4 Critical Mistakes IT Security Professionals Must Avoid is a two-part series that examines four common mistakes made by security professionals and the solutions that avoid making them in the future.
Part 2 is published below. Part 1 was published on Monday here.
Of all security threats to an organization, undoubtedly one of the hardest to detect and prevent is that of the insider threat.
Insider threats usually do not involve malware, DLL injection, or other sophisticated attacks. More commonly they result from users employing valid applications and valid credentials to access, copy, save, or print information in a way that departs from their normal usage patterns.
According to a recent report by KPMG, 8.6% of employees admit to having bypassed the security controls their organization put in place, and 16.6% reported having observed this behavior among their colleagues within the last 12 months. And that’s only counting the ones who dare to speak up on the subject!
Endpoint and user IT analytics give you the means to detect activity anomalies such as unusually high traffic at a specific time, or a large number of print jobs over a long period (each day’s volume looks normal, but the monthly total is high).
Endpoint and user IT analytics can also bring context into the analysis: job role, office hours, time off, and physical presence. This allows you to detect when a user who should usually access one or two sensitive records at a time downloads hundreds of records, or when a supplier who should only have access to your payments system for a few minutes every month is logged in for hours at a time.
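The detection logic described above, as an added illustration that is not code from the article or from any product it describes: per-user baselines catch the analyst who suddenly pulls hundreds of records, role context (office hours, expected session length) catches off-hours activity and the supplier logged in for hours, and month-level aggregation catches print volume that looks normal day by day. The roles, thresholds, and event records are constructed assumptions chosen to exercise those four cases.

```python
"""Context-aware endpoint/user anomaly detection over constructed event records.

Added illustration, not the article's own code. Roles, thresholds and sample
events are assumptions chosen to show the four cases described in the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics


@dataclass
class Event:
    user: str
    role: str               # context from HR/IAM: "analyst" or "supplier"
    action: str             # "record_access", "print" or "login"
    ts: datetime
    count: int = 1          # records touched or pages printed
    duration_min: int = 0   # session length, for "login" events


# Assumed per-role context: office hours and the session length the role should need.
ROLE_POLICY = {
    "analyst": {"office_hours": (8, 18), "max_session_min": None},
    "supplier": {"office_hours": (0, 24), "max_session_min": 15},
}
MONTHLY_PRINT_LIMIT = 2000  # pages per user per month (assumed threshold)


def build_baseline(history):
    """Per-user mean and population stdev of records accessed per event."""
    per_user = defaultdict(list)
    for e in history:
        if e.action == "record_access":
            per_user[e.user].append(e.count)
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}


def detect(events, baseline):
    """Return (user, kind, detail) alerts for the anomalies the article describes."""
    alerts = []
    monthly_pages = defaultdict(int)  # (user, "YYYY-MM") -> pages printed
    for e in sorted(events, key=lambda ev: ev.ts):
        policy = ROLE_POLICY.get(e.role, {"office_hours": (0, 24), "max_session_min": None})

        # 1. Volume anomaly: far more records than this user's own baseline.
        if e.action == "record_access" and e.user in baseline:
            mean, sd = baseline[e.user]
            limit = mean + 3 * max(sd, 1.0)  # floor the spread so a flat baseline still works
            if e.count > limit:
                alerts.append((e.user, "bulk_access", f"{e.count} records, baseline ~{mean:.1f}"))

        # 2. Context anomaly: activity outside the role's office hours.
        start, end = policy["office_hours"]
        if not start <= e.ts.hour < end:
            alerts.append((e.user, "off_hours", e.ts.isoformat()))

        # 3. Context anomaly: a session far longer than the role should need.
        cap = policy["max_session_min"]
        if e.action == "login" and cap is not None and e.duration_min > cap:
            alerts.append((e.user, "long_session", f"{e.duration_min} min, expected <= {cap}"))

        # 4. Accumulate print volume; each day looks normal, the month may not.
        if e.action == "print":
            monthly_pages[(e.user, e.ts.strftime("%Y-%m"))] += e.count

    for (user, month), pages in monthly_pages.items():
        if pages > MONTHLY_PRINT_LIMIT:
            alerts.append((user, "monthly_print", f"{pages} pages in {month}"))
    return alerts


# --- Constructed sample data (not real telemetry) ---------------------------
def _at(month, day, hour, minute=0):
    return datetime(2024, month, day, hour, minute)


# Four weeks of alice's normal February work: one or two sensitive records per session.
HISTORY = [Event("alice", "analyst", "record_access", _at(2, d, 10), count=1 + d % 2)
           for d in range(1, 29)]

EVENTS = [
    Event("alice", "analyst", "record_access", _at(3, 5, 14), count=400),    # bulk download
    Event("alice", "analyst", "record_access", _at(3, 5, 23, 30), count=2),  # normal volume, wrong hour
    Event("vendor1", "supplier", "login", _at(3, 6, 9), duration_min=240),  # hours, not minutes
] + [Event("bob", "analyst", "print", _at(3, d, 10), count=100) for d in range(1, 26)]  # 2500 pages


if __name__ == "__main__":
    for user, kind, detail in detect(EVENTS, build_baseline(HISTORY)):
        print(f"{user:8} {kind:14} {detail}")
```

The baseline deliberately uses each user's own history rather than a global threshold, since "hundreds of records" is only anomalous relative to a user who normally touches one or two; the `max(sd, 1.0)` floor stops a perfectly regular history from producing a zero-width band that would alert on any change at all.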
Most organizations conduct some form of periodic security compliance and audit function. Regardless of which type of compliance audit you are required to do (internal or external), it is generally considered best practice to use an independent tool to verify that your processes and systems comply with established policies and regulations.
Endpoint and user IT analytics can map all the IT services, how they are being consumed, and how the IT infrastructure is operating. Furthermore, with the addition of real-time analytics, you can see all application and service executions and all network and web connections, giving you increased visibility and insight into security compliance within your environment.
Some of the common security issues endpoint and user IT analytics verify include:
- Ensuring that all endpoints and servers have up-to-date antivirus with real-time protection enabled.
- Ensuring each endpoint is compliant and fully patched to match the organization’s security policies. This can and should include the OS, installed applications, browsers, and Java, to name a few.
- Identifying suspicious application installations, process activity, and network and web connection anomalies. Keeping an eye on these activities will help you detect threats and indicators of compromise (IoCs) on devices, such as processes run as admin, scans, removable drives, new binaries, or high traffic volume.
Today’s working environment offers greater flexibility for enterprises with end-users able to work wherever, whenever and on whichever device they choose. At the same time though, this environment and new style of working provide the perfect breeding ground for new threats.
The sophistication and variety of the attacks, coupled with the threats posed by human activity, both deliberate and accidental, mean that traditional IT security tools are insufficient for identifying anything other than simple, previously recognized attacks, often not discovering them until months after a compromise has occurred.
It is no longer a question of if an organization will be compromised, it is when, and to what extent.
An enterprise context is crucial to viewing threats in a meaningful way, using IT analytics to establish patterns and identify anomalous behavior across a range of endpoints and end-users. This context provides enterprise security teams the visibility they need to recognize potential threats the moment they occur, to take immediate remedial actions and to prevent any further compromise of the wider network of endpoints.
Threats today begin with the end-users, and this is where security solutions need to look first. End-user security analytics offer the capability to detect, analyze and tackle these threats faster and more efficiently than in the past.
Businesses are at risk for compromises like never before and, in time, end-user security analytics will be widely integrated into existing enterprise security architecture.
Until then, it’s worth considering that, when a fire is lit, it’s important to act the moment the first match is struck, not when the whole structure has already been burned to the ground.