The Imperva Defense Center conducted the research by applying a combination of machine learning-based behavioral analysis and deception technology to live production data and networks. Machine learning was used to analyze detailed activity logs of the data accessed by insiders. Deception technology added context to the analysis by identifying anomalies indicative of compromised endpoints and user credentials. This deeper level of insight proved critical for finding true insider threats within a sea of anomalies.
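The combination described above (behavioral baselining of data access, with deception signals used to separate real incidents from mere anomalies) can be illustrated with a small toy triage routine. The following is an added example, not Imperva's or CounterBreach's code; the log format, user names, host names, table names and the decoy tables and accounts are all constructed assumptions.

```python
"""Toy insider-threat triage: per-user data-access baselines plus deception hits.

Constructed example. The log tuples (user, host, table), the decoy objects and
every name below are assumptions, not data or code from Imperva.
"""
from collections import defaultdict

# Constructed training-window log: which tables each user normally touches.
BASELINE_LOG = [
    ("alice", "ws-101", "orders"),
    ("alice", "ws-101", "customers"),
    ("bob", "ws-202", "inventory"),
    ("bob", "ws-202", "orders"),
    ("carol", "ws-303", "payroll"),
]

# Decoy objects that no legitimate workflow ever references (assumption):
# a touch on any of them is a high-confidence signal, not a statistical guess.
DECOY_TABLES = {"customers_export", "payroll_archive_2015"}
DECOY_ACCOUNTS = {"svc_backup_legacy"}

# Constructed detection-window log to triage.
DETECTION_LOG = [
    ("alice", "ws-101", "orders"),               # in baseline
    ("alice", "ws-101", "inventory"),            # new table, no deception context
    ("bob", "ws-202", "customers_export"),       # decoy table read
    ("svc_backup_legacy", "ws-303", "payroll"),  # decoy account used from carol's host
    ("carol", "ws-303", "customers"),            # new table, from a host with a decoy hit
    ("carol", "ws-303", "payroll"),              # in baseline
]


def build_baseline(log):
    """Per-user set of tables seen during the training window."""
    baseline = defaultdict(set)
    for user, _host, table in log:
        baseline[user].add(table)
    return dict(baseline)


def triage(log, baseline, decoy_tables=DECOY_TABLES, decoy_accounts=DECOY_ACCOUNTS):
    """Return (user, host, table, verdict) for each access.

    verdict is one of:
      "normal"   - table is in the user's baseline
      "anomaly"  - outside the baseline, but no deception evidence
      "incident" - a decoy object was touched, or an anomaly came from a host
                   that also produced a decoy hit (compromised endpoint)
    """
    # First pass: hosts from which any decoy table or decoy account was used.
    compromised_hosts = {
        host for user, host, table in log
        if table in decoy_tables or user in decoy_accounts
    }

    findings = []
    for user, host, table in log:
        decoy_hit = table in decoy_tables or user in decoy_accounts
        anomalous = table not in baseline.get(user, set())
        if decoy_hit:
            verdict = "incident"
        elif anomalous and host in compromised_hosts:
            verdict = "incident"  # deception context escalates the anomaly
        elif anomalous:
            verdict = "anomaly"   # left for analyst review, not an incident
        else:
            verdict = "normal"
        findings.append((user, host, table, verdict))
    return findings


def verdict_counts(findings):
    """Count findings per verdict, to show how few anomalies become incidents."""
    counts = {"normal": 0, "anomaly": 0, "incident": 0}
    for *_, verdict in findings:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage(DETECTION_LOG, build_baseline(BASELINE_LOG))
    for user, host, table, verdict in results:
        print(f"{verdict:8s} {user:18s} {host:7s} {table}")
    print(verdict_counts(results))
```

Alice's read of `inventory` stays an anomaly because nothing else supports it, while Carol's read of `customers` is escalated only because a decoy account was used from her workstation in the same window; that host-level correlation is the "context" deception adds to a purely behavioral score.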
Based on the studied environments and follow-on analysis, the researchers found:
- Insider threat events were present in 100 percent of the studied environments, confirming suspicions that insider abuse of data is routinely undetected.
- Deception technology, deployed to complement behavioral analysis, positively identified insider threats.
- Insider threat incidents were not identified by any existing in-place security infrastructure.
- Identified insider threats spanned malicious, compromised and careless insiders.
- In most cases, insiders took advantage of granted, trusted access to data, rather than trying to directly hack into databases and file shares.
“Just finding anomalies in user behavior will not solve the insider threat problem,” said Amichai Shulman, Co-founder and CTO of Imperva. “Enterprises need to have granular visibility into which users are accessing data, and more importantly, the actual queries and data accessed by each user. This deep level of insight proved critical to separating actual incidents from anomalies. Imperva CounterBreach allows customers to apply machine learning and deception technology to both user behaviors and the data that users have accessed, which is the key to pinpointing insider threats.”