and Thwarting Insider Threat

You've undoubtedly seen all the fuss lately about insider threats. Is it overblown or should you be concerned?

Insider Threat: The Danger from Within

Could your employees be putting the most valuable information assets at risk?
Survey results, stories in the media, and the growth in the market for enterprise threat management platforms all suggest a consensus that the insider threat is both real and urgent. But a simpler way to determine whether your organization should be concerned about insider threats is to answer “yes” or “no” to the questions below. Remember that “insider” includes not only your company’s staff, but anyone inside your defined enterprise network security perimeter, such as contractors, suppliers, business partners or resellers.
  • Could organized cyber criminals, individual hackers, competitors or state-sponsored spy groups use social engineering schemes to mislead your company’s insiders and steal their identities?
  • Could a disgruntled or resigning employee or a former staff member obtain a colleague’s credentials and then use those false credentials to commit attacks while disguising their true identity?
  • Can trusted insiders with a security clearance use their broad privileges to gain access to protected databases or shares and then steal sensitive information, degrade system performance or disrupt operations?
  • Can insiders use rootkits or other sophisticated hacker tools to illicitly access company data and critical systems and thereby steal or damage proprietary information or other critical assets?
  • Can any insider, including your current and former employees and partners, know about back doors into your systems and either use that information maliciously themselves or provide it to external malefactors?
  • Can any insider unwittingly aid cyber criminals?
  • Is it possible that any of these scenarios has already been happening in your environment for months or even years?
More than likely, you answered “yes” to at least several of these questions in this informal threat assessment. If so, the odds are ten to one that your organization is at risk from insider threats. What can you do?

Insider Threat: Three Key Factors

The first step is to understand the roots of the insider threat problem. There are three key factors at play: technological, human and organizational.
The technological
One reason insider threats are increasing is that people have the means. Simply put, technological advances create many avenues for attacks on businesses. In particular, computing resources are increasingly powerful and available; the workforce is becoming more mobile and smart devices are proliferating; and social communication channels and internet use in general continue to increase. All of these technological trends contribute to the growing complexity and ubiquity of computer threats.
The human

A second important factor at play is human nature. Insiders become attackers, or the unwitting tools of attackers, for a variety of reasons. Human beings tend to neglect training and ignore established information sharing protocols and data protection procedures, especially those that seem arbitrary or inconvenient. So they write down their passwords, leave their workstations unattended, share information imprudently and insert potentially infected flash drives into company workstations — any of which is a clear security threat. People make errors — such as misconfiguring system settings or access permissions — that can result in information security breaches and intellectual property theft.

Other people are actively malicious. They may be motivated by ideology, personal convictions, unresolved ambitions, greed, thrill-seeking or (real or imagined) grievances. Or they may be living in difficult conditions and, out of financial need, be susceptible to bad influences from outside. And people have varying levels of acceptance of responsibility — some will confess to or even boast about their wrongdoing, while others will camouflage their destructive activity as best they can, making them harder to catch.

The organizational

Third, organizations often fail to protect themselves to the full extent possible. Any of the following can push insiders to counterproductive behavior and increase your risk of an insider attack:

  • Easy access to sensitive business information
  • The perception that internal IT security is not sufficiently strict — for example, that complying with the requirements is not obligatory and that failure to comply will not have any serious consequences
  • Escalated access to sensitive information to those who do not need it to perform their business roles, and insufficient oversight of privileged users
  • Lack of a comprehensive network security policy regarding access to non-public information through remote connections by employees working from home
  • Lack of proper security policy regarding access to unauthorized networks
  • Intense working conditions that keep people from having time to think about their actions from a security perspective
  • Inadequate training
  • Improper, unclear or missing labeling of proprietary or sensitive data
  • An uncertain organizational climate – for example, during volatile periods of mergers and acquisitions

Key Figures about Insider Threat

Do organizations understand how serious insider threats are, and are they prepared?
Do organizations tackle the risk of insider threats? They try to. Are they successful at mitigating the risk? All the new insider threat examples reported in the media suggest that while many organizations acknowledge the problem, few have a clear vision for implementing an effective insider threat program that enables them to identify outliers and mitigate risk. And insider threat surveys generally bear out this assessment:
  • 51% of respondents did not have a plan for responding to insider threats, and 32% of respondents said that insider crimes were more costly or damaging than incidents perpetrated by outsiders, according to PwC’s 2014 US State of Cybercrime Survey
  • 89% of respondents felt their organizations were vulnerable to insider misuse, with 34% feeling very or extremely vulnerable, in the 2015 Vormetric Insider Threat research
  • Corroborating this, 67% of respondents believed their business would experience a serious information breach resulting from employee behavior in the next 24 months, reports Clearswift’s 2015 Insider Threat Index
  • Only 40% of organizations in Ponemon’s 2014 Privileged User Abuse & The Insider Threat study had a dedicated budget for an insider threat program
  • Verizon’s 2016 Data Breach Investigations Report found that insider incidents are the hardest and take the longest to detect, with 70% of all detected insider incidents taking months or years to discover
  • 55% of all cyber attacks in 2014 were carried out by either a malicious insider or a negligent insider, according to the 2015 IBM Cyber Security Intelligence Index

Countering Insider Threat

Building an enterprise-wide program to mitigate the threat

Combating insider threats is a complex undertaking that does not rest solely on IT’s shoulders. Rather, countering the threat requires collaboration between IT, HR, legal, contracting, security and data owners. Mitigating the risk of system compromise and intellectual property violations requires a comprehensive risk management process with enterprise-wide policies, procedures and technologies that enable proper alerting, analysis and reporting.

However, even putting these multiple security layers in place does not guarantee prevention or early detection of insider attacks. Policies can be misunderstood, not properly communicated or poorly enforced, and they can become obsolete over time. Employees might not receive adequate security awareness training, or they might understand prescribed procedures but fail to comply for any of the reasons outlined earlier. Technical controls might not function as planned or might not actually support organizational needs, leaving critical holes in your data and application security. The solutions you deploy might not provide enterprise-wide granular visibility into user access or might generate too much noise to be useful. Furthermore, there is no standard profile for an insider spy, so early identification can be difficult, and some insiders possess advanced technical abilities that help them obfuscate their illicit activity.

Therefore, making the security layers in a formal insider threat program work takes additional steps. Organizations must methodically implement auditing controls; continuously enforce policies and procedures; and regularly validate the effectiveness of their technical controls. However, a combination of good people management, strong corporate values and a positive organizational culture can be every bit as important as the most advanced detection technologies and thoroughly crafted security policies and controls. Overcoming cybersecurity challenges also requires providing proper training to employees, with the participation and collaboration of stakeholders from different business functions. The program should educate executives about which organizational and personal factors are likely to increase the risk of malicious behavior and what insider threat indicators exist. Organizations should also identify and classify their key information security systems, applications and data so they can establish proper control over access to protected networks and critical data.

Choosing the right tools

Of course, the tