67% of organizations are not confident in their ability to uncover insider threats?
In response to these new challenges, threat hunting has emerged as a developing security practice that focuses on proactively searching for, detecting and isolating advanced threats that have slipped past existing controls.
Detecting, preventing and mitigating "insider threats" is the most common reason for an organization to have a threat hunting program. In practice, however, what some call an "insider threat" others call "internal security monitoring." Definitions range from malicious or careless employees to threats that originate externally and are now operating inside the network, such as credential-harvesting malware (NotPetya, for example, bundled a Mimikatz-derived component) and other forms of ransomware.
All threat hunting, or internal security monitoring, is only as good as the data it collects, and what our report found was that organizations were still prioritizing data sources associated with external threats (firewall and IPS logs) over those that can more accurately identify insider threats. For example, only 37% were feeding user behavior activity into their threat hunting program, and only 54% were using data collected from Active Directory. Even fewer, 19%, had integrated File Activity Monitoring into their threat hunting platforms.
Without visibility into how data is being used (File Activity Monitoring) or how access to that data is granted and exercised (Active Directory), we begin to draw some unsettling conclusions as to why threats dwell on a network for 30 days on average.
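To make the point concrete, here is an added example (not code from the original post or from STEALTHbits) of the kind of hunt that only Active Directory and file activity data can support: it baselines which shares each user normally touches, then flags users who reach into shares outside that baseline or burst-read many files, and attaches the AD logon context (logon type and source address) for each hit. The records are constructed, simplified stand-ins for Windows Security events 4624 (successful logon) and 4663 (object access), not real exports; the user names, paths, field names and the 20-files-per-hour threshold are assumptions chosen for illustration. Nothing in the example could have come from a firewall or IPS log.

```python
"""Added example: a minimal insider-threat hunt over Active Directory logon
data and file-server activity.

The records below are constructed, simplified stand-ins for Windows Security
events 4624 (successful logon) and 4663 (object access). They are not real
exports; users, paths, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline week: which shares each user normally touches.
BASELINE_4663 = [
    {"time": "2018-03-05T09:12:00", "user": "jdoe", "object": r"\\fs01\finance\q1.xlsx"},
    {"time": "2018-03-05T09:40:00", "user": "jdoe", "object": r"\\fs01\finance\budget.docx"},
    {"time": "2018-03-06T10:02:00", "user": "asmith", "object": r"\\fs01\engineering\spec.md"},
    {"time": "2018-03-06T11:30:00", "user": "asmith", "object": r"\\fs01\engineering\design.vsd"},
]

# Constructed hunt window: asmith logs on over RDP (logon type 10) from an
# unfamiliar host late at night and sweeps the HR share; jdoe behaves as usual.
HUNT_4624 = [
    {"time": "2018-03-12T22:01:00", "user": "asmith", "logon_type": 10, "src_ip": "10.9.8.7"},
    {"time": "2018-03-12T08:55:00", "user": "jdoe", "logon_type": 2, "src_ip": "10.1.1.20"},
]
HUNT_4663 = [
    {"time": f"2018-03-12T22:{m:02d}:00", "user": "asmith",
     "object": rf"\\fs01\hr\employee_{m}.pdf"} for m in range(5, 35)
] + [
    {"time": "2018-03-12T09:05:00", "user": "jdoe", "object": r"\\fs01\finance\q1.xlsx"},
]


def share_root(unc_path: str) -> str:
    # e.g. \\fs01\finance\q1.xlsx -> \\fs01\finance (lower-cased for comparison)
    parts = unc_path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]).lower()


def build_baseline(file_events):
    """Map each user to the set of share roots seen during the baseline period."""
    seen = defaultdict(set)
    for e in file_events:
        seen[e["user"]].add(share_root(e["object"]))
    return dict(seen)


def peak_distinct_objects(events, window):
    """Largest number of distinct objects touched within any span of `window`.
    `events` must belong to one user and be sorted by time."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    peak, start = 0, 0
    for end in range(len(events)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, len({e["object"] for e in events[start:end + 1]}))
    return peak


def hunt(baseline, logons, file_events, burst_threshold=20, window=timedelta(hours=1)):
    """Flag users who reach shares outside their baseline or burst-read files,
    enriching each finding with the AD logon context for that user."""
    logons_by_user = defaultdict(list)
    for logon in logons:
        logons_by_user[logon["user"]].append((logon["logon_type"], logon["src_ip"]))
    by_user = defaultdict(list)
    for e in file_events:
        by_user[e["user"]].append(e)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        touched = {share_root(e["object"]) for e in events}
        new_shares = sorted(touched - baseline.get(user, set()))
        peak = peak_distinct_objects(events, window)
        if new_shares or peak >= burst_threshold:
            findings.append({"user": user, "new_shares": new_shares,
                             "peak_distinct_objects": peak,
                             "logons": logons_by_user.get(user, [])})
    return findings


if __name__ == "__main__":
    for finding in hunt(build_baseline(BASELINE_4663), HUNT_4624, HUNT_4663):
        print(finding)
```

Run as-is it reports a single finding: asmith touched the previously unseen \\fs01\hr share, read 30 distinct files inside one hour, and did so after a type-10 (RDP) logon from 10.9.8.7. jdoe's finance access is inside the baseline and stays quiet. In a real deployment the baseline would be built from weeks of 4663 (or a file activity monitoring feed that does not depend on native auditing) rather than four constructed rows, and the threshold tuned per share.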
Active Directory security is not just a hot topic; some security professionals have built their careers on uncovering weaknesses in directory services. Take, for instance, Sean Metcalf at ADSecurity.org or Benjamin Delpy, the author of Mimikatz. Both have been great resources to the security community in helping uncover insider threats. What tends to be lacking, however, is an easy-to-follow security assessment that highlights critical areas of concern in a Microsoft Active Directory and Windows environment, or a simple-to-deploy File Activity Monitoring solution that does not rely on native logs and can scale to billions of events daily.
Most organizations aren't aware they even have these problems, because issues in their Active Directory and NAS servers are not feeding their threat hunting programs with the same prevalence as traditional data sources like anti-virus, firewall and IPS/IDS logs. There is a very real need for organizations to have a set of Active Directory and File Activity Monitoring tools from which they can feed their threat hunting platforms.
Download the 2018 Threat Hunting Report here and then request your own risk assessment.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.