In recent years, it has become increasingly difficult to detect malicious activity carried out on internal networks. One type of threat that has become a growing concern is the "insider" threat: the situation in which an insider (such as a company employee or contractor) performs malicious activities from within the company firewall. This is in contrast to many other types of threats, which involve attacks from external hosts originating outside the company network.
An increasing number of insider threat cases have been reported that involve inappropriate access to, and ultimately the exfiltration of, personally identifiable information (PII) and intellectual property. Given the extreme damage that can result from the malicious activities of an insider, identifying insider threats has become an important network security goal for many organizations.
It is typically very difficult to detect the presence of an insider threat effectively. Perimeter solutions (firewalls or Intrusion Prevention Systems) are, by definition, deployed at the network boundary and oriented toward the detection of outsider threats; they are not positioned to observe human-driven malicious behavior that originates inside the network.
Installing a large array of sensors on each individual host is one approach that can be taken to monitor and flag malicious behavior. However, such solutions are invasive, costly, and require dedicated tools to analyze the volume of data they generate.
In addition, the malicious pattern involved in such cases can be highly sophisticated and take very different forms: massive data access and download in a short period of time, or regular, low-volume access and download of data over a long period. Furthermore, most IT organizations grant hosts inside their networks a very broad set of rights, so the definition and detection of anomalous, and ultimately malicious, behavior is much harder. The volume of traffic moving through modern networks is also substantially larger than in the recent past, making it more difficult to assess whether any particular portion of the data conveyed is malicious, harmful, or corresponds to a security breach or threat.
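The two access patterns just described defeat a single volume threshold: a rule tuned to catch a burst never sees a slow drip, and a rule tuned low enough to catch a drip fires constantly on ordinary use. The following added example (not code from the original text) runs two complementary detectors over a constructed file-server access log. The host names, the 30-day log, the 1 GB/hour burst threshold and the "3x the population's typical daily volume" drip rule are all assumptions chosen for illustration; the drip detector uses each host's median daily volume so that a single burst neither masks a drip nor produces a false drip alert for the bursting host.

```python
"""Burst and slow-drip detectors over a constructed access log.

Added illustrative example; the log format, host names and thresholds
are assumptions, not data from the original text.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MB = 1024 * 1024


def build_sample_log():
    """Constructed records: (timestamp, source host, bytes read from a file server)."""
    start = datetime(2024, 1, 1, 12, 0)
    log = []
    for day in range(30):
        noon = start + timedelta(days=day)
        log.append((noon, "ws-01", 10 * MB))   # ordinary workstation
        log.append((noon, "ws-04", 10 * MB))   # ordinary workstation
        log.append((noon, "ws-02", 10 * MB))   # ordinary, until the burst below
        log.append((noon, "ws-03", 60 * MB))   # slow drip: 60 MB every day
    # ws-02 pulls 20 x 256 MB = 5 GB within 20 minutes on day 28 (hypothetical burst)
    burst_start = start + timedelta(days=28, hours=9)
    for i in range(20):
        log.append((burst_start + timedelta(minutes=i), "ws-02", 256 * MB))
    return sorted(log)


def detect_bursts(log, window=timedelta(hours=1), threshold=1024 * MB):
    """Flag hosts whose volume inside any sliding `window` exceeds `threshold`.

    Returns {host: largest windowed volume seen} for flagged hosts only.
    """
    by_host = defaultdict(list)
    for ts, host, nbytes in log:
        by_host[host].append((ts, nbytes))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        total, left = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # drop events that fell out of the window ending at `ts`
            while ts - events[left][0] > window:
                total -= events[left][1]
                left += 1
            if total > threshold:
                flagged[host] = max(flagged.get(host, 0), total)
    return flagged


def detect_slow_drips(log, min_active_days=20, factor=3.0):
    """Flag hosts whose *typical* daily volume is far above the population's.

    Per-host median daily volume is robust to one-off bursts, so a host that
    bursts once is not mistaken for a dripper and a real dripper is not hidden
    by a noisy day. Returns {host: median daily bytes} for flagged hosts.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in log:
        daily[host][ts.date()] += nbytes
    typical = {h: median(d.values())
               for h, d in daily.items() if len(d) >= min_active_days}
    if not typical:
        return {}
    baseline = median(typical.values())
    return {h: v for h, v in typical.items() if v > factor * baseline}


def run(log=None):
    """Run both detectors; returns {'burst': {...}, 'slow_drip': {...}}."""
    log = log if log is not None else build_sample_log()
    return {"burst": detect_bursts(log), "slow_drip": detect_slow_drips(log)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for host, volume in hits.items():
            print(f"{kind}: {host} ({volume / MB:.0f} MB)")
```

On the constructed log the burst rule flags only ws-02 (5 GB in one window) and the drip rule flags only ws-03 (60 MB/day against a 10 MB/day population median); ws-02's single burst day does not move its median, which is the point of using a robust statistic for the long-horizon baseline.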
Therefore, there is a need for an improved approach to implementing insider threat detection.