Just about every company has a network security engineer. And if a company doesn’t have one, it’s probably on the hunt; a quick search on LinkedIn will offer a long list of places seeking a guardian of all things network related.
A network security engineer is a critical role: it safeguards servers and systems against outsiders who want to steal vital information. But a network security engineer typically has the tools and organizational backing to focus only on external threats, and so never addresses the actual leading cause of security incidents and breaches: insider threats.
Consider that a 2015 Verizon report on data breaches found that 90 percent of security incidents start with people – a company’s business users, privileged users and third parties. Whether intentional or accidental, the people who have access to your applications, data and systems are the ones who make breaches possible.
So perhaps it’s time that security-minded organizations create a new role to address insider threats: the user security engineer. This doesn’t need to be an actual person so much as a new mindset; to stop threats from the insider, you have to understand the behavior of your users.
Applying User Behavior Analytics to Stop Insider Threats
A user security engineer would start work facing a difficult but not impossible task. In a recent insider threat study by ObserveIT and LinkedIn Information Security, three out of four information security professionals said it’s hard to distinguish legitimate from abusive user behavior. It’s tough to notice when an employee is performing a regular task with legitimate access or is acting out of turn, either negligently or maliciously.
Not that everyone should be viewed with suspicion, but a user security engineer can’t play favorites. The jobholder needs to monitor everyone with insider access to sensitive applications, data or systems. This includes rank-and-file employees, privileged users, as well as third-party vendors such as managed service providers and IT consultants.
Rather than watching and reacting to a continual onslaught of log-based security events, a user security engineer would focus on a user-centric view of security. They would use user behavior analytics to identify and prioritize their riskiest users and to clearly understand what those users are doing to put the company at risk.
Here are just a few types of behaviors that are critical to detect and stop:
- Running application reports that export large amounts of customer data.
- “Innocently” uploading sensitive data to a third-party cloud application.
- Deliberately sharing sensitive data with others via email, cloud application, thumb drive, etc.
- Responding to a phishing email, granting credentialed access to a hacker.
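The list above is what a user-centric view has to turn into scores. The following is an added example, not ObserveIT's product or any code from the original post: a small rule-based scorer that walks a constructed activity log (not real data), maps each of the four behaviors to a weighted finding, and ranks users by total risk so the noisiest user floats to the top rather than the noisiest log source. Thresholds, weights, the sanctioned-cloud and phishing host lists and every user name are hypothetical policy values chosen for the demonstration.

```python
"""Rule-based user risk scoring over a constructed activity log.

Each event is a dict describing who did something, what they did, and
enough detail to judge it. The rules map the four insider behaviours in the
post to weighted findings; the per-user total is the "risk score" a
user-centric view would rank on. All hosts, thresholds and names below are
illustrative assumptions, not values from the original article.
"""
from collections import defaultdict

# Hypothetical policy values.
EXPORT_ROW_THRESHOLD = 10_000                 # a "large" customer-data export
SANCTIONED_CLOUD_HOSTS = {"corp-sharepoint.example", "crm.example"}
CORPORATE_MAIL_DOMAIN = "example.com"
PHISHING_HOSTS = {"login-example-secure.co", "sso-verify.example.net"}
REMOVABLE_PREFIXES = ("E:\\", "F:\\", "/media/usb")

WEIGHTS = {
    "large_export": 40,          # bulk report export of sensitive data
    "cloud_upload": 25,          # sensitive file to an unsanctioned cloud host
    "external_share": 30,        # sensitive attachment mailed outside the company
    "removable_copy": 30,        # sensitive file copied to removable media
    "phishing_credentials": 50,  # password entered on a known phishing host
}

# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "report_export", "report": "customers_all", "rows": 48_200, "sensitive": True},
    {"user": "alice", "action": "file_upload", "host": "drive.personal-cloud.example", "sensitive": True},
    {"user": "bob", "action": "file_upload", "host": "corp-sharepoint.example", "sensitive": True},
    {"user": "bob", "action": "report_export", "report": "monthly_summary", "rows": 120, "sensitive": False},
    {"user": "carol", "action": "file_copy", "dest": "E:\\backup\\payroll.xlsx", "sensitive": True},
    {"user": "carol", "action": "email_send", "to": "friend@gmail.example", "attachment_sensitive": True},
    {"user": "dave", "action": "url_click", "host": "login-example-secure.co"},
    {"user": "dave", "action": "form_submit", "host": "login-example-secure.co", "field": "password"},
    {"user": "erin", "action": "url_click", "host": "news.example.org"},
]


def findings_for(event, clicked_hosts):
    """Return the (rule, description) findings one event triggers.

    clicked_hosts is the set of hosts this user has already clicked through
    to; a password submission only counts as a phishing response when it
    follows a click on a known phishing host, so a stray POST is not scored.
    """
    action = event["action"]
    out = []
    if action == "report_export" and event.get("sensitive") and event["rows"] >= EXPORT_ROW_THRESHOLD:
        out.append(("large_export", f"exported {event['rows']} rows from {event['report']}"))
    elif action == "file_upload" and event.get("sensitive") and event["host"] not in SANCTIONED_CLOUD_HOSTS:
        out.append(("cloud_upload", f"uploaded sensitive file to {event['host']}"))
    elif action == "email_send" and event.get("attachment_sensitive") \
            and not event["to"].endswith("@" + CORPORATE_MAIL_DOMAIN):
        out.append(("external_share", f"mailed sensitive attachment to {event['to']}"))
    elif action == "file_copy" and event.get("sensitive") and event["dest"].startswith(REMOVABLE_PREFIXES):
        out.append(("removable_copy", f"copied sensitive file to {event['dest']}"))
    elif action == "url_click":
        clicked_hosts.add(event["host"])  # remember for the phishing rule below
    elif action == "form_submit" and event.get("field") == "password" \
            and event["host"] in PHISHING_HOSTS and event["host"] in clicked_hosts:
        out.append(("phishing_credentials", f"entered password on phishing host {event['host']}"))
    return out


def score_users(events):
    """Aggregate findings and weighted scores per user; every seen user appears."""
    clicked = defaultdict(set)
    profiles = defaultdict(lambda: {"score": 0, "findings": []})
    for ev in events:
        user = ev["user"]
        profile = profiles[user]
        for rule, desc in findings_for(ev, clicked[user]):
            profile["score"] += WEIGHTS[rule]
            profile["findings"].append((rule, desc))
    return dict(profiles)


def rank_users(events):
    """Users ordered by descending risk score, then name for a stable list."""
    profiles = score_users(events)
    return sorted(((u, p["score"]) for u, p in profiles.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    profiles = score_users(SAMPLE_EVENTS)
    for user, score in rank_users(SAMPLE_EVENTS):
        print(f"{user:6} {score:3}")
        for rule, desc in profiles[user]["findings"]:
            print(f"       {rule}: {desc}")
```

The rules are deliberately crude; the point is the shape of the output, one row per user with the reasons attached, which is what lets an analyst look at the top of the list first instead of triaging every export or upload event in arrival order. Bob's sanctioned upload and small report score nothing, which is the "legitimate versus abusive" distinction the ObserveIT survey respondents said they struggle with.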
You can think of the user security engineer as the role responsible for enforcing the security policy everyone signs and acknowledges on their first day at work and then never actually adheres to. With the right user behavior-based security solution, an insider threat security program will be the best return on investment in a world that has over-invested, to diminishing returns, in perimeter and network security.
Dimitri Vlachos, VP of Marketing, ObserveIT
ObserveIT is the leader in user behavior monitoring and analytics that enables companies to mitigate the risk of insider threats from business users, privileged users, and third-party contractors.
ObserveIT records, monitors, and analyses user behavior across the entire enterprise down to the application field level with zero operational impact. Analytics and scoring identify users who represent the greatest risk, enabling security teams to respond before the business is impacted. Our granular user activity logs provide a detailed audit trail of all user behavior to streamline compliance and internal audits.
ObserveIT is trusted by over 1,200 customers in 70 countries across all verticals. For more information on ObserveIT, visit www.ObserveIT.com, or find us on Twitter @ObserveIT.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.