Are insiders really threats or part of the solution?

Most seasoned cybersecurity experts, when asked, will tell you the insider threat is the most serious problem they face (no, not bitcoin, yet). The insider is simply the most serious threat to any organization, they assert.

I disagree. I see insiders – legitimate users and employees – as an asset to achieve the goals of the organization but also a very important part of an overall security strategy of any modern enterprise. There is indeed a POC right in your pocket, and it’s been there since the 1980s.

Your credit card account (actually the bank’s risk and liability) is protected by what you do, not what you know. The same concept has been studied for quite some time, and it’s time to reconsider our relationship to our users and utilize their individuality as a behavior-based security mechanism.

What’s an insider, really?

Insiders come in many flavors. The “real” malicious insider who has access and authority is a rare bad actor. It is far more likely that an unsuspecting benign user will be socially manipulated into clicking a link and injecting malware into their computer that hijacks a session and masquerades as the real user. Of course, credential theft is probably the most likely means of an external bad actor impersonating a legitimate user, handed the keys to do so without much effort. The ensuing losses and damage all point the finger in one direction, the legitimate sloppy insider. That’s the real threat? The real threat is insecure authentication.

Behavior is unique

The concept of behavior-based security is not exactly what the network-based UBA vendors will tell you is the value they provide. Network UBA seeks to infer anomalous users from traces of what they do on the network, from network log data. These vendors primarily seek the rare malicious insider. Many attempt to compute group norms for subsets of users and look for the outliers.

Host-based UBA is different.
The aim is to secure a system by evaluating whether a user’s actions are consistent with their past behavior, continuously verifying that the user is who they say they are. Essentially, a host-based UBA agent continuously asks the user, “Are You You?” That’s no different than your credit card processor asking if your current transaction was actually initiated by You. Your transaction behavior history is the key to actively authenticating you each time you swipe, tap or plug in. (Don’t believe me? Compare your last month’s transactions in 2017 to the same month in 2016. Amazing how consistent we are when we buy stuff.)

How well does it work?

Several years ago DARPA initiated the Active Authentication program, which brought together about 10 performers developing various ways of modeling and testing the authenticity of a user through a variety of behavior modalities, from (some obvious) biometrics, such as speech, to how you walk (the user’s gait with a mobile phone in their pocket), how the user writes prose, and how you search your computer. The key idea is to protect the last mile, the host machine and its user, by leveraging the unique behavior we each exhibit, rather than the faulty credentials we each forget. And behavior is very hard to lose. The results achieved were surprisingly excellent, with some achieving near 98% detection of masqueraders with very few false rejections. Not bad. Of course, malware imposters are easy to detect; they simply don’t behave like humans.

So why isn’t host user behavior analytics in our phones and in our laptops, or protecting our cloud storage services? It’s only a matter of time to overcome the confusion about what network UBA is and what it isn’t, and how host-based UBA is a substantial solution.

Insiders are a security asset

Pervasive host-based active authentication is an idea whose time has come, an idea that enterprises have not yet appreciated about their employees.
Users in an enterprise are a security asset, not just a threat. Their behavior can protect their own devices and phones, and they are an important component of the security architecture of any large enterprise. Imagine that, people doing their job can also protect themselves and their company just by doing what they do!
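
The contrast drawn above between group norms and checking a user against their own past behavior, as an added example that is not part of the original article and not the method of any DARPA performer or product. It assumes a simple smoothed action-frequency model; the users, action names, histories and threshold margin are all constructed for illustration.

```python
# Added illustration: per-user ("Are You You?") scoring versus a pooled group norm.
# All users, action names, histories and the margin are constructed for this example.
import math
from collections import Counter

# Constructed host histories: actions each user took on their own machine.
HISTORY = {
    "alice": ["mail", "docs", "docs", "browser", "mail", "docs", "sheet", "browser"] * 20,
    "bob":   ["ide", "git", "shell", "ide", "git", "browser", "shell", "ide"] * 20,
    "carol": ["shell", "ssh", "git", "shell", "ssh", "browser", "mail", "shell"] * 20,
}
VOCAB = sorted({a for acts in HISTORY.values() for a in acts})

def fit(actions):
    """Laplace-smoothed action probabilities learned from a history."""
    counts = Counter(actions)
    total = len(actions) + len(VOCAB)
    return {a: (counts[a] + 1) / total for a in VOCAB}

def surprise(model, session):
    """Mean negative log-likelihood (nats per action); higher means less typical."""
    floor = min(model.values())  # unknown action names get the smallest known probability
    return sum(-math.log(model.get(a, floor)) for a in session) / len(session)

USER_MODEL = {u: fit(acts) for u, acts in HISTORY.items()}
GROUP_MODEL = fit([a for acts in HISTORY.values() for a in acts])

def threshold(user, window=8, margin=1.0):
    """Worst surprise over the user's own past windows, plus a constructed margin."""
    acts = HISTORY[user]
    worst = max(surprise(USER_MODEL[user], acts[i:i + window])
                for i in range(0, len(acts) - window + 1, window))
    return worst + margin

def is_you(user, session):
    """True when the session is consistent with this user's own past behavior."""
    return surprise(USER_MODEL[user], session) <= threshold(user)

# Constructed sessions, both observed under alice's login.
NORMAL = ["mail", "docs", "browser", "docs", "sheet", "mail", "docs", "browser"]
MASQUERADE = ["shell", "ssh", "git", "shell", "ssh", "shell", "git", "ssh"]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("masquerade", MASQUERADE)):
        print(name, "own=%.2f" % surprise(USER_MODEL["alice"], s),
              "group=%.2f" % surprise(GROUP_MODEL, s), "is_you=%s" % is_you("alice", s))
```

Against the pooled group model the masquerade session scores as slightly more typical than alice's ordinary work, because those actions are routine for her colleagues; only the comparison with her own history rejects it.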