While most security teams focus on preventing malicious attacks from outsiders, recent data suggests that about 30 percent of confirmed breaches today involve insiders.
The increasingly complex networks of today, spanning physical systems, information technology (IT) and operational technology (OT), make it difficult for security teams to detect and prevent insider threats. This is compounded by the proliferation of data, devices, applications and users accessing network resources.
Rising insider threat of malicious attacks
According to the 2017 U.S. State of Cybercrime Survey, 50 percent of organizations experience at least one malicious insider incident per year. And the Verizon 2018 Data Breach Report found that about 30 percent of confirmed breaches today involve insiders. In August 2018, the tragic crash of an airplane stolen by an employee in Seattle raised awareness of the physical dimension of insider threats (as well as of the value of pre-employment psychological evaluation).
As the threat landscape evolves rapidly, CISOs must step up their game, says Aamir Ghaffar, Director of Solution Engineering at AlertEnterprise. They must implement security controls that protect the people, physical assets, data, intellectual property and reputation of their company, both inside and out. And they must do so while meeting their industry's compliance requirements. In response to our questions, Aamir Ghaffar offered some additional thoughts on the timely topic of insider threats.
Q: We are hearing discussions about the emergence of converged security systems. What are they, and how do they help organizations address insider threats?
Ghaffar: The concept of convergence has evolved in response to risk and the general threat landscape. Threats now originate not only in physical space but also in cyber environments: this is what is commonly called blended risk. These blended risks require a converged approach and a converged view of security as a whole: connecting data, creating new capabilities and gaining new insight so that security teams can defend themselves better against attacks.
Q: How are organizations responding?
Ghaffar: They are moving towards centralization, from the security operations center up to the executive level, where a C-suite executive manages all security across the physical, IT and OT domains. According to Gartner, by 2023, 75% of organizations will restructure risk and security governance to address new cyber-physical systems (CPS) and converged IT, OT, Internet of Things (IoT) and physical security needs, up from less than 15% today.
Q: How does the change affect internal threats?
Ghaffar: Physical and cyber unification unlocks powerful new capabilities. For example, when cyber teams face a threat, such as a rogue device placed within their network environment, they can quickly connect the cyber footprint to a physical location: understanding where the threat originates and identifying who is responsible for bringing it in. Cyber identity, delivered through platforms that connect physical access control, IT systems and OT, is an example of how organizations can best prepare for blended security threats.
Q: How is AI used to protect against internal threats?
Ghaffar: With greater security convergence, we are now gathering such a large volume of data that relying on manual detection of internal or external threats is no longer a viable solution. An automated system, driven by artificial intelligence and applied to digital identities, is now the most practical, humane and fail-proof solution. Artificial intelligence and machine learning (ML) technology helps organizations map complex patterns of user behavior, process tens of millions of events in seconds to detect threats in near real time, and respond quickly. This helps security operations personnel move from distraction to action, allowing them to focus on what really matters: their most critical security events.
Q: Sometimes the threat is about human error.
Ghaffar: We often think that the most harmful insider threats are intentional; however, a user's unintentional behavior and negligence can have serious ramifications for an organization. Organizations must implement technology that offers automation and active policy enforcement to prevent employees from making unintentional but critical mistakes. Organizations must also do regular risk assessments, not one-and-done. Do not implement a process and think you are safe. Automated access and identity management technology can provide scheduled access reviews to help detect high-risk user profiles with a combination of cumulative or toxic access, as well as segregation-of-duties violations resulting from department changes or job transfers.
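As an added illustration of the scheduled access review described above (example code, not AlertEnterprise's product), this constructed check flags toxic entitlement combinations, including one that pairs a physical badge with a cyber privilege, and residual access a user kept after transferring departments. The policy tables and sample identities are assumptions built for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: entitlement pairs that no single identity may hold (segregation of duties).
TOXIC_PAIRS = {
    frozenset({"ap:create_vendor", "ap:approve_payment"}),
    frozenset({"it:deploy_prod", "it:approve_change"}),
    frozenset({"badge:datacenter", "it:domain_admin"}),  # physical + cyber combination
}

# Constructed baseline: entitlements each department is expected to hold.
DEPT_BASELINE: Dict[str, Set[str]] = {
    "finance": {"ap:create_vendor", "badge:hq"},
    "treasury": {"ap:approve_payment", "badge:hq"},
    "it_ops": {"it:deploy_prod", "badge:datacenter"},
    "change_board": {"it:approve_change", "badge:hq"},
}


@dataclass
class Identity:
    user: str
    department: str
    entitlements: Set[str]
    previous_department: Optional[str] = None  # set when the user transferred


def review_identity(ident: Identity) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for one identity; empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for pair in TOXIC_PAIRS:
        if pair <= ident.entitlements:  # user holds both halves of a forbidden pair
            findings.append(("toxic_combination", "+".join(sorted(pair))))
    baseline = DEPT_BASELINE.get(ident.department, set())
    prior = DEPT_BASELINE.get(ident.previous_department or "", set())
    for ent in sorted(ident.entitlements - baseline):
        # Access that matches the old department is cumulative access left over from a transfer.
        kind = "residual_after_transfer" if ent in prior else "out_of_baseline"
        findings.append((kind, ent))
    return findings


def scheduled_review(identities: List[Identity]) -> Dict[str, List[Tuple[str, str]]]:
    """Run the review over every identity and keep only users with findings."""
    return {i.user: review_identity(i) for i in identities if review_identity(i)}


# Constructed sample: alice moved finance -> treasury and kept vendor creation rights.
SAMPLE_IDENTITIES = [
    Identity("alice", "treasury", {"ap:create_vendor", "ap:approve_payment", "badge:hq"}, "finance"),
    Identity("bob", "it_ops", {"it:deploy_prod", "badge:datacenter"}),
    Identity("carol", "it_ops", {"it:deploy_prod", "badge:datacenter", "it:domain_admin"}),
]
```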
Q: What are the biggest misconceptions about insider threats?
Ghaffar: First, that the greatest threats originate outside my company. Or that insider threats are a problem for government agencies and highly sensitive organizations, not for "regular" companies like us. A company may also mistakenly think that it has limited assets that could be exposed, or that its assets have little value; therefore, a large-scale breach is less likely to occur. And even if it does, it probably will not have a big impact.
Q: So, they think that "it can't happen here."
Ghaffar: Yes, and they believe that their employees are inherently trustworthy, and that with basic security measures in place, the risk is small. They think that insider threats are always intentional. Or they think "it's not my job."
Q: What next steps should security leaders take to address insider threats in their organizations?
Ghaffar: Security and risk management leaders must start by developing a compelling vision and strategy that resonates with key stakeholders in the company. They can expand the visibility they have into user activity beyond what happens on the network. Go beyond a data-centric approach to a people-centered approach through identity behavior analysis. Improving visibility into user activity and adopting a more preventive approach are the best ways to manage the risk of an incident. Develop an insider-focused approach to security. By converging physical, cyber and OT security, you get a comprehensive view of your security environment across the whole company.