
Simplifying Insider Risk Investigations with Fletch

Today’s businesses operate in an increasingly challenging digital landscape, with hackers, viruses, and insider attackers lurking around every corner. Insider threats fall broadly into two categories: malicious insiders, and non-malicious insiders who unintentionally expose confidential information. Both are also known as trusted insiders, because they already hold the access needed to reach sensitive data or systems.

CISA has published an entire guide to mitigating insider risk, and we've discussed how mid-market organizations can get started building their insider risk program. While all of the cloud-based productivity suites and single sign-on (SSO) products have consoles that let you search through user information to respond to insider risk, many small and medium-sized enterprises (SMEs) don't have the security expertise or the advanced tools to launch an insider risk investigation once the need arises. Simply knowing what to look for and what to filter out is difficult for the inexperienced, and even when teams know what to look for, extracting that data from the security consoles can be clunky and time-consuming.

To illustrate this, take a look at the Google admin console in the image below. Would your team know which categories under "Audit and investigation" are useful in an insider threat investigation?

The console will allow you to download the data to a CSV, but in the middle of an incident, you really do not want to be learning how to do security analytics with spreadsheets (see https://datachant.com/2016/01/03/excel-for-security-analysts-intro/).

As a guide, here's a list of some of the more common indicators of potential insider risk that an investigator might look for:

  • Unusual activity for the account, such as large amounts of data being sent or received from a new location.
  • Unusual changes made by accounts.
  • Unusual files accessed by or downloaded to the account.
  • Unusual command activity.
  • Unusual app access.

Finding these indicators means first collecting all the relevant logs, then applying some operator to that data to surface patterns within it. Grouping data to show the largest volumes, the rarest values, or deviations from the norm measured in standard deviations are some of the more common analytics to apply. Presenting the results as graphs and tables also helps an analyst spot patterns in the data.
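The three analytics just described (a per-user volume baseline, a new-location check, and a rarest-values grouping) run over a constructed activity log, as an added example that is not Fletch's code and makes no claim about how Fletch implements them; the user names, locations, and byte counts are invented sample data.

```python
import statistics
from collections import Counter

# Constructed sample activity log (not real data): one row per user per day.
# Fields: user, day, location, bytes_sent, action
EVENTS = [
    ("bob@example.com", 1, "Denver", 120, "login"),
    ("bob@example.com", 2, "Denver", 150, "login"),
    ("bob@example.com", 3, "Denver", 130, "login"),
    ("bob@example.com", 4, "Denver", 140, "login"),
    ("bob@example.com", 5, "Denver", 110, "login"),
    ("bob@example.com", 6, "Lagos", 5000, "share_external"),  # day under review
    ("karen@example.com", 1, "Denver", 200, "login"),
    ("karen@example.com", 2, "Denver", 210, "login"),
    ("karen@example.com", 3, "Denver", 190, "download"),
    ("karen@example.com", 4, "Denver", 205, "login"),
    ("karen@example.com", 5, "Denver", 195, "login"),
    ("karen@example.com", 6, "Denver", 205, "login"),
]

def baseline(events, user, before_day):
    """Per-user baseline built only from days strictly before `before_day`:
    mean and population stdev of bytes_sent, plus the set of locations seen."""
    rows = [e for e in events if e[0] == user and e[1] < before_day]
    if not rows:
        raise ValueError(f"no baseline history for {user}")
    volumes = [e[3] for e in rows]
    return statistics.mean(volumes), statistics.pstdev(volumes), {e[2] for e in rows}

def flag_day(events, user, day, sigma=2.0):
    """Findings for `user` on `day` that deviate from that user's own baseline.
    A stdev of 0 (perfectly flat history) still flags any volume above the mean."""
    mean, stdev, known_locs = baseline(events, user, day)
    findings = []
    for _, _, loc, volume, _ in (e for e in events if e[0] == user and e[1] == day):
        if loc not in known_locs:
            findings.append(f"new location: {loc}")
        if volume > mean + sigma * stdev:
            findings.append(f"volume {volume} exceeds baseline {mean:.0f} by more than {sigma} sigma")
    return findings

def rarest_values(events, field, n=2):
    """Least common values of one field across the whole log (ties broken alphabetically)."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for user in ("bob@example.com", "karen@example.com"):
        print(user, flag_day(EVENTS, user, 6) or "nothing unusual")
    print("rarest actions:", rarest_values(EVENTS, 4))
```

Karen's day-6 volume sits inside her baseline and her location is known, so she produces no findings, while Bob's day 6 trips both the new-location and the volume checks.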
 
Large enterprises will often spend months just setting up the logging infrastructure and processes required to do investigations across the massive amount of data those organizations generate, and hire dozens of people to manage it. Mid-market organizations often don't have the time, resources, or budget for this type of project. That's where Fletch can help.
 
Fletch was designed to let anyone search for the indicators of insider risk without advanced security knowledge, advanced security tools, or an extensive data aggregation infrastructure. Anyone, whether the president of the company, a mid-tier business analyst, or an IT administrator, can look for indicators of insider risk by asking simple questions in plain English. Fletch answers those questions in seconds by automatically building tables, visualizations, views, and details designed by security experts to give you the answers you need quickly.
 
Has Bob in accounting been behaving oddly? Asking a simple question like "Show me bob@yourcompany.com activity for the last 30 days" gives you not only all the relevant activity but also how that activity compares to Bob's baseline. Did Karen in accounts payable open an email she suspects was a phishing attempt? Asking "Show me all the objects modified by Karen today" gives you the analytics you need to see whether her system has started behaving in unusual ways.
 
Here are some examples of the output Fletch creates on the fly in response to those kinds of questions.

Setting up Fletch is straightforward: it only requires read-only access to the APIs of your cloud productivity suites and single sign-on platforms. With the help of the system administrators of those environments, you could be running your own investigations in less than an hour.
 
Fletch is free to try, and you can sign up here.