How to Automatically Detect and Mitigate Insider Threats

What is an insider threat?

The term “insider threat” typically conjures up a rogue employee performing malicious actions, like Elliot Alderson from Mr. Robot. In reality, 95% of security breaches are caused by human error, usually as a result of poor security practices such as falling for a phishing email or unknowingly clicking a bad link laced with malware. This type of inadvertent, non-malicious data breach is the most common type of insider threat, although there are also cases where an employee tries to steal company data for personal gain or to sabotage the company. The Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as an insider who uses their authorized access to knowingly or unknowingly cause harm to company resources through espionage, terrorism, corruption, sabotage, unauthorized sharing, or unintentionally leaking data.

Did you know that Director-level employees are the most likely to take data with them to a new job? A staggering 68% of these directors intentionally broke company policy by stealing data when they changed jobs, compared to 46% of non-director employees. Why is this important? Because no one in an organization should be overlooked, regardless of their title or seniority. Although the most common insider threats are unintentional and purely accidental, security teams should never let their guard down.

Whether an insider threat stems from poor security hygiene, a malicious employee, or perhaps a third-party contractor who negligently or purposefully exposed company data, all insider threats should be treated with the same level of urgency and attention. Let’s talk about how security teams today are (or are not) detecting and responding to insider threats.


How are security teams currently tackling insider threats? 

Depending on your company size, maturity, industry, and budget for security tools, insider threat detection and mitigation can vary greatly between organizations. But one thing holds true: data is everywhere. As companies adopt more and more technologies to run their operations, through digital transformation and by harnessing the cloud, data is the lifeblood. In fact, companies on average are using 80 separate SaaS applications to support business functions and store sensitive data. These applications potentially hold treasure chests of data that, if not monitored effectively, can inadvertently or intentionally be leaked through insider threat activity.

There are a few scenarios of how security teams are tackling insider threats:

  • Security Team A has all of the tools, budget, and resources to monitor insider threats. They can afford the most expensive shiny new things, hire the most technical people, and have a dedicated SOC running 24 hours a day, every day, all year long. 
  • Security Team B has some monitoring tools, a much smaller budget, and runs a lean, much lower-staffed security team.
  • Security Team C is a small team, maybe even an army of one. They may not have the budget for any monitoring tools so they use the native security tools from applications and take a minimal approach to protect their infrastructure. 

No matter which scenario your security team relates to the most, all teams are facing the same issues:

  • There is too much data.
  • There is not enough time in the day to understand this data.
  • Normalizing and correlating this data across different applications is no easy feat.
  • The insights available don’t offer enough context or valuable information to connect the dots.
  • “I don’t know what I don’t know.” 

Security teams are simply outgunned, outmanned, and outnumbered. To make matters worse, monitoring tools on the market today don’t offer much reprieve.

What are the problems with traditional insider threat detection tools?

Traditional platforms that monitor insider threats and UBA tools are expensive.

Expensive to purchase, expensive to set up, and expensive to maintain. Buying this type of tool may be an option for some security teams. Still, the technical expertise, time, and professional-services hours required can add up to 6 months before any real value is seen, which realistically isn’t a viable option for most teams. And that’s not all: these traditional tools require constant maintenance and upkeep, which means more money.

Traditional platforms that monitor insider threats and UBA tools fall short of tracking abnormal behaviors across multiple applications.

One of the biggest challenges for traditional insider threat monitoring platforms, sometimes referred to as user behavior analytics (UBA), is identifying abnormal behaviors as they happen across different applications. It’s common for organizations to use more than one productivity suite (think MS 365 or Google Workspace); they may use one or more of the major clouds (such as AWS, GCP, and Microsoft Azure) and perhaps a CRM, such as Salesforce. Traditional tools can give you basic visibility into what’s happening within your productivity suites. However, correlating and normalizing data across different applications, and connecting the dots to make sense of what is going on across your environment, is tedious and time-consuming to set up. It’s also costly and usually results in security teams being bombarded with false-positive alerts.


Traditional platforms that monitor insider threats and UBA cause alert fatigue and aren’t transparent.

Traditional platforms that monitor insider threats and UBA take a black-box approach, which essentially means there are machine-learning algorithms creating alerts behind the scenes that the end-user has no visibility into. These algorithms can take months to understand normal behavior before they begin filtering out false-positive alerts, also known as “noise.” But how do end-users know if the data produced from these tools is true and accurate? It’s difficult to trust these approaches when there is no transparency into how insights are populated. False positives and alert fatigue aren’t just annoying. There can be significant security risks if alerts fall by the wayside. So what exactly should these tools be looking for when detecting insider threats?


What to look for when detecting insider threats

Whether an insider threat stems from poor security hygiene or from a malicious employee or third-party contractor, there are multiple detection methods that can and should be used to detect this type of activity. How to respond to an insider threat is a different topic, so let’s focus on the ways to stop them from the start by understanding how Fletch detects insider threats:

Usage Frequency

Usage frequency is one of the methodologies used to detect insider threats and is usually the leading indicator of suspicious activity along an attacker’s journey. Specific types of activity included here are:

  • More login failures than normal
  • More login activity than normal
  • More login activity to new applications than normal
  • More successful activity with objects (such as files and folders) than normal
  • Increased activity (including failures) across more objects (such as files and folders) than normal
  • Sharing more content than normal
  • Changing more content than normal
  • Performing more new commands than normal
  • Touching more new content than normal
  • Downloading more objects (such as files and folders) than normal
  • Downloading more data than normal

These behaviors are all considered high-risk. They can mean that a user is trying to access more resources than they are authorized to, performing reconnaissance of high-value data, or exfiltrating content outside the company, and they may indicate that the account has been compromised. There may well be business justifications for these high-risk behaviors; however, that should not be assumed. Instead, the activity should be investigated further and correlated with other insider threat indicators, such as where users are accessing systems and data from.

Usage Location

To effectively detect insider threats, it is critical to understand where users are logging in and accessing information. Even in a remote workforce, most users typically access data and applications from a small number of known locations. If a user is accessing information from multiple new locations without business justification, this could signal an account compromise. 

Specific types of activity that should be tracked include:

  • Logins from suspicious locations that are associated with hacker groups
  • Logins from previously unknown cities, regions, states, or countries
  • Concurrent logins from multiple IP addresses
  • Concurrent logins from multiple countries
  • Logins from new IP addresses
  • Logins from new locations

These types of behaviors are indicators of insider threat activity and can mean an account has been compromised. A cyber attacker will try to access your environment from their current location because they most likely don’t know or don’t care where the true account holder is located. Time is of the essence when it comes to this type of activity, so it’s important to monitor usage location while also looking at other indicators, such as when applications and data are being accessed.

Time-of-Day Usage

As a general rule of thumb, regardless of the time zone a user resides in, each account holder has a set of core working hours. Whether the offender is a malicious employee, an unintentionally compromised account, or someone using a third-party contractor’s stolen credentials, abnormal time-of-day usage can identify high-risk activity such as:

  • Logins outside of their normal working hours
  • Successful activity outside of their normal working hours
  • Failed activity outside of their normal working hours

These types of high-risk behaviors can indicate that an account has been compromised. The attacker may not know or care when a user’s normal working hours are and could be performing suspicious activity entirely outside of the user’s typical working hours. More sophisticated attackers will subvert an account and hold off performing any activities until the security team is at a lower staffing level, such as during weekends or on a holiday. Other sophisticated behaviors can be seen when attackers take over an administrative account and change policies.

Role or Policy Usage

Regardless of whether an insider threat is a malicious employee or the result of a user’s account being unintentionally compromised, many sophisticated attackers tend not to reveal themselves through the nefarious activity they perform. Instead, they may create disposable credentials to cover their tracks. It’s important to note that there are legitimate business reasons why some administrative users can create sub-accounts or disposable credentials, such as a recently promoted employee who needs updated role or policy privileges; however, this should be confirmed as part of the security process and not assumed. Other types of high-risk activity to look for with this method include:

  • Third-party users that gained administrative access
  • Modifying user roles
  • Modifying policies

These high-risk behaviors can indicate that an account with elevated administrative privileges has been compromised, which is especially important since this type of user typically has access to all company data and systems and has the ability to create accounts, delete accounts, and change company-wide policies.

Although just one of the indicators mentioned from the four different methods can be alarming, most true insider threats, whether malicious or unintentional, will convey multiple high-risk behaviors when trying to access and exfiltrate sensitive information. This is where Fletch comes in. We’re changing the game of detecting and mitigating insider threats by stopping cyber attackers at the pass. 
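As an added illustration (not Fletch’s code, and not a description of its actual algorithms), the following script baselines each account on an earlier period and flags the four kinds of deviation described above over constructed sample events, then ranks accounts by how many behaviors were flagged. The event layout, the thresholds, and the set of privileged actions are assumptions.

```python
from collections import defaultdict
from datetime import datetime

EVENTS = [  # constructed sample events, not real logs: (user, UTC time, action, country, success)
    ("alice", "2021-08-02T09:05", "login", "US", True),   # baseline: US, office hours
    ("alice", "2021-08-03T10:12", "login", "US", True),
    ("alice", "2021-08-04T16:40", "file_download", "US", True),
    ("alice", "2021-08-09T03:10", "login", "RO", False),  # window: new country, 3am, failures
    ("alice", "2021-08-09T03:11", "login", "RO", False),
    ("alice", "2021-08-09T03:13", "login", "RO", True),
    ("alice", "2021-08-09T03:20", "modify_role", "RO", True),
    ("bob", "2021-08-02T08:50", "login", "DE", True),     # bob: unremarkable throughout
    ("bob", "2021-08-03T09:55", "login", "DE", True),
    ("bob", "2021-08-09T09:02", "login", "DE", True),
]
CUTOFF = datetime(2021, 8, 8)  # events before this form the baseline, the rest the window
PRIVILEGED = {"modify_role", "modify_policy", "grant_admin"}  # assumed role/policy actions

def profile(events):
    # Summarise one user's events into the four baseline dimensions
    hours = [datetime.fromisoformat(t).hour for _, t, *_ in events]
    return {"failures": sum(1 for e in events if e[2] == "login" and not e[4]),
            "countries": {e[3] for e in events},
            "hours": (min(hours), max(hours)) if hours else (0, 23),
            "actions": {e[2] for e in events}}

def risk_profiles(events, cutoff=CUTOFF):
    """Return {user: sorted flagged behaviours} comparing the window to the baseline."""
    by_user = defaultdict(lambda: {"base": [], "window": []})
    for e in events:
        period = "base" if datetime.fromisoformat(e[1]) < cutoff else "window"
        by_user[e[0]][period].append(e)
    result = {}
    for user, parts in by_user.items():
        base, win = profile(parts["base"]), profile(parts["window"])
        lo, hi = base["hours"]
        flags = set()
        if win["failures"] > max(1, 2 * base["failures"]):   # usage frequency
            flags.add("login_failures")
        if win["countries"] - base["countries"]:              # usage location
            flags.add("new_country")
        if any(not lo <= datetime.fromisoformat(t).hour <= hi for _, t, *_ in parts["window"]):
            flags.add("off_hours")                            # time of day
        if (win["actions"] & PRIVILEGED) - base["actions"]:   # role or policy
            flags.add("privilege_change")
        result[user] = sorted(flags)
    return result

def ranked(profiles):
    """Accounts ordered by number of abnormal behaviours, most first (ties by name)."""
    return sorted(profiles, key=lambda u: (-len(profiles[u]), u))
```

Because each flag is a separate dimension, a single surfaced account carries its evidence with it, which is the transparency the black-box critique above asks for.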


How Fletch automates insider threat detection and mitigation

Fletch addresses one of the biggest gaps in traditional insider threat and UBA tools: the ability to look holistically across different applications and connect the dots to see how a user behaves. Other ways Fletch is revolutionizing how insider threats are detected include:

Fletch dynamically creates risk profiles.

Fletch triangulates thousands of activities and events for each user account using four different methodologies and 20 types of behaviors. Fletch baselines each user account’s historical activity and alerts security teams to risky and anomalous behaviors outside the normal range. Instead of sending an alert for each flagged behavior, Fletch helps security teams prioritize efforts by surfacing the user accounts flagged for the largest number of abnormal behaviors across your applications. Say goodbye to the days of sifting through alert after alert.

Fletch follows industry-leading frameworks and best practices.

Fletch helps protect against insider threats while also helping security teams answer many compliance questions related to protecting customer data. There is a common set of controls that must be evidenced to an auditor when being certified against frameworks such as SOC 2, HITRUST, or ISO 27001. Sifting through audit logs can be extremely time-consuming, especially for resource-strapped security teams. Fletch helps security teams provide evidence and prove they are in compliance by following industry-leading frameworks such as those of the Cloud Security Alliance (CSA) and the National Institute of Standards and Technology (NIST), and much more.

Fletch is instantly effective.

When we say Fletch is easy to set up, we mean it. Fletch is turnkey and takes only 15 minutes to set up. All you need to do is provide a read-only access key for the applications we support, and Fletch will do all the work for you. There is zero heavy lifting on your part. Fletch will index, normalize, and triangulate information, run queries, establish baselines and risk profiles, identify trends, and highlight key behaviors for you. Within days, you’ll get fully automated intelligence covering the last 30 days.

Let’s say it louder for those in the back: Get started in 15 minutes, and you’ll have full visibility and understanding of your applications within days (not months).

Fletch makes investigation simple - with one click of a button

Picture these scenarios: 

  • An employee alerts the security team that they may have clicked on a phishing link. 
  • A third-party contractor lost their single-sign-on device.
  • An employee from the sales team has been fired and they have until the end of the day to wrap up work.

Now picture the steps you’d typically take to investigate and respond to these scenarios. The countless hours spent checking each of the applications the associated user has access to. The cycles spent resetting passwords, removing access, and determining if any high-value assets were compromised. Picture having to deprioritize and reshuffle your security team’s efforts to respond to each of these incidents and realizing how much time is lost just on investigation. Every. Single. Day.

Fletch is reimagining cybersecurity investigation through one-click search technology. Security teams must move faster than ever, and with Fletch, you can. Simply type in a user’s name or email address, click, and instantly see the user’s behavior across your workforce environment. Investigate potential insider threats, whether malicious or unintentional, with the click of a button and know which accounts, systems, assets, and content to prioritize first.

Fletch is affordable

Fletch is affordable because machines take care of the mundane and monotonous work so you can get the intelligence you need to focus on important problems, like stopping insider threats before they become a real issue. 

The Insider Threat Detection solution is affordable at $1/user account/month. For example, if you have 100 Google Workspace user accounts, we charge $100 per month. The most recent data has found companies spend $644,582 to resolve a single insider threat incident. With Fletch’s affordable and easy-to-understand pricing, now any security team, or an army of one, can afford to detect and defend against insider threats. 

To learn more, watch this video in which our CEO & Co-Founder and VP of Technology share how Fletch automates insider threat detection.

Get started with Fletch today

We believe there is a better way, a more human-centric, inclusive, automated, and affordable way to detect and mitigate insider threats. Are you ready to instantly detect and protect your organization against insider threats? It only takes one rogue employee or a single account compromise to result in a data breach, so don’t wait. Use Fletch to combat insider threats today.

If you are interested in learning more about what Fletch is capable of, join our waitlist today for FREE access. Fletch will launch on September 1, 2021.