Behavioral analytics vs. the rogue insider

The promise of User Behavioral Analytics is that it can go beyond simply detecting insider threats to predicting them. Some experts say that creates a significant privacy problem.


He agrees that there is a limited expectation of privacy in the workplace, especially on the corporate network. But he said a “creative advocate” for an employee could argue that, “UBA is so different from other types of monitoring that some sort of express reference to UBA needs to be provided in the notice.”

Loomis added that in states not governed by “right-to-work” laws, UBA “will cause legal issues if one terminates without cause other than predictive intelligence.”

And Gumbs said U.S. courts have ruled that workers have a reasonable expectation of privacy in the workplace. “I could not envision a scenario where behavioral prediction would not cross this line,” he said. “Only matters of national security could plausibly supersede such rulings.”


Advocates of UBA emphasize that it is not aimed just at tracking those with criminal intent. While malicious rogue employees can cause the most damage and tend to get the most headlines, they are relatively rare.

The much larger problem, they say, is from unintentional rogues – those with too many access privileges, who use “shadow” IT and/or who are simply lazy or careless.

“In our experience over-privileged scenarios account for approximately 65% of insider threat incidents, shadow IT 20% and carelessness 15%,” Nayyar said.

Moreland has a list of labels for such employees, including “access hoarders” who “gobble up as much access as they possibly can and refuse to relinquish any of it, even when it's no longer needed.”

Others, whom he calls “innovators,” are well intentioned – they are trying to be more productive – but one of the ways they do so is by circumventing IT policies.

Gumbs noted that the Verizon Data Breach Investigations Report found that, “privilege abuse is the most damaging of insider threats.”

But he added that not all abuse of access privileges is innocent, and does not necessarily mean an employee is over-privileged. “In the majority of cases, users had the proper level of privilege for their roles, they simply abused those privileges for personal or financial gain,” he said.

In those cases, he and other experts say identity and access management can reduce the security risks significantly.

“Over-privilege is a substantial concern,” Overly said. “In general, the majority of users in businesses today are over-privileged. The concept of least privilege is seldom implemented properly and even more seldom addressed as personnel duties change and evolve over time.”

Dennis Devlin, cofounder, CISO and senior vice president of privacy practice at SAVANTURE, said he sees the same thing. “In my experience most individuals who have been with an organization for a long time are over-privileged,” he said. “Access privileges are accretive and tend to grow over time. The law of least privileges exists not just to prevent malicious access, but also to prevent accidental or inadvertent disclosure.”

He said better access management could reduce the need for intrusive monitoring. “Appropriate privileges keep individuals in their respective ‘swim lanes,’ reduce the need for excessive monitoring and make SIEM analysis much more effective,” he said.

Beyond the legal and morale questions, however, the verdict is still out on how well UBA works.

Overly said in his experience, “it has a long way to go with regard to accuracy. All too often, the volume of false alarms causes the results to be disregarded when an actual threat is identified.”

Nayyar said it does work, through analysis of unusual or “anomalous” behaviors in things like geolocation, elevated permissions, connecting to an unknown IP or installing unknown software for backdoor access to sensitive data (see sidebar).

She provided an example of flagging rogue behavior: A software engineer who had resigned from a company and was leaving in a month exhibited behavior never seen before.

While on vacation, the employee “logged in from a previously unseen IP address, accessed a source code repository and downloaded sensitive files from a project he wasn't assigned to,” she said.

“Two days later, the engineer accessed multiple servers and moved the downloaded files to an NFS (Network File System) location, which he made mountable and attempted to sync the files to prohibited consumer cloud storage service.”

She said the user was flagged as soon as he created the NFS mount point, “based on predictive modeling, and his VPN connection was terminated.”
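A minimal sketch of the kind of scoring logic behind that example, added here as an illustration and not the article's or any vendor's code: it replays constructed events, treats a login from outside the user's IP baseline, access to an unassigned repository, creation of an NFS mount and a sync to an unapproved cloud service as findings, weights a departing user higher, and records the event at which the cumulative score first crosses a threshold (the point at which the article's system terminated the VPN session). The event shape, weights, threshold and baseline data are assumptions.

```python
from collections import defaultdict

# Constructed sample events loosely modeled on the article's scenario
# (not real logs), in chronological order.
EVENTS = [
    {"user": "eng1", "type": "login", "ip": "10.1.2.3"},
    {"user": "eng1", "type": "repo_access", "project": "billing"},
    {"user": "eng1", "type": "login", "ip": "203.0.113.7"},
    {"user": "eng1", "type": "repo_access", "project": "payments"},
    {"user": "eng1", "type": "nfs_mount_create", "path": "/export/stage"},
    {"user": "eng1", "type": "cloud_sync", "service": "consumer-drive"},
    {"user": "eng2", "type": "login", "ip": "10.1.2.9"},
    {"user": "eng2", "type": "repo_access", "project": "billing"},
]
# Constructed baseline and context that an IAM/HR feed would supply.
KNOWN_IPS = {"eng1": {"10.1.2.3"}, "eng2": {"10.1.2.9"}}
ASSIGNED_PROJECTS = {"eng1": {"billing"}, "eng2": {"billing"}}
DEPARTING_USERS = {"eng1"}  # resignation on file
APPROVED_CLOUD = {"corp-drive"}
# Assumed points per finding; a departing user gets +1 on every finding.
WEIGHTS = {"unseen_ip": 2, "unassigned_repo": 2,
           "nfs_mount_create": 2, "unapproved_cloud_sync": 3}
THRESHOLD = 8

def finding_for(event, known_ips, assigned):
    """Name the anomaly an event represents, or None if it looks normal."""
    t, u = event["type"], event["user"]
    if t == "login" and event["ip"] not in known_ips.get(u, set()):
        return "unseen_ip"
    if t == "repo_access" and event["project"] not in assigned.get(u, set()):
        return "unassigned_repo"
    if t == "nfs_mount_create":
        return "nfs_mount_create"
    if t == "cloud_sync" and event["service"] not in APPROVED_CLOUD:
        return "unapproved_cloud_sync"
    return None

def score_users(events, known_ips, assigned, departing, threshold=THRESHOLD):
    """Accumulate risk per user; record the event that first crossed the line."""
    state = defaultdict(lambda: {"score": 0, "findings": [], "blocked_at": None})
    for ev in events:
        f = finding_for(ev, known_ips, assigned)
        if f is None:
            continue  # normal activity adds nothing to the score
        u, s = ev["user"], state[ev["user"]]
        s["score"] += WEIGHTS[f] + (1 if u in departing else 0)
        s["findings"].append(f)
        if s["blocked_at"] is None and s["score"] >= threshold:
            s["blocked_at"] = ev["type"]  # where a responder would cut the session
    return dict(state)
```

Only users with at least one finding appear in the result, so a user whose activity stays inside the baseline never accumulates a score.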

But as effective as that sounds, even advocates of UBA warn that, like any security tool, it is a “layer” of protection, not a guarantee.

“Perfection cannot be achieved,” Overly said. “If an insider is intent on causing harm to the business, it may be impossible to prevent it.”

Copyright © 2015 IDG Communications, Inc.
