Gartner inquiries on insider threat detection are up over 50% YOY for the last two months, and our clients are seeking solutions – both technical and non-technical – for a problem that legacy solutions are not effectively addressing.
The Many Flavors of Insider Threats
Insider threats come in many flavors as depicted below in Figure 1, and there is no magic bullet that makes them go away. Technology selection may be the simplest piece of the solution puzzle. Much harder to address are the governance, people and process issues that must be grappled with before technology can be properly used.
Figure 1
Technology Solutions for Insider Threat Detection
Still, there are various insider threat technology solutions that are effectively displacing legacy software as the ‘preferred’ solution. We put these alternatives into three buckets, each of which has its own limitations and issues:
- UEBA (User and Entity Behavior Analytics) solutions profile users, their peer groups and other entities, and use advanced analytics to detect anomalous transactions and behaviors. See our Market Guide for UEBA (an update to our last Market Guide for UEBA will be published soon) for more about this space as well as the vendors who compete in it. Standalone UEBA applications today sit on servers as opposed to user endpoints.
- Most of the vendor solutions in this space can aptly detect anomalous log-ins but are weak in understanding ‘off (enterprise) network’ behavior and in applying machine learning models to the problem. Most of them are also generally blind to anomalous or unauthorized access to structured and unstructured data, although that can presumably be fixed with the right data feeds.
- As already noted in January 2017 — see The Disappearing UEBA Market — the standalone UEBA market is quickly disappearing as UEBA becomes a feature of many other security domain solutions such as network traffic analysis or cloud access security. In just the past ten days, two standalone UEBA vendors have been (E8 Security) or are about to be (Fortscale) acquired, by VMware and RSA Security respectively. Going forward, users of the few remaining standalone UEBA solutions must be prepared for more market acquisitions and disruptions.
- Employee (or any user) monitoring applications are agent-based monitoring tools that have the most complete visibility into user activity in an organization, as long as – obviously – the agent is present on the user’s endpoint. Vendors like ObserveIT and Dtex are being increasingly used for insider threat detection. For the time being, these applications are still rule based (machine learning is on road-maps) and users can write their own rules and policies as to what exactly they want to detect. For example, copy and paste operations – which UEBA applications have been blind to – can be clearly detected with these products.
- This solution set probably needs a new name beyond ‘employee monitoring’ since it applies to any user and enables full visibility into data access and use. Perhaps a more appropriate name for this space is “UDBA” for ‘User and Data Behavior Analytics’?
- Data Centric Audit and Protection (DCAP) – these include solutions that monitor and analyze user privileges and data access activities, among many other data protection related functions. As noted in the DCAP market guide (see Market Guide for DCAP), there are several limitations to the visibility enabled by these products as “activity monitoring of users and administrators may be limited to monitoring access to certain classified datasets, and some products focus on only classified datasets.”
- Further, “Products that are based in the application layer, monitor network traffic or use proxies may not be able to monitor activity by administrators in the data layer. Additionally, due to connection pooling, monitoring application users directly from the data layer may not be possible.” See the DCAP market guide for a list of vendors in this category and what they cover.
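As an added illustration of the peer-group profiling that the UEBA bucket above relies on (this is example code written for this page, not code from the post or from any vendor named in it), the Python below builds a logon-hour and source-network baseline per peer group from constructed logon events and flags a new logon that deviates from it. All users, groups, networks and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed logon events, not from any real environment:
# (user, peer_group, logon_hour, source_network)
TRAINING = [
    ("alice", "finance", 9, "corp-lan"), ("alice", "finance", 10, "corp-lan"),
    ("alice", "finance", 9, "finance-vpn"), ("alice", "finance", 8, "corp-lan"),
    ("alice", "finance", 10, "corp-lan"), ("alice", "finance", 9, "corp-lan"),
    ("bob", "finance", 9, "corp-lan"), ("bob", "finance", 10, "corp-lan"),
    ("bob", "finance", 8, "finance-vpn"), ("bob", "finance", 9, "corp-lan"),
    ("carol", "finance", 9, "corp-lan"), ("carol", "finance", 9, "corp-lan"),
    ("carol", "finance", 10, "corp-lan"), ("carol", "finance", 8, "corp-lan"),
]
NEW_EVENTS = [
    ("alice", "finance", 9, "corp-lan"),   # ordinary
    ("carol", "finance", 12, "corp-lan"),  # a bit late, but within tolerance
    ("bob", "finance", 3, "unknown-vpn"),  # off-hours, from a network no peer has used
]
Z_THRESHOLD = 3.0  # flag hours more than 3 standard deviations from the peer mean
MIN_STDDEV = 1.0   # floor so a very uniform peer group does not flag every small shift

def build_baselines(events):
    """Profile each peer group: typical logon hour (mean, stddev) and the networks used."""
    hours, networks = defaultdict(list), defaultdict(set)
    for _user, group, hour, net in events:
        hours[group].append(hour)
        networks[group].add(net)
    return {g: {"mean": mean(h), "std": max(pstdev(h), MIN_STDDEV),
                "networks": networks[g]} for g, h in hours.items()}

def score_event(event, baselines):
    """Return the reasons an event deviates from its peer group (empty list = normal)."""
    _user, group, hour, net = event
    base = baselines.get(group)
    if base is None:
        return ["no baseline for peer group %s" % group]
    reasons = []
    z = (hour - base["mean"]) / base["std"]
    if abs(z) > Z_THRESHOLD:
        reasons.append("logon hour %d is %.1f stddev from the peer mean" % (hour, z))
    if net not in base["networks"]:
        reasons.append("source network %s never seen for this peer group" % net)
    return reasons

def flag_events(events, baselines):
    """Keep only the events that produced at least one finding."""
    return [(e, r) for e in events if (r := score_event(e, baselines))]
```

Note that nothing here sees what the user does after logging on, which is exactly the blind spot the post attributes to UEBA and that agent-based endpoint monitoring fills.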
Bottom line
Insider threat detection is difficult. No technical solution on the market today will ever detect a trusted insider engaged in activities he or she is allowed to engage in that are nonetheless undertaken with malicious intent. For that we need an AI system that can decipher malicious vs innocent or good intent. And for that kind of AI model, we need unbiased humans to feed the model with unbiased training data. How likely is that ever to happen? I certainly wouldn’t hold your breath.
Still, there are technical solutions on the market today that can go a long way towards detecting nefarious insider activities that can cause irreparable harm to organizations. Agent-based user monitoring and analytic systems like ObserveIT currently have the most visibility into user activities that take place on the managed user endpoint. They can see everything and anything suspect that the user is doing from their endpoint, assuming the applications are told what to look for by the humans who manage them.
And “ay, there’s the rub.” Clever humans will always be able to outmaneuver other humans that are simply not as clever. But that doesn’t mean we should simply give up and let them get away with it without an earnest – and potentially successful – fight.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
2 Comments
Brilliant article which reinforces Forcepoint's approach of integrating UEBA with DLP and other technology to provide a dynamic Risk Adaptive Protection based on behaviour of the user profile thereby protecting from both malicious insiders and trusted insiders who may have had their credentials compromised.
What about well-placed honeytokens and LI honeypots? I think they have (some) security value regarding insider threat: “No technical solution on the market today will ever detect a trusted insider engaged in activities he or she is allowed to engage in that are nonetheless undertaken with malicious intent.”