In the world of enterprise security, most teams are laser-focused on defending organizational IT assets from external actors: cybercriminals, digital fraudsters, state-backed hackers, and other external adversaries.
But data on the frequency and cost of insider attacks suggests that security teams should shift their focus toward threats that originate from inside their organizations. IBM reported that insider threats are responsible for 60% of data breaches, and the average cost of an insider attack was recently estimated at $16.2 million - more than triple the average cost of a data breach.
When it comes to protecting against insider threats, log analytics is an indispensable tool for IT security teams. With a log analytics approach, security teams can centralize user behavior and security logs from across the organization, analyze the data in near real-time against established baselines and security policies, and detect suspicious or anomalous user activity patterns that might indicate an insider threat.
In this blog, we’re taking a closer look at how security teams can use log analytics for insider threat detection. We’ll explore the different types of insider threats, the subtle user behavior changes that can indicate an insider threat, and how log analytics can enable security experts to monitor those behavior changes, identify suspicious activity, and protect their organizations against insider threats.
An insider threat is a cybersecurity threat that originates inside the targeted organization.
Insider threats involve an “insider”, such as an executive, employee, or contractor, whose legitimate access to company data and systems, organizational knowledge, and relationships of trust can be exploited - with or without their consent - to steal data or misappropriate financial resources from the targeted organization.
Malicious, compromised, and negligent insiders represent three different types of insider threats that can be detected through proactive security analysis using a log analytics approach.
Malicious insiders take willful actions to harm the targeted organization, often by abusing their legitimate access credentials and position of trust/authority to exfiltrate confidential information, steal valuable intellectual property, or divert funds. Examples of malicious insiders could include:
Malicious insiders may use sophisticated methods to hide their activities, but using log-powered user behavior monitoring for insider threat detection can help security teams identify the subtle behavior changes that often accompany malicious behavior or misuse of privileges.
Compromised insiders are users whose personal characteristics or circumstances are being exploited to initiate a cyber attack against the organization. Examples of compromised insiders might include:
While they may not be personally motivated to harm the organization, compromised insiders are susceptible to manipulation and can open the door to external threats.
Security teams should strive to identify compromised insiders within their organizations by tracking user access patterns and behavior using log analytics tools with anomaly detection capabilities to uncover suspicious activity that might indicate they are being exploited.
Negligent insiders expose the organization to cyber threats through negligent actions that reflect an attitude of carelessness or a lack of awareness about enterprise cybersecurity. Examples of negligent insiders might include:
Negligent insiders tend to flout established security protocols and take actions that expose the organization to security risks. IT security teams can use security logging to detect those risky actions and mitigate the risk before the negligent action results in an actual security breach.
When it comes to detecting insider threats, the major challenge for security teams is that attackers often use legitimate credentials, which can make it difficult to differentiate normal user behavior from malicious activity.
To effectively detect these threats, security teams must continuously monitor user behavior and security logs for any anomalous activity that deviates from established patterns, including things like suspicious login behaviors, application or file access patterns, privilege escalations, and more.
Let’s take a closer look at seven common indicators of an insider threat that security teams can monitor and detect using log analytics.
Suspicious login behavior that deviates from established access patterns for internal networks and systems is a common indicator for a variety of both malicious and unintentional insider threats:
Security teams can aggregate user authentication logs from internal systems in a security data lake, then analyze them to establish a baseline for normal login behavior. Comparing login times, locations, devices, and failed login attempts with an established baseline enables security teams to detect suspicious login activity or anomalous logins that could indicate an insider threat.
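One way to implement the baseline comparison described above, as an added example that is not from the original post or from ChaosSearch: the script builds a per-user baseline of login hours, locations and devices from constructed authentication log lines, then flags new logins outside that baseline and bursts of failed attempts. The key=value log format, the one-hour slack and the failure threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication logs in an assumed key=value format (not real data).
BASELINE_LOGS = [
    "2024-03-04T08:12:03Z user=alice geo=US device=alice-laptop result=success",
    "2024-03-05T09:01:44Z user=alice geo=US device=alice-laptop result=success",
    "2024-03-04T10:15:09Z user=bob geo=US device=bob-desktop result=success",
    "2024-03-05T11:40:51Z user=bob geo=US device=bob-desktop result=success",
]
NEW_LOGS = [
    "2024-03-11T02:47:19Z user=alice geo=RO device=unknown-host result=success",
    "2024-03-11T10:06:10Z user=bob geo=US device=bob-desktop result=failure",
    "2024-03-11T10:06:12Z user=bob geo=US device=bob-desktop result=failure",
    "2024-03-11T10:06:15Z user=bob geo=US device=bob-desktop result=failure",
]
HOUR_SLACK = 1         # assumed: logins within +/-1h of a baseline hour are normal
FAILURE_THRESHOLD = 2  # assumed: more than 2 failures per user in the window is suspicious

def parse(line):
    # Split "<timestamp> k=v k=v ..." into a dict and add the UTC login hour
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return ev

def build_login_baseline(lines):
    # Per user: the hours, locations and devices seen in successful logins
    base = defaultdict(lambda: {"hours": set(), "geos": set(), "devices": set()})
    for ev in filter(lambda e: e["result"] == "success", map(parse, lines)):
        b = base[ev["user"]]
        b["hours"].add(ev["hour"]); b["geos"].add(ev["geo"]); b["devices"].add(ev["device"])
    return base

def detect_login_anomalies(baseline, lines):
    # Returns (user, reason) pairs; a user with no baseline is flagged on every attribute
    findings, failures = [], defaultdict(int)
    for ev in map(parse, lines):
        user = ev["user"]
        if ev["result"] != "success":
            failures[user] += 1
            continue
        b = baseline[user]
        if not any(abs(ev["hour"] - h) <= HOUR_SLACK for h in b["hours"]):
            findings.append((user, f"login at unusual hour {ev['hour']:02d}:00 UTC"))
        if ev["geo"] not in b["geos"]:
            findings.append((user, f"login from new location {ev['geo']}"))
        if ev["device"] not in b["devices"]:
            findings.append((user, f"login from unseen device {ev['device']}"))
    for user, n in failures.items():
        if n > FAILURE_THRESHOLD:
            findings.append((user, f"{n} failed logins in window"))
    return findings
```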
A malicious insider that wants to steal data from your organization may access or attempt to access secure applications that they are not authorized to use or do not normally use to perform their job duties.
Security teams can monitor application access logs to establish which applications each user needs to perform their normal job duties, track which users are accessing which applications, and identify unauthorized or anomalous application access patterns that could indicate an insider threat.
Malicious insiders can sometimes be discovered by searching through log data for instances of unauthorized access or modifications to sensitive files. A malicious insider might modify files for a variety of reasons, including things like:
To improve insider threat detection, information security teams can analyze file access logs to establish baselines for normal access patterns, then monitor newly generated log data to detect abnormal access patterns or unauthorized file modifications that could indicate an insider attack.
An insider threat will often attempt privilege escalations to increase their access to sensitive data and applications on your organization's network.
Security teams should ensure that users receive only the account privileges needed to perform their job duties. They should also use log analytics to monitor changes to user roles, account privileges, or permissions - especially changes that give one or more users elevated access to secure systems.
When a suspicious privilege escalation is identified, security teams can cross-reference the incident with authorization logs or follow up with management to determine whether the privilege escalation is legitimate.
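The cross-referencing step described above, as an added example that is not from the original post or from ChaosSearch: each role grant in a constructed JSON-lines audit log is matched against a constructed export of approved change tickets, and grants that are self-issued, reference no approval, or reference a ticket approving a different change are reported. The event fields, ticket identifiers and the list of high-privilege roles are assumptions.

```python
import json

# Constructed privilege-change events in an assumed JSON-lines format (not real data)
PRIV_CHANGE_LOGS = [
    '{"ts":"2024-03-11T09:15:00Z","actor":"it-admin1","target":"alice","role":"finance-readonly","ticket":"CHG-1041"}',
    '{"ts":"2024-03-11T14:02:00Z","actor":"it-admin1","target":"carol","role":"domain-admin","ticket":"CHG-1042"}',
    '{"ts":"2024-03-11T22:30:00Z","actor":"bob","target":"bob","role":"db-admin","ticket":""}',
    '{"ts":"2024-03-12T08:10:00Z","actor":"it-admin2","target":"dave","role":"hr-admin","ticket":"CHG-1042"}',
]
# Constructed export of approved change tickets from the ticketing system
APPROVED_CHANGES = {
    "CHG-1041": {"target": "alice", "role": "finance-readonly"},
    "CHG-1042": {"target": "carol", "role": "domain-admin"},
}
# Assumed: roles whose unapproved grant should be escalated at high severity
HIGH_PRIVILEGE_ROLES = {"domain-admin", "db-admin", "hr-admin"}

def review_privilege_changes(log_lines, approvals):
    # Returns one finding per grant that is self-issued or lacks a matching approval
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        reasons = []
        if ev["actor"] == ev["target"]:
            reasons.append("actor granted a role to their own account")
        approval = approvals.get(ev["ticket"])
        if approval is None:
            reasons.append("no approved change ticket referenced")
        elif (approval["target"], approval["role"]) != (ev["target"], ev["role"]):
            reasons.append(f"ticket {ev['ticket']} approves a different target or role")
        if reasons:
            findings.append({
                "target": ev["target"], "role": ev["role"], "actor": ev["actor"],
                "severity": "high" if ev["role"] in HIGH_PRIVILEGE_ROLES else "medium",
                "reasons": reasons,
            })
    return findings
```

A grant that matches its ticket exactly (alice, carol) produces no finding even when the role is highly privileged; the approval record, not the role name, decides.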
While it may be normal for some of your employees to routinely download sensitive data from your network as part of their job duties, any uncharacteristic or excessive download of sensitive data should be scrutinized as a potential insider threat.
Security teams can use log analytics software to monitor which users are normally downloading data from the network and to establish a baseline for the size, frequency, and purpose of those downloads. From there, security teams can monitor event logs to discover anomalous data downloads and determine whether they might indicate an insider threat.
Rather than downloading a large volume of sensitive data from the company network to a local machine, a malicious insider might attempt to transfer or exfiltrate sensitive data over the Internet to an external server.
Examples of suspicious or anomalous data exfiltration might include behaviors like:
A malicious insider might attempt to exfiltrate sensitive data in hopes of selling it to the highest bidder, while a negligent insider might expose your organization to security risks by exfiltrating sensitive data to an unsecured server, whether carelessly or by mistake.
With a log analytics approach to insider threat detection, security teams can monitor data access, data transfer, and network traffic logs to detect suspicious or anomalous data exfiltration events that could indicate an internal security threat.
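The data-transfer baselining described above (and the excessive-download indicator before it), as an added example that is not from the original post or from ChaosSearch: daily egress per user is aggregated from constructed transfer log rows, a mean-plus-three-sigma threshold and a set of known destinations are derived per user, and new days are flagged when they exceed the threshold or send data to an unseen destination. The CSV layout, the three-sigma rule and the floor of twice the mean for users with a flat history are assumptions.

```python
import csv, io, statistics
from collections import defaultdict

# Constructed per-transfer log rows (bytes sent by a user to a destination on a day); not real data
BASELINE_CSV = """day,user,dest,bytes
2024-03-04,alice,files.corp.example,100000000
2024-03-05,alice,files.corp.example,200000000
2024-03-06,alice,files.corp.example,150000000
2024-03-07,alice,files.corp.example,250000000
2024-03-08,alice,files.corp.example,300000000
2024-03-04,bob,files.corp.example,50000000
2024-03-05,bob,files.corp.example,50000000
"""
NEW_CSV = """day,user,dest,bytes
2024-03-11,alice,upload.example.net,5000000000
2024-03-11,bob,files.corp.example,60000000
"""

def daily_totals(csv_text):
    # Aggregate bytes and destinations per (user, day)
    per_day = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = per_day[(row["user"], row["day"])]
        d["bytes"] += int(row["bytes"])
        d["dests"].add(row["dest"])
    return per_day

def build_transfer_baseline(csv_text):
    # Per user: a daily-egress threshold (mean + 3 sigma) and the set of known destinations
    series, dests = defaultdict(list), defaultdict(set)
    for (user, _), d in daily_totals(csv_text).items():
        series[user].append(d["bytes"])
        dests[user] |= d["dests"]
    baseline = {}
    for user, vals in series.items():
        mean, std = statistics.mean(vals), statistics.pstdev(vals)
        # Edge case: a flat history has std == 0 and would flag any increase at all,
        # so the threshold is never set below twice the user's mean daily egress
        baseline[user] = {"threshold": max(mean + 3 * std, 2 * mean), "dests": dests[user]}
    return baseline

def detect_exfiltration(baseline, csv_text):
    # Returns (user, day, reason) for days over threshold or transfers to unseen destinations
    findings = []
    for (user, day), d in sorted(daily_totals(csv_text).items()):
        b = baseline[user]
        if d["bytes"] > b["threshold"]:
            findings.append((user, day, f"egress {d['bytes']} bytes exceeds threshold {int(b['threshold'])}"))
        for dest in sorted(d["dests"] - b["dests"]):
            findings.append((user, day, f"transfer to previously unseen destination {dest}"))
    return findings
```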
An insider threat may install or attempt to install unauthorized software on your network for a variety of purposes, such as:
A compromised insider within your organization might also be manipulated into installing unauthorized software on your network.
Security teams can use log analytics to monitor software installation events, detect malicious software on the network, and ensure that newly installed software programs are secure and authorized through the proper channels.
To enable fast and consistent insider threat detection, security teams must aggregate security and user behavior logs from a rich variety of data sources into a centralized database where they can be analyzed at scale to detect suspicious or anomalous activity.
Organizations that rely on log analytics solutions like the open source ELK Stack or Datadog to detect insider threats often face challenges like performance bottlenecks or high costs when analyzing user behavior and security log data at enterprise scale. To compensate, these organizations may reduce the amount of log data they collect or analyze, a common security logging and monitoring mistake that ultimately makes it more difficult to reliably detect insider threats.
A better option for organizations seeking to defend against insider threats is Chaos LakeDB, our data lake database solution that transforms your public cloud storage into a unified live data lake for security analytics with unlimited data retention, no time-consuming data pipelines or ETL process, and cost savings of 40-80% versus Datadog or an ELK Stack.
Download our exclusive Threat Hunter’s Handbook to learn more about detecting, identifying, and mitigating insider threats with ChaosSearch.