Data breaches caused by ransomware attacks, phishing scams, and state-sponsored hacker groups tend to grab the headlines. However, the reality is that insider threat activity causes 60% of these breaches. Moreover, while these threats are becoming more frequent – up 47% over the latest two-year period – and costly to organizations, it still takes organizations more than two months to discover and contain the average insider threat incident (an average of 77 days). And the longer an insider incident lingers, the more costly it becomes.
A primary reason for the lengthy discovery time is that it is difficult to distinguish between regular user activity and the kind of user behavior indicating an insider attack. Complicating discovery further is that the insider in question usually has authorized access to the ERP system and knows how to bypass controls and violate security policies.
How can a company become more proactive at detecting insider threat activity rather than waiting (up to 77 days) to discover that an incident occurred? One solution is to continuously monitor user activity around data access and usage inside the ERP.
When companies monitor for outlier and abnormal behavior patterns, they are more likely to detect possible malicious activities or compromised accounts, reducing the discovery and containment time and costs. Here are six user behaviors to monitor that could indicate potential insider threat activity.
1. Making Unauthorized Changes To Master Data
The exponential growth in data volume and usage in companies has led to sensitive master data being stored across multiple silos. Any changes to master data, such as changes to payroll or adjusting a PO amount beyond limits, are worth paying attention to as possible indicators of insider threat activity. It is critical to know precisely who is accessing master data and how frequently.
2. Unusual Login Times And Off-Peak Activities
Watch out for users trying to log in outside of their regular working hours without proper authorization or a valid need to access the network at odd hours or from an unknown IP address. Of course, there could be a legitimate reason for this access, but this behavior is worth investigating. For example, does the employee genuinely need to access payroll information outside of office hours?
3. Repeated Failed Attempts At Logging Into Critical Applications
Organizations typically have a fixed set of users and roles that have access to sensitive data. Repeated failed attempts to access data, or complete transactions could be a warning sign that an insider is trying to access privileged information (e.g., PII, compensation data of others).
4. Erratic Behavior Of Privileged Accounts
Privileged users in companies have elevated access to sensitive data and transactions. Watch out for these users accessing particularly sensitive fields, including compensation data and executive payroll, and how frequently. These behaviors are usually a violation of a company’s security policies and protocols and can indicate behavior with malicious intent.
5. Questionable Query Running and Data Downloads
A key indicator of insider threat activity is running queries against sensitive data and downloading it to unauthorized devices. Companies should monitor query execution and download attempts involving sensitive data, particularly onto unauthorized devices, from suspicious locations, or outside business hours. Additionally, when employees use unapproved workarounds to transfer potentially sensitive information to cloud storage accounts for easy access, that data leaves the organization's controls and is exposed to hackers.
6. Unnecessary or Excessive Vendor Creation and PO Approvals
Employees using their credentials to create unnecessary or excessive numbers of new vendors, purchase orders, requisitions, etc., are likely engaging in fraudulent activity that leads to data or financial theft. In addition, without proper internal controls in place, employees can use their credentials to violate segregation of duties for financial gain.
An essential first step to tackling insider threats is closely monitoring user behavior around data access and usage. With continuous monitoring, security and compliance leaders can drill into specific activity and know exactly the context of data access and usage: who is doing what, where, and why. With that level of in-depth, contextual information, any red flag incidents can undergo a rapid response plan.
The next step is to prevent insider threat activity by adopting a layered, data-centric security model that includes –
We have helped several organizations detect and defend against insider threats by applying continuous data access and usage monitoring at a granular level combined with a data-centric security approach. Contact us to chat with our Pathlock expert today.