Cybersecurity With Suspicion: Scoping Out Insider Threats

Can you detect insider threats in your cloud network?

George Orwell is famous for, among other things, having said "To see what is in front of one's nose needs a constant struggle." He probably didn't know it at the time, but he aptly summed up the struggle of managing insider threats in a public cloud environment.

While Amazon Web Services, Azure and the other public cloud vendors run a tight security ship, it doesn’t fall under their purview to secure the environments that their clients operate – that’s up to the customers of those cloud services. Even so, some insider threats are readily apparent (for instance, an employee downloading hundreds of gigabytes of sensitive data on a private IP address at 1 a.m.), and right now very few organizations are using tools that would identify those seemingly obvious risks.

You Can’t Secure What You Can’t See

Consider what happens when a former employee's credentials aren’t revoked. With no holds barred, said ex-employee could hypothetically continue to access sensitive information, despite having moved on to a new organization – even a competitor.

This is exactly what occurred in the summer of 2015, when an IT manager was able to continue accessing his former employer's systems for three months. According to the U.S. Department of Justice, the ex-employee used this access to send malicious computer code to the company's servers to delete intellectual property. Ultimately, the organization experienced thousands of dollars' worth of damage.

To be clear, this is not a one-off anomaly.

According to Osterman Research, nearly 90 percent of employees hold on to login credentials that still give them access to one or more of their former employers’ services. In a public cloud environment, these credentials are often the only barrier between an ex-staff member and sensitive data. Forget to revoke access, and suddenly tens or hundreds of thousands of dollars – if not more – are at stake.

But malice is only one piece of the private cloud’s very complicated cyberthreat detection puzzle. Many insiders who introduce risk on a public cloud network do so inadvertently and unknowingly. For instance, maybe they've made the rookie mistake of forgetting to log out of an application on a public machine. Maybe they misplaced a mobile endpoint. Alternatively, certain permissions may have been created to allow temporary access. The problem is, these permissions are forgotten once the need has passed, and they are subsequently discovered and exploited by a third party. In many cases, careless end users can cause just as much harm as a malicious insider.

These scenarios can easily lead to system access ending up in the wrong hands. From there, a hacker only needs to use the information available to dig deeper into the network – and by that point, there's really no way to distinguish the hacker from an authorized user.

It takes more than user identification to detect an insider threat, even on a public cloud network.

System access can all too easily end up in the wrong hands.

Enter Dynamic Endpoint Modeling

The virtual layer protection supplied by public cloud vendors won’t necessarily protect your company’s applications or its data. And while most cloud security tools can highlight vulnerabilities in your current configuration, they won’t tell you what these assets are doing, and they certainly won’t be able to automatically notify you of suspicious or threatening behavior. In many ways it’s analogous to locking the doors and windows of a home and deploying a home security system. That might defend against a physical break-in, but it won’t do anything if someone’s already lurking in the basement, especially not if you gave your former neighbor the keys.

The beauty of a solution like Observable Network's Dynamic Endpoint Modeling is that it uses advanced learning algorithms based on endpoint behavior to tell you what’s really happening inside the house, so to speak. For instance, just as random doors inside the home shouldn’t be opening and closing when the place is presumably empty, an employee shouldn’t be logging into the network at certain times of the day just to delete or download a few files on a critical database.

Dynamic Endpoint Modeling works by recognizing this activity as suspicious. Comprehensive, qualitative analysis of the network metadata associated with the “insider’s” behavior automatically tells you, with certainty, that there’s someone in the house, and that they won’t stop at raiding the fridge. From there, it’s just a matter of cutting them off before they can do serious damage.
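As an added illustration of what behavior-based detection looks like (this is not Observable's code or algorithm, and is far simpler than a production model), the Python below learns each endpoint's usual active hours and typical transfer volume from earlier days of constructed flow metadata, scores the newest day against that baseline, and also flags activity by users on a constructed offboarding list whose credentials should have been revoked:

```python
from datetime import datetime

# Constructed flow-metadata records (not real traffic): "timestamp user endpoint destination bytes".
FLOWS = """\
2015-06-01T09:12 alice ws-alice db-critical 1200000
2015-06-01T10:40 alice ws-alice db-critical 900000
2015-06-02T09:30 alice ws-alice db-critical 1100000
2015-06-02T14:05 alice ws-alice db-critical 1300000
2015-06-02T11:15 bob ws-bob fileshare 450000
2015-06-03T01:07 alice ws-alice db-critical 250000000000
2015-06-03T11:00 bob ws-bob fileshare 500000
2015-06-03T11:20 mallory ws-contractor db-critical 400000
"""
DEPARTED_USERS = {"mallory"}  # constructed offboarding list: credentials that should be revoked
VOLUME_FACTOR = 10            # more than 10x an endpoint's typical transfer is anomalous

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, user, endpoint, dest, nbytes = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"), "user": user,
                     "endpoint": endpoint, "dest": dest, "bytes": int(nbytes)})
    return rows

def build_models(history):
    """Per-endpoint model from past flows: hours it is active and its median transfer size."""
    models = {}
    for endpoint in {r["endpoint"] for r in history}:
        rs = [r for r in history if r["endpoint"] == endpoint]
        sizes = sorted(r["bytes"] for r in rs)
        models[endpoint] = ({r["ts"].hour for r in rs}, sizes[len(sizes) // 2])
    return models

def score_day(rows, day):
    """Score one day's flows (ISO date string) against models learned from earlier days."""
    models = build_models([r for r in rows if r["ts"].date().isoformat() < day])
    alerts = []
    for r in (x for x in rows if x["ts"].date().isoformat() == day):
        reasons = []
        if r["user"] in DEPARTED_USERS:
            reasons.append("departed user still has access")
        if r["endpoint"] in models:
            hours, typical = models[r["endpoint"]]
            # an hour adjacent to a normally active hour still counts as usual
            if not any(abs(r["ts"].hour - h) <= 1 for h in hours):
                reasons.append("activity outside endpoint's usual hours")
            if r["bytes"] > VOLUME_FACTOR * typical:
                reasons.append("transfer volume far above baseline")
        if reasons:
            alerts.append((r, reasons))
    return alerts
```

Scoring "2015-06-03" flags alice's 1 a.m. bulk pull from the critical database on both counts and mallory's access as a departed user, while bob's routine traffic produces nothing.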

Experience Dynamic Endpoint Modeling on your own network

Protecting your public cloud infrastructure by identifying insider and external threats faster couldn't be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial