After establishing a threat model, organizations focus on detecting and remediating insider threats and security breaches.
Security teams must distinguish between a user's regular activity and potentially malicious activity to detect insider threats. To differentiate between activities, organizations must first close visibility gaps. They should then aggregate security data into a centralized monitoring solution, whether part of a security information and event management (SIEM) platform or a standalone user and entity behavior analytics (UEBA) solution. Many teams begin with access, authentication and account change logs. Then, as their insider threat use cases mature, they broaden the scope to additional data sources, such as virtual private network (VPN) and endpoint logs.
Organizations must adopt a privileged-access-management (PAM) solution and feed data about access to privileged accounts from that solution into their SIEM. Once organizations centralize the information, they can model user behavior and assign risk scores. Risk scores are tied to specific risky events, such as user geography changes or downloading to removable media. Assigning risk scores also gives security operations center (SOC) teams the ability to monitor risk across the enterprise, whether creating watch lists or highlighting the top risky users in their organization.
With enough historical data, security models can create a baseline of normal behavior for each user. This baseline indicates the normal operating state of a user or machine so that the system can flag deviations. Deviations should be tracked for individual users and also compared against peers: other users in the same location, with the same job title or in the same job function.
By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location. For example, user behavioral analytics can detect abnormal login attempts at an unusual time of day or from an unusual location, or multiple failed password attempts, and generate an alert for an analyst's validation. Such behavioral anomalies help identify when a user has become a malicious insider or when an external attacker has compromised their credentials.
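The baselining, peer comparison and risk scoring described in the three paragraphs above, as an added worked example that is not part of the original article or any vendor's UEBA product: it learns each user's normal sign-in countries from a constructed baseline window, scores later events for new countries (lower weight when the user's department already uses that country), off-hours activity and bursts of failed logins, and ranks the top risky users. The event tuples, weights and business-hours window are all illustrative assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication events (not real log data):
# (user, department, ISO timestamp, source country, outcome)
BASELINE_EVENTS = [
    ("alice", "finance", "2024-03-04T09:12:00", "US", "success"),
    ("alice", "finance", "2024-03-05T08:55:00", "US", "success"),
    ("bob",   "finance", "2024-03-04T10:02:00", "US", "success"),
    ("bob",   "finance", "2024-03-05T16:40:00", "DE", "success"),
    ("carol", "finance", "2024-03-05T09:47:00", "US", "success"),
]
RECENT_EVENTS = [
    ("alice", "finance", "2024-03-06T09:30:00", "US", "success"),
    ("alice", "finance", "2024-03-06T14:05:00", "DE", "success"),  # new for alice, known to peers
    ("carol", "finance", "2024-03-07T02:15:00", "RO", "failure"),
    ("carol", "finance", "2024-03-07T02:16:00", "RO", "failure"),
    ("carol", "finance", "2024-03-07T02:17:00", "RO", "failure"),
    ("carol", "finance", "2024-03-07T02:18:00", "RO", "success"),
]

# Illustrative points per risky event type (assumed values, not a vendor's scheme)
WEIGHTS = {"new_country": 40, "new_country_peer_known": 15, "off_hours": 20, "failed_burst": 30}
WORK_HOURS = range(7, 20)   # assumed business hours 07:00-19:59
FAILURE_BURST = 3           # failures in the window that count as a burst

def build_baselines(events):
    """Per-user and per-department sets of sign-in countries seen in the learning window."""
    user_countries, dept_countries = defaultdict(set), defaultdict(set)
    for user, dept, _, country, _ in events:
        user_countries[user].add(country)
        dept_countries[dept].add(country)
    return user_countries, dept_countries

def score_events(events, user_countries, dept_countries):
    """Return {user: (risk_score, [reasons])} for the recent window."""
    scores, reasons, failures = Counter(), defaultdict(list), Counter()
    for user, dept, ts, country, outcome in events:
        hour = datetime.fromisoformat(ts).hour
        if country not in user_countries[user]:
            tag = "new_country_peer_known" if country in dept_countries[dept] else "new_country"
            scores[user] += WEIGHTS[tag]; reasons[user].append(f"{tag}:{country}")
            user_countries[user].add(country)  # score each newly seen country once
        if hour not in WORK_HOURS:
            scores[user] += WEIGHTS["off_hours"]; reasons[user].append(f"off_hours:{hour:02d}h")
        if outcome == "failure":
            failures[user] += 1
            if failures[user] == FAILURE_BURST:
                scores[user] += WEIGHTS["failed_burst"]; reasons[user].append("failed_burst")
    return {u: (scores[u], reasons[u]) for u in scores}

def top_risky_users(risk, n=3):
    """Watch-list view: users ordered by descending risk score."""
    return sorted(risk, key=lambda u: risk[u][0], reverse=True)[:n]
```

Carol's off-hours burst of failures from a country nobody in her department uses scores far above Alice's single sign-in from a country her peers already use, which is the kind of ranking an analyst would validate before any remediation.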
Once an analyst validates the alert, a security orchestration, automation and response (SOAR) system can create an insider threat remediation workflow. Then, the playbook can specify what remediation is needed. Potential remediation could include challenging the insider with MFA or revoking access, either of which can be done automatically in the identity and access management (IAM) solution.