© 2019 by The Enterprise Strategy Group, Inc. All Rights Reserved.
By Jon Oltsik, ESG Senior Principal Analyst and ESG Fellow
July 2019
This ESG Research Insights Report was commissioned by Dtex Systems and is distributed under license from ESG.
Enterprise Strategy Group | Getting to the bigger truth.™
Insider Threat Program Realities
Research Insights Report
Research Insights Report: Insider Threat Program Realities 2
Contents
Executive Summary, p. 3
Current Challenges – The Daunting Task of Mitigating Insider Threats, p. 3
Perception Problem: Identifying the Full Scope of Insider Threats, p. 3
The Job of Protecting Organizations from Insider Threats Is Getting Harder, p. 4
Insider Threat Strategies Need Improvement, p. 6
The Bigger Truth, p. 9
Appendix: Research Methodology and Respondent Demographics, p. 11
Executive Summary
In May 2019, the Enterprise Strategy Group (ESG) completed a research survey of 300 cybersecurity and IT professionals with responsibilities for insider threat detection/response programs and technologies. A further description of the research methodology and survey demographics is presented in the appendix of this report.
Based upon the research collected for this project, ESG concludes:
• Most organizations remain narrow-minded about the definition of insider threats. Most security professionals have a myopic view of insider threats, focusing only on malicious insiders, compromised insiders, or negligent insiders. In reality, a robust insider threat program must establish controls and continuous oversight for each type of use case.
• Insider threat detection is increasingly complex and challenging. Most organizations claim that insider threat detection is more difficult due to factors like growing attack sophistication, the use of public cloud infrastructure, and a growing attack surface. Additionally, organizations face many insider threat program challenges in areas like user behavior anomaly detection, user training, and a lack of appropriate levels of investment. These challenges open vulnerabilities for malicious insiders, employee negligence, and compromised accounts.
• Current solutions can be inefficient and ineffective. To mitigate risks associated with insider threats, many organizations employ technology controls like data loss prevention (DLP) software, user and entity behavior analytics (UEBA) solutions, and employee monitoring systems. Unfortunately, organizations report that these tools tend to be noisy, generate false positive alerts, and may compromise employee privacy. These issues indicate that CISOs and privacy officers may need to rethink their insider threat technology strategies and adopt a more comprehensive approach.
• Changes are in the works. Slowly but surely, business, privacy, and security executives are realizing that existing insider threat programs are either too draconian or too lenient to be effective. As a result, most organizations will increase their insider threat program budgets over the next few years and implement technologies based upon artificial intelligence and machine learning algorithms. Smart organizations will seek out non-intrusive data-driven solutions that balance algorithmic intelligence and business context to greatly increase insider threat detection accuracy and timeliness across malicious insider threats, negligent insider threats, and compromised accounts.
Current Challenges – The Daunting Task of Mitigating Insider Threats
Perception Problem: Identifying the Full Scope of Insider Threats
Just what is an insider threat? ESG believes this term is really a combination of three different types of users:
1. A threat to an organization’s cyber assets by a malicious insider.
2. A threat to an organization’s cyber assets by an external party who has successfully compromised an insider’s credentials.
3. A threat to an organization’s cyber assets by a negligent insider.
While these three situations seem obvious, only two-fifths (40%) of respondents correctly identify the full scope of insider vulnerabilities across all three areas (see Figure 1). Why is this important? Because organizations must fully understand all types of insider threats so they can deploy the right countermeasures and monitor risk on an ongoing basis. Those 60% of organizations maintaining a myopic view of insider threats may minimize defenses and/or visibility in one of these areas and will likely suffer as a result.
Figure 1. Identifying the Full Scope of Insider Threats
Source: Enterprise Strategy Group
The Job of Protecting Organizations from Insider Threats Is Getting Harder
Many malicious insiders have a distinct advantage over cyber-defenders—they have legitimate credentials, they know what they are looking for, and they usually know where and how to get it. While this issue is top of mind, many organizations also downplay the impact of human error and negligent insiders who pose a constant vulnerability for organizations. Given these circumstances, it is not surprising that the majority of survey respondents (62%) believe insider threats have become more difficult to detect in the last two years (see Figure 2). This situation seems most apparent to IT leaders as opposed to less-senior respondents—29% of IT leaders claim that detecting insider threats is much more difficult than it was two years ago compared with just 16% of middle managers and staff.
