Context-aware systems are the key to detecting insider threats and attacks
The world has shifted. Threat actors spend less time exploiting vulnerabilities and more time logging in using stolen credentials. This makes it difficult to detect and prevent cyber-attacks. The most recent Verizon Data Breach Investigations Report found that about two-thirds of attacks are insider – malicious or unintended.
“Criminals don’t hack – they log in,” says Ajay Biyani, Vice President, Sales – APMEA.
“Credentials might be guessed by brute force. An insider may knowingly use their credentials maliciously, or acquire re-used credentials stolen during a third-party breach. All ultimately mean somebody is logging in using legitimate credentials – that is an insider threat.”
Many organisations underestimate the significance of the insider threat risk. Threat actors have access, through social media, to a vast trove of data that traditional SIEM solutions don’t have, and there is a lack of awareness that solutions exist which can manage insider threat.
The impact of AI on the threat environment
Attackers are using social media to craft phishing attacks that use better spelling and grammar, and personal information such as travel details, birthdays and other details to make their attacks look more credible. This, coupled with the ability to create malicious software code faster and with less expertise, has vastly boosted the weapons at threat actors’ disposal.
“At last year’s World Economic Forum there was a special session where Securonix’s CEO was invited. One of the things that was of great concern was AI-generated misinformation and AI-generated disinformation. Attackers leveraging deepfake videos and voices are making it even more difficult for defenders,” says Biyani.
Detecting insider threats
Detecting insider threats is complex because threat actors use trusted credentials. Traditional methods for detecting these attacks relied on logging all activity and flagging anomalies – an approach Biyani says has not delivered the desired outcomes.
“This approach is complex, expensive and resource intensive. It relies on creating rules that must be maintained. Context is key to understanding user behaviour. A person downloading lots of data might be a normal behaviour. But if they recently had a poor performance appraisal or submitted their resignation then this might be a sign of an insider threat. Securonix has invested heavily over the last 15 years in developing technology to put better context around alerts,” explains Biyani. “I can collect all the data in the world, but if I don’t understand where it fits into the world, it’s useless to me.”
Weren’t SIEMs meant to fix this?
SIEM has not been able to deliver on its promise. Most of the SIEMs on the market are based on static rules that are created manually and must be manually updated as data sources change. A missed alert is often remedied by acquiring more data, which leads to increased licensing and storage costs. Next generation SIEMs address this problem, and CISOs need to quantify the risk so they can get executive buy-in from CROs and CEOs.
“Next generation SIEM, like Securonix, evolved because traditional SIEMs did not detect insider attacks. Static rule-based SIEMs have not been able to deliver the expected value. We have UEBA [User and Entity Behaviour Analytics] based insider threat detection out of the box with use-cases that can prove value within 30 days,” says Biyani.
AI and machine learning enable security analysts to spend more time investigating real events rather than chasing false positives because the system has a better understanding of the context associated with each alert.
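The contrast Biyani draws above, between a static download threshold and behaviour analytics enriched with HR context (a bulk download that is routine for one user but, combined with a submitted resignation, is a warning sign for another), as an added example that is not Securonix's code and not part of the original article. The per-user baselines, the HR context feed, the day's events and the scoring weights are all constructed assumptions for illustration:

```python
"""Static rule vs context-aware scoring of bulk downloads.

Added illustration, not Securonix code. All data below is constructed.
"""
from statistics import mean, pstdev

# Constructed baseline: daily download volume (MB) per user over a prior week.
BASELINE = {
    "alice": [400, 450, 380, 520, 410, 470, 430],  # analyst: high volume is normal
    "bob":   [20, 15, 30, 25, 18, 22, 28],          # HR assistant: low volume is normal
}

# Constructed HR context feed (the "context" the article says a SIEM lacks).
HR_CONTEXT = {
    "alice": {"resignation_submitted": False, "performance_flag": False},
    "bob":   {"resignation_submitted": True,  "performance_flag": False},
}

# Constructed events for the day under review.
TODAY = [
    {"user": "alice", "bytes_mb": 600, "action": "download"},
    {"user": "bob",   "bytes_mb": 350, "action": "download"},
]

STATIC_THRESHOLD_MB = 500   # assumed fixed rule, same for every user


def static_rule(event):
    """Traditional SIEM-style rule: alert on any download above a fixed size."""
    return event["bytes_mb"] > STATIC_THRESHOLD_MB


def zscore(user, value, baseline=BASELINE):
    """How many standard deviations today's value sits above the user's own history."""
    hist = baseline.get(user)
    if not hist:
        return 0.0  # no baseline yet (new account): behaviour component is unknown
    mu, sigma = mean(hist), pstdev(hist)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def context_score(event, hr=HR_CONTEXT):
    """Behaviour anomaly (0-60, saturates at 6 sigma) plus HR context (up to +40).

    Weights are assumptions chosen for the illustration, not a product's scoring.
    """
    z = zscore(event["user"], event["bytes_mb"])
    behaviour = min(60.0, max(0.0, z * 10.0))  # below-average volume scores 0
    ctx = hr.get(event["user"], {})
    context = 0
    if ctx.get("resignation_submitted"):
        context += 25
    if ctx.get("performance_flag"):
        context += 15
    return round(behaviour + context, 1)


def triage(events, threshold=50.0):
    """Return [(user, score)] for events whose context-aware score crosses the threshold."""
    scored = [(e["user"], context_score(e)) for e in events]
    return [(u, s) for u, s in scored if s >= threshold]


if __name__ == "__main__":
    for e in TODAY:
        print(f"{e['user']:6} static_alert={static_rule(e)} context_score={context_score(e)}")
    print("context-aware alerts:", triage(TODAY))
```

On the constructed data the static rule produces the two outcomes the article criticises: it fires on the analyst's 600 MB (noise, because that is within a few sigma of her normal volume) and stays silent on the HR assistant's 350 MB (a miss, because it is under the fixed threshold). The context-aware score inverts both: the analyst lands well under the triage line, while the assistant's volume is far outside his baseline and the resignation record pushes the score higher still.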
“With one customer, we were able to save 30% of the cost by just implementing Data Pipeline Manager as part of our SecOps offering. They were receiving 1 million events per second and 30 terabytes each day. We were able to reduce the data injection while giving them a better understanding of the risks and threats they needed to action,” says Biyani.
Securonix delivers its market-leading solutions through two core partner groups – managed security service providers and system integrators. The company does not compete with its partners. Unlike other solutions, the Securonix platform is built to be multi-tenanted, enabling organisations to design a system that works on-prem, in the cloud or on hybrid infrastructure.