SANS: Enterprises overconfident in ability to detect insider threats

Enterprises may be increasingly aware of insider threats and believe they can find and stop them, but a new SANS Institute survey suggests they may be overconfident and lack the necessary insider threat-detection technology.

IT professionals are aware of the risks associated with insider threats, according to a new survey, but there appears to be a disconnect between perceived security capabilities and the number of insider threats organizations detect.

The SANS Institute, based in Bethesda, Md., surveyed 772 people between December 2014 and January 2015 across various industries and organization sizes to determine awareness levels, prevention capability, and response capability toward insider threats.

SANS found that more than twice as many respondents were concerned with negligent employees (52%) as with those who were directly malicious (22%). SANS noted that this was likely due to malicious insiders being easier to detect than those who have poor security awareness or are unknowingly manipulated into causing damage.

SearchSecurity contributor and SANS faculty fellow Dr. Eric Cole, who authored the report, noted a number of times that there was an apparent disconnect among respondents regarding security capabilities vs. the ability to detect actual attacks.

For example, 68% of respondents rated their organizations as capable of preventing an attack, but 34% also admitted to having suffered and detected an insider attack. Cole noted that this number could well be higher, assuming there have been insider attacks that were not detected, and implied this showed that even defenses considered "capable" are being compromised.

Only 9% of respondents rated their prevention measures as both "very effective" and proven against attacks, while another 42% were confident that their prevention measures were "effective" despite being operationally unproven. Of the rest, 36% admitted that their prevention measures were not effective and needed to be reevaluated.

Cole noted that the disconnect between perceived effectiveness of security and actual threat detection may be due to the processes and technologies employed to prevent and detect insider threats. SANS found that the vast majority (90%) of respondents said they employed administrative techniques, including policies and procedures, to prevent insider attacks, but only about 40% said that they implemented data loss prevention (DLP) techniques.

Respondents, though, were aware of this issue; 40% admitted that a lack of technology is a factor limiting their ability to prevent insider threats. Additionally, despite the use of administrative techniques, 32% of respondents said that the policies and procedures in place weren't appropriate for dealing with insider threats.

Other obstacles in preventing insider threats were a lack of training (51%), a lack of budget (43%), and a lack of staff (40%). Cole noted that half of all respondents were from organizations with fewer than 5,000 employees, which may have affected the survey results.

Beyond these obstacles, 28% of respondents said that preventing or deterring insider threats was simply not a priority for their organizations. This was also shown on the detection and response side of the survey in the incident response plan (IRP) results, which showed that 51.4% of respondents said they either have no IRP in place (16.9%) or that their IRP had no provisions for insider attacks (34.5%).

The majority of respondents noted that their organizations had techniques like internal audits (61%), internal network monitoring (57%), centralized log management (57%), SIEM tools (55%), and external monitoring (52%) implemented for detecting and responding to insider attacks. Even so, the time required to detect and mitigate an attack ranged from less than an hour to more than a year, and between 20% and 25% of respondents were unsure how long detection and mitigation took.

This lack of knowledge also extended to the potential losses from an insider attack, where 52% didn't know how large losses might be, and to budgetary issues, where nearly 45% of respondents didn't know how much was currently spent on insider threat prevention and detection or what would be spent in the next 12 months. One-fifth of respondents said that budgets were scheduled to increase 7% or more in the next year.

Overall, SANS noted a number of areas where enterprises could improve their practices in order to better prevent and mitigate insider threats and attacks. SANS suggested that organizations with a "flat" network architecture could benefit from better segmentation and system isolation.

Additionally, SANS said that effective prevention policies must integrate people, processes, and technologies, while properly designed audits, monitoring, and log analysis were essential to detecting insider threats.

"It is not just a security problem," Cole wrote, "every business and area of a business has to address and deal with this problem."
