps to take in order to protect against any threat is to understand what you are protecting and why. To do this properly, it is highly recommended that an organization have a dynamic asset management plan in place. However, asset inventory and management procedures are not for the faint of heart. They take a considerable amount of time to plan and execute, but attempting to secure your environment without one will feel a lot like playing a game of whack-a-mole.
There are many different approaches to building an asset management plan. Some might follow the ISO 55000 series of standards to develop their plans, while others may take bits and pieces of other standards or deployment options to build a plan that is right for them. Regardless of the path you take to get there, the one thing that is certain is that the plan you develop must operationally work for you.
One way to ensure that the asset management plan and the detail-rich data that it provides can be fully operationalized is to incorporate it into the organization’s security monitoring program through the use of strong correlation rulesets and to enrich those security events through the use of a Security Orchestration, Automation and Response (SOAR) platform. By adding the asset data to a SOAR solution, security teams can build workflows to gather this invaluable data during an active incident, and automatically elevate event priority or contain a specific user or system to prevent further damage until a security professional can completely evaluate and remediate the risk.
Behavioral Analytics Technologies
Along with operationalized asset data, behavioral analytics technologies can substantially improve an organization’s ability to minimize insider threats to its operations. Behavioral analytics relies on packet inspection, signature detection, log analysis, and advanced analytics – as well as artificial intelligence (AI) techniques – to detect and block attempts to breach an organization. With a benchmark for “normal” user actions or network traffic, it’s possible to identify when something falls outside of a regular pattern.
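The “benchmark for normal” idea in practice, as an added example that is not part of the original article: each user’s historical daily count of files pulled from a file share becomes the baseline, and today’s count is compared against it with a simple z-score. The users, counts, and the 3-sigma threshold are constructed assumptions; a real behavioral analytics product would use richer features, but the shape of the check is the same.

```python
import statistics

# Constructed sample: seven baseline days of "files downloaded per day" per user,
# followed by today's observation. Not real data.
BASELINE_DAYS = {
    "alice": [12, 15, 11, 14, 13, 12, 16],   # light, steady user
    "bob":   [40, 38, 45, 41, 39, 44, 42],   # heavy but consistent user
}
TODAY = {"alice": 210, "bob": 47}


def baseline(counts):
    """Mean and sample standard deviation of a user's historical daily counts."""
    mean = statistics.mean(counts)
    stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return mean, stdev


def score(today_count, history, threshold=3.0):
    """Return (z_score, is_anomaly). The floor of 1.0 on the standard deviation
    stops a very steady user from being flagged on a tiny absolute change."""
    mean, stdev = baseline(history)
    z = (today_count - mean) / max(stdev, 1.0)
    return round(z, 2), z > threshold


def detect(today=TODAY, history=BASELINE_DAYS):
    """Score every user seen today against their own baseline; unknown users
    (no history) are reported as anomalous so the analyst still sees them."""
    findings = {}
    for user, count in today.items():
        if user not in history:
            findings[user] = {"today": count, "z": None, "anomalous": True}
            continue
        z, flagged = score(count, history[user])
        findings[user] = {"today": count, "z": z, "anomalous": flagged}
    return findings


if __name__ == "__main__":
    for user, result in detect().items():
        print(user, result)
```

Bob’s 47 is above his mean but well within his normal spread, so only Alice’s 210 is flagged; a per-user baseline is what keeps a naturally heavy user from drowning the queue in false positives.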
Armed with this level of internal intelligence, organizations have a tremendous opportunity to get ahead of a potentially malicious threat by incorporating these advanced technologies into their security monitoring program. Integrating the findings from behavioral analytics technologies into Security Information and Event Management (SIEM) correlation rules and SOAR workflows allows for greater enrichment and immediate containment on behalf of the organization’s security team. This provides the much-needed additional eyes on glass and the rapid response necessary to protect the business and its assets from this ever-growing threat.
Stringent Monitoring Rules
Both asset identification and behavioral analytics technologies provide a vast wealth of internal intelligence to a security team. However, this crucial intelligence is only effective if it can be properly operationalized through the use of stringent monitoring and correlation rulesets.
These rulesets direct detection and remediation efforts and dictate company policy for handling these types of security incidents. By ensuring that high-priority assets and high-risk user profiles have strict monitoring rules in place, an organization can use a SOAR solution as an additional member of the security team: automating the evidence-gathering process and issuing containment actions instantly, before a rogue user can do irreparable damage. This not only provides additional support to the security team, but also ensures that any incident involving a company’s most valuable assets and its people is contained immediately, before any damage can be done.
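A minimal SOAR-style playbook that ties the three ideas above together (asset data, user risk profile, stringent rules), added here as an example and not taken from the article or any SOAR vendor: a raw SIEM alert is enriched with asset criticality and a user risk tier, a priority is computed from a fixed rule, evidence collection always runs, and automated containment is issued only once the priority crosses a bar. All hostnames, users, scores and action names are constructed assumptions.

```python
# Constructed asset inventory and user-risk feed, standing in for what an asset
# management plan and HR/IAM systems would supply to the SOAR platform.
ASSETS = {
    "fs-finance-01": {"criticality": "high", "data_class": "confidential", "owner": "finance"},
    "kiosk-lobby-3": {"criticality": "low",  "data_class": "public",       "owner": "facilities"},
}
USER_RISK = {
    "alice": {"tier": "elevated", "reason": "resignation submitted"},
    "bob":   {"tier": "standard", "reason": ""},
}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}
UNKNOWN_ASSET = {"criticality": "unknown", "data_class": "unknown", "owner": "unknown"}


def enrich(alert):
    """Attach asset and user context to a raw SIEM alert (returns a copy)."""
    out = dict(alert)
    out["asset"] = ASSETS.get(alert["host"], UNKNOWN_ASSET)
    out["user_risk"] = USER_RISK.get(alert["user"], {"tier": "standard", "reason": ""})
    return out


def prioritize(enriched):
    """Stringent rule: severity + asset criticality + user risk tier."""
    score = SEVERITY_SCORE[enriched["severity"]]
    score += {"high": 2, "medium": 1}.get(enriched["asset"]["criticality"], 0)
    score += 2 if enriched["user_risk"]["tier"] == "elevated" else 0
    return score


def playbook(alert, auto_contain_at=6):
    """Enrich, prioritize, and list the actions the workflow would issue.
    Evidence gathering always happens; containment only above the bar."""
    rec = enrich(alert)
    rec["priority"] = prioritize(rec)
    rec["actions"] = ["collect_auth_logs", "snapshot_host", "notify_owner:" + rec["asset"]["owner"]]
    if rec["priority"] >= auto_contain_at:
        rec["actions"] += ["disable_account:" + rec["user"], "isolate_host:" + rec["host"]]
    return rec


SAMPLE_ALERTS = [  # constructed SIEM alerts from the same correlation rule
    {"id": "A-1", "rule": "bulk_file_download", "severity": "high", "user": "alice", "host": "fs-finance-01"},
    {"id": "A-2", "rule": "bulk_file_download", "severity": "high", "user": "bob",   "host": "kiosk-lobby-3"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = playbook(a)
        print(a["id"], r["priority"], r["actions"])
```

The two alerts fire from the same rule with the same severity; only the enrichment with asset and user context separates the one that warrants automatic containment from the one that only needs evidence and a notification.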
Stringent monitoring rules, asset identification, and advanced technologies such as behavioral analytics provide a much-needed helping hand to organizations attempting to detect and prevent an insider incident. An additional and very important piece of this solution is vulnerability identification and management.
Every security incident starts with some kind of exploited vulnerability. Whether it is a human vulnerability or an unpatched or unknown vulnerability in a piece of software, the exploitation of any weakness within an organization can be devastating. Many security teams struggle to stay on top of their vulnerability management program and are often inundated with hundreds, if not thousands, of new vulnerability alerts.
To assist security teams, SOAR solutions can be used to help with prioritization and to intervene on behalf of the security team when a vulnerable asset is targeted. By incorporating automation and orchestration into a vulnerability management program, organizations gain a clearer view of the highest priorities facing their operations, while not losing sight of lower-priority issues that can be leveraged against them if left untreated.
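An added example of the prioritization step described above (not the article’s own and not any scanner’s scoring): scanner findings are scaled by the asset criticality from the inventory and by two exposure factors an orchestration step would pull in, then split into an act-now list and a watchlist so lower-priority items stay visible rather than disappearing. Finding ids are placeholders, and the hosts, weights and cut-off are constructed assumptions.

```python
# Constructed scanner findings already joined to asset context. The ids are
# placeholders, not real advisories; weights and thresholds are assumptions.
ASSET_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "host": "fs-finance-01", "cvss": 7.5,
     "criticality": "high",   "internet_facing": False, "exploit_public": True},
    {"id": "VULN-PLACEHOLDER-2", "host": "web-portal-02", "cvss": 9.8,
     "criticality": "medium", "internet_facing": True,  "exploit_public": False},
    {"id": "VULN-PLACEHOLDER-3", "host": "kiosk-lobby-3", "cvss": 4.3,
     "criticality": "low",    "internet_facing": False, "exploit_public": False},
]


def risk_score(finding):
    """CVSS base score scaled by asset criticality, then by exposure factors.
    A mid-severity flaw on a crown-jewel host can outrank a critical one on a
    low-value host, which is the point of bringing asset data into the loop."""
    score = finding["cvss"] * ASSET_WEIGHT[finding["criticality"]]
    if finding["internet_facing"]:
        score *= 1.5
    if finding["exploit_public"]:
        score *= 1.5
    return round(score, 1)


def triage(findings, act_now_at=25.0):
    """Rank findings and split them into an act-now queue and a watchlist.
    Nothing is dropped: the watchlist is what keeps low-priority items in view."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    act_now = [f["id"] for f in ranked if risk_score(f) >= act_now_at]
    watchlist = [f["id"] for f in ranked if risk_score(f) < act_now_at]
    return act_now, watchlist


if __name__ == "__main__":
    now, later = triage(FINDINGS)
    print("act now :", now)
    print("watchlist:", later)
```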
As with all things security-related, there is unfortunately no silver bullet or one-size-fits-all solution to keep us and our organizations safe. Thankfully, there are many different layers of protection that can and must be deployed to help safeguard our operations against both malicious attackers and negligent team members. The use of these methodologies and the assistance of SOAR will help ensure that your users remain a strategic part of bettering your business and do not become a liability that could hinder the growth of your organization.