How Machine Learning Can Strengthen Insider Threat Detection
Panel: Better Algorithms Can Help Mitigate the Risks
As companies continue to grapple with the challenges of insider threats, machine learning coupled with behavioral analytics can assist in predicting and detecting potential threats from employees and contractors, according to a panel of security experts at RSA 2020.
While enterprises have gotten better at predicting and responding to external security attacks, mitigating the risk of insider threats remains a challenge for CISOs and their teams because much of this depends on interpreting the intentions of employees.
"It is a complex problem because you have to look at human behavior and have to predict in real time when someone is about to make the error of judgement," Tony Pepper, CEO of security firm Egress, said in a panel discussion hosted by Information Security Media Group.
"Currently, the cybersecurity community focuses on issues which actually represent only 1 or 2 percent of the challenges that every business faces," Pepper said. "The overwhelming majority of [insider] cases are accidental, and to detect this is much more difficult. This is where technology needs to catch up, and machine learning will be helpful here."
Machine Learning and Threat Detection
To mitigate insider threats, experts suggest that enterprises develop their own risk algorithms by coupling machine learning capabilities with behavioral analytics to understand discrepancies in employee activities.
Companies can use human resources data to help create these new algorithms, said Dawn Cappelli, CISO of Rockwell Automation. "The key is having HR data. You can build your risk models by taking the contextual employee data along with their online activity and create risk algorithms."
But the real challenge is refining and contextualizing this data in order to correctly identify potential threats, said Solomon Adote, CISO for the state of Delaware.
"Data without context might not tell you the full story," Adote said. "It has to be about identifying what is abnormal about a particular activity."
Once the data is contextualized, Adote noted, enterprises then can use this information to create alerts, advise employees about their activities and make them aware that the company is aware of what's happening internally.
"That's sometimes all you need to prevent a significant catastrophe," Adote said.
The insider threat problem cannot be solved by IT or security teams alone, Pepper said. Rather, he suggests that enterprises should engage with employees and end-users to help them create more context for their data.
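As an added illustration of the approach the panelists describe (HR context plus online activity, flag what is abnormal, raise an alert), not code from the panel or any vendor product: a toy risk scorer over constructed sample data. The user names, the 14-day download history, today's counts and the context weights are all assumptions.

```python
from statistics import mean, pstdev

# Constructed HR context (a real deployment would pull this from the HR system).
HR = {
    "alice": {"dept": "finance", "gave_notice": False, "contractor": False},
    "bob":   {"dept": "finance", "gave_notice": True,  "contractor": False},
    "carol": {"dept": "eng",     "gave_notice": False, "contractor": True},
}

# Constructed activity data: each user's daily count of sensitive-file
# downloads over the previous 14 days, and today's count.
HISTORY = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 2],
    "bob":   [2, 3, 2, 4, 3, 2, 3, 2, 3, 4, 2, 3, 2, 3],
    "carol": [10, 12, 9, 11, 10, 13, 12, 10, 11, 9, 12, 10, 11, 12],
}
TODAY = {"alice": 5, "bob": 5, "carol": 13}

def zscore(history, value):
    """Standard deviations by which today's count exceeds the user's own baseline."""
    sd = pstdev(history) or 1.0  # a flat history would otherwise divide by zero
    return (value - mean(history)) / sd

def context_weight(hr):
    """HR context: identical activity carries more risk from someone who has
    given notice or from an external contractor (weights are illustrative)."""
    weight = 1.0
    if hr["gave_notice"]:
        weight *= 2.0
    if hr["contractor"]:
        weight *= 1.5
    return weight

def risk_score(user):
    """Activity anomaly scaled by HR context: the panel's 'risk algorithm' in miniature."""
    return zscore(HISTORY[user], TODAY[user]) * context_weight(HR[user])

def alerts(threshold=4.0):
    """Users whose contextualized score merits an analyst's attention, with scores."""
    flagged = []
    for user in HR:
        score = risk_score(user)
        if score >= threshold:
            flagged.append((user, round(score, 2)))
    return flagged

if __name__ == "__main__":
    for user, score in alerts():
        print(f"ALERT {user}: contextualized risk {score}")
```

Alice and Bob both downloaded five files today, but only Bob is flagged: his own baseline is lower and he has given notice, which is exactly Adote's point that data without context does not tell the full story.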
Insider Threats on the Rise
According to a study published this month by the Ponemon Institute, insider threat incidents increased by 47 percent between 2018 and 2019. Researchers also found that companies paid out an average of $11 million in 2019 in annual clean-up costs associated with these incidents - a 31 percent increase from the $9 million firms spent in 2018.
The study also points out that insider threats are more likely to be caused by negligent employees or contractors, rather than those intending to do harm. A recent report found that data breaches within Canadian government agencies exposed the personal information of approximately 144,000 citizens over a two-year period, with human error cited as a major cause (see: Canadian Government Breaches Exposed Citizens' Data: Report).