Using AI to fight the insider threat
No matter what systems and safeguards businesses and IT leaders put in place, the insider threat is constant.
Cyber security company Darktrace says 65% of the early-stage threats it detects involve insiders misusing legitimate access to harm their employer, either knowingly or unknowingly.
This is according to Darktrace MEA commercial director Eleanor Weaver, who spoke about 'The future impact of AI in cyber crime', at the ITWeb Security Summit 2018, being held in Midrand this week.
Enterprise immune systems
Darktrace takes a fundamentally different approach to cyber security defence, which it calls the 'enterprise immune system'. Weaver says it is modelled on the human immune system: an internal system that seeks out and kills disease-causing outsiders, here within a network.
"I tell CIOs and CISOs the whole time that if I were in their position, if I were managing a corporation, however big or small, the employees would keep me up at night because at the end of the day they have a badge into the building and a passport onto the network," says Weaver.
She says that, for an insider with malicious intent, the job is much easier than it is for an external attacker.
Traditional tools, says Weaver, are simply not well suited to detecting insider threats: "You cannot write a rule or signature to detect what a malicious insider will do, whether it is intentional or unintentional; there is a little bit of human psychology that comes into play here."
"Personally I think that legacy approaches are very black and white, and insider threat is the furthest thing from black or white... As I said, suspicious activity is a bit of a grey area for a lot of security teams trying to wrap their heads around, and that really is where Darktrace excels - making that suspicious activity a bit more understandable from the security team's perspective."
Darktrace's 'enterprise immune system' is based on mathematics and machine learning; it uses artificial intelligence (AI) to detect out-of-the-ordinary behaviour within a system.
Weaver walked through a case study which illustrates how Darktrace works.
A large retail client was storing a customer database containing sensitive information, such as credit card details and personally identifiable information, in the cloud. It was kept there for ease of access, and select staff had full access to the data and regularly downloaded or interacted with it to conduct business.
Darktrace noticed an anomaly within the system: a desktop was communicating with the cloud and attempting to download all of the information outside working hours, and the same desktop was making rare connections to an external location.
Weaver says the company was alerted to this activity, which was unusual even though the system saw it as legitimate.
It turned out that an IT manager was downloading the information and sending it to his residential WAN.
He didn't admit to doing anything nefarious but handed in his resignation a week later, says Weaver.
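As an added illustration of the behaviour-baselining idea behind this case study (a constructed example, not Darktrace's code or algorithm): a per-host baseline of destinations, active hours and transfer sizes is learnt from ordinary traffic, and an event is flagged only when it deviates in more than one independent way, as the out-of-hours bulk download and the rare external connection did here. The hostnames, addresses, hours and byte counts are all assumed.

```python
from collections import Counter, defaultdict
from datetime import datetime

WORK_HOURS = range(8, 18)  # assumed office hours, 08:00-17:59

# Constructed flow records: (timestamp, host, destination, bytes transferred).
# BASELINE is ordinary business use; EVENTS adds the out-of-hours bulk
# download and the unusual external connection described in the case study.
BASELINE = [
    ("2018-05-14 09:12", "desk-17", "crm.cloud.example", 120_000),
    ("2018-05-14 14:40", "desk-17", "crm.cloud.example", 95_000),
    ("2018-05-15 10:03", "desk-17", "crm.cloud.example", 110_000),
    ("2018-05-15 16:21", "desk-17", "mail.corp.example", 20_000),
    ("2018-05-16 11:47", "desk-17", "crm.cloud.example", 130_000),
    ("2018-05-16 15:05", "desk-17", "crm.cloud.example", 101_000),
]
EVENTS = [
    ("2018-05-17 10:30", "desk-17", "crm.cloud.example", 115_000),
    ("2018-05-17 23:14", "desk-17", "crm.cloud.example", 4_800_000_000),
    ("2018-05-17 23:40", "desk-17", "203.0.113.7", 4_800_000_000),
]

def build_baseline(records):
    """Per host: destinations seen, hours of day seen, largest single transfer."""
    base = defaultdict(lambda: {"dests": Counter(), "hours": Counter(), "max_bytes": 0})
    for ts, host, dest, nbytes in records:
        b = base[host]
        b["dests"][dest] += 1
        b["hours"][datetime.strptime(ts, "%Y-%m-%d %H:%M").hour] += 1
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def score_event(base, record, volume_factor=10):
    """List the ways a record deviates from its own host's history."""
    ts, host, dest, nbytes = record
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    b, reasons = base[host], []
    if hour not in WORK_HOURS and hour not in b["hours"]:
        reasons.append("outside working hours")
    if b["dests"][dest] == 0:
        reasons.append("rare destination %s" % dest)
    if b["max_bytes"] and nbytes > volume_factor * b["max_bytes"]:
        reasons.append("volume %dx baseline" % (nbytes // b["max_bytes"]))
    return reasons

def detect(baseline_records, events, min_reasons=2):
    """Flag only events with several independent deviations, to limit noise."""
    base = build_baseline(baseline_records)
    scored = [(r, score_event(base, r)) for r in events]
    return [(r, why) for r, why in scored if len(why) >= min_reasons]
```

The daytime access to the same cloud database produces no reasons at all, which is the point: the data access was authorised, and only the combination of timing, volume and destination made it stand out.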
Weaver warns: "IT guys are a company's biggest risks, as they have no one really looking at them and have the biggest access."
"Typically this would have flown under the radar with most cases as we don't really watch our IT and our security folk as heavily as they are the ones defending the network."