If you are in the management chain of your organization’s security operations, you may be wondering why your risk management or compliance teams have been especially interested in your approach to mitigating insider threats in recent months. And you may have even found yourself stepping through the list of controls you have in place, such as least-privilege access, deep packet inspection, or even physically disabled USB ports.
The reason they are asking is that, according to the 2020 Verizon Data Breach Investigations Report, errors are cited as the second-highest breach-enabling action, tied with social engineering, and now even more common than malware. And yet, had those same teams asked how likely it is that your next breach investigation will trace back to the carelessness, negligence, or even honest mistakes of one or more of your users (however unknowingly) creating the vulnerability that an external attacker exploited, your response may have been more affirming—you know full well that mistakes and misconfigurations often create the vulnerabilities that allow breaches to occur.
It’s a classic problem. We tend to see the problem as “out there.” As a result, reframing the insider threat problem to also include those actions born of accidents, ignorance, and arrogance—regardless of the intent of the internal actor—is a step that many organizations overlook. But those organizations that make double-checking and monitoring for user errors and device misbehaviors part of their security routine actually lower their risk because their risk management and compliance teams are able to build more robust insider threat mitigation programs.
Most employees have become accustomed to cyber-hygiene awareness programs and required employee cybersecurity (“think before you click”) trainings. Managing errors is no different. The next natural evolution of an effective insider threat mitigation program is the monitoring and enforcement of user behavior, whether end users, executives, or systems administrators. However, until the recent advances of user and entity behavior analytics (UEBA) and the widespread adoption of machine learning (ML), monitoring the behavior of everyone on (or off) the network would have been a nearly impossible task. Attempting to apply a rules-based approach to catching all of the strange things that users might do that could introduce vulnerabilities into the system could quickly become an overwhelming task rife with noise and false positives.
Introducing FortiSIEM 6.1 with “FortiInsight Inside”
FortiSIEM 6.1 includes the same powerful UEBA analytics engine used by FortiInsight, Fortinet’s market-leading stand-alone UEBA solution. Leveraging machine learning and statistical methodologies to baseline normal behavior and incorporate real-time actionable insights, FortiSIEM UEBA monitors for anomalous user behavior that may be indicative of a threat. By combining telemetry pulled from endpoint sensors, network device flows, server and application logs, and cloud APIs, FortiSIEM is able to build comprehensive profiles of users, peer groups, endpoints, applications, files, and networks. FortiSIEM UEBA behavioral anomaly detection is a low-overhead but high-fidelity way to gain visibility into end-to-end activity, from endpoints to on-premises servers and from network activity to cloud applications.
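To make the statistical baselining described above concrete, here is an added illustration written for this page (not FortiSIEM's or FortiInsight's engine): it scores a user's daily cloud upload volume against both their own history and their peer group, and floors the standard deviation so a flat history cannot produce unbounded scores. The log format, metric, user names and peer groups are constructed.

```python
# Toy UEBA-style baselining (added illustration, not FortiSIEM's algorithm):
# per-user and peer-group statistics over constructed log lines, scored as z-scores.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: date,user,peer_group,MB uploaded to cloud apps that day.
SAMPLE_LOG = """\
2020-09-01,alice,finance,10
2020-09-02,alice,finance,14
2020-09-03,alice,finance,12
2020-09-01,bob,finance,20
2020-09-02,bob,finance,22
2020-09-03,bob,finance,18
2020-09-01,carol,eng,300
2020-09-02,carol,eng,300
"""
MIN_STDEV = 1.0  # floor: a perfectly flat history must not yield infinite scores

def parse(log):
    rows = []
    for line in log.splitlines():
        date, user, group, value = line.split(",")
        rows.append((date, user, group, float(value)))
    return rows

def build_baselines(rows):
    """Return {'user': {name: (mean, stdev)}, 'group': {name: (mean, stdev)}}."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for _, user, group, value in rows:
        per_user[user].append(value)
        per_group[group].append(value)
    def stats(vals):
        return (mean(vals), max(pstdev(vals), MIN_STDEV))
    return {"user": {u: stats(v) for u, v in per_user.items()},
            "group": {g: stats(v) for g, v in per_group.items()}}

def score(baselines, user, group, value):
    """z-score against the user's own history and against the peer group; activity
    normal for the group but abnormal for the user (or the reverse) still matters."""
    scores = {}
    for scope, key in (("user", user), ("group", group)):
        if key in baselines[scope]:
            mu, sigma = baselines[scope][key]
            scores[scope] = (value - mu) / sigma
        else:
            scores[scope] = None  # no history at all: cannot baseline, route for review
    return scores

def is_anomalous(scores, threshold=3.0):
    return any(z is None or abs(z) >= threshold for z in scores.values())
```

A never-seen user scores as None and is routed for review rather than silently treated as normal, which is the tuning decision a rules-based approach tends to get wrong in either direction.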
The shift to cloud-based applications has made comprehensive security operations monitoring even more complex, which was exacerbated even further by the massive shift to remote work due to COVID-19. The new corporate network edge is the remote worker’s home network. And historically, this is beyond the scope of security teams to monitor. But now, by employing FortiSIEM UEBA telemetry agents on remote endpoints, end-user devices can serve as early warning systems should the remote worker’s user accounts or devices come under attack and start to exhibit anomalous behaviors.
Even when not connected to the corporate network, the FortiSIEM UEBA telemetry agent still monitors for unusual usage, including interactions with cloud-based applications. It can then send that telemetry data to a cloud-based collector or simply store it for the next time the user connects in.
Learn more about the types of insider threats in our eBook, “Recognizing the Many Faces of Insider Threats.”
Find out more about FortiSIEM 6.1 and its new UEBA capabilities.