Like it or not, your greatest risk is already on the payroll. When internal users with trusted access to data are careless, become compromised or have malicious intent, enterprise data is exposed. Just ask the CIA.
Detecting insider threats, however, is challenging for organizations due to the combination of increased personal digital activities (think web, mobile and cloud-based applications) and more access to enterprise data than ever before. Since internal users have legitimate access to valuable information, it’s difficult for organizations to discern between appropriate data access and a true insider threat incident.
Use these seven steps as a guide to help detect and contain insider threats:
#1 – Discover and classify sensitive data
Consistent discovery and classification of sensitive data is mandatory. You can’t rely on data owners to do consistent data classification using a manual process, and it’s simply not scalable. Ideally, you need to establish a large number of predefined data types and support the definition of custom data types. Data classification tools allow you to automatically and repeatedly identify business critical information that’s exposed to insider risk. You also want to prioritize certain sensitive data types based on the risk exposure to your organization.
Classification tools can automatically scan the database for sensitive information.
#2 – Monitor all user access to data
Successful monitoring should track all users (not just privileged users) who access databases and network ﬁles. By monitoring the who, what, where, and when, and identifying and isolating abnormal behavior, you can evaluate risk tolerance and respond appropriately. Leveraging built-in native auditing tools is costly and won’t ensure that you’re capturing all of the important details about how users are interacting with your sensitive data.
Granular data access monitoring shows all the details about user access to files or databases.
#3 – Define and enforce organizational policies
Policy enforcement allows you to immediately prevent unwanted data access behavior and enforce separation of duties. Policies should cover both security and compliance requirements with the flexibility and scalability that matches your needs. With an easy-to-use policy management system, you can process rule sets across data repositories.
Defined policies look for specific behavior. For example, users may not retrieve more than 10 credit card numbers.
#4 – Leverage advances in artificial intelligence detect unknown threats against enterprise data
Machine learning can accurately uncover unknown threats against your data by sifting through massive amounts of detailed data access logs. This technology allows security teams to establish a behavioral baseline of user access to data and quickly identify inappropriate or abusive data access. This allows you to filter through the sea of noise generated by alerts and proactively identify the truly worrisome data access incidents. Malicious users, who have valid access to enterprise data and have the intent to deliberately steal classified, confidential, or sensitive data with the intent to cause damage, can be identified early. Machine learning also helps identify compromised or careless user behaviors that have the potential to expose the business to massive data losses.
Imperva CounterBreach uses machine learning to identify suspicious data access. When an incident is detected, security teams can see what occurred and what influenced the severity of the incident.
Users can drill down into the specific operations that caused the incident to occur.
CounterBreach also displays the typical behavior, so that SOC teams have full content into the incident.
#5 – Use interactive analytics tools to investigate security incidents
Your security teams should be able to quickly drill down and understand all data access activities of individual users in order to investigate incidents that are identified using machine learning. With the right solution, you should be able to analyze, correlate, and view database activity from virtually any angle with just a few mouse clicks. This allows you to easily identify trends and piece together patterns that may conceal security risks or compliance problems. Audit tools should make it simple to analyze failed logins, identify attack sources, investigate unauthorized operations, and track privileged operations.
#6 – Quarantine risky users
Once you identify suspicious data access incidents, you want to drill down into the audit trail to perform forensics then decide whether or not to quarantine a user from accessing data repositories until the investigation is complete. Granular policies allow you to block access to speciﬁc data and proactively prevent or contain data breaches.
#7 – Generate reports to document security events
Accurate reporting on all insider-related security incidents provide an understanding of your overall security posture and allow you to provide detailed information to management. In addition to graphical dashboards, pre-defined reports should be available in the solution as and offer the flexibility to create custom reports.
Run PDF reports to document incidents.
To learn more about effective insider threat mitigation and Imperva’s unique approach to threat management, see our complete library of threat protection resources.