[On-demand webinar] CISO Series: Decoding Cybersecurity Language with Adam Shostack

Watch now
July 12, 2022

Avoiding the Inkblot Problem of Insider Risk: How to Get Clarity and Take Action

Insider risk is one of the most pervasive problems facing enterprise security teams today. It is the risk that every organization is guaranteed to have by default. And unlike traditional threats which often need to go through many technical machinations to get to the data that really matters, insiders already have that access by default.

From a threat modeling perspective, insiders are born on third base and are always just a step away from data loss whether due to a malicious action or a careless mistake.

This also makes insider risk particularly nebulous when it comes to detection and control. Risky behavior often blends in with normal end-user work. Most teams lack the fine-grained resolution needed to distinguish an insider threat from insider productivity. And in many cases, insider risk can pop in blind spots where HR and security teams have no visibility.

Let’s take a look at two common problems, and how organizations can use Data Detection and Response (DDR) to get control.

The User Anomaly Inkblot

Insider risk management tools come in a variety of forms, and many work by attempting to identify anomalies in user behavior, either at the endpoint or network level. This can be a very valuable tactic. After all, insider threats don’t need to use exploits or malware and don’t exhibit the IOCs used to find traditional threats. So, looking for user actions that look out of place can be a great way to find potential problems.

However, that word, “potential”, is where things get a little sticky. An anomalous behavior is typically not conclusive on its own. A user doing something unusual doesn’t necessarily mean something bad is happening. In fact, statistically speaking, users are almost guaranteed to do something anomalous over time. This is known as a long-tail distribution in which some user behaviors will naturally deviate from the norm.

This often leads to something akin to the old Rorschach inkblot test for security teams in which an analyst must try to interpret a blob of ambiguous data. Unfortunately, unlike a real-world inkblot in which any answer is acceptable, a security incident has a very clear right or wrong answer and there are serious consequences to guessing incorrectly.

And this leads to two major problems for security teams. First, since the anomaly isn’t conclusive, most organizations will not be willing to block the action out of fear of blocking valid user behavior. To be fair, this is only a theoretical drawback since most behavior-based tools can’t block in the first place. But suffice it to say, the approach almost always fails to mitigate risk in real-time.

And since the initial alert is inconclusive, it now typically falls to a human analyst to investigate the incident and make sense of it all. It can take hours or days to collect all the relevant context around the specific user and event, and even then, there is often no smoking gun. Ultimately, staff are left to make a judgment call without all the necessary data.

A Better Approach With DDR

Faced with the need to perform large amounts of work in order to achieve inconclusive results, it is no wonder that many organizations have become disillusioned when dealing with insider risk. Cyberhaven’s DDR platform changes this by giving security teams high-resolution visibility into actual business risk paired with the ability to take proactive enforcement actions in real time. The solution brings together several capabilities that work together to provide a clear, actionable result. This includes:

  • Host and application context – Cyberhaven analyzes virtually every action performed on a piece of data. This could include edits made to a document, a user that copies data from one file to another, data that is shared across an application, saved to a USB drive, or data that is encrypted or compressed. This ensures that all the important actions are seen even in cases where the content itself is no longer visible.
  • Enterprise-wide context – Seeing events on a given host is only the start. Cyberhaven tracks and correlates all of these events across the entire life and workflow of the data as it passes between users, machines, and applications. Now instead of just looking for anomalies at the host or network level, Cyberhaven can follow the entire business workflow.
  • Full data context – One of the biggest weaknesses of behavior-based insider risk tools is that they simply don’t know what data is actually valuable. Sharing small amounts of data rarely look anomalous, yet a single design file or financial presentation can have a disastrous effect if leaked. Cyberhaven automatically tracks the full lineage of every piece of data back to its source application and the user who created it. Teams can clearly see what the data is in terms of its business value both based on its content, but more importantly, based on where it is from and how it used in the business.
  • Combined view of risk – Cyberhaven uses these and other contexts in order to maintain a real-time understanding of risk based on the data and al the actions around it. This can include seeing high-value data being shared in unsafe ways, being sent to risky locations, or being shared in unusual ways. However, instead of simply triggering on an anomaly, staff can automatically know the full history of the data involved.
  • Real-time enforcement – Cyberhaven performs all of this work instantly and gives staff the opportunity to enforce policy in real time before a violation occurs. This can include the option of in-line blocking as well as less disruptive options such as warning users or redirecting them to a safer, approved path.

Taken together, organizations can achieve a far more proactive approach to mitigating insider risk. Now, instead of analysts squinting at screens and trying to decide if they see a threat or not, the answer can be seen in detail with all the supporting evidence. Actions can be taken preventatively, and policies integrated into the natural business workflow so that threats can be prevented without getting in the way of productivity. This gives organizations one less thing to worry about leaves the inkblots to the therapists.

See our product in action