Survey reveals insider threat detection challenges
The history of insider threats is replete with warning signs that, for one reason or another, often go unnoticed by co-workers and IT security personnel. But why do organizations miss these warning signals and fail to detect insider abuses before it is too late?
According to a new survey released today by the Ponemon Institute, the answers to those questions point to a wide array of policy, process and technology shortcomings throughout the public and private sectors, all of which contribute to a lack of insight into who has access to sensitive data and what they are doing with it.
Ponemon surveyed 693 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians in the United States. And while the threat posed by insiders with authorized and privileged access to sensitive information has become a central security concern in the aftermath of the historic Edward Snowden leak, nearly half of those surveyed described their organization’s policies for managing privileged users as “ad hoc.”
In fact, 73 percent of respondents said privileged users “believe they are empowered to access all the information they can view.” Additionally, 65 percent said privileged users access sensitive or confidential data because of curiosity, and 54 percent said their organization assigns privileged access rights that go beyond the individual’s role or responsibility.
But while the establishment of clearly-defined policies for managing privileged user access lags, the survey does reveal that organizations are taking proactive steps to deploy automated tools to help manage and grant privileged access requests. In fact, the number of organizations reporting use of automated tools jumped from 35 percent in 2001 to 57 percent in 2014, according to the survey.
The biggest challenge facing organizations remains keeping pace with the volume of access change requests that must be managed and certified. But two particular problems have increased significantly — the lack of consistent approval processes for access change requests and the amount of time it takes to certify and grant privileged access.
The survey also uncovered problems with the automated insider threat detection tools on the market. Sixty-nine percent of respondents said the tools do not provide enough context to help them determine if a particular activity is actually a threat. In addition, 56 percent said the current crop of security tools produce too many false positives. Forty-five percent of respondents said the tools simply produce too much information that cannot be reviewed in a timely manner.
“To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy [security information and event management technologies] and other network intelligence tools (40 percent of respondents),” the survey stated. “More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used.”
Most respondents said their greatest concern is general business and customer data, because of the lack of access controls around it. But fears about intellectual property loss increased dramatically, jumping from just 12 percent in 2011 to 33 percent in 2014.
Data-loss prevention and insider threat detection tools have been in development commercially for more than a decade. And in the aftermath of the Snowden leaks, the Defense Department and intelligence agencies have invested millions of dollars in automated threat detection tools and also embarked upon a major overhaul of the policies and procedures governing how security clearances are issued and renewed. It is this history that makes the dissatisfaction with the current market of automated tools stand out in the survey.
Michael Crouse, Director of Insider Threat Strategies at Raytheon, which sponsored the survey, said that in the past many organizations relied on traditional information assurance tools that could not provide the context needed to determine an insider’s intent.
“Technologies at the end-point that have been developed and fine-tuned [over] many years are just now seeing enterprisewide deployment with the growing awareness of the threat of an insider breach,” Crouse said in an email to FedScoop. “The tools of yesterday should not be ignored, but organizations need to complement these products with new technologies as part of their layered defense.”