Detecting and ultimately preventing ongoing malicious insider attacks has become a crucial problem for enterprise and government organizations in recent years. Insider threats pertain to the situation in which an insider (such as a company employee or contractor) performs malicious activities from within the company firewall. This is in contrast to many other types of threats, which involve attacks from external hosts located outside the company network.
Malicious insiders often seek to obtain valuable information located at key assets, which may include, but is not limited to, trade secrets, intellectual property and private information regarding an organization's customers, employees and associates. In addition, malicious insiders may commit sabotage of key infrastructure that can affect crucial functional aspects of the organization.
Given the extreme levels of damage that may result from malicious activities of an insider, identification of insider threats has become an important goal in the context of network security for many organizations.
However, it is very difficult to effectively detect the presence of an insider threat. By definition, perimeter solutions (firewalls or Intrusion Prevention Systems) are not deployed in a manner that allows them to detect human-driven malicious behaviors originating from inside the network—such systems are typically oriented to the detection of outsider threats. Furthermore, most IT organizations grant hosts inside their networks a very broad set of rights. The definition and detection of anomalous and ultimately malicious behavior is thus much harder. In addition, the volume of traffic moving through modern networks is substantially larger than even in the recent past, making it more difficult to assess whether any particular portion of the data conveyed is malicious, harmful, or corresponds to a security breach or threat.
A large array of sensors installed on hosts would be able to monitor and flag malicious behavior. However, such solutions are invasive, costly and difficult to maintain. These solutions also often operate by attempting to detect a set of known scenarios using pre-programmed rules or heuristics. Another problem with this approach, therefore, is that it is impossible to always know ahead of time the specific characteristics of every threat that may be carried out, and hence such systems are always playing “catch up” with ever-evolving real-world threats.
Another conventional approach is to merely search for access violations. However, this approach cannot routinely solve the insider threat problem, because the insider is, by definition, an authorized user.
A final approach is to implement fine-grained access controls that limit what each insider can access. However, this approach also cannot solve the insider problem, because fine-grained access controls will be costly to maintain and will hinder productivity, since they may restrict access to assets for legitimate users.
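The following is an added illustration, not part of the original text and not the approach the document describes, of why an access-violation search alone misses an authorized insider: an authorized user reading an entire share generates no violation, while a user-specific baseline comparison (an assumption of this example, chosen for contrast) does notice the change in volume. The access-control list, the file-server log lines, the user names, share names and the threshold factor are all constructed for the example.

```python
"""
Constructed demonstration: access-violation search versus a per-user
baseline comparison over a small file-server access log.
All data and thresholds below are made up for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed access-control list: which file shares each user may read.
ACL: Dict[str, Set[str]] = {
    "alice": {"hr-share", "finance-share"},
    "bob": {"eng-share"},
}

# Constructed file-server access log: (day, user, share, files_read).
# Days 1-4 are ordinary activity; on day 5 alice (authorized) reads the
# whole finance share, while bob (not authorized) touches hr-share once.
ACCESS_LOG: List[Tuple[int, str, str, int]] = [
    (1, "alice", "hr-share", 12),
    (1, "bob", "eng-share", 30),
    (2, "alice", "finance-share", 9),
    (2, "bob", "eng-share", 25),
    (3, "alice", "hr-share", 15),
    (3, "bob", "eng-share", 28),
    (4, "alice", "hr-share", 11),
    (4, "bob", "eng-share", 31),
    (5, "alice", "finance-share", 900),
    (5, "bob", "hr-share", 1),
]


def access_violations(log, acl) -> List[Tuple[int, str, str]]:
    """Conventional check: flag only reads of shares the user is not entitled to.
    An authorized insider never appears here, however much they read."""
    return [(day, user, share) for day, user, share, _ in log
            if share not in acl.get(user, set())]


def baseline_deviations(log, history_days: Set[int],
                        factor: float = 5.0) -> List[Tuple[int, str, int]]:
    """Illustrative behavioral check (assumed for this example): compare each
    user's daily read count with that user's own mean over history_days and
    flag any later day whose count exceeds factor * mean."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> files read
    for day, user, _, files in log:
        totals[user][day] += files
    alerts = []
    for user, by_day in totals.items():
        history = [by_day[d] for d in history_days if d in by_day]
        if not history:
            continue  # no baseline for this user yet
        mean = sum(history) / len(history)
        for day, files in by_day.items():
            if day not in history_days and files > factor * mean:
                alerts.append((day, user, files))
    return sorted(alerts)


if __name__ == "__main__":
    print("access violations:", access_violations(ACCESS_LOG, ACL))
    print("baseline deviations:", baseline_deviations(ACCESS_LOG, {1, 2, 3, 4}))
```

Run as a script, the violation check reports only bob's single read of hr-share, while alice's 900-file read of a share she is entitled to produces no violation at all; the baseline comparison reports alice's day-5 activity and nothing for bob, so the two checks surface different things. The fixed factor is a placeholder for illustration; the point of the contrast is only that entitlement alone carries no signal about an authorized user's behavior.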
Therefore, there is a need for an improved approach to implementing insider threat detection.