How to Use Log Analytics for Insider Threat Detection
In the world of enterprise security, most teams are laser-focused on defending organizational IT assets from external actors: cybercriminals, digital fraudsters, state-backed hackers, and other external adversaries.
But data on the frequency and cost of insider attacks suggests that security teams should shift their focus toward threats that originate from inside their organizations. IBM reported that insider threats are responsible for 60% of data breaches, and the average cost of an insider attack was recently estimated at $16.2 million - more than triple the average cost of a data breach.
When it comes to protecting against insider threats, log analytics is an indispensable tool for IT security teams. With a log analytics approach, security teams can centralize user behavior and security logs from across the organization, analyze the data in near real-time against established baselines and security policies, and detect suspicious or anomalous user activity patterns that might indicate an insider threat.
In this blog, we’re taking a closer look at how security teams can use log analytics for insider threat detection. We’ll explore the different types of insider threats, the subtle user behavior changes that can indicate an insider threat, and how log analytics can enable security experts to monitor those behavior changes, identify suspicious activity, and protect their organizations against insider threats.
What is an Insider Threat?
An insider threat is a cybersecurity threat that originates inside the targeted organization.
Insider threats involve an “insider”, such as an executive, employee, or contractor, whose legitimate access to company data and systems, organizational knowledge, and relationships of trust can be exploited - with or without their consent - to steal data or misappropriate financial resources from the targeted organization.
3 Types of Insider Threats You Should Know
Malicious, compromised, and negligent insiders represent three different types of insider threats that can be detected through proactive security analysis using a log analytics approach.
1. Malicious Insiders
Malicious insiders take willful actions to harm the targeted organization, often by abusing their legitimate access credentials and position of trust/authority to exfiltrate confidential information, steal valuable intellectual property, or divert funds. Examples of malicious insiders could include:
- A disgruntled former employee who steals sensitive data and leaks it publicly as retaliation for losing their job.
- A contractor who is paid by a foreign nation to steal confidential documents or IP from an organization that hired them.
Malicious insiders may use sophisticated methods to hide their activities, but using log-powered user behavior monitoring for insider threat detection can help security teams identify the subtle behavior changes that often accompany malicious behavior or misuse of privileges.
2. Compromised Insiders
Compromised insiders are users whose personal characteristics or circumstances are being exploited to initiate a cyber attack against the organization. Examples of compromised insiders might include:
- A naive employee who falls for a phishing scam.
- An employee with debt problems who is bribed by hackers to steal data or enable a data theft attack by deactivating security measures.
While they may not be personally motivated to harm the organization, compromised insiders are susceptible to manipulation and can open the door to external threats.
Security teams should strive to identify compromised insiders within their organizations by tracking user access patterns and behavior using log analytics tools with anomaly detection capabilities to uncover suspicious activity that might indicate they are being exploited.
3. Negligent Insiders
Negligent insiders expose the organization to cyber threats through negligent actions that reflect an attitude of carelessness or a lack of awareness about enterprise cybersecurity. Examples of negligent insiders might include:
- An IT employee who misconfigures a cloud server or database, inadvertently exposing sensitive company data to the public.
- An employee who ignores warnings from security systems and opens a malware file or visits a malicious domain.
Negligent insiders tend to flout established security protocols and take actions that expose the organization to security risks. IT security teams can use security logging to detect those risky actions and mitigate the risk before the negligent action results in an actual security breach.
7 Insider Threat Indicators to Monitor with Log Analytics
When it comes to detecting insider threats, the major challenge for security teams is that attackers often use legitimate credentials, which can make it difficult to differentiate normal user behavior from malicious activity.
To effectively detect these threats, security teams must continuously monitor user behavior and security logs for any anomalous activity that deviates from established patterns, including things like suspicious login behaviors, application or file access patterns, privilege escalations, and more.
Let’s take a closer look at seven common indicators of an insider threat that security teams can monitor and detect using log analytics.
1. Suspicious Login Behavior
Suspicious login behavior that deviates from established access patterns for internal networks and systems is a common indicator for a variety of both malicious and unintentional insider threats:
- A series of failed login attempts may indicate that an unauthorized person is attempting to gain access to a user’s account.
- A successful login at an unusual time may indicate that a user is trying to avoid scrutiny by conducting suspicious activities after business hours.
- A successful login from an unusual device may indicate that a user is improperly accessing their account in a way that endangers sensitive data and systems.
- A successful login from an unusual IP address may indicate that a user’s account has been compromised and is being accessed by an unauthorized person.
Security teams can aggregate user authentication logs from internal systems in a security data lake, then analyze them to establish a baseline for normal login behavior. Comparing login times, locations, devices, and failed login attempts with an established baseline enables security teams to detect suspicious login activity or anomalous logins that could indicate an insider threat.
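Here is what that baseline-and-compare logic looks like in practice. This is an added example, not ChaosSearch code or part of the original post: it assumes a simplified authentication log format (timestamp, user, result, device, source IP), uses constructed sample lines, and picks the failed-login threshold and hour padding for illustration.

```python
"""Baseline-and-compare detection over authentication logs.

Added example (not ChaosSearch code). The log format, field names and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp user result device src_ip"
HISTORY = """\
2024-03-01T09:02:11 alice success laptop-a1 10.1.4.22
2024-03-01T17:45:03 alice success laptop-a1 10.1.4.22
2024-03-02T08:58:40 alice success laptop-a1 10.1.4.23
2024-03-02T09:10:05 alice failure laptop-a1 10.1.4.23
2024-03-02T09:10:31 alice success laptop-a1 10.1.4.23
2024-03-03T10:20:00 alice success laptop-a1 10.1.4.22
""".splitlines()

# Constructed new events to evaluate against the baseline
NEW = """\
2024-03-04T02:15:09 alice success laptop-a1 10.1.4.22
2024-03-04T09:00:00 alice success kiosk-77 203.0.113.9
2024-03-04T11:00:00 alice failure laptop-a1 10.1.4.22
2024-03-04T11:00:20 alice failure laptop-a1 10.1.4.22
2024-03-04T11:00:41 alice failure laptop-a1 10.1.4.22
2024-03-04T11:01:02 alice failure laptop-a1 10.1.4.22
2024-03-04T11:01:30 alice failure laptop-a1 10.1.4.22
2024-03-04T11:01:55 alice success laptop-a1 10.1.4.22
""".splitlines()

FAILURE_THRESHOLD = 5            # failures inside the window that raise a finding
FAILURE_WINDOW = timedelta(minutes=5)
HOUR_PAD = 1                     # hours of slack around the observed login hours


def parse(line):
    ts, user, result, device, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "device": device, "ip": ip}


def build_baseline(lines):
    """Per-user devices, source IPs and hours seen on successful logins."""
    base = defaultdict(lambda: {"devices": set(), "ips": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        b = base[ev["user"]]
        b["devices"].add(ev["device"])
        b["ips"].add(ev["ip"])
        b["hours"].add(ev["ts"].hour)
    return base


def detect(baseline, lines):
    """Return (user, timestamp, reason) tuples for events that deviate from the baseline."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of failures in the sliding window
    for ev in map(parse, lines):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            failures[user] = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            failures[user].append(ts)
            # fire once, when the window first reaches the threshold
            if len(failures[user]) == FAILURE_THRESHOLD:
                findings.append((user, ts, "failed_login_burst"))
            continue
        b = baseline.get(user)
        if b is None:
            findings.append((user, ts, "no_baseline"))
            continue
        lo, hi = min(b["hours"]) - HOUR_PAD, max(b["hours"]) + HOUR_PAD
        if not lo <= ts.hour <= hi:
            findings.append((user, ts, "unusual_hour"))
        if ev["device"] not in b["devices"]:
            findings.append((user, ts, "new_device"))
        if ev["ip"] not in b["ips"]:
            findings.append((user, ts, "new_ip"))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), NEW):
        print(finding)
```

On the constructed data this flags the 02:15 login as an unusual hour, the kiosk login as both a new device and a new IP, and the run of five failures as a burst, while the final successful login from the known laptop raises nothing. In a real deployment the baseline would be built from weeks of history rather than three days, and a user with no baseline at all (a new hire, a dormant service account) is worth surfacing rather than silently skipping.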
2. Unauthorized or Unnecessary Application Usage
A malicious insider who wants to steal data from your organization may access or attempt to access secure applications that they are not authorized to use or do not normally use to perform their job duties.
- A malicious insider in IT might try to access your organization’s sales CRM to steal sensitive customer data.
- A malicious insider in Sales might try to access your organization’s payment processing system to steal credit card information.
- A malicious insider in Accounting might try to access your organization’s code repository to steal the source code for your products.
Security teams can monitor application access logs to establish which applications each user needs to perform their normal job duties, track which users are accessing which applications, and identify unauthorized or anomalous application access patterns that could indicate an insider threat.
3. Unauthorized File Access/Modification
Malicious insiders can sometimes be discovered by searching through log data for instances of unauthorized access or modifications to sensitive files. A malicious insider might modify files for a variety of reasons, including things like:
- Hiding evidence of their unauthorized activities.
- Sabotaging the organization by modifying or corrupting important databases or configuration files.
- Changing security policies or configurations to enable future attacks.
- Planting malicious code.
To improve insider threat detection, information security teams can analyze file access logs to establish baselines for normal access patterns, then monitor newly generated log data to detect abnormal access patterns or unauthorized file modifications that could indicate an insider attack.
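The application-access and file-access checks above share one pattern: compare each new access against what this user, and what this user's peers, have done before. The example below, added here and not part of the original post or ChaosSearch's product, covers both indicators (2 and 3) with one peer-group baseline. It assumes a simplified access log (timestamp, user, department, action, resource), constructed sample lines, and a constructed list of sensitive path prefixes.

```python
"""Peer-group baseline for application and file access events.

Added example (not ChaosSearch code). The log format, department names,
resource names and the sensitive-path list are constructed for illustration.
"""
from collections import defaultdict

# Constructed history: "timestamp user dept action resource"
HISTORY = """\
2024-03-01T09:00:00 alice sales read crm
2024-03-01T09:30:00 alice sales read sharedrive:/sales/q1-forecast.xlsx
2024-03-01T10:00:00 bob sales read crm
2024-03-01T10:05:00 bob sales read billing
2024-03-01T11:00:00 carol it read code-repo
2024-03-01T11:10:00 carol it modify /etc/sudoers
2024-03-02T09:00:00 alice sales read crm
""".splitlines()

# Constructed new events to evaluate
NEW = """\
2024-03-03T09:00:00 alice sales read billing
2024-03-03T09:20:00 alice sales read code-repo
2024-03-03T22:05:00 alice sales modify /etc/sudoers
2024-03-03T10:00:00 carol it modify /etc/sudoers
""".splitlines()

# Constructed list of paths whose modification is always worth a closer look
SENSITIVE_PREFIXES = ("/etc/", "sharedrive:/finance/")


def parse(line):
    ts, user, dept, action, resource = line.split()
    return {"ts": ts, "user": user, "dept": dept, "action": action, "resource": resource}


def build_baseline(lines):
    """Return (per-user, per-department) sets of (action, resource) pairs seen in history."""
    users = defaultdict(set)
    depts = defaultdict(set)
    for ev in map(parse, lines):
        key = (ev["action"], ev["resource"])
        users[ev["user"]].add(key)
        depts[ev["dept"]].add(key)
    return users, depts


def detect(baseline, lines):
    """Return (user, ts, action, resource, severity) for accesses outside the user's history."""
    users, depts = baseline
    findings = []
    for ev in map(parse, lines):
        key = (ev["action"], ev["resource"])
        if key in users[ev["user"]]:
            continue                 # consistent with this user's own history
        if key in depts[ev["dept"]]:
            severity = "low"         # peers in the same department do this routinely
        else:
            severity = "high"        # nobody in the department has done this before
        if ev["action"] == "modify" and ev["resource"].startswith(SENSITIVE_PREFIXES):
            severity = "critical"    # unbaselined change to a sensitive file
        findings.append((ev["user"], ev["ts"], ev["action"], ev["resource"], severity))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), NEW):
        print(finding)
```

With the constructed data, alice reading the billing application is rated low (a sales peer already uses it), alice reading the code repository is rated high (no one in sales does), and alice modifying /etc/sudoers is rated critical, while carol's sudoers edit is suppressed because it matches her own history. The peer-group step is what keeps a baseline like this from drowning analysts in alerts every time someone opens an application for the first time.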
4. Privilege Escalation
An insider threat will often attempt privilege escalations to increase their access to sensitive data and applications on your organization's network.
Security teams should ensure that users receive only the account privileges needed to perform their job duties. They should also use log analytics to monitor changes to user roles, account privileges, or permissions - especially changes that give one or more users elevated access to secure systems.
When a suspicious privilege escalation is identified, security teams can cross-reference the incident with authorization logs or follow up with management to determine whether the privilege escalation is legitimate.
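The cross-referencing step can be automated when approvals are recorded somewhere machine-readable (a change-ticket export, for instance). The example below is added here and is not ChaosSearch code or part of the original post; it assumes a three-level role model, a simplified IAM change log (timestamp, actor, target, old role, new role), constructed approval records with ticket ids, and an approval validity window of two days, all chosen for illustration.

```python
"""Cross-reference privilege changes against approval records.

Added example (not ChaosSearch code). Role names, the change-log format,
the approval-record format and the validity window are assumptions.
"""
from datetime import datetime, timedelta

ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}   # higher rank = more privilege
APPROVAL_WINDOW = timedelta(days=2)                   # how long an approval stays usable

# Constructed IAM change log: "timestamp actor target old_role new_role"
CHANGES = """\
2024-03-04T09:15:00 admin-svc alice viewer editor
2024-03-04T13:40:00 bob bob editor admin
2024-03-05T08:00:00 admin-svc carol admin viewer
2024-03-05T16:20:00 admin-svc dave viewer admin
""".splitlines()

# Constructed approval records (e.g. exported from a ticketing system):
# "ticket target new_role approved_at"
APPROVALS = """\
CHG-1001 alice editor 2024-03-03T15:00:00
CHG-1002 dave admin 2024-02-20T10:00:00
""".splitlines()


def parse_change(line):
    ts, actor, target, old, new = line.split()
    return datetime.fromisoformat(ts), actor, target, old, new


def parse_approval(line):
    ticket, target, role, ts = line.split()
    return ticket, target, role, datetime.fromisoformat(ts)


def find_approval(approvals, target, role, when):
    """Return the ticket id whose approval covers this grant, or None."""
    for ticket, t, r, approved_at in approvals:
        if t == target and r == role and approved_at <= when <= approved_at + APPROVAL_WINDOW:
            return ticket
    return None


def detect(change_lines, approval_lines):
    """Return (target, new_role, timestamp, reasons) for escalations that need follow-up."""
    approvals = [parse_approval(line) for line in approval_lines]
    findings = []
    for ts, actor, target, old, new in map(parse_change, change_lines):
        if ROLE_RANK[new] <= ROLE_RANK[old]:
            continue                                  # a downgrade or no change
        reasons = []
        if actor == target:
            reasons.append("self_granted")            # users should not elevate themselves
        if find_approval(approvals, target, new, ts) is None:
            reasons.append("no_matching_approval")    # no ticket, or ticket too old
        if reasons:
            findings.append((target, new, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for finding in detect(CHANGES, APPROVALS):
        print(finding)
```

On the constructed data alice's promotion is covered by CHG-1001 and generates nothing, bob's self-granted admin role is flagged on two counts, carol's downgrade is ignored, and dave's grant is flagged because the only matching ticket was approved two weeks earlier than the window allows. The stale-ticket case matters: an approval that was valid once should not remain a blanket authorization forever.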
5. Excessive Downloads
While it may be normal for some of your employees to routinely download sensitive data from your network as part of their job duties, any uncharacteristic or excessive download of sensitive data should be scrutinized as a potential insider threat.
Security teams can use log analytics software to monitor which users are normally downloading data from the network and to establish a baseline for the size, frequency, and purpose of those downloads. From there, security teams can monitor event logs to discover anomalous data downloads and determine whether they might indicate an insider threat.
6. Inappropriate Data Exfiltration
Rather than downloading a large volume of sensitive data from the company network to a local machine, a malicious insider might attempt to transfer or exfiltrate sensitive data over the Internet to an external server.
Examples of suspicious or anomalous data exfiltration might include behaviors like:
- Transferring a large number of files to an unknown external server.
- Transferring one or more large files (above a certain size) to an unknown external server.
- Transferring files to an unknown or unauthorized storage device attached to a local machine.
A malicious insider might attempt to exfiltrate sensitive data in hopes of selling it to the highest bidder, while a negligent insider might expose your organization to security risks by carelessly or mistakenly exfiltrating sensitive data to an unsecured server.
With a log analytics approach to insider threat detection, security teams can monitor data access, data transfer, and network traffic logs to detect suspicious or anomalous data exfiltration events that could indicate an internal security threat.
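Indicators 5 and 6 both come down to two questions about transfer logs: is the volume out of character for this user, and is the destination one we recognize? The example below, added here and not part of the original post or ChaosSearch's product, answers both over constructed transfer-log lines. It assumes a simplified record format (timestamp, user, destination IP, bytes), an internal address range, a constructed list of approved external hosts, and a three-standard-deviation threshold over each user's own daily volume.

```python
"""Volume-baseline detection for downloads and outbound transfers.

Added example (not ChaosSearch code). The log format, the internal network,
the approved-destination list and the 3-sigma threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed transfer log: "timestamp user dest bytes"
HISTORY = """\
2024-03-01T10:00:00 alice 10.1.0.5 52000000
2024-03-01T15:00:00 alice 10.1.0.5 48000000
2024-03-02T11:00:00 alice 10.1.0.5 61000000
2024-03-03T09:30:00 alice 10.1.0.5 55000000
2024-03-04T14:00:00 alice 10.1.0.5 50000000
2024-03-05T10:00:00 alice 10.1.0.5 58000000
""".splitlines()

# Constructed new events to evaluate
NEW = """\
2024-03-06T09:00:00 alice 10.1.0.5 54000000
2024-03-07T23:10:00 alice 10.1.0.5 900000000
2024-03-08T12:00:00 alice 203.0.113.50 300000000
2024-03-08T12:30:00 alice 198.51.100.7 1000000
""".splitlines()

INTERNAL_NETS = [ip_network("10.0.0.0/8")]
APPROVED_EXTERNAL = {"198.51.100.7"}   # constructed: a sanctioned partner upload host
SIGMA = 3                              # how many std-devs above the mean counts as anomalous


def parse(line):
    ts, user, dest, nbytes = line.split()
    return {"day": ts[:10], "ts": ts, "user": user, "dest": dest, "bytes": int(nbytes)}


def daily_totals(lines):
    """user -> day -> total bytes transferred."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in map(parse, lines):
        totals[ev["user"]][ev["day"]] += ev["bytes"]
    return totals


def build_baseline(lines):
    """Per-user (mean, population std-dev) of daily transfer volume."""
    baseline = {}
    for user, days in daily_totals(lines).items():
        vals = list(days.values())
        baseline[user] = (mean(vals), pstdev(vals))
    return baseline


def is_external(dest):
    addr = ip_address(dest)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(baseline, lines):
    """Return (user, when, reason, bytes) for unapproved destinations and volume spikes."""
    findings = []
    # Per-event check: destination outside the network and not on the approved list
    for ev in map(parse, lines):
        if is_external(ev["dest"]) and ev["dest"] not in APPROVED_EXTERNAL:
            findings.append((ev["user"], ev["ts"], "unapproved_external_dest", ev["bytes"]))
    # Per-day check: total volume against this user's own baseline
    for user, days in daily_totals(lines).items():
        mu, sigma = baseline.get(user, (0.0, 0.0))
        threshold = mu + SIGMA * sigma
        for day, total in sorted(days.items()):
            if total > threshold:
                findings.append((user, day, "volume_above_baseline", total))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), NEW):
        print(finding)
```

With the constructed history, alice's daily volume averages about 65 MB with a threshold near 119 MB, so the ordinary 54 MB day on 2024-03-06 passes, the 900 MB night-time transfer on 2024-03-07 is flagged, and 2024-03-08 is flagged twice: once for volume and once because 203.0.113.50 is an external host that is not on the approved list. The 1 MB upload to the sanctioned partner host is not reported on its own, which is the point of maintaining an approved-destination list alongside the volume baseline.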
7. Anomalous Software Installation
An insider threat may install or attempt to install unauthorized software on your network for a variety of purposes, such as:
- Installing a ransomware program to extort financial resources from your organization.
- Installing a keystroke logger program to steal sensitive data or user access credentials from other users.
- Installing remote access tools that allow the malicious insider to remotely access the network for illicit purposes.
A compromised insider within your organization might also be manipulated into installing unauthorized software on your network.
Security teams can use log analytics to monitor software installation events, detect malicious software on the network, and ensure that newly installed software programs are secure and authorized through the proper channels.
Detect Insider Threats with User Behavior Analytics Powered by ChaosSearch
To enable fast and consistent insider threat detection, security teams must aggregate security and user behavior logs from a rich variety of data sources into a centralized database where they can be analyzed at scale to detect suspicious or anomalous activity.
Organizations that rely on log analytics solutions like the open source ELK Stack or Datadog to detect insider threats often face challenges like performance bottlenecks and/or high costs when analyzing user behavior and security log data at enterprise scale. To compensate, these organizations may reduce the amount of log data they collect or analyze, a common security logging and monitoring mistake that ultimately makes it more difficult to reliably detect insider threats.
A better option for organizations seeking to defend against insider threats is Chaos LakeDB, our data lake database solution that transforms your public cloud storage into a unified live data lake for security analytics with unlimited data retention, no time-consuming data pipelines or ETL process, and cost savings of 40-80% versus Datadog or an ELK Stack.
With ChaosSearch, security teams can centralize security and user behavior logs at scale, analyze those logs to uncover patterns and establish baselines for normal user behavior, then monitor incoming log data in near real-time to detect suspicious or anomalous user activity that might indicate an insider threat.
Ready to learn more?
Download our exclusive Threat Hunter’s Handbook to learn more about detecting, identifying, and mitigating insider threats with ChaosSearch.