When we consider the range of cyber-threats, we generally imagine external attackers -- foreign states, criminal underworlds or lone script kiddies. But the reality is that a large proportion of vulnerabilities and "threats" that organizations face today come from legitimate network users. The insider threat is still often woefully underestimated.
For all the sophistication of hackers today, insiders will always have an obvious advantage over a wannabe attacker -- they already have access. Certain privileges have to be given to employees for them to do their jobs. But that creates an inherent vulnerability in which insiders pose a constant and inescapable threat to Canadian businesses. Either through a genuine mistake or deliberate action, an employee can bring an entire company to its knees with the click of a button.
For instance, an employee working remotely may connect a company laptop to a free Wi-Fi hotspot without realizing it is a rogue access point run by an attacker. Anything that laptop sends over an unencrypted connection, or types into a captive portal imitating a corporate login page, can be captured by whoever controls the hotspot, including company credentials, and those credentials can then be replayed against the corporate network. From there the attacker can deploy ransomware, steal commercially valuable data or use the compromised systems to take part in a DDoS attack. While setting company-wide best practices can help mitigate risk, organizations can't expect 100 per cent of their employees to make the right decision every time.
Many insider threats arise from employees making innocent mistakes, or purposefully bypassing security protocols for the sake of convenience. A far more insidious type of insider threat, of course, involves deliberate, malicious action. Insiders can all too easily get their hands on valuable data -- whether to pass on to a competitor organization or to wield political advantage within their own organizations. Edward Snowden proved that even the most security-conscious organizations can't protect themselves from motivated insiders.
With such a wide range of potential motivations, it can be difficult to identify high-risk users in advance. To make matters worse, insider threats aren't limited to employees. Subcontractors, third-party vendors and temporary workers all have the ability to inflict disproportionate harm. To tackle this complicated issue, businesses need to start rethinking their use of technology and security solutions.
Recent advances in machine learning technology can protect against insider threats by identifying unusual behaviour within a network in real time. At Darktrace, we refer to this as the "immune system" approach. Like the human immune system, this approach is self-learning. It develops a unique "pattern of life" for every user and device as it learns normal behaviour for the network.
The system then detects any activity that diverges from that learned normal. For instance, an employee sending abnormally large amounts of data to an unknown foreign server would immediately be flagged, as would suspicious Wi-Fi connections, abnormal login times and any number of other anomalous activities.
Crucially, an "immune system" approach like this doesn't look for a specific type of suspicious activity. Social engineering attacks can take any number of forms, and careful insiders can exfiltrate data slowly and cleverly to bypass traditional security systems. By using unsupervised machine learning, the system doesn't require rules, signatures or prior knowledge to detect potential insider threats. Rather, it continually learns and adapts to detect anomalous activity that indicates potential insider threats.
Immune system technology doesn't monitor certain users or certain devices in particular. Instead, it analyzes the raw traffic of every device and user on the network, simultaneously creating a holistic picture of the network and providing unprecedented visibility.
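To make the "pattern of life" idea concrete, here is an added example (not Darktrace's code or its actual method) of a per-user behavioural baseline: it learns, from past activity only, the hours each user is normally active, the destination countries they normally send data to, and a robust (median/MAD) profile of their outbound volume, then scores later events by how far they diverge. The log records, user names, destination-country field and the threshold of 6 robust standard deviations are all constructed for the example.

```python
"""Per-user 'pattern of life' anomaly scoring for insider-threat detection.

Added example, not the vendor's code: it learns a baseline per user from
past events (no rules or signatures) and flags later events that diverge.
All records, names and the country field below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median


@dataclass
class Event:
    user: str
    hour: int        # hour of day, 0-23
    bytes_out: int   # bytes sent to an external host
    dest: str        # country code of the destination (constructed field)


# Constructed history: ten days of routine activity for two users.
HISTORY = []
for day in range(10):
    for hour, kb in ((9, 1_200), (11, 2_400), (13, 900), (15, 3_100), (17, 1_700)):
        HISTORY.append(Event("alice", hour, kb * 1024 + day * 1024, "CA"))
    for hour, kb in ((8, 4_000), (10, 2_200), (12, 5_600), (14, 3_300), (16, 2_900)):
        HISTORY.append(Event("bob", hour, kb * 1024 + day * 2048, "US"))


@dataclass
class Baseline:
    hours: set = field(default_factory=set)   # hours of day seen for this user
    dests: set = field(default_factory=set)   # destination countries seen
    median_bytes: float = 0.0
    mad_bytes: float = 0.0                    # median absolute deviation


def learn_baselines(history):
    """Build one Baseline per user from past events only."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev.user].append(ev)
    baselines = {}
    for user, events in by_user.items():
        sizes = [ev.bytes_out for ev in events]
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        baselines[user] = Baseline(
            hours={ev.hour for ev in events},
            dests={ev.dest for ev in events},
            median_bytes=med,
            mad_bytes=mad,
        )
    return baselines


def robust_z(value, med, mad):
    """Outlier score based on median/MAD; a single huge transfer in the
    history cannot drag the baseline up the way a mean/stddev would."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def score_event(ev, baselines, z_threshold=6.0):
    """Return the reasons an event diverges from its user's baseline (empty list = normal)."""
    base = baselines.get(ev.user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if ev.hour not in base.hours:
        reasons.append(f"activity at {ev.hour:02d}:00 never seen for {ev.user}")
    if ev.dest not in base.dests:
        reasons.append(f"destination country {ev.dest} never seen for {ev.user}")
    z = robust_z(ev.bytes_out, base.median_bytes, base.mad_bytes)
    if z > z_threshold:
        reasons.append(f"outbound volume {ev.bytes_out} bytes is {z:.0f} robust std devs above baseline")
    return reasons


BASELINES = learn_baselines(HISTORY)

if __name__ == "__main__":
    # Constructed new events: one routine, one resembling a bulk exfiltration.
    for ev in (Event("alice", 11, 3 * 1024 * 1024, "CA"),
               Event("alice", 3, 900 * 1024 * 1024, "RU")):
        print(ev, "->", score_event(ev, BASELINES) or "normal")
```

Two caveats a practitioner would add: the hour check uses a plain set of observed hours, so a real deployment would model a distribution with some tolerance rather than flag the first 10:00 login; and because each event is scored on its own, a patient insider who keeps every transfer under the volume threshold is only caught once volumes are aggregated per user over a window, which is exactly the slow, careful exfiltration the text warns about.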
Traditional security solutions may doggedly focus on keeping external attackers out, but the real story is that many of the most serious threats originate from the inside. While firewalls and perimeter security are still important, the cyber security solution for the future has to catch threats that are already alive and kicking inside organizations.