SIEM Alone Can’t Stop Insider Threats

by Pablo Guilamo

Hackers come in many forms. They could be a single person acting alone or an organized group of individuals with nefarious intent. With so many possible origin points and numerous varieties of attacks it can be very difficult to prevent them all, let alone figure out where they are coming from and who is perpetrating them. Owing to how complicated investigating and solving these incidents can be, sometimes it is easier to think about the attack itself and defend against it, rather than try to stop every single attack. This might work in the short-term, but longer-term this approach does not guarantee that the attacker will not be back again. To make matters worse, the attacker might be closer than you realise.

Insider threats are a recurring problem for enterprise security as those with malicious intent are given direct access to the network infrastructure. Often, an insider threat is a disgruntled employee or ex-employee who still has access to your systems, or they could be a spy working for a third party to steal confidential and sensitive information. The most dangerous insider threats are the employees who are not even aware they are the cause of the problem. Due to ignorance or carelessness, the accidental threat looms large whereby employees may have allowed harmful malware onto the system unintentionally. It is a very complicated process to identify an insider threat, and this has led to some businesses adopting a ‘zero trust’ policy. This is a model based on the principle of maintaining strict access controls and not trusting anyone by default, especially individuals already inside the network perimeter.

There is technology designed to help fight against insider threats and the most commonly used are aptly called Security Information and Event Management (SIEM) tools. SIEM tracks and collects system events captured in firewalls, workstations, network appliances and more, it then collates them all into one database for easy viewing. This data can then be analysed for any anomalous events captured and an alert sent to the security team, allowing them to take instant action to remedy the situation.

With a growing number of devices connected to the enterprise network, the number of records the SIEM tool must monitor and analyse is growing. To solve this problem the device administrator creates a profile of the system during peace time. Then the SIEM is pre-configured with rules that help to identify when something unusual has happened and so when to trigger an alert. That way only what is seen as unusual gets flagged and the normal traffic is ignored. For general cyber security this works well and this is the reason why SIEM tools are so widely adopted. However, when pin-pointing the origin of an insider threat the information is simply too broad.

SIEM can track anomalies across an entire network and flag up dangerous events to the security teams, however it is always reactionary and cannot supply intelligence around the individuals who may have caused the event. This data is vital for countering insider threats as the key to defending against it is identifying the individuals involved. SIEM tools by themselves cannot stop insider threats, but there are tools that can support SIEMs to improve on this, these are called User Behaviour Analytics (UBA) tools.

UBA tools function in a very similar way to SIEMs. A baseline is laid out identifying what is normal and what is abnormal and then the UBA scans for events that fall into the latter category. The difference is that, as the name implies, UBA looks at the actions of individual users in the internal enterprise network as opposed to the whole infrastructure. The UBA can quickly identify user deviations from what is considered the norm and generate an alert. Utilizing this method, the source of the attack can be identified instead of just the attack itself, helping develop a definite solution to stop the root cause.

UBA can spot changes in the activity of employees that signal insider data theft or IT sabotage. It can also tell whether an employee’s credentials are being used by outsiders by identifying whether the access is coming from within the internal network or from the outside. UBA gives a greater level of visibility and intelligence that SIEMs cannot provide on their own. It provides organisations with multiple ways in which statistics can be analysed and offers both numerical and categorical data. This allows security professionals to prevent insider attacks before they happen, making UBA proactive instead of responsive.

An important fact to note is that UBA tools cannot work on a standalone basis. UBA is a complement to SIEMs and so both must be implemented for the greatest level of defence and intelligence. Utilising a combination of both SIEM and UBA allows for maximum visibility of the full network and the individual users on that network. This allows security teams to keep the organisation safe from outside threats while simultaneously preventing inside threats from launching a surprise attack. The ultimate in cyber defence.

SIEM is a valuable cyber security tool. It provides wide visibility across the network but requires the precise intelligence on the individual users that UBA offers. Insider threats are rising in prominence as a cyber security threat and SIEM alone simply cannot supply enough data to fight against it and can only react when the attack has already occurred. To be proactive in preventing and identifying insider threats UBA needs to be adopted alongside SIEM so that both can be used in tandem to protect the business from both outsider and insider threats.

By Pablo Guilamo