Insiders are biggest security problem for companies today: Cyber security expert

Saryu Nayyar, CEO of Gurucul Saryu Nayyar, CEO of Gurucul

Saryu Nayyar is the CEO of Gurucul, a company that specialises in user and entity behavior analytics, identity analytics, fraud analytics and cloud security analytics. Nayyar is an internationally recognised cyber security expert, author, speaker and member of the Forbes Technology Council. She has more than 15 years of experience in the information security, identity and access management, IT risk and compliance, and security risk management sectors. She has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun) and Disney. Nayyar also spent several years in senior positions at the technology security and risk management practice of Ernst and Young. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection and dynamic risk scoring inventions. She talks to THE WEEK about how critical insider security threats are and also about the importance of fraud analytics in controlling them.

What are the latest trends with regard to the insider security threats in an organisation? How easy is it detect such threats?

Insider threats are the biggest cyber security problem for companies today because they can cause the most damage and are much harder to detect and prevent. Insiders are just that—insiders with keys to the kingdom. They know where the sensitive company or customer data is and who has access to it, so they know exactly where to strike if they decide to take action. Cyber criminals use automated hacking tools continuously to attempt to breach an organisation. And, when they do break in, they still need to surveil the network to find the data worth exfiltrating. Insiders are already in the network and know where the proverbial gold bars are stored and who has the keys. All they need to do is find a way to access those keys or use the ones they have.

Earlier companies would put in Data Loss Prevention (DLP) systems and web proxies. These restrict users from being able to email attachments, use USB drives and from going to cloud based file sharing sites. Unfortunately, security officers found out that applying these controls to every employee would have catastrophic impact to their business. Imagine not being able to send wire information between banks, or sharing a list of new employees with your insurance provider. We would have to go back to FAX machines or the USPS, and business would be slowed to a snails pace. Our organisation has worked on a behaviour and risk analytics solution that allows you to apply different controls to different risk profiles within your organisation and automate front line security controls.

Despite so much foolproof security, breaches still do happen? Do you feel that organisations need to do something extra in order to make their systems secure?

Yes, organisations need to triage: they need people, processes and technology to fight the cyber criminals. People need to be aware of the pitfalls and provide insight into their own behaviours. There is one capability that uniquely provides for insider threat and detection and deterrence: the self-audit. Users are provided a self-audit much like a credit card statement to view their own risk-ranked anomalous activities, identities, access, devices and other key data points in an easy to use web portal.

What kind of frauds are happening of late which are difficult to catch and are resulting in heavy financial losses for the customers?

We see cyber criminals recruiting insiders to execute fraudulent tactics. Insiders already have access to the 'keys to the kingdom'. Criminals prey on vulnerable insiders to get them to provide privileged access to financial systems or data, and to execute fraudulent transactions on their behalf. They may get insiders to execute small transactions that fly under the radar since the amounts are not enough to set off alarms with the legacy fraud detection systems. However, Fraud Analytics will flag these high volume, low amount transactions as anomalous and risky, thereby triggering an investigation. One needs to be able to marry legacy fraud detection solutions with machine learning based fraud analytics to detect and stop cross channel fraud attempts by cyber criminals or insiders.

As they say there is no end to human greed which despite all the security systems in place will surely result in financial or online frauds? Does technology have an answer to this?

Sadly, there is no single answer, no silver bullet. There is no single solution. You absolutely need to use multiple technologies to address the fraud problem. We recommend combining legacy fraud solutions with machine learning based fraud analytics for detecting fraud across siloed channels. In addition, you need to detect and stop insider threats as insiders can perform the most damage. We like to say you can steal an identity, but you can’t steal behaviour. Behaviour is the tell. We have developed machine learning models that detect the intent for an insider to commit fraudulent activity. Our models look for the smallest change in behaviours and start monitoring anomalous activities by insiders to stop fraud before it happens. You need machine learning and security analytics to be able to detect and stop such fraudulent behaviour at scale.

How vulnerable are the new connected systems such as IoT, Machine Learning and AI? Will more digitization result in more security threats in the future?

The future use cases we are discussing with our customers are on the IoT (Internet of Things) side. Threat intelligence feeds need to be integrated with other monitoring systems to detect anomalies in a better, more effective way. With User and Entity Behaviour Analytics (UEBA), you can detect threats or vulnerabilities around the IoT platforms since IoT devices are entities. We have developed and deployed machine learning models around detecting IoT-related vulnerabilities or threats. Prior to that it was almost manual.

What kind of new security threats which we may see in the near future that may prove to be detrimental to organisations and the general public?

There will always be new ways of breaching organisations. However, they will all be based on security threat vectors we have already seen: ransomware, zero day threats, account compromise, malware, phishing schemes, malvertisements, call center fraud, insider threats and the like. We anticipate there will be a greater volume of security threats being delivered at an exponential pace since criminals will be leveraging machine learning to execute their campaigns. With this in mind, one absolutely needs to be fighting machine-based threats with machine-based defenses. Behaviour based security analytics is at the forefront of machine-based defenses. Cyber criminals are continuously trying to breach your defences. You need to put in place technologies that deliver continuous defence.