Supercharging Insider Threat Detection in the SOC

Recent insider threat incidents show the value of a carefully designed insider threat program.


Insider threats are all too common today, and they also happen to be one of the more complicated types of threats to detect. Having a focused, intentional insider threat program can make a huge difference in a company’s preparedness to detect, investigate, and respond to these kinds of incidents. 

It should come as no surprise to our readers that insiders play a significant role in data breaches and security incidents. Just this year, the newest Data Breach Investigations Report by Verizon found that 34% of data breaches involved internal actors. In addition, 15% of breaches were caused by misuse by authorized users. The report also found that 56% of breaches took months or longer to discover, a troubling fact given that the time from an attacker's first action to compromise is often measured in minutes. Unfortunately, these statistics are reinforced by the security incidents we see in the news. Insider threats are all around, and no one is immune, not even cybersecurity companies.

A cybersecurity publication recently revealed that global computer security company McAfee has filed a lawsuit against three former sales employees, claiming that they stole trade secrets before joining Tanium, a competitor in endpoint security. The three employees resigned from McAfee late last year and earlier this year, and, according to reports, their successive exits raised a red flag within the company. McAfee examined the employees' computers and discovered a "pattern" of accessing and removing company information before and after they left, including emailing documents to personal email addresses and copying files to personal file shares and USB drives. The company also found that one of the employees had accessed a database containing customer order information.

McAfee has been able to establish in general terms that sales and financial documents were taken, and it is now seeking a court order to determine exactly which files. It appears McAfee is seeking damages for losses caused by misuse of the stolen trade secrets.

McAfee isn't alone in its insider threat woes. Last month, Canadian financial cooperative Desjardins, the largest federation of credit unions in North America, announced a massive data breach affecting 2.9 million members. The culprit was one of its own employees.

According to Desjardins, an "ill-intentioned employee" collected member data from a database and shared it with a third party without authorization. The data included personally identifiable information (PII) of individual members and business customers. The breach affected more than 40% of the cooperative's member base, and Desjardins is introducing new security measures to protect its members' data. The employee responsible for the breach has been fired.

Both incidents show the potential damage that can be done by malicious employees. With authorized credentials, an employee can wreak havoc by legitimately accessing confidential data for illegitimate purposes, and the access control layer will not stop them, because each individual access is permitted. In cases like these, it's critical to understand how employees are actually interacting with your business systems and assets in order to judge whether there is a real security risk. In McAfee's case, the company has been able to identify many clues about the actions taken by these malicious employees, and it is now in a much better position to establish the facts it is still missing and pursue damages.

Of course, in an ideal world, a security team will catch these types of actions very quickly, before significant damage is done. But the difficulty with detecting an insider threat is that the behaviors that indicate something is amiss can be very subtle and may not look unusual at all unless seen in the context of that user's previous behavior or the behavior of their peers. A dozen files copied to a USB drive is routine for a firmware engineer and a red flag for a salesperson who has just handed in their notice. An insider threat program needs to take into account the complex nature of insider threats and use the right tools for detection and investigation. When starting or evaluating an insider threat program, there are five things a SOC team should keep in mind:

  1. Inside(r) threats come in many shapes and sizes. Not all insider threats are malicious employees. Negligent employees are even more frequently responsible for data breaches. And targeted outside attacks that compromise legitimate credentials exhibit "insider" characteristics once inside your company: the activity is performed by a valid account with valid permissions, so it has to be caught on behavior rather than on access denial.
  2. Machine learning can help detect insider threats, but not all ML is created equal. Machine learning is frequently touted by vendors as a powerful tool for detecting security threats, including insider threats. But different types of machine learning are suited to different use cases. Unsupervised machine learning, which looks for structure and outliers within unlabeled data, is the more practical choice for threats that come with no neatly labeled training set, such as insider threats or advanced persistent threats (APTs). The more popular supervised machine learning requires labeled datasets and can fall short on detecting these more sophisticated threats. Either way, a model's output is an anomaly score, not a verdict: unusual is not the same as malicious, and an analyst still has to investigate what fired.
  3. Pair powerful behavioral analytics with a powerful SIEM. When implemented correctly, user and entity behavioral analytics (UEBA) can be your "secret weapon" for identifying the actions that malicious insiders like those at McAfee and Desjardins undertake. In this way, UEBA can supercharge your security information and event management (SIEM) by applying a new lens to the security data you already collect, giving you a comprehensive and cohesive framework for detecting, investigating, and responding to threats quickly.
  4. Don't dismiss event correlation. There's a common "myth" today that event correlation is no longer effective or necessary, and that rules no longer have a place in the SOC. That's not the case. When done in real time, correlation gives you important context about the relationship between events (an HR notice of resignation followed by a spike in USB writes, for example) and remains an effective way to quickly identify and respond to known threats.
  5. Broad detection is key. Some security teams are forgoing a SIEM altogether in favor of collecting logs in a data lake and letting incident responders "search and hunt" for threats, with no preset use cases. But the truth is that detection capabilities built on preset use cases remain valuable for known threats, and they make both detection and response faster than ad hoc hunting alone.
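To make points 2 through 4 concrete, here is an added, deliberately small example of the two techniques side by side; it is not Interset's code or any vendor's algorithm, and it runs on a constructed audit log rather than real telemetry. Each user's daily count of a sensitive action (USB writes, mail to external domains) is scored against that user's own history and against their team's history with a standard score, which stands in for the unsupervised baselining described above, and a correlation rule then raises severity when an anomaly lands within 30 days of an HR "notice given" event. The user names, team names, dates and the `NOTICES` feed are all invented for the illustration.

```python
"""Behavioral baselining plus HR-event correlation over a constructed audit log.

Added illustration, not product code. All users, teams, dates and counts
below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    team: str
    action: str   # "usb_write" or "email_external" in this sample
    count: int    # number of such actions by the user on that day


EVAL_DAY = date(2019, 7, 1)                 # the day being scored (constructed)
NOTICES = {"carol": date(2019, 6, 28)}      # hypothetical HR feed: user -> date notice was given


def build_sample_events(history_days=20, eval_day=EVAL_DAY):
    """Constructed history: a quiet sales team and a USB-heavy engineering team,
    then an evaluation day on which one salesperson copies far more than usual."""
    events = []
    start = eval_day - timedelta(days=history_days)
    for i in range(history_days):
        d = start + timedelta(days=i)
        for u in ("alice", "bob", "carol"):
            events.append(Event(d, u, "sales", "usb_write", i % 2))              # 0 or 1 per day
            events.append(Event(d, u, "sales", "email_external", 2 + i % 3))     # 2..4 per day
        for u in ("dave", "erin"):
            events.append(Event(d, u, "engineering", "usb_write", 9 + i % 3))    # 9..11 per day
            events.append(Event(d, u, "engineering", "email_external", 1 + i % 2))
    events += [
        Event(eval_day, "alice", "sales", "usb_write", 1),
        Event(eval_day, "alice", "sales", "email_external", 3),
        Event(eval_day, "bob", "sales", "usb_write", 0),
        Event(eval_day, "bob", "sales", "email_external", 4),
        Event(eval_day, "carol", "sales", "usb_write", 12),       # 12 USB writes: unusual for sales
        Event(eval_day, "carol", "sales", "email_external", 9),
        Event(eval_day, "dave", "engineering", "usb_write", 11),  # 11 USB writes: normal for engineering
        Event(eval_day, "dave", "engineering", "email_external", 2),
        Event(eval_day, "erin", "engineering", "usb_write", 10),
        Event(eval_day, "erin", "engineering", "email_external", 1),
    ]
    return events


def zscore(value, baseline, min_sd=1.0):
    """Standard score of `value` against `baseline`. The standard deviation is
    floored at `min_sd` so one extra event over a perfectly flat history does
    not produce an enormous score (a design choice, not a universal rule)."""
    if not baseline:
        return 0.0
    return (value - mean(baseline)) / max(pstdev(baseline), min_sd)


def score_day(events, day):
    """Return {(user, action): (count, self_z, peer_z)} for every event on `day`,
    using only events strictly before `day` as the baseline."""
    by_user = defaultdict(list)   # (user, action) -> historical daily counts
    by_team = defaultdict(list)   # (team, action) -> historical daily counts of all team members
    for e in events:
        if e.day < day:
            by_user[(e.user, e.action)].append(e.count)
            by_team[(e.team, e.action)].append(e.count)
    scores = {}
    for e in events:
        if e.day == day:
            self_z = zscore(e.count, by_user[(e.user, e.action)])
            peer_z = zscore(e.count, by_team[(e.team, e.action)])
            scores[(e.user, e.action)] = (e.count, round(self_z, 2), round(peer_z, 2))
    return scores


def detect(events, day, notices, z_threshold=3.0, window_days=30):
    """Anomaly detection (either baseline exceeds z_threshold) correlated with an
    HR notice within +/- window_days. Anomaly alone -> 'medium'; anomaly near an
    exit -> 'high'. Returns alerts sorted by user and action."""
    alerts = []
    for (user, action), (count, self_z, peer_z) in score_day(events, day).items():
        if max(self_z, peer_z) < z_threshold:
            continue
        notice = notices.get(user)
        near_exit = notice is not None and abs((day - notice).days) <= window_days
        alerts.append({"user": user, "action": action, "count": count,
                       "self_z": self_z, "peer_z": peer_z,
                       "severity": "high" if near_exit else "medium"})
    return sorted(alerts, key=lambda a: (a["user"], a["action"]))


if __name__ == "__main__":
    for alert in detect(build_sample_events(), EVAL_DAY, NOTICES):
        print(alert)
```

Run as-is, it produces two alerts, both for carol and both "high": her 12 USB writes and 9 external mails are roughly 11 and 6 standard deviations above both her own history and her team's, and she gave notice three days earlier. Dave's 11 USB writes on the same day score about 1 standard deviation and never surface, even though in absolute terms he copied almost as much as carol; that is the "context of previous behaviors or peer behaviors" point above. Remove the HR feed and carol's alerts still fire, but drop to "medium", which is what the correlation layer adds on top of the anomaly score: the same unusual behavior is more urgent when it coincides with an exit.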

Ultimately, the best approach to a comprehensive insider threat program is one that covers many bases. Insider threats are complex, but catching them doesn’t need to deplete your SOC team’s resources. 

Contact us to learn more about how Micro Focus Interset can help your organization jumpstart an insider threat program.