
Mitigating Insider Risk With Data Detection And Response

By Christos Flessas

June 13, 2023
in Featured, Security

Last year’s reports showed that insider threats are increasing in frequency and volume and, on average, require a significant amount of time, effort, and expense to contain. In the coming years these threats will increase further as the shift to more distributed working models (a legacy of the pandemic era) consolidates, BYOD policies spread, and cloud-related technologies keep growing exponentially.

Today, the workplace is highly dispersed and scattered. Personnel and devices are heavily distributed across many physical and digital locations. Within such an elastic, kinetic, and rapidly changing environment, our data does not remain at rest either: it moves to and from the cloud at an unprecedented rate. These facts, combined with negligent and malicious insider acts, make unusual changes and anomalies hard to monitor and detect. Advanced technology and data detection and response (DDR) tools that detect data movement on the fly and respond to incidents as soon as possible are therefore more than necessary; they are imperative if we want our businesses to maintain their security posture and cybersecurity hygiene.

The impact of insider threats

No matter the insiders’ motivation or level of security awareness, an incident caused by trusted humans is disruptive and significantly impacts any business. Negligent workers, disappointed and disgruntled staff, or vendors with bad intentions can put their organization at risk from the comfort of their homes, in many cases using legacy, obsolete, or unpatched devices.

These insider incidents share not only a common root cause, human nature, but also a common target: the data. Data breaches that lead to financial losses, compromise of sensitive data, and theft of intellectual property have severe consequences for the revenue and reputation of the affected organization. The magnitude of the underlying insider risk is illustrated by the Bravura Security report, which highlights that bad actors have approached 65% of employees to assist in ransomware cyberattacks.

In the cloud era, where we all experience extremely high-speed data transfer rates, data breach incidents become more frequent, aggressive, and full-scale. Because insider operations are concealed within typical workplace behaviour, these activities do not alert security personnel to a threat or an “abnormal spike”. The result is that malicious or irresponsible insiders need only a fraction of the time to compromise an entire database of critical data and information.

Data security in the cloud and in the consolidated hybrid-work world has to be a top priority. Every cybersecurity professional must monitor users’ activities with modern, advanced tools, employ behaviour analytics to track behavioural anomalies, and use data detection and response (DDR) tools, which can be integrated into existing SIEM solutions, to mitigate potential insider threats as soon as, and wherever, they occur.

DDR in a nutshell

Data detection and response (DDR) is an emerging approach, often referred to as the new cloud data loss prevention (DLP) solution. It introduces dynamic monitoring to cloud environments: it can monitor cloud data in real time and secure it from exfiltration. It uses known threat models and attack patterns revealed in previous attacks, as well as AI and machine-learning algorithms trained on historical data, to predict and prevent insider risks.

A wide range of incident types falls into DDR’s detection range:

  • Snapshots and shadow backups that take place outside of approved procedures.
  • Moving data to insecure storage.
  • Moving data to geographical locations that are not compliant with the law.

DDR is dynamic. It sits on top of the static and posture-focused defense layer provided by Data Security Posture Management (DSPM) and Cloud Security Posture Management (CSPM) tools. It keeps an eye on cloud environments where data is stored and employs real-time log analytics to spot data risks as soon as they arise.

To do so, DDR, unlike other systems that focus on configurations and data at rest, focuses on real-time data events. These trigger alarms and allow security personnel to take action before the incident unfolds, or at its earliest stage.

How DDR works – pros and cons

Nowadays, data is stored across a wide cloud estate; PaaS, DBaaS, and IaaS are all places where one can find the data of a mid-sized company. First, DDR uses DSPM capabilities to lay the foundation by finding and categorizing data assets. Detected risks, such as unencrypted sensitive data, are flagged and prioritized before being remediated by IT professionals or data owners.

Once all data assets are mapped, DDR monitors their activity via cloud-native event logging. DDR parses the logs and applies a threat model to identify anything suspicious. If an anomaly is detected, DDR immediately issues an alert and suggests the best response to security professionals.

The benefits of data detection and response in mitigating insider risk are numerous:

  • Early warning helps businesses prevent insider risk from escalating.
  • It identifies and analyzes the root cause of insider threats, so they can be addressed proactively and efficiently.
  • It helps organizations comply with standards and regulatory requirements.
  • It enables dynamic data security in highly distributed hybrid and multi-cloud environments.
  • It protects data across any exfiltration channel, such as removable drives, emails, and cloud applications.
  • The use of a single threat model across environments removes the need for ad-hoc solutions per data service.

However, there are challenges in implementing DDR. These are:

  • Significant investment in technology and sophisticated tools, and the need for cybersecurity experts.
  • A high volume of alerts can cause alert fatigue. Prioritizing alerts to reduce the false-alarm rate is imperative.
  • DDR can raise ethical concerns, as it dives deep into user data. Organizations must comply with legal and ethical standards and respect employees’ privacy rights.
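The pipeline described in “How DDR works” (map and classify assets with DSPM, read cloud-native event logs, apply a threat model, raise an alert) and the alert-prioritization challenge listed just above, shown together as an added Python example. This is illustrative code written for this page, not code from the article or from any DDR product. The policy values (the approved snapshot identity, the compliant regions, the severity weights), the asset classification table, and the JSON event lines are all constructed for the example; the three rules correspond to the incident types the article lists (snapshots outside approved procedures, data moved to insecure storage, data moved to non-compliant locations).

```python
import json

# Constructed policy for this example (hypothetical values, not from the article).
APPROVED_SNAPSHOT_ACTORS = {"svc-backup"}          # only this identity may take snapshots
COMPLIANT_REGIONS = {"eu-west-1", "eu-central-1"}  # regions where the data may legally reside
RULE_SEVERITY = {"noncompliant_region": 3, "insecure_storage": 2, "unapproved_snapshot": 2}
CLASS_WEIGHT = {"sensitive": 3, "internal": 2, "public": 1}

# Output of the DSPM discovery/classification step that DDR builds on (constructed).
ASSET_CLASSIFICATION = {
    "rds:customers-db": "sensitive",
    "s3:hr-records": "sensitive",
    "s3:marketing-assets": "public",
}

# Constructed cloud event log, one JSON object per line (the field layout is an assumption).
SAMPLE_LOG = """
{"ts":"2023-06-13T01:12:00Z","actor":"svc-backup","action":"snapshot","resource":"rds:customers-db","target":{}}
{"ts":"2023-06-13T01:15:00Z","actor":"jdoe","action":"snapshot","resource":"rds:customers-db","target":{}}
{"ts":"2023-06-13T01:20:00Z","actor":"jdoe","action":"copy","resource":"s3:hr-records","target":{"store":"s3:tmp-export","encrypted":false,"region":"eu-west-1"}}
{"ts":"2023-06-13T01:25:00Z","actor":"jdoe","action":"copy","resource":"s3:hr-records","target":{"store":"s3:ext-share","encrypted":true,"region":"us-east-1"}}
{"ts":"2023-06-13T01:31:00Z","actor":"jdoe","action":"copy","resource":"rds:customers-db","target":{"store":"s3:ext-share","encrypted":true,"region":"us-east-1"}}
{"ts":"2023-06-13T02:00:00Z","actor":"mkt-bot","action":"copy","resource":"s3:marketing-assets","target":{"store":"s3:cdn","encrypted":false,"region":"us-east-1"}}
{"ts":"2023-06-13T02:05:00Z","actor":"asmith","action":"read","resource":"rds:customers-db","target":{}}
"""


def parse_events(raw):
    """Parse JSON-lines log text, skipping blank and malformed lines instead of failing."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real deployment would count these as a telemetry-health signal
    return events


def apply_threat_model(event):
    """Return the names of the rules a single event violates (empty list = benign)."""
    hits = []
    action = event.get("action")
    target = event.get("target") or {}
    if action == "snapshot" and event.get("actor") not in APPROVED_SNAPSHOT_ACTORS:
        hits.append("unapproved_snapshot")
    if action == "copy":
        if target.get("encrypted") is False:
            hits.append("insecure_storage")
        # An unknown or missing destination region is treated as non-compliant.
        if target.get("region") not in COMPLIANT_REGIONS:
            hits.append("noncompliant_region")
    return hits


def detect(raw):
    """Run the threat model over every event; one alert per (event, rule) pair."""
    alerts = []
    for ev in parse_events(raw):
        classification = ASSET_CLASSIFICATION.get(ev.get("resource"), "internal")
        for rule in apply_threat_model(ev):
            alerts.append({
                "ts": ev["ts"], "actor": ev["actor"], "resource": ev["resource"], "rule": rule,
                # Risk-based score: rule severity weighted by the sensitivity of the asset.
                "score": RULE_SEVERITY[rule] * CLASS_WEIGHT[classification],
            })
    return alerts


def prioritize(alerts, min_score=3):
    """Triage to fight alert fatigue: drop low-score alerts, collapse repeats per (actor, rule),
    and return the remaining groups ordered by descending score."""
    grouped = {}
    for a in alerts:
        if a["score"] < min_score:
            continue
        key = (a["actor"], a["rule"])
        g = grouped.setdefault(key, {"actor": a["actor"], "rule": a["rule"],
                                     "score": 0, "count": 0, "resources": set()})
        g["score"] = max(g["score"], a["score"])
        g["count"] += 1
        g["resources"].add(a["resource"])
    ordered = sorted(grouped.values(), key=lambda g: (-g["score"], g["actor"], g["rule"]))
    for g in ordered:
        g["resources"] = sorted(g["resources"])
    return ordered


if __name__ == "__main__":
    for a in prioritize(detect(SAMPLE_LOG)):
        print(f"score={a['score']} actor={a['actor']} rule={a['rule']} "
              f"events={a['count']} resources={a['resources']}")
```

Run as a script, the constructed log produces six raw alerts, which the triage step collapses to four prioritized groups: the user copying two sensitive assets to a non-compliant region comes first, and the public marketing copy to unencrypted storage is dropped below the threshold. The point of the score weighting is the article’s own advice, focus on the highest-risk assets first; in practice the DSPM classification feeding CLASS_WEIGHT is what makes that possible.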

Protect data with a solid DDR solution

Businesses must recognize how insiders may threaten their sensitive data and follow best practices to maximize the benefits of data detection and response solutions. They should adopt a risk-based data detection and response approach, focusing on the areas of highest insider risk and on the most critical assets and data. Organizations should also establish precise data detection and response procedures, including ethical policies, to avoid becoming a “big brother” to their insiders.

A lack of in-house knowledge or a shortage of experts should not be an obstacle or an excuse. There are numerous cybersecurity experts with whom businesses can work closely to implement a proper DDR solution, protect their data and assets, and mitigate insider threat risk.


About the Author: Christos Flessas is a Communications and Information Systems Engineer with more than 30 years of experience as an Officer of the Hellenic Air Force (HAF). He is an accredited NATO tactical evaluator in the Communication and Information Systems (CIS) area and the National Representative (NatRep) at the Signal Intelligence CIS and Navigation Warfare (NavWar) Working Groups. Christos holds an MSc in Guided Weapon Systems from Cranfield University, UK. He has also attended numerous online courses such as the Palo Alto Networks Academy Cybersecurity Foundation course. His experience covers a wide range of assignments, including radar maintenance engineer, software developer for airborne radars, IT systems manager, and Project Manager implementing major armament contracts.

Christos is intrigued by new challenges, open-minded, and excited to explore the impact of cybersecurity on the industrial, critical infrastructure, telecommunications, financial, aviation, and maritime sectors.
