How To Detect and Mitigate Malicious Insider Threats With NextGen SOAR

Cybersecurity is not just about protecting the organization from external threats, but also about securing it from insider threats. Yet, the latter can be a blind spot for many organizations. Large, mature organizations usually have an insider threat mitigation program in place, and with good reason. Insider threats can pose a significant problem for organizations of any size and vertical. As per the 2022 Ponemon Cost of Insider Threats: Global Report, insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million.

Of course, such numbers cannot quantify the harm they can potentially cause. Studies have shown that the larger a company is, the more financial risk it faces from insider threats. Aside from financial risk, insider threats can expose an organization to intellectual property (IP) theft, damage to infrastructure, disruptions to services or operations, breaches of privacy, loss of brand reputation, and even injury or loss of life. As this article with three real-world insider threat examples concludes, organizations need to have an insider risk playbook in place.

In this blog post, we’ll point you to some resources that can help you build your own insider threat program, and explore potential insider threat indicators and the different types of insider threats. Speedy incident response can prove crucial when it comes to mitigating insider threats, so we’ll also show you how NextGen SOAR helps improve collaboration between DLP, HR, and SOC teams and provides swift and critical analysis to help them respond to incidents faster.

Not all Insider Threats Are Malicious

There are two types of insider threats: intentional and unintentional.  While this blog focuses on malicious insiders, keep in mind that not all insider threats are intentional. Insiders can unwittingly expose the company to dangers through unintentional mistakes.

According to CISA’s Threat Mitigation Guide, which tells you everything you need to know about managing an insider threat program, unintentional insider threats can be of two types: negligent or accidental. Some examples of that include downloading unauthorized software (negligent), theft of a company laptop or phone (accidental), or letting a stranger tailgate through the entrance (negligent). You can also have collusive threats, where insiders collaborate with an external threat actor and/or third-party threats such as contractors or vendors. These can be either intentional or unintentional.

Why Malicious Insider Threats Can Be Difficult to Detect

Privacy, legal, and labor relations challenges aside, investigating an insider threat also presents technical challenges, as it involves personnel with legitimate access to an organization’s data and infrastructure. Their activities may not trigger security alerts, especially if they are stealthy and know how to cover their tracks. Detecting insider threats goes outside of the digital realm, and also requires monitoring employees’ behavior. This can be challenging from both a technical and an ethical standpoint.

Given the sensitivity of their work, insider threat teams are generally a separate silo from the security operations center (SOC). They may be part of a larger security team that works with personnel from HR, physical security, risk management, general counsel, and other trusted insiders. Coordinating and collaborating across these different silos can add delays to response times. All of these factors make it difficult for organizations to detect insider threats and take appropriate actions to prevent them. That said, scenarios that may indicate a reportable insider threat include:

  •       Accessing classified info that is unrelated to their job responsibilities.
  •       Sharing usernames and passwords with others or accessing another user’s account
  •       Transfer of massive volumes of data to external storage devices or online storage services.
  •       Access to the organization’s systems from unusual locations.
  •       Behavioral changes, such as increased stress or isolation.
  •       Aggressive behavior towards coworkers or the organization.
  •       Unauthorized attempts to gain access to restricted areas or systems
  •       Attempts to bypass security protocols or policies.
  •       Revealing sensitive information to unauthorized individuals or organizations.

NextGen SOAR’s Malicious Insider Playbook

Insider threat teams rely on access logs, network traffic logs, user activity logs, security incident reports, employee records, and physical security logs to conduct their investigations. They typically keep an eye on network activity through a data loss prevention (DLP) tool.

Using NextGen SOAR as a connective tissue to bring all these data points together can help enrich and validate DLP alerts.  NextGen SOAR integrates with leading data loss prevention (DLP) tool vendors including Forcepoint DLP, Symantec DLP, Digital Guardian DLP, and a host of other DLP solutions to help analyze and orchestrate response actions to these alerts. Our Malicious Insider playbook also leverages integrations with HR tools like OneTrust, and identity management tools like Microsoft Active Directory and Okta. This significantly improves the speed and efficiency of response actions to insider threat investigations, such as blocking accounts, notifying the employee’s manager, firewall actions, and more.

For a detailed, step-by-step walkthrough of the malicious insider SOAR playbook, download our recent whitepaper, The Top 3 SOAR Playbooks You’ll Need In 2023. The whitepaper also covers two other interesting use cases that showcase the versatility of NextGen SOAR in dealing with use cases that go beyond the SOC.

Whitepaper - The Top 3 SOAR Playbooks You'll Need in 2023

How NextGen SOAR’s Case Management Helps Investigate Insiders

If you have made it this far, it’s quite likely that you are looking to protect your organization from insider threats. Look no further. NextGen SOAR’s case and investigation management features include customizable, role-based access controls, allowing you to assign up to 10 levels of security to user groups. This helps define and manage your security operations center team’s hierarchy, ensuring that only authorized individuals have access to sensitive information. With NextGen SOAR, you can confidently safeguard against unauthorized browsing of sensitive investigations and protect your organization’s most valuable assets. Schedule a one-on-one demo with us to talk to us about the challenges faced by your SOC team and get a walkthrough of NextGen SOAR’s next-generation capabilities.

Social Icon
Shriram Sharma

Shriram is a Marketing Content Writer at D3. A former journalist, he chronicled high-profile data breaches, cyber-attacks, and conducted interviews with white and grey hat hackers. He likes to share his fascination for the field of cyber security by creating accessible and engaging content.