

Insider Threat Program Realities

Research Insights Report

By Jon Oltsik, ESG Senior Principal Analyst and ESG Fellow, July 2019

This ESG Research Insights Report was commissioned by Dtex Systems and is distributed under license from ESG.

Enterprise Strategy Group | Getting to the bigger truth.™

© 2019 by The Enterprise Strategy Group, Inc. All Rights Reserved.


Contents

Executive Summary

Current Challenges – The Daunting Task of Mitigating Insider Threats

  Perception Problem: Identifying the Full Scope of Insider Threats

  The Job of Protecting Organizations from Insider Threats Is Getting Harder

Insider Threat Strategies Need Improvement

The Bigger Truth

Appendix: Research Methodology and Respondent Demographics


Executive Summary

In May 2019, the Enterprise Strategy Group (ESG) completed a research survey of 300 cybersecurity and IT professionals with responsibilities for insider threat detection/response programs and technologies. Further description of the research methodology and survey demographics are presented in the appendix section of this report.

Based upon the research collected for this project, ESG concludes:

• Most organizations remain narrow-minded about the definition of insider threats. Most security professionals have a myopic view of insider threats, focusing on only one of the three cases: malicious insiders, compromised insiders, or negligent insiders. In reality, a robust insider threat program must establish controls and continuous oversight for each of these use cases.

• Insider threat detection is increasingly complex and challenging. Most organizations claim that insider threat detection is more difficult due to factors like growing attack sophistication, the use of public cloud infrastructure, and a growing attack surface. Additionally, organizations face many insider threat program challenges in areas like user behavior anomaly detection, user training, and a lack of appropriate levels of investment. These challenges open vulnerabilities for malicious insiders, employee negligence, and compromised accounts.

• Current solutions can be inefficient and ineffective. To mitigate risks associated with insider threats, many organizations employ technology controls like data loss prevention (DLP) software, user and entity behavior analytics (UEBA) solutions, and employee monitoring systems. Unfortunately, organizations report that these tools tend to be noisy, generate false positive alerts, and may compromise employee privacy. These issues indicate that CISOs and privacy officers may need to rethink their insider threat technology strategies and adopt a more comprehensive approach.

• Changes are in the works. Slowly but surely, business, privacy, and security executives are realizing that existing insider threat programs are either too draconian or too lenient to be effective. As a result, most organizations will increase their insider threat program budgets over the next few years and implement technologies based upon artificial intelligence and machine learning algorithms. Smart organizations will seek out non-intrusive data-driven solutions that balance algorithmic intelligence and business context to greatly increase insider threat detection accuracy and timeliness across malicious insider threats, negligent insider threats, and compromised accounts.

Current Challenges – The Daunting Task of Mitigating Insider Threats

Perception Problem: Identifying the Full Scope of Insider Threats

Just what is an insider threat? ESG believes this term is really a combination of three different types of users:

1. A threat to an organization’s cyber assets by a malicious insider.

2. A threat to an organization’s cyber assets by an external party who has successfully compromised an insider’s credentials.

3. A threat to an organization’s cyber assets by a negligent insider.

While these three situations seem obvious, only two-fifths (40%) of respondents correctly identify the full scope of insider vulnerabilities across all three areas (see Figure 1). Why is this important? Because organizations must fully understand all types of insider threats so they can deploy the right countermeasures and monitor risk on an ongoing basis. Those 60% of organizations maintaining a myopic view of insider threats may minimize defenses and/or visibility in one of these areas and will likely suffer as a result.


Figure 1. Identifying the Full Scope of Insider Threats

Source: Enterprise Strategy Group

Which of the following best characterizes your definition of an “insider threat?” (Percent of respondents, N=300)

A threat to my organization’s cyber assets conducted by a malicious insider: 31%

A threat to my organization’s cyber assets conducted by a malicious external party who has successfully compromised an insider’s system: 15%

A threat to my organization’s cyber assets conducted by a negligent insider: 13%

All of the above: 40%

None of the above: 2%

The Job of Protecting Organizations from Insider Threats Is Getting Harder

Many malicious insiders have a distinct advantage over cyber-defenders—they have legitimate credentials, they know what they are looking for, and they usually know where and how to get it. While this issue is top of mind, many organizations also downplay the impact of human error and negligent insiders who pose a constant vulnerability for organizations. Given these circumstances, it is not surprising that the majority of survey respondents (62%) believe insider threats have become more difficult to detect in the last two years (see Figure 2). This situation seems most apparent to IT leaders as opposed to less-senior respondents—29% of IT leaders claim that detecting insider threats is much more difficult than it was two years ago compared with just 16% of middle managers and staff.

Figure 2. Difficulty / Ease of Detecting Insider Threats Over the Past Two Years

Source: Enterprise Strategy Group

Which of the following statements best reflects your opinion of detecting insider threats at your organization? (Percent of respondents, N=300)

It is much more difficult to detect insider threats today than it was two years ago: 23%

It is somewhat more difficult to detect insider threats today than it was two years ago: 39%

It is no more difficult to detect insider threats today than it was two years ago: 20%

It is somewhat easier to detect insider threats today than it was two years ago: 14%

It is much easier to detect insider threats today than it was two years ago: 4%


Just why are insider threats growing more difficult to detect? The research points to several reasons, including the growing sophistication of attacks, the use of the public cloud, and an overall growing attack surface (see Figure 3). Malicious insiders can certainly escalate attack sophistication but organizations should also consider the impact of public cloud use and the effects of human negligence/error. New IT technologies and initiatives are bound to lead to issues like training deficiencies, human error, and compromised systems.

Figure 3. Factors Making Insider Threat Detection More Challenging

Source: Enterprise Strategy Group

You indicated that it is more difficult to detect insider threats today than it was two years ago. Why do you believe this to be the case? (Percent of respondents, N=187, multiple responses accepted)

Insider attacks have become more sophisticated: 43%

Increasing use of public cloud services makes it more difficult to monitor insider behavior: 37%

The attack surface at my organization has grown: 36%

We collect and process greater volumes of security data: 35%

Increased authorized and unauthorized use of personal devices and accounts for business purposes: 33%

The volume of security alarms has increased: 33%

Security analytics and operations are based upon a significant number of manual processes: 27%

There are more analytics tools for us to operate and manage: 26%

Difficult to manage changes in regulatory requirements: 24%

We have gaps in our security monitoring tools and processes: 24%

There is more oversight from senior business executives placing more pressure on the cybersecurity team: 23%

We don’t have the right skills and/or staff size to monitor/manage insider threats: 18%

The previous figure introduces a security paradox of sorts. More than one-third (35%) of organizations claim they collect and process greater volumes of security data. Common wisdom would suggest that collecting, processing, and analyzing more security data would help with insider threat detection but this doesn’t appear to be the case. In fact, 66% of respondents report struggling to turn data into actionable insights to detect insider threats (see Figure 4). Malicious insiders often “blend into the crowd” by conducting their attacks slowly over long periods of time while negligent insiders may do things like make legitimate but incorrect system configuration changes. In these cases, volumes of security data can make it difficult to spot behavioral anomaly “needles” within haystacks of routine activities.


Since attaining actionable insights is the real goal, organizations should strive for data quality over quantity. Insider threat data should cover all users, establish baselines of “normal” behavior for individuals and groups, and understand behavior in the context of business processes, best practices, and job responsibilities.

Figure 4. Difficulty Associated with Turning Security Data into Intelligence

Source: Enterprise Strategy Group

Considering all your organization’s security technologies in place, do you believe your organization has a difficult time turning data into actionable intelligence that can be used to detect insider threats? (Percent of respondents, N=300)

Yes, definitely: 16%

Yes, somewhat: 50%

No, not really: 22%

No, not at all: 10%

Don’t know: 2%

Insider Threat Strategies Need Improvement

Despite high levels of investment, the majority of respondents identify significant weaknesses with popular solutions (see Figure 5). For example:

• Two-thirds (66%) of respondents agree that DLP is good at identifying sensitive data, but it is difficult to create policies that align sensitive data with business context. This is one reason why DLP solutions are notoriously “noisy,” often generating high volumes of false positive alerts. Tuning DLP systems for accuracy can be a time-consuming slog.

• Sixty-two percent of respondents believe that employee monitoring solutions tend to be intrusive to employee privacy. This issue is central to insider threat programs. CISOs need visibility into employee behavior without assuming the role of Big Brother. Unfortunately, balancing security and privacy can be difficult, leading security teams to overstep established boundaries. Organizations need to consider solutions that anonymize user data and strip out PII as part of their design.

• Sixty-one percent of respondents claim that UEBA solutions tend to generate high volumes of false positive alerts. Similar to DLP, many UEBA tools lack business process context and simply generate an alert each time a user strays a bit from his or her normal routine. To separate genuine anomaly signals from noise, solutions must contextualize anomaly detection with comprehensive user monitoring and risk scoring. In this way, user intelligence solutions can determine which anomalies represent true threats and which merely reflect a new but benign pattern of routine activity.


Figure 5. Agreement that Popular Solutions Have Significant Issues

Source: Enterprise Strategy Group

The ESG data indicates that when it comes to insider threat programs, most existing technologies remain flawed in one way or another. Along with process problems and immature insider threat programs, this can lead to numerous challenges (see Figure 6). For example, 31% of organizations recognize that it is hard to detect insider threats because user behavior is extremely diverse. One user’s anomaly can be another’s routine. Furthermore, nearly one in four (24%) organizations are challenged with balancing employee monitoring and privacy. ESG believes this balance has grown more difficult with the implementation of privacy regulations like GDPR. Organizations want to improve their insider threat program without sacrificing employee privacy.

Data for Figure 5. In your opinion (i.e., your first-hand experiences and what you have heard and read), please rate your level of agreement with the following statements. (Percent of respondents)

UEBA solutions tend to generate a high number of false positive alerts (N=296): Agree 61%, Do not agree 39%

Employee monitoring solutions tend to be intrusive toward employee privacy (N=299): Agree 62%, Do not agree 38%

DLP solutions are good at identifying sensitive data but it is difficult to create policies that map content to business context (N=300): Agree 66%, Do not agree 33%

Figure 6. Biggest Insider Threat Challenges Anticipated

Source: Enterprise Strategy Group

Which of the following represent the biggest challenges for your organization’s insider threat program over the next 24 months? (Percent of respondents, N=178, five responses accepted, five most frequent responses shown)

It is hard to identify true insider threats because user behavior varies depending upon the role and function of employees: 31%

Challenging to balance threat monitoring with employee privacy requirements: 24%

Hard to provide the appropriate level of user training: 21%

Insufficient budget resources: 21%

Processes are too manual: 19%
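The two problems the report keeps returning to, UEBA alerting on every deviation from an individual baseline and the fact that one user's anomaly is another role's routine (the top challenge in Figure 6), can be made concrete with a small scoring routine. The Python below is an added example written for this page; it is not code from the ESG report, from Dtex Systems, or from any UEBA product. It scores each user's daily sensitive-file download count against the user's own trailing baseline and against the baseline of the other users in the same role, ranks "unusual for the user and for the role" above "unusual for the user but routine for the role," and keys its output by a keyed-hash pseudonym so the triage queue does not carry raw usernames. The users, roles, counts, the eight-day window, the 3-sigma threshold, and the pseudonymization key are all constructed assumptions.

```python
"""Contextual insider-threat triage over constructed user activity.

Added illustration for this page, not code from the ESG report or any
UEBA product. A day's sensitive-file download count is scored against
(1) the user's own trailing baseline and (2) the baseline of other users
in the same role, so behaviour that is unusual for one person but routine
for the role ranks below behaviour that is unusual for both.
"""
import hashlib
import hmac
from statistics import mean, pstdev

# Constructed sample (names, roles and counts are made up):
# user -> (role, daily download counts over the trailing eight days)
HISTORY = {
    "alice": ("engineer", [5, 6, 4, 7, 5, 6, 5, 6]),
    "bob":   ("engineer", [4, 5, 6, 5, 4, 6, 5, 5]),
    "erin":  ("engineer", [5, 5, 6, 4, 6, 5, 5, 4]),
    "carol": ("analyst",  [40, 38, 45, 42, 39, 44, 41, 43]),
    "dave":  ("analyst",  [41, 39, 42, 44, 40, 43, 42, 38]),
    "frank": ("analyst",  [3, 2, 4, 3, 2, 3, 4, 3]),  # recently moved into the role
}
# Constructed: today's counts. alice and dave spike; frank ramps up to the
# volume the other analysts handle every day; the rest stay within norm.
TODAY = {"alice": 45, "bob": 6, "erin": 5, "carol": 44, "dave": 120, "frank": 42}

Z_THRESHOLD = 3.0  # assumption: "anomalous" means > 3 sigma above a baseline
# Assumption: the key is held by the privacy function, not by SOC analysts,
# so unmasking a pseudonym is a deliberate, audited step.
PSEUDONYM_KEY = b"rotate-me-per-deployment"


def zscore(value, samples):
    """Standard score of value against samples. A flat history would give
    sigma = 0, so fall back to 1.0 to keep the score finite and comparable."""
    sigma = pstdev(samples) or 1.0
    return (value - mean(samples)) / sigma


def peer_samples(user):
    """Daily counts of the *other* users who share this user's role."""
    role = HISTORY[user][0]
    return [c for u, (r, hist) in HISTORY.items() if r == role and u != user for c in hist]


def naive_alerts(today=TODAY):
    """The per-user-only rule many UEBA deployments start with: alert whenever
    someone exceeds their own baseline, with no peer context."""
    return {u for u, n in today.items() if zscore(n, HISTORY[u][1]) >= Z_THRESHOLD}


def pseudonym(user):
    """Keyed hash so the triage queue carries a stable token, not a name."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def triage(today=TODAY):
    """Return {pseudonym: (level, user_z, peer_z)} using both baselines.

    high     - unusual for the user AND for the role (the classic exfil shape)
    elevated - unusual for the user but routine for peers (new duties? verify)
    normal   - within the user's own baseline
    """
    scored = {}
    for user, count in today.items():
        user_z = zscore(count, HISTORY[user][1])
        peer_z = zscore(count, peer_samples(user))
        if user_z < Z_THRESHOLD:
            level = "normal"
        elif peer_z < Z_THRESHOLD:
            level = "elevated"
        else:
            level = "high"
        scored[pseudonym(user)] = (level, round(user_z, 1), round(peer_z, 1))
    return scored


def by_level(today=TODAY):
    """Group raw usernames by level (the unmasked view an investigator gets
    only after a finding is confirmed)."""
    scored = triage(today)
    groups = {"normal": set(), "elevated": set(), "high": set()}
    for user in today:
        groups[scored[pseudonym(user)][0]].add(user)
    return groups


if __name__ == "__main__":
    print("per-user rule alone flags:", sorted(naive_alerts()))
    ranked = sorted(triage().items(), key=lambda kv: kv[1][1], reverse=True)
    for token, (level, user_z, peer_z) in ranked:
        print(f"{token}  {level:8s}  user_z={user_z:6.1f}  peer_z={peer_z:6.1f}")
```

Run as a script it prints the ranked queue. The per-user rule alone flags three users; adding the peer baseline leaves two at "high" and downgrades the analyst who has simply grown into the role's normal volume, which is the business-context step the report says DLP and UEBA tools commonly lack. In a real deployment the baseline would be kept per metric and per time window, the threshold tuned per role, and the pseudonym key held outside the SOC so that unmasking is a logged, deliberate action rather than the default view.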


In the past, many organizations minimized spending on insider threat programs, putting their trust in employee honesty and competence. This is reflected in current spending trends, as 24% of organizations spend between 4% and 6% of their cybersecurity budgets on insider threat programs while 22% invest between 7% and 10% of budgets (see Figure 7).

Moving forward, organizations are increasing insider threat program spending. On average, organizations plan to increase insider threat program spending around 8% over the next two years. ESG speculates that this increase has several root causes:

• A lack of employee trust. Cybersecurity professionals often refer to this newfound employee paranoia as the “Snowden effect,” referring to NSA contractor Edward Snowden’s public exposure of top secret NSA documents in 2013. Based upon this data breach, business and security executives now understand risks associated with malicious insiders and are willing to bolster spending on insider threat programs for risk mitigation.

• Growing IT complexity. As organizations move workloads to the public cloud, deploy IoT devices, and embrace digital transformation applications, they realize that it will be difficult for employees to keep up with these dynamic changes. While many firms will increase employee training, it’s also important to bolster insider threat programs to monitor employee behavior and identify human error and negligence that can greatly increase cyber-risk.

• Sophisticated attacks. Even the most diligent organizations may be compromised by targeted attacks from persistent adversaries. Therefore, insider threat programs must be prepared to detect things like credential theft due to various social engineering techniques.

Figure 7. Funding Allocated for Insider Threat Programs, Now and Future

Source: Enterprise Strategy Group

In your estimation, what percent of your organization’s cybersecurity budget is consumed by its insider threat program? (Percent of respondents, N=178)

Less than 1%: 9%

1% to 3%: 16%

4% to 6%: 24%

7% to 10%: 22%

11% to 15%: 10%

16% to 20%: 8%

21% to 25%: 2%

More than 25%: 5%

Don’t know: 4%

Mean percentage increase expected over next two years: 8.2%

Where will organizations invest these growing budget dollars? The data points toward insider threat technologies using artificial intelligence and machine learning (AI/ML) algorithms (see Figure 8). More than four out of five respondents (86%) report AI/ML is a tool that can be used for insider threat detection use cases. However, ESG believes the proper AI/ML technology will be able to contextualize and evolve accepted user behavior based upon changing user roles, business processes, and risk factors.

Figure 8. AI/ML Are Promising for Insider Threat Programs

Source: Enterprise Strategy Group

Do you believe that artificial intelligence and machine learning (AI/ML) can help your organization more effectively detect and respond to insider threats? (Percent of respondents, N=300)

Definitely, AI/ML is a game changer for insider threat detection: 26%

Somewhat, AI/ML is one of many tools that can help with insider threat detection: 60%

No, AI/ML technology is not mature enough to be applied to insider threats: 8%

Don’t know: 6%

The Bigger Truth

Existing cybersecurity solutions based upon simple rules, multiple point tools, and manual processes are no longer adequate for preventing, detecting, and responding to modern types of threats. While this is the case in many areas, this ESG research project reveals that this is especially true regarding insider threat programs. Alarmingly, implementing these programs continues to grow more difficult and current solutions like DLP, UEBA, and employee monitoring systems are often seen as inaccurate, cumbersome, or intrusive to employee privacy. Thus, these technologies don’t go far enough to mitigate growing risks.

The data also points to changes on the horizon, as many organizations will increase insider threat program budgets over the next few years. As part of these investments, ESG believes that organizations should assess their insider threat programs, making sure to emphasize:

• A comprehensive approach that includes all types of insider threats including malicious insiders, negligent insiders, and compromised accounts.

• A foundation of complete high-quality user data that can be used to monitor user behavior in the context of their job responsibilities and overall cyber-risk.

• An aggressive but cautious approach to AI/ML. Advanced analytics can help organizations improve threat detection, but poor, uninformed algorithms will only result in more noise, false positive alerts, and operational overhead. To improve accuracy, AI/ML solutions must also see and understand what users are interacting with and use this context to uncover truly risky behavior.

• An appreciation for employee privacy. Organizations must be sensitive to employees by focusing insider threat programs on threat detection and risk mitigation without resorting to “spying” techniques.

Finally, organizations should seek out technology partners with years of insider program experience and knowledge. These firms can help them establish thorough insider threat programs anchored by best practices that maximize efficacy and efficiency while eschewing draconian tactics.


Appendix: Research Methodology and Respondent Demographics

To gather data for this report, ESG conducted a comprehensive online survey of cybersecurity and IT professionals spending more than one-third of their day-to-day responsibilities focused on cybersecurity activities. Moreover, all respondents were required to be involved in their organizations’ purchase process for insider threat detection technologies.

Two-thirds (67%) of respondents were based in North America with the remainder (33%) based in the UK. All respondents were employed at organizations with 1,000 or more employees. Respondents represented numerous industry and government segments, with the largest participation coming from the manufacturing (23%), financial services (19%), information technology (12%), and health care (8%) verticals.

The survey was fielded between April 8, 2019 and May 1, 2019.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on several criteria) for data integrity, a final sample of 300 respondents remained.

All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents. Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.

The figures below detail the full demographics of the respondent base: individual respondents’ roles and influence over insider threat technology investments, as well as respondent organizations’ total number of employees, primary industry, and annual revenue.

Figure 9. Survey Respondents, by Insider Threat Technology Purchase Influence

Source: Enterprise Strategy Group

To what degree are you responsible for making purchase decisions related to insider threat detection/response technology products and services? (Percent of respondents, N=300)

I make/approve purchase decisions: 66%

I influence purchase decisions: 28%

I provide input for purchase decisions: 7%


Figure 10. Survey Respondents, by Role

Source: Enterprise Strategy Group

Which of the following best describes your current responsibility within your organization? (Percent of respondents, N=300)

IT management: 35%

Senior security management: 29%

Senior IT management: 23%

Cybersecurity analysis and/or operations: 5%

IT staff: 5%

Security management: 2%

Figure 11. Survey Respondents, by Company Size (Number of Employees)

Source: Enterprise Strategy Group

How many total employees does your organization have worldwide? (Percent of respondents, N=300)

1,000 to 2,499: 20%

2,500 to 4,999: 23%

5,000 to 9,999: 16%

10,000 to 19,999: 13%

20,000 or more: 27%


Figure 12. Survey Respondents, by Company Size (Revenue)

Source: Enterprise Strategy Group

What is your organization’s total annual revenue ($US)? (Percent of respondents, N=300)

Less than $100 million: 3%

$100 million to $249.999 million: 3%

$250 million to $499.999 million: 5%

$500 million to $749.999 million: 9%

$750 million to $999.999 million: 12%

$1 billion to $4.999 billion: 32%

$5 billion to $9.999 billion: 12%

$10 billion to $19.999 billion: 9%

$20 billion or more: 10%

Not applicable (e.g., public sector, non-profit): 4%

Figure 13. Survey Respondents, by Industry

Source: Enterprise Strategy Group

What is your organization’s primary industry? (Percent of respondents, N=300)

Manufacturing: 23%

Financial: 19%

Information Technology: 12%

Health Care: 8%

Business Services: 7%

Government: 7%

Retail/Wholesale: 6%

Communications & Media: 4%

Other: 13%


All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

www.esg-global.com [email protected] P. 508.482.0188

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides actionable insight and intelligence to the global IT community.
