Here is a quick one on INSIDER THREAT. Deep down, we all know that nobody cares about the insider threat. Well, not literally “nobody”; few organizations do care about their insider threats [and, yes, those who genuinely care tend to care a whole lot, granted].
Now, many say they do care (a great example), but, frankly, I don’t think they spend money on it, hence their actions scream “WE DON’T CARE!” while their words whisper “eh…we …eh…care…maybe!” Off the cuff, we may get 50 malware calls for every 1 insider threat call, based on my purely unscientific impression of available data. Meanwhile, one may argue that insider threat is more about process than tools and so the spend is less visible, to which I say: try building a robust, mature process without spending lots of money – or time.
On the other hand, many organizations today are starting to care about the threats that are already inside (malware, attackers who hacked in, etc.). Funnily, some security vendors market “insider threat solutions” to those people – thus creating hilarity (like “sandboxing to catch insider threat” or “top exploits used by insiders”…huh?)
To reduce this confusion, maybe we can think about this like so:
- THREATS INSIDE – drive spending on UBA / UEBA, traffic analysis (NTA), SIEM, deception, lots of other tools, etc. A BIG DEAL!
- INSIDER THREAT – drives almost no spending (as per our research, <10% of security budget). For a small number of organizations, this is a big deal too. For most others, this is a “meh!” issue.