Fighting Fraud 2019

Issue link: https://raconteur.uberflip.com/i/1178636


Commercial feature

Companies seek visibility in fight against insider threats

With insider fraud threats continuing to grow in the digital age, organisations require a clear and accurate understanding of what users are doing and how they are interacting with data

Rapid advancements in technology in recent years have given businesses far greater mobility, accessibility and interconnectivity. Though this has provided enormous value, it has also meant more users have the capability to commit harmful behaviour, fraudulent or otherwise. The growing popularity of remote working has compounded this risk further by enabling users to commit malicious activity from wherever they are in the world.

Organisations are no longer just bricks and mortar. Contracting and outsourcing are also on the rise as companies are trying to keep pace in a more competitive space, leading to less human oversight and an environment where insider fraud can become more prevalent and difficult to detect. Assets come and go every day, meaning they can no longer rely on perimeter security. They need complete visibility both on and off the corporate network.

The 2019 Insider Threat Intelligence Report, which collects data from Dtex Systems' risk assessment findings over the previous year, found some form of undetected insider threat in every assessment, including high-risk data transfers via USB or cloud and employees using personal webmail. Users were found to be bypassing security in 95 per cent of assessments and in 98 per cent of assessments Dtex found proprietary company data that was publicly accessible on the web.

According to the 2018 Cost of Insider Threats Report, insider threats cost businesses an average of $8 million an incident. Yet until a few years ago, users accessing data within an organisation almost entirely evaded the attention of security teams. Today insider fraud is increasingly prevalent and companies struggle to even detect it in the first place.

"All businesses, no matter the industry, are at risk of malicious insiders," says Armaan Mahbod, manager of insider threat and cybersecurity investigation at Dtex Systems. "These malicious actors can come from any role, not just pre-determined groups of 'high-risk' job titles. Therefore, a continuous audit trail of all users, devices and applications within an organisation is critical to catch warning signs and conduct effective investigations.

"Organisations are often too late and tracks have already been covered. In a recent phishing attack on an Australian university, for example, they didn't have the audit trail to effectively investigate after the incident, which severely hampered their recovery and response."

Companies typically have some form of fraud controls in place, including thresholds and limits, to identify specific transactions. However, many offenders are high-level executives, managers or otherwise, who are fully aware of the limits and go below the thresholds to avoid detection from suspect transactions. They may steal smaller quantities of data or money over a long period, resulting in the largest cumulative value stolen.

Most commonly, the individuals that are committing malicious insider activity are people in positions of trust, who already have some level of authorised access to critical systems. This is why it is so important to understand the insider threat kill chain, says Mr Mahbod.

"Methods for intrusion and exfiltration are constantly evolving, but it is nearly universal that malicious insiders will attempt to cover their tracks, or circumvent security tools or alerting thresholds," he adds. "We consistently find that investment in detecting these early stages of the kill chain, like covering tracks or security bypass, gives organisations the best return and results. Just as one example, Dtex caught data theft by a foreign national at one of our customers, AMP, due to the culprit's attempts to circumvent company security."

There are two factors that make insiders a greater fraud threat than outside attackers. Their malicious attacks are not premeditated and they rarely act immediately after being brought into an organisation. Instead, they slowly accumulate insights on all the traps set in place. Secondly, inside attackers generally have some level of authorised access, either in their current role or a previous role within the same company.

Malicious insiders, who are responsible for 22 per cent of all insider threats, primarily use permitted applications to evade detection, including uploading data to online file-sharing sites sanctioned for business use, utilising personal webmail accounts that aren't monitored and unblocked data-dumping websites.

In Dtex's report, 95 per cent of assessments also identified employees using anonymous and private browsing, which was an increase from 60 per cent the year before. When there is no malicious intent, threats can be even more difficult to detect, as is the case with the 68 per cent of insider threats that are purely down to negligent users causing accidental harm. This makes the visibility of user behaviour across the entire organisation crucial.

"Organisations cannot defend against attacks that they cannot see," says Mr Mahbod. "Also, placing monitors on critical systems is not enough because it only gives you less than half the full story. When a malicious insider steals data from a critical system, transferring the data to their own device, what did they do next? With greater visibility comes greater certainty, which translates to more efficient investigations.

"On the flip side, when you don't have visibility across an organisation and look at a specific device or IP address for security incidents, you run the risk of creating too many false positives because your solution does not have all the organisational domain context it needs to determine whether an activity is high risk. You need historical activity of the user, a comparison to their peers and the organisation to make a stronger determination."

Dtex Systems provides the comprehensive end-point visibility that companies need at scale to understand, in near real time, any abnormal user behaviours which have led to identification of fraudulent behaviour. Furthermore, Dtex's data highlights the contextual information necessary to understand the bigger picture behind users' malicious actions.

"Through this visibility and the elevation of anomalous behaviour, Dtex enables organisations to be 'left of boom', which means the organisation is building and running a security posture that gets out in front of the threat, allowing security teams to act before an incident, not just respond after the fact," says Mr Mahbod. "By seeing the full kill chain of events, companies are able to identify suspicious behaviour prior to events actually harming the business. This allows organisations to be proactive rather than reactive."

For more information please visit dtexsystems.com

Dtex Systems 2019 Insider Threat Intelligence Report:

100% of assessments found instances of high-risk data transfer via USB or cloud applications and employees accessing and using personal email accounts on corporate endpoints
98% found customer proprietary information publicly accessible on the web
97% found instances of employees engaging in flight risk behaviour
95% found users actively attempting to circumvent corporate security policies
74% saw the use of unsanctioned portable applications, which are increasingly being used to bypass security