Figure 2. Difficulty / Ease of Detecting Insider Threats Over the Past Two Years
Source: Enterprise Strategy Group
Figure 1 data. Which of the following best characterizes your definition of an “insider threat?” (Percent of respondents, N=300)
A threat to my organization’s cyber assets conducted by a malicious insider, 31%
A threat to my organization’s cyber assets conducted by a malicious external party who has successfully compromised an insider’s system, 15%
A threat to my organization’s cyber assets conducted by a negligent insider, 13%
All of the above, 40%
None of the above, 2%
Figure 2 data. Which of the following statements best reflects your opinion of detecting insider threats at your organization? (Percent of respondents, N=300)
It is much more difficult to detect insider threats today than it was two years ago, 23%
It is somewhat more difficult to detect insider threats today than it was two years ago, 39%
It is no more difficult to detect insider threats today than it was two years ago, 20%
It is somewhat easier to detect insider threats today than it was two years ago, 14%
It is much easier to detect insider threats today than it was two years ago, 4%
Just why are insider threats growing more difficult to detect? The research points to several reasons, including the growing sophistication of attacks, the use of the public cloud, and an overall growing attack surface (see Figure 3). Malicious insiders can certainly escalate attack sophistication, but organizations should also consider the impact of public cloud use and the effects of human negligence/error. New IT technologies and initiatives are bound to lead to issues like training deficiencies, human error, and compromised systems.
Figure 3. Factors Making Insider Threat Detection More Challenging
Source: Enterprise Strategy Group
The previous figure introduces a security paradox of sorts. More than one-third (35%) of organizations claim they collect and process greater volumes of security data. Common wisdom would suggest that collecting, processing, and analyzing more security data would help with insider threat detection, but this doesn’t appear to be the case. In fact, 66% of respondents report struggling to turn data into actionable insights to detect insider threats (see Figure 4). Malicious insiders often “blend into the crowd” by conducting their attacks slowly over long periods of time, while negligent insiders may do things like make legitimate but incorrect system configuration changes. In these cases, volumes of security data can make it difficult to spot behavioral anomaly “needles” within haystacks of routine activities.
Figure 3 data. You indicated that it is more difficult to detect insider threats today than it was two years ago. Why do you believe this to be the case? (Percent of respondents, N=187, multiple responses accepted)
Insider attacks have become more sophisticated, 43%
Increasing use of public cloud services makes it more difficult to monitor insider behavior, 37%
The attack surface at my organization has grown, 36%
We collect and process greater volumes of security data, 35%
Increased authorized and unauthorized use of personal devices and accounts for business purposes, 33%
The volume of security alarms has increased, 33%
Security analytics and operations are based upon a significant number of manual processes, 27%
There are more analytics tools for us to operate and manage, 26%
Difficult to manage changes in regulatory requirements, 24%
We have gaps in our security monitoring tools and processes, 24%
There is more oversight from senior business executives placing more pressure on the cybersecurity team, 23%
We don’t have the right skills and/or staff size to monitor/manage insider threats, 18%
Since attaining actionable insights is the real goal, organizations should strive for data quality over quantity. Insider threat data should cover all users, establish baselines of “normal” behavior for individuals and groups, and understand behavior in the context of business processes, best practices, and job responsibilities.
Figure 4. Difficulty Associated with Turning Security Data into Intelligence
Source: Enterprise Strategy Group
Insider Threat Strategies Need Improvement
Despite high levels of investment, the majority of respondents identify significant weaknesses with popular solutions (see Figure 5). For example:
• Two-thirds (66%) of respondents agree that DLP is good at identifying sensitive data, but it is difficult to create policies that align sensitive data with business context. This is one reason why DLP solutions are notoriously “noisy,” often generating high volumes of false positive alerts. Tuning DLP systems for accuracy can be a time-consuming slog.
• Sixty-two percent of respondents believe that employee monitoring solutions tend to be intrusive to employee privacy. This issue is central to insider threat programs. CISOs need visibility into employee behavior without assuming the role of Big Brother. Unfortunately, balancing security and privacy can be difficult, leading security teams to overstep established boundaries. Organizations need to consider solutions that anonymize user data and strip out PII as part of their design.
• Sixty-one percent of respondents claim that UEBA solutions tend to generate high volumes of false positive alerts. Similar to DLP, many UEBA tools lack business process context and simply generate an alert each time a user strays a bit from his or her normal routine. To separate user anomaly signals from noise, solutions must contextualize anomaly detection with comprehensive user monitoring and risk scoring algorithms. In this way, user intelligence solutions can determine which anomalies represent true threats and which ones indicate a new type of pedestrian user action.
