Conducting an insider threat investigation the right way could mean the difference between a minor cybersecurity policy violation and a costly incident.
Research from The Ponemon Institute shows that the longer an insider threat incident takes to contain, the faster the costs add up. The average time to contain an insider threat was 72 days (at an average annualized cost of $9.55 milion!) — only 16% of incidents were identified and contained within 30 days.
A big part of insider threat containment involves a swift and thorough forensic investigation. When an incident takes place, you need to know exactly where to get context about what happened. But system, network, and log data can be difficult to sift through. Even with a SIEM tool, it’s challenging to parse data and get the context and visibility needed to investigate.
Here’s an example of what an ideal insider threat investigation looks like, with the right insider threat investigation tools in place:
Receive Insider Threat Alerts
If a cybersecurity team has an insider threat management software in place (like ObserveIT) that can help monitor user activity, they can get continuous visibility into who is doing what, when, and why. This visibility enables the team to receive alerts when suspicious activity takes place on the network, and then react accordingly.
For example, if a privileged user is accessing and extracting data from sensitive databases, an alert will trigger that will allow the team to further investigate the user’s action.
What’s more, visibility into user activity can help the team identify suspicious users, detecting any anomalies in behavior or risky application usage. Secure keylogging detects any inappropriate activity in real-time, triggering alerts on any sensitive keywords or commands, and detecting data exfiltration attempts when certain protected keywords are entered by the user.
ObserveIT comes with a comprehensive insider threat library that can be used as a starting point for detecting, receiving alerts for, and investigating insider threats. Alternatively, these rules can be customized for each individual need.
Leverage User Session Recording & Video Playback
By leveraging video-based user session recordings, teams can investigate insider threats in minutes instead of days. These session recordings can provide a visual playback of exactly what happened, when, where, and why. The team gets “click-by-click” user activity data on individual endpoints, which takes snapshots of each action. These can be played back when a potential insider threat has been detected.
Capture User Activity Via Log Files
The team regularly collects detailed user activity logs in Windows and Unix/Linux sessions, which are indexed with video and detailed metadata. In addition, they add user session data to their SIEM dashboards and reports, including lists of applications run, data visualization showing active users and servers, and detailed lists of specific user actions—all linked directly to the session recording.
Using this information, the team can draw a clearer picture of exactly what happened before, during, and after an incident.
Teams can also use insider threat management tools to require individual administrators and remote vendors to identify who they are before logging in via a shared account (e.g., administrator, root). That way, during the investigation of an insider threat incident, they can search and review user activity monitoring session summaries and recordings by individual user, regardless of the initial login account used.
A Team Effort
Any insider threat investigation extends far beyond the cybersecurity team alone. An effective insider threat incident response involves stakeholders across the organization, including, HR, PR, legal — all the way up to the CEO.
With that said, it is important to find an appropriate balance between your people, processes, and technology, to ensure that your insider threat management program works effectively.