What is a Behavioral Risk Indicator? Demystifying Insider Risk Indicators
2024-02-07 13:00:26 Author: securityboulevard.com

Insiders – the people with legitimate access to an organization’s data and systems – are the root cause of most cybersecurity incidents. Because insiders are human, insider risk is complex. Their behaviors and intentions can manifest in a multitude of ways, and they don’t always add up. An unusual action does not necessarily translate into an intention to cause harm, for instance. It is this complexity that makes insider threats so difficult to detect.

Insider Risk Indicators, specifically behavioral risk indicators, provide the earliest indication of insider risk by homing in on the human psychology that underpins a user’s everyday actions and their potential to become an insider threat.

This blog demystifies behavioral risk indicators with specific examples, insight on how they differ from other indicators, and why they are important in managing insider risks.


Insider Risk Indicator Vs Indicator of Compromise – What’s the Difference?

There are several terms floating around relating to indicators: Indicators of Compromise, Indicators of Attack, Insider Risk Indicators… the list goes on. In the context of insider risk management, the terminology is still maturing and is likely to evolve, especially as more organizations begin adopting insider risk programs.

DTEX defines behavioral risk indicators as concerning activities identified from a user’s behavioral patterns (usually measured against that user’s own baseline or that of a peer group) which can be used early to detect, deter, and disrupt insider risks before an incident occurs. Behavioral risk indicators provide context to any given interaction, enabling security and risk teams to distinguish the intent behind commonplace user actions.

On the other hand, Indicators of Compromise (IoCs) refer to the forensic evidence left behind following a cybersecurity incident. This could include vulnerability exploitation, malware, log data and so forth. Specific (or atomic) IoCs might include IP addresses, domain names, file hashes or unexplained account activities. Because IoCs are usually discussed in the context of a cyber attack, they are typically reactive – by the time the evidence is surfaced, the damage is already done. Whilst this might be helpful for threat hunting or future mitigations, it has little place in preventing insider risks from escalating into data loss incidents.

Examples of Behavioral Risk Indicators

There are multiple examples of behavioral indicators, though the relevance of those indicators is entirely dependent on the organization’s culture and behavioral norms. The Common Sense Guide to Mitigating Insider Threats, by Carnegie Mellon University Software Engineering Institute, lists the following as examples of behavioral indicators and the insider risks they are associated with:

  • Repeated policy violations – indicator correlated to sabotage
  • Disruptive behavior – indicator correlated to sabotage and workplace violence
  • Financial difficulty or unexplained extreme change in finances – indicator correlated to fraud
  • Job performance problems – indicator correlated to sabotage and IP theft

DTEX i³, which provides insider risk services and publishes regular counter-insider-risk research, has developed several unique behavioral risk indicators by leveraging the DTEX InTERCEPT platform. Whilst these are sensitive in nature and not available to the general public, the i³ team offers Threat Briefings to customers and trusted practitioners on the latest data-driven research and indicator development.

Data Silos Won’t Cut It. A Holistic Approach is Key

The Insider Threat Mitigation Guide by the Cybersecurity and Infrastructure Security Agency (CISA) cautions that confirmation of any insider risk indicator requires a solid understanding of context and a holistic view of the person of concern.

What makes behavioral indicators so powerful is that they can be directly observed by people as well as technology to provide this much-needed context. Equally important is having a program for capturing, aggregating, and enriching the data, because one indicator in isolation is meaningless.
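The two ideas above – measuring a user against a peer-group baseline, and treating a single indicator as context rather than a verdict – can be shown in code. The following is an added example, not DTEX’s platform or indicator set; the metric names, peer group, activity counts and thresholds are all constructed assumptions. It uses a median/MAD baseline (robust to one outlier among the peers) and only escalates when indicators corroborate each other.

```python
"""Peer-group behavioral risk indicators with corroboration (added example)."""
from statistics import median

# Constructed weekly activity counts; metric names, peer group label and all
# thresholds are assumptions for illustration, not DTEX's indicators.
ACTIVITY = {
    "alice": {"group": "finance", "policy_violations": 0, "after_hours_logins": 1,  "files_copied": 40},
    "bob":   {"group": "finance", "policy_violations": 1, "after_hours_logins": 0,  "files_copied": 35},
    "carol": {"group": "finance", "policy_violations": 0, "after_hours_logins": 2,  "files_copied": 45},
    "frank": {"group": "finance", "policy_violations": 0, "after_hours_logins": 1,  "files_copied": 38},
    "grace": {"group": "finance", "policy_violations": 1, "after_hours_logins": 0,  "files_copied": 42},
    "dave":  {"group": "finance", "policy_violations": 4, "after_hours_logins": 12, "files_copied": 300},
    "erin":  {"group": "finance", "policy_violations": 0, "after_hours_logins": 10, "files_copied": 41},
}
METRICS = ("policy_violations", "after_hours_logins", "files_copied")
MAD_SCALE = 1.4826   # makes MAD comparable to a standard deviation for normal data
MIN_SCALE = 1.0      # assumed floor: a perfectly uniform peer group must not divide by zero
Z_THRESHOLD = 3.0    # assumed: flag a metric more than 3 robust std devs above peers
CORROBORATION = 2    # assumed: escalate only when at least 2 indicators co-occur

def peer_baseline(activity, group, exclude):
    """Robust (median/MAD) baseline per metric over the peer group, excluding
    the user under review so their own outliers do not inflate the baseline."""
    peers = [u for u, a in activity.items() if a["group"] == group and u != exclude]
    base = {}
    for m in METRICS:
        values = [activity[u][m] for u in peers]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        base[m] = (med, max(MAD_SCALE * mad, MIN_SCALE))
    return base

def indicators_for(activity, user):
    """Names of the metrics on which the user deviates upward from their peers."""
    base = peer_baseline(activity, activity[user]["group"], exclude=user)
    flagged = [m for m in METRICS
               if (activity[user][m] - base[m][0]) / base[m][1] > Z_THRESHOLD]
    return sorted(flagged)

def assess(activity, user):
    """Aggregate: one indicator alone is context only; corroborated ones escalate."""
    found = indicators_for(activity, user)
    if len(found) >= CORROBORATION:
        return "escalate", found
    return ("monitor" if found else "baseline"), found

if __name__ == "__main__":
    for user in ACTIVITY:
        print(user, *assess(ACTIVITY, user))
```

In the constructed data, dave deviates on all three metrics and is escalated, while erin’s after-hours logins alone only warrant monitoring, since one indicator without corroborating context is not evidence of intent.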

AI and data science are becoming increasingly critical in insider risk detection, maximizing behavioral enrichment and the development of indicators that separate noisy alerts from true positives in near real time.

Going forward, this is only likely to evolve and advance, helping insider risk practitioners get better and faster at detecting and mitigating risks.

To learn more about DTEX’s behavioral risk indicators and data-driven research, request a Threat Briefing.


*** This is a Security Bloggers Network syndicated blog from DTEX Systems Inc authored by Kellie Roessler. Read the original post at: https://www.dtexsystems.com/blog/demystifying-behavioral-risk-indicators/


Source: https://securityboulevard.com/2024/02/what-is-a-behavioral-risk-indicator-demystifying-insider-risk-indicators/