Figure 4 data. Considering all your organization’s security technologies in place, do you believe your organization has a difficult time turning data into actionable intelligence that can be used to detect insider threats? (Percent of respondents, N=300)
Yes, definitely, 16%
Yes, somewhat, 50%
No, not really, 22%
No, not at all, 10%
Don’t know, 2%
Figure 5. Agreement that Popular Solutions Have Significant Issues
Source: Enterprise Strategy Group
The ESG data indicates that when it comes to insider threat programs, most existing technologies remain flawed in one way or another. Along with process problems and immature insider threat programs, this can lead to numerous challenges (see Figure 6). For example, 31% of organizations recognize that it is hard to detect insider threats because user behavior is extremely diverse. One user’s anomaly can be another’s routine. Furthermore, nearly one in four (24%) organizations are challenged with balancing employee monitoring and privacy. ESG believes this balance has grown more difficult with the implementation of privacy regulations like GDPR. Organizations want to improve their insider threat program without sacrificing employee privacy.
Figure 6. Biggest Insider Threat Challenges Anticipated
Source: Enterprise Strategy Group
Figure 5 data. In your opinion (i.e., your first-hand experiences and what you have heard and read), please rate your level of agreement with the following statements. (Percent of respondents)
DLP solutions are good at identifying sensitive data but it is difficult to create policies that map content to business context (N=300): Agree 66%, Do not agree 33%
Employee monitoring solutions tend to be intrusive toward employee privacy (N=299): Agree 62%, Do not agree 38%
UEBA solutions tend to generate a high number of false positive alerts (N=296): Agree 61%, Do not agree 39%
Figure 6 data. Which of the following represent the biggest challenges for your organization’s insider threat program over the next 24 months? (Percent of respondents, N=178, five responses accepted, five most frequent responses shown)
It is hard to identify true insider threats because user behavior varies depending upon the role and function of employees, 31%
Challenging to balance threat monitoring with employee privacy requirements, 24%
Hard to provide the appropriate level of user training, 21%
Insufficient budget resources, 21%
Processes are too manual, 19%
In the past, many organizations minimized spending on insider threat programs, putting their trust in employee honesty and competence. This is reflected in current spending trends, as 24% of organizations spend between 4% and 6% of their cybersecurity budgets on insider threat programs while 22% invest between 7% and 10% of budgets (see Figure 7).
Moving forward, organizations are increasing insider threat program spending. On average, organizations plan to increase insider threat program spending around 8% over the next two years. ESG speculates that this increase has several root causes:
• A lack of employee trust. Cybersecurity professionals often refer to this newfound employee paranoia as the “Snowden effect,” referring to NSA contractor Edward Snowden’s public exposure of top secret NSA documents in 2013. Based upon this data breach, business and security executives now understand risks associated with malicious insiders and are willing to bolster spending on insider threat programs for risk mitigation.
• Growing IT complexity. As organizations move workloads to the public cloud, deploy IoT devices, and embrace digital transformation applications, they realize that it will be difficult for employees to keep up with these dynamic changes. While many firms will increase employee training, it’s also important to bolster insider threat programs to monitor employee behavior and identify human error and negligence that can greatly increase cyber-risk.
• Sophisticated attacks. Even the most diligent organizations may be compromised by targeted attacks from persistent adversaries. Therefore, insider threat programs must be prepared to detect things like credential theft due to various social engineering techniques.
Figure 7. Funding Allocated for Insider Threat Programs, Now and Future
Source: Enterprise Strategy Group
Figure 7 data. In your estimation, what percent of your organization’s cybersecurity budget is consumed by its insider threat program? (Percent of respondents, N=178)
Less than 1%, 9%
1% to 3%, 16%
4% to 6%, 24%
7% to 10%, 22%
11% to 15%, 10%
16% to 20%, 8%
21% to 25%, 2%
More than 25%, 5%
Don’t know, 4%
Mean percentage increase expected over next two years: 8.2%
Where will organizations invest these growing budget dollars? The data points toward insider threat technologies using artificial intelligence and machine learning (AI/ML) algorithms (see Figure 8). More than four out of five respondents (86%) report AI/ML is a tool that can be used for insider threat detection use cases. However, ESG believes the proper AI/ML technology will be able to contextualize and evolve accepted user behavior based upon changing user roles, business processes, and risk factors.
Figure 8. AI/ML Are Promising for Insider Threat Programs
Source: Enterprise Strategy Group
Figure 8 data. Do you believe that artificial intelligence and machine learning (AI/ML) can help your organization more effectively detect and respond to insider threats? (Percent of respondents, N=300)
Definitely, AI/ML is a game changer for insider threat detection, 26%
Somewhat, AI/ML is one of many tools that can help with insider threat detection, 60%
No, AI/ML technology is not mature enough to be applied to insider threats, 8%
Don’t know, 6%
The Bigger Truth
Existing cybersecurity solutions based upon simple rules, multiple point tools, and manual processes are no longer adequate for preventing, detecting, and responding to modern types of threats. While this is the case in many areas, this ESG research project reveals that this is especially true regarding insider threat programs. Alarmingly, implementing these programs continues to grow more difficult and current solutions like DLP, UEBA, and employee monitoring systems are often seen as inaccurate, cumbersome, or intrusive to employee privacy. Thus, these technologies don’t go far enough to mitigate growing risks.
