
How Machine Learning Can Strengthen Insider Threat Detection

Panel: Better Algorithms Can Help Mitigate the Risks
(From Left:) Dawn Cappelli, Sujeet Bambawale, Solomon Adote, Tony Pepper and ISMG's Tom Field

As companies continue to grapple with the challenges of insider threats, machine learning coupled with behavioral analytics can assist in predicting and detecting potential threats from employees and contractors, according to a panel of security experts at RSA 2020.


While enterprises have gotten better at predicting and responding to external security attacks, mitigating the risk of insider threats remains a challenge for CISOs and their teams because much of this depends on interpreting the intentions of employees.

"It is a complex problem because you have to look at human behavior and have to predict in real time when someone is about to make the error of judgement," Tony Pepper, CEO of security firm Egress, said in a panel discussion hosted by Information Security Media Group.

"Currently, the cybersecurity community focuses on issues which actually represent only 1 or 2 percent of the challenges that every business faces," Pepper said. "The overwhelming majority of [insider] cases are accidental, and to detect this is much more difficult. This is where technology needs to catch up, and machine learning will be helpful here."

Machine Learning and Threat Detection

To mitigate insider threats, experts suggest that enterprises develop their own risk algorithms by coupling machine learning capabilities with behavioral analytics to understand discrepancies in employee activities.

Companies can use human resources data to help create these new algorithms, said Dawn Cappelli, CISO of Rockwell Automation. "The key is having HR data. You can build your risk models by taking the contextual employee data along with their online activity and create risk algorithms."

But the real challenge is refining and contextualizing this data in order to correctly identify potential threats, said Solomon Adote, CISO for the state of Delaware.

"Data without context might not tell you the full story," Adote said. "It has to be about identifying what is abnormal about a particular activity."

Once the data is contextualized, Adote noted, enterprises can use this information to create alerts, advise employees about their activities and make them aware that the company knows what is happening internally.

"That's sometimes all you need to prevent a significant catastrophe," Adote said.

The insider threat problem cannot be solved by IT or security teams alone, Pepper said. Rather, he suggests that enterprises should engage with employees and end-users to help them create more context for their data.
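The approach the panelists describe, a per-user activity baseline combined with HR context to produce a risk score and an alert, as an added illustration that is not code from the panel or from any vendor named here. The sample activity data, the HR field names and the weights are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): daily outbound transfer volume
# in MB, seven days of history followed by the day being scored.
ACTIVITY = {
    "alice": [50, 50, 50, 50, 50, 50, 50, 65],          # small rise over a flat baseline
    "bob":   [300, 280, 320, 310, 295, 305, 290, 330],  # always high; normal for this user
    "carol": [20, 25, 22, 18, 24, 21, 23, 120],         # large spike against a low baseline
    "dave":  [100, 100, 100, 100, 100, 100, 100, 100],  # nothing unusual in activity
}

# Constructed HR context. Field names and weights are assumptions for this example.
HR_CONTEXT = {
    "alice": {"notice_given": True,  "recent_role_change": False},
    "bob":   {"notice_given": False, "recent_role_change": False},
    "carol": {"notice_given": False, "recent_role_change": False},
    "dave":  {"notice_given": True,  "recent_role_change": True},
}
CONTEXT_WEIGHTS = {"notice_given": 2.0, "recent_role_change": 1.0}
ALERT_THRESHOLD = 5.0


def activity_zscore(history):
    """Z-score of the latest day against the same user's own earlier days.

    A flat history has zero standard deviation and would turn any change into an
    enormous score, so the spread is floored at 10% of the baseline mean
    (an assumed floor, not from the article)."""
    baseline, latest = history[:-1], history[-1]
    spread = max(pstdev(baseline), 0.1 * mean(baseline))
    return (latest - mean(baseline)) / spread


def risk_score(user):
    """Activity anomaly plus HR context, returned with the reasons behind it."""
    z = activity_zscore(ACTIVITY[user])
    score, reasons = max(z, 0.0), [f"transfer volume z-score {z:.1f}"]
    for factor, weight in CONTEXT_WEIGHTS.items():
        if HR_CONTEXT[user].get(factor):
            score += weight
            reasons.append(factor.replace("_", " "))
    return round(score, 1), reasons


def alerts(threshold=ALERT_THRESHOLD):
    """Users whose contextual risk score reaches the alert threshold."""
    scored = {u: risk_score(u) for u in ACTIVITY}
    return {u: r for u, r in scored.items() if r[0] >= threshold}
```

Bob's high volume scores low because he is compared with his own baseline, Dave's HR flags alone do not trigger an alert, and Alice's modest rise only crosses the threshold once the notice-given context is added.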

Insider Threats on the Rise

According to a study published this month by the Ponemon Institute, insider threat incidents increased by 47 percent between 2018 and 2019. Researchers also found that companies paid out an average of $11 million in 2019 in annual clean-up costs associated with these incidents - a 31 percent increase from the $9 million firms spent in 2018.

The study also points out that insider threats are more likely to be caused by negligent employees or contractors than by those intending to do harm. A recent report found that data breaches within Canadian government agencies exposed the personal information of approximately 144,000 citizens over a two-year period, with human error cited as a major cause (see: Canadian Government Breaches Exposed Citizens' Data: Report).


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



