Insider Threats Are a Fact of Life and Are Not Going Away.
The continuous headlines of data breaches and leaks caused by insiders, in both the private and public sectors, start to feel like a broken record. Combatting insider threats is one of the greatest cyber challenges facing organizations today. They are stuck between a rock and a hard place, needing to give people access to valued information and systems to do business, but also making the organization vulnerable to a potential compromise if any one of those people missteps. Access implies an inherent level of trust between employer and employee, or client and vendor. The written or unwritten contract between the parties is that access is being provided for the individuals to do their jobs, and they in turn will not use it for anything outside those boundaries. It is also explicitly stated or implied that the employee or contractor will not intentionally or negligently expose critical assets in a way that would elevate the risk of loss.
A few questions regarding this setup present themselves right off the bat. Does the insider understand their responsibilities when it comes to protecting the information and systems they are accessing? Do they understand what is required to live up to those responsibilities? Are they provided with the tools to execute their jobs while still living up to those responsibilities? Are they working in a protected environment, like an office, or in an exposed environment, like at a coffee shop? What is the inherent risk of the person being provided access? Are they committed to the company? Do they have any personal characteristics that would drive them to compromise the company?
There are also ongoing operational challenges such as making sure that everybody only has the level of access required to do their jobs, and that privileged access is limited and monitored. Finally, how do you detect an insider threat and stop them before they do damage?
Before we approach answering these questions, it is important to step back and define what is included in the scope of insider threat. In the old days, it was focused entirely on the classic malicious insider profile – employees intentionally taking action for spite or profit. As the insider threat domain has evolved, it has grown to refer to any credential-based threat – intentional or accidental, employee or contractor, executed by the real owner of the ID or by a bad actor who has compromised the account. It has expanded in this way because, from a detection point of view, these threats all follow a similar profile and all elevate risk to the organization. Of course, no two insider threats are exactly alike, and more importantly, source and motive will often define the level of potential impact.
Unfortunately, it takes time and effort to minimize exposure to insider threats. Here are some tips to make the process a bit easier and more efficient:
• Create well-defined, concise policies and procedures that govern access, user responsibilities and what to do if an incident occurs.
• Create a culture that embraces cyber security by (over) communicating and highlighting the importance of security at every possible opportunity. We all know the “if you see something, say something” mantra, because we’ve seen it and heard it repeatedly. The same principle applies for corporate environments.
• Provide security awareness education for all users that is relatively short and targeted, based on the policy each user violated.
• Build cyber security into business processes. Many of us consider cyber security when building applications, but often overlook how our employees and contractors are doing their jobs. Incorporate cyber security into everyday business processes for all parties who interact with your valuable assets to reduce non-malicious but risky behavior.
• Actively manage access, especially privileged access. The access provided to users is the attack surface that insiders (and bad actors who have compromised their accounts) go after to do damage. Minimize access to valued assets for those individuals to the least privileges required, and closely manage privileged accounts. Access control management is not a one-time shot. It needs to be reviewed and reduced regularly, based on changes in the organization and in people’s roles.
• Know your crown jewels and mission critical systems. Managing the attack surface, including user access and vulnerabilities in general, is even more critical when it comes to your most important assets. However, before you can take extra measures to protect these very important corporate assets, you need to know what they are and where they reside.
• Implement active and passive controls that block sensitive data from leaving the organization and monitor user behavior to identify anomalies. Anomaly detection is the only way to identify when a user who is not setting off any policy alarms is nonetheless doing something unusual and is therefore a risk. However, anomaly detection alone is not enough. To prioritize the most critical threats and minimize false positives, correlate behavioral analytics with other elements of risk, including associated vulnerabilities that could enable the threat to succeed, the financial or mission impact to the organization if the asset were compromised, and asset value. Also, ask the application owners who govern the assets under attack to confirm whether unusual activity is in fact business-justified. Pay extra attention to higher-risk populations like third parties.
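The "review and reduce access regularly" point above is easier to act on when the review is scripted. The following is an added example, not code from the original post or from any product it refers to: it compares each account's current entitlements against a least-privilege baseline for the person's current role and surfaces the excess, with privileged and third-party findings on top. All role, entitlement and user names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical names): least-privilege baseline per
# role, and which entitlements count as privileged.
ROLE_BASELINE = {
    "accounts-payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password-reset", "ticketing:read"},
    "contractor-dev": {"git:repo-x:read", "ci:build:trigger"},
}
PRIVILEGED = {"ad:domain-admin", "erp:admin", "db:prod:write"}

@dataclass
class Account:
    user: str
    role: str            # role the person holds today
    entitlements: set    # what the account can actually do right now
    third_party: bool = False

def review_account(acct, baseline=ROLE_BASELINE, privileged=PRIVILEGED):
    """Return (excess, excess_privileged): entitlements outside the current
    role's baseline (left over from an old role or granted ad hoc), and the
    privileged subset that should be revoked or re-justified first."""
    excess = acct.entitlements - baseline.get(acct.role, set())
    return excess, excess & privileged

def review_all(accounts):
    """Review every account. Findings with privileged excess sort first, then
    third-party accounts, so reviewers see the riskiest cases on top."""
    findings = []
    for acct in accounts:
        excess, priv = review_account(acct)
        if excess:
            findings.append((acct.user, acct.role, acct.third_party,
                             sorted(priv), sorted(excess - priv)))
    findings.sort(key=lambda f: (-len(f[3]), not f[2], f[0]))
    return findings

# Constructed accounts: alice changed roles and kept an old entitlement, bob
# holds domain admin outside any baseline, carol is a contractor with write
# access to production data, dave is clean.
SAMPLE_ACCOUNTS = [
    Account("alice", "accounts-payable",
            {"erp:invoices:read", "erp:invoices:approve", "ad:password-reset"}),
    Account("bob", "helpdesk",
            {"ad:password-reset", "ticketing:read", "ad:domain-admin"}),
    Account("carol", "contractor-dev",
            {"git:repo-x:read", "db:prod:write"}, third_party=True),
    Account("dave", "helpdesk", {"ticketing:read"}),
]
```

Calling `review_all(SAMPLE_ACCOUNTS)` lists carol, then bob, then alice; dave produces no finding because his access is within his role's baseline.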
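The last point above, correlating a behavioral anomaly with vulnerabilities, impact, asset value, owner qualification and population risk before prioritizing it, is shown below as an added example that is not part of the original post or of any vendor's product. The assets, alerts and weighting factors are constructed for illustration; the point is the ordering they produce, not the specific numbers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    user: str
    asset: str
    anomaly: float                           # 0..1 score from the behavioural tool
    third_party: bool = False
    owner_justified: Optional[bool] = None   # None = owner not yet asked

# Constructed asset context (hypothetical names): business value and
# financial/mission impact on a 0..1 scale, and whether the asset carries a
# known exploitable vulnerability that would let the activity succeed.
ASSETS = {
    "crm-prod":   {"value": 0.9, "impact": 0.9, "vuln": True},
    "wiki":       {"value": 0.2, "impact": 0.1, "vuln": False},
    "payroll-db": {"value": 1.0, "impact": 0.8, "vuln": False},
}
UNKNOWN_ASSET = {"value": 0.5, "impact": 0.5, "vuln": False}

# Weights are assumptions chosen for illustration, not a published model.
def risk_score(alert, assets=ASSETS):
    """Combine the anomaly score with asset value, impact, vulnerability,
    population risk and owner qualification into a single 0..1 priority."""
    ctx = assets.get(alert.asset, UNKNOWN_ASSET)
    score = alert.anomaly * (0.5 * ctx["value"] + 0.5 * ctx["impact"])
    if ctx["vuln"]:
        score *= 1.5      # an exploitable weakness makes the threat more credible
    if alert.third_party:
        score *= 1.25     # higher-risk population
    if alert.owner_justified is True:
        score *= 0.1      # owner confirmed business justification: de-prioritise
    return round(min(score, 1.0), 3)

def prioritise(alerts):
    """Highest-risk alerts first: an unqualified anomaly on a high-value asset
    surfaces ahead of a louder anomaly on a low-value one."""
    return sorted(alerts, key=risk_score, reverse=True)

# Constructed alerts: a loud anomaly on a low-value wiki, a moderate anomaly by
# a contractor on a vulnerable crown-jewel system, and a large but justified
# payroll export the owner has already confirmed.
SAMPLE_ALERTS = [
    Alert("erin", "wiki", anomaly=0.9),
    Alert("frank", "crm-prod", anomaly=0.5, third_party=True),
    Alert("grace", "payroll-db", anomaly=0.6, owner_justified=True),
]
```

`prioritise(SAMPLE_ALERTS)` ranks frank (0.844) above erin (0.135) even though erin's raw anomaly score is higher, and pushes grace's owner-confirmed activity (0.054) to the bottom.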
Insider threats are a fact of life and are not going away. Careless users, who create most of the noise in detection tools, all too often don’t have the education or the means to securely do their jobs. Malicious insiders and compromised accounts can be tricky to identify and stop because they often get lost in the noise. However, with the right cyber hygiene up front in addition to tools and processes utilized on an ongoing basis, the impact of insider threats can be greatly reduced and mitigated.