The data also points to changes on the horizon, as many organizations will increase insider threat program budgets over the next few years. As part of these investments, ESG believes that organizations should assess their insider threat programs, making sure to emphasize:
• A comprehensive approach that includes all types of insider threats including malicious insiders, negligent insiders, and compromised accounts.
• A foundation of complete high-quality user data that can be used to monitor user behavior in the context of their job responsibilities and overall cyber-risk.
• An aggressive but cautious approach to AI/ML. Advanced analytics can help organizations improve threat detection, but poor, uninformed algorithms will only result in more noise, false positive alerts, and operational overhead. To improve accuracy, AI/ML solutions must also see and understand what users are interacting with and use this context to uncover truly risky behavior.
• An appreciation for employee privacy. Organizations must be sensitive to employees by focusing insider threat programs on threat detection and risk mitigation without resorting to “spying” techniques.
Finally, organizations should seek out technology partners with years of insider program experience and knowledge. These firms can help them establish thorough insider threat programs anchored by best practices that maximize efficacy and efficiency while eschewing draconian tactics.
Appendix: Research Methodology and Respondent Demographics
To gather data for this report, ESG conducted a comprehensive online survey of cybersecurity and IT professionals spending more than one-third of their day-to-day responsibilities focused on cybersecurity activities. Moreover, all respondents were required to be involved in their organizations’ purchase process for insider threat detection technologies.
Two-thirds (67%) of respondents were based in North America with the remainder (33%) based in the UK. All respondents were employed at organizations with 1,000 or more employees. Respondents represented numerous industry and government segments, with the largest participation coming from the manufacturing (23%), financial services (19%), information technology (12%), and health care (8%) verticals.
The survey was fielded between April 8, 2019 and May 1, 2019.
After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on several criteria) for data integrity, a final sample of 300 respondents remained.
All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.
Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.
The figures below detail the full demographics of the respondent base: individual respondents’ roles and influence over insider threat technology investments, as well as respondent organizations’ total number of employees, primary industry, and annual revenue.
Figure 9. Survey Respondents, by Insider Threat Technology Purchase Influence
Source: Enterprise Strategy Group
Figure 9 data. To what degree are you responsible for making purchase decisions related to insider threat detection/response technology products and services? (Percent of respondents, N=300)
I make/approve purchase decisions, 66%
I influence purchase decisions, 28%
I provide input for purchase decisions, 7%
Figure 10. Survey Respondents, by Role
Source: Enterprise Strategy Group
Figure 11. Survey Respondents, by Company Size (Number of Employees)
Source: Enterprise Strategy Group
Figure 10 data. Which of the following best describes your current responsibility within your organization? (Percent of respondents, N=300)
IT management, 35%
Senior security management, 29%
Senior IT management, 23%
Cybersecurity analysis and/or operations, 5%
IT staff, 5%
Security management, 2%
Figure 11 data. How many total employees does your organization have worldwide? (Percent of respondents, N=300)
1,000 to 2,499, 20%
2,500 to 4,999, 23%
5,000 to 9,999, 16%
10,000 to 19,999, 13%
20,000 or more, 27%
Figure 12. Survey Respondents, by Company Size (Revenue)
Source: Enterprise Strategy Group
Figure 13. Survey Respondents, by Industry
Source: Enterprise Strategy Group
Figure 12 data. What is your organization’s total annual revenue ($US)? (Percent of respondents, N=300)
Less than $100 million, 3%
$100 million to $249.999 million, 3%
$250 million to $499.999 million, 5%
$500 million to $749.999 million, 9%
$750 million to $999.999 million, 12%
$1 billion to $4.999 billion, 32%
$5 billion to $9.999 billion, 12%
$10 billion to $19.999 billion, 9%
$20 billion or more, 10%
Not applicable (e.g., public sector, non-profit), 4%
Figure 13 data. What is your organization’s primary industry? (Percent of respondents, N=300)
Manufacturing, 23%
Financial, 19%
Information Technology, 12%
Health Care, 8%
Business Services, 7%
Government, 7%
Retail/Wholesale, 6%
Communications & Media, 4%
Other, 13%
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
www.esg-global.com [email protected] P. 508.482.0188
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides actionable insight and intelligence to the global IT community.