Managing the Insider Threat from the ‘Super Users’

BalaBit discusses how to manage the growing threat of ‘insider threats’

In a growing number of security incidents, privileged users are to blame for system compromises.  This is apparent from statistics which reveal that 88% * of insider misuse incidents occur due to ‘privileged’ abuse.

One of the most notorious examples of this was that of whistleblower Edward Snowden, whose position at the US National Security Agency (NSA), enabled him to conduct one of the biggest information leaks of all time.

Whilst this was an extreme example, the reality for many organisations today is that a growing number of security incidents can, and do, start on the inside of a business, as a result of privileged ‘misuse’. This could originate not only from the activities of malicious insiders, but also from hackers working outside of an organisation who are intent on gaining access to highly sensitive information. They will target the privileged user in order to gain access through their user name and password – in many cases the root password.  The reason being that it can be far more lucrative for external hackers to obtain the credentials of the most privileged ‘super users’ – whether it’s a C-Level executive or a systems administrator. 

Organisations must therefore protect themselves against the risks, by implementing processes to “watch the watchers”.

The security ‘blind spot’

Getting to the truth of what has actually happened when a security incident occurs, is vital. However, it’s not always a straightforward process and can involve sifting through thousands of text-based logs. The sheer scale of the task, often means that organisations need to bring in the expertise of external agencies.

To add to the challenges, it can be difficult to determine to pinpoint who is responsible when an incident occurs and several administrators could access the same privileged account, and share the same password. 

In order to manage this complexity, organisations need to re-think the way in which security is managed. Security solutions such as log management, firewalls and SIEM can leave a blind spot that allows users to compromise security from inside. This is because they usually focus on attaining compliancy and monitoring the environment at specific points in time. 

System administrators have very high or even unrestricted access rights on operating systems, databases and application layers. Once their rights are compromised, administrators can have access to the company’s most sensitive information, whether it’s financial or customer information, HR records or credit card numbers.

The digital fingerprint

How can organisations close this security gap and uncover these types of incidents? One of the key areas they need to focus is monitoring user behaviour.  This can reveal important information on user habits, such as time of day that accounts are accessed – or other anomalous behaviour – that can be an indicator of criminal activity. 

This is because most individuals work follows a recognisable pattern. Users access the same applications, or data, and even type in a characteristic way.  Interactions of this kind can leave a digital ‘fingerprint’.   It creates a profile which will pinpoint deviations from usual behaviour, for example if the user starts to probe the network and typically they have access to standard office applications, it could point to the fact that an account has been hacked.

By analysing all user activity, including malicious events, throughout IT systems, enterprises can gain a better understanding of what is really happening on the network.  It provides them with the intelligence they need to reduce investigation times, and close security gaps without adding additional layers of security controls. 

For more information, visit