The Fletch Insider Risk App

One of the most pressing questions on every security leader's mind is whether their company faces insider threats. Whether the cause is human error, poor security hygiene, or malicious intent by an employee, a third-party contractor, or an attacker who has taken over their credentials, insider threat incidents involve “individuals misusing access to networks and assets from within the organization. These individuals have the potential to wittingly or unwittingly disclose, modify and delete sensitive information” (in other words, “data loss”).

According to a report by IBM, 60% of organizations had more than 20 insider incidents a year, and on average, companies spend $644,582 to resolve an insider threat incident. Products like Google Workspace and Microsoft 365 are the core of daily work and the gateway through which most organizations log in to the rest of their SaaS products. Some of an organization's most critical and high-value assets are hosted inside these platforms, which is often where a bad actor starts their journey to steal data. That journey usually unfolds in stages, with the more serious blows landing after a period of reconnaissance.

Because insider attacks consist of the same kinds of actions as legitimate work, security specialists struggle to make headway on data loss prevention (DLP). Industry expert Darien Kindlund will tell you the reconnaissance period is the key to catching insider attackers before high-value assets are lost. The trick, he says, is detecting that small deviations from an individual's normal activity are occurring across multiple types of key actions or behaviors at once.

In contrast, the industry has too often relied on live alerts for isolated, generic “risky behavior” in the fight against insider threats. Perhaps the most common is the “Impossible Traveler”, which alerts when a user logs in from multiple countries at the same time. More sophisticated alerts are based on black-box machine learning algorithms that compare signals from a user account to those of a cohort (for example, the user's department). In both cases the alerts fire on individual actions and provide no context about the assets at risk.
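For reference, this is what the impossible-traveler rule mentioned above actually computes: the implied speed between two consecutive logins of the same user. It is an added example, not code from this page or from Fletch or any other product; the login events, the 900 km/h cut-off and the field names are constructed for the illustration.

```python
import math
from datetime import datetime

# ASSUMPTION: anything faster than a long-haul airliner is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.

    events: dicts with user, ts (ISO 8601 with UTC offset), lat, lon, country.
    Returns one finding per offending pair. Note what the rule looks at: two
    login events and nothing else, no assets, no history of the user.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            elapsed = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = max(elapsed.total_seconds(), 1.0) / 3600.0  # floor at one second
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["country"], "to": cur["country"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


# Constructed login events (not real data); coordinates are approximate city centres.
LOGINS = [
    {"user": "alice", "ts": "2024-03-04T09:00:00+00:00", "lat": 53.35, "lon": -6.26, "country": "IE"},
    {"user": "alice", "ts": "2024-03-04T09:40:00+00:00", "lat": 1.35, "lon": 103.82, "country": "SG"},
    {"user": "bob", "ts": "2024-03-04T08:00:00+00:00", "lat": 51.51, "lon": -0.13, "country": "GB"},
    {"user": "bob", "ts": "2024-03-04T18:30:00+00:00", "lat": 40.71, "lon": -74.01, "country": "US"},
]

if __name__ == "__main__":
    for f in impossible_travel(LOGINS):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['km']} km in {f['hours']} h ({f['kmh']} km/h)")
```

alice's Dublin-to-Singapore pair (about 11,200 km in 40 minutes) is flagged; bob's London-to-New York pair (about 5,570 km in 10.5 hours) is a plausible flight and is not. The rule knows nothing about what either account touched, which is the limitation the paragraph above describes, and in practice a VPN or cloud proxy egress point is enough to trigger it.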

This approach fails at both ends of the spectrum: the high rate of false positives leads to extreme alert fatigue for analysts, while many incidents are still uncovered only after the fact. The reason is fundamental. Identifying insider threats is inherently difficult for two reasons: truly risky behavior cannot be told apart from legitimate variation on the basis of one action on one day, and it cannot be told apart at the cohort level either.

Moreover, removing the human from the loop is far-fetched at the moment. Given the time and technical skill needed today to connect the dots and surface the context behind any given alert (or confirmed incident), most small businesses are at a loss.

Fletch’s Insider Risk App

That’s why we built the Fletch Insider Risk app. It is rooted in three basic principles: proactive, easy to understand, and simple to set up. That is the inverse of most DLP and user behavior analytics (UBA) products on the market, which are reactive, hard to use, and harder to set up.

Proactive means focusing on exposing threats during the attacker’s reconnaissance phase, not once data is out the door.

Easy to understand means that our simple UI is fast to scan and easy to take action on. 

Simple to set up means it only takes minutes to connect the data needed and Fletch handles all of the data plumbing for you. 

Starting from basic principles, we give organizations the visibility they need to quickly get a snapshot into their whole population, see who’s not acting like themselves, and dive into anyone with a click.

How this works

Every day, the Insider Risk app works through thousands of data points to analyze changes in daily activity levels across 15+ behaviors for each user account over the past week. Changes are calculated by comparing activity levels during the last week to past levels, using the previous 30 days as the baseline, or typical range. The amount of change across all behaviors is aggregated into one measure, which accounts for how many behaviors deviated unusually high and how far each deviation rose above past levels. Finally, each user account is assigned a variability level by comparing its aggregate deviation across all behaviors to the top 5% and 10% of all user accounts over the last 30 days.

Using the method above and a unique UI, the Insider Risk app provides three key advantages: individual user analyses, interpretable metrics and context at your fingertips.

Individual user analysis

While there are some generic risky behaviors, such as the impossible traveler, most insider threats leave a trail of deviations from the user’s typical behavior, and what counts as typical is inherently specific to the user. For example, touching 5 new files in a day could be a significant increase for a software engineer who usually interacts only with Jira, Slack and GitLab, while touching 5 new files per day could be the norm for a product manager.

Going beyond department similarities, one user could typically download 4 files per day, perhaps to cope with unstable internet at their cabin, while another could almost never download files. The Fletch Insider Risk app maintains a historical typical range for each user and each monitored behavior, built from that user’s own activity only. By comparing activity levels in the most recent week to that historical typical range, the app surfaces who is not acting like themselves rather than whose activity levels exceed arbitrary thresholds, thresholds that the same users could routinely and legitimately cross.

Interpretable metrics

Every step of the analysis in the Fletch Insider Risk app is interpretable and transparent, and the UI pulls them together to help you quickly understand the data. Starting with the 15+ plainly named behaviors the app monitors, the typical range maintained on each behavior is built using simple but powerful statistics. For each behavior and each user, the typical range is the range between the 25th and 75th percentile of daily activity on that behavior over the 30 days preceding the monitored week. The app compares the maximum daily activity on each behavior during the monitored week to that typical range, then aggregates all deviations into one measure that accounts for both the number of behaviors above the typical range and the size of each increase.

The UI surfaces the comparisons across all behaviors in a visually intuitive way, allowing you to quickly scan and triage.

The aggregated deviation surfaces in the UI as a variability level, assigned to each user by comparing their aggregate deviation across all behaviors to the top 5% and 10% of all user accounts over the last 30 days. These levels show, on the one hand, whether an organization currently has a high potential for insider threat and, on the other, how to triage user accounts for further investigation or a watchlist.
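A worked version of the scoring described in "How this works", "Individual user analysis" and "Interpretable metrics", added here as an example; it is not Fletch's code. Where the page states a detail (a 30-day baseline, a typical range from the 25th to the 75th percentile of daily counts per user and behavior, the monitored week's maximum compared with that range, an aggregate that reflects both how many behaviors exceeded the range and by how much, and levels cut at the top 5% and 10% of the population) the code follows it. The magnitude formula, the way count and magnitude are combined, the exact level cut-offs, the behavior names and every daily count are assumptions constructed for the example and marked as such.

```python
"""Per-user behavioral baseline scoring modelled on the method this page describes.

Added example, not Fletch's code. Everything the page leaves unspecified is an
ASSUMPTION, marked in the comments.
"""
import math

BASELINE_DAYS = 30
WEEK_DAYS = 7


def percentile(values, p):
    """p-th percentile with linear interpolation between sorted neighbours."""
    s = sorted(values)
    if not s:
        raise ValueError("no values")
    k = (len(s) - 1) * p / 100.0
    lo, hi = math.floor(k), math.ceil(k)
    if lo == hi:
        return float(s[lo])
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def typical_range(baseline):
    """The page's typical range: 25th to 75th percentile of the baseline days."""
    return percentile(baseline, 25), percentile(baseline, 75)


def behaviour_deviation(daily_counts):
    """Score one (user, behavior) series: 30 baseline days followed by 7 monitored days."""
    assert len(daily_counts) == BASELINE_DAYS + WEEK_DAYS
    baseline, week = daily_counts[:BASELINE_DAYS], daily_counts[BASELINE_DAYS:]
    low, high = typical_range(baseline)
    peak = max(week)  # the page compares the week's maximum daily level to the range
    # ASSUMPTION: magnitude is the excess over the 75th percentile measured in
    # inter-quartile ranges, floored at 1 so a flat baseline (IQR 0) neither divides
    # by zero nor turns a one-count blip on a rarely used behavior into a huge score.
    iqr = max(high - low, 1.0)
    magnitude = (peak - high) / iqr if peak > high else 0.0
    return {"range": (low, high), "week": week, "peak": peak,
            "above": peak > high, "magnitude": magnitude}


def user_aggregate(behaviours):
    """Aggregate across all behaviors. ASSUMPTION: the page says the measure reflects
    both the number of behaviors above range and the size of each increase, but not
    how they combine; here it is that count plus the sum of the magnitudes."""
    details = {name: behaviour_deviation(series) for name, series in behaviours.items()}
    n_above = sum(1 for d in details.values() if d["above"])
    total = n_above + sum(d["magnitude"] for d in details.values())
    return total, details


def variability_levels(population):
    """Map each user's aggregate to a level against the whole population.
    ASSUMPTION: 'high' at or above the 95th percentile of aggregates, 'elevated' at or
    above the 90th, otherwise 'normal'. Cut-offs only mean something with a realistically
    sized population; three users is enough to show the mechanics, not to tune it."""
    scores = {u: user_aggregate(b)[0] for u, b in population.items()}
    p90 = percentile(scores.values(), 90)
    p95 = percentile(scores.values(), 95)

    def level(s):
        return "high" if s >= p95 else "elevated" if s >= p90 else "normal"

    return {u: (s, level(s)) for u, s in scores.items()}


def cyclic(pattern, n=BASELINE_DAYS):
    """Constructed baseline: a short daily pattern repeated over the 30 baseline days."""
    return [pattern[i % len(pattern)] for i in range(n)]


# Constructed sample data (not real telemetry): 30 baseline days then the 7 monitored
# days, for four hypothetical behaviors per user.
POPULATION = {
    # alice: downloads and external shares ramp up through the week, the
    # reconnaissance-then-exfiltration shape the page describes
    "alice": {
        "files_downloaded":        cyclic([2, 3, 4, 1, 0]) + [3, 2, 9, 14, 4, 22, 31],
        "files_shared_externally": cyclic([0, 1, 0, 0, 0]) + [0, 0, 1, 3, 5, 4, 6],
        "new_files_touched":       cyclic([5, 8, 6, 7, 4]) + [6, 7, 5, 7, 6, 6, 7],
        "logins":                  cyclic([1, 2, 1, 1, 2]) + [1, 2, 1, 1, 2, 1, 2],
    },
    # bob: every behavior stays inside his own typical range
    "bob": {
        "files_downloaded":        cyclic([1, 2, 1, 0, 2]) + [1, 2, 0, 1, 2, 1, 1],
        "files_shared_externally": cyclic([0, 1, 0, 0, 1]) + [0, 1, 0, 0, 0, 1, 0],
        "new_files_touched":       cyclic([3, 4, 2, 3, 5]) + [4, 3, 4, 2, 3, 4, 3],
        "logins":                  cyclic([1, 2, 1, 2, 1]) + [1, 2, 1, 1, 2, 1, 2],
    },
    # carol: one heavy day on a single behavior, otherwise unremarkable
    "carol": {
        "files_downloaded":        cyclic([4, 6, 5, 3, 7]) + [5, 4, 6, 6, 3, 5, 6],
        "files_shared_externally": cyclic([0, 1, 0, 0, 1]) + [0, 0, 1, 0, 1, 0, 0],
        "new_files_touched":       cyclic([6, 9, 7, 8, 5]) + [7, 6, 8, 25, 7, 6, 8],
        "logins":                  cyclic([1, 2, 1, 2, 1]) + [1, 2, 1, 1, 2, 1, 2],
    },
}

if __name__ == "__main__":
    for user, (score, level) in variability_levels(POPULATION).items():
        _, details = user_aggregate(POPULATION[user])
        flagged = [n for n, d in details.items() if d["above"]]
        print(f"{user:6} aggregate={score:5.1f} level={level:8} above range: {flagged}")
```

With this data alice exceeds her own range on two behaviors (aggregate 22.0, level high), carol on one (9.5) and bob on none (0.0), and carol's single heavy day is left for the analyst to judge rather than alerted on. Two properties of the page's method are worth keeping in mind when reading the output. First, the week's maximum is compared with the 75th percentile of daily values, and the largest of seven ordinary days exceeds that percentile most of the time (for independent days, 1 - 0.75^7, about 87%), so the count of behaviors above range is noisy on its own and the magnitude term carries the signal; that is why the example normalizes the excess by the inter-quartile range. Second, a behavior the user almost never performs, like alice's external sharing, has a typical range of zero width, so any activity at all is "above range"; the IQR floor in the example keeps such behaviors from dominating the aggregate, and a real deployment needs an explicit policy for them.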

Context at your fingertips

The Fletch Insider Risk app connects the dots for you by aggregating abnormal activity counts across all monitored behaviors, but it doesn’t stop there. For each behavior, one click opens the details: day-by-day activity levels for the past week and every asset involved.

To learn more about Fletch’s Insider Risk app, check out the video below.

If you’d like to give the app a try, starting at zero cost, use this link to create your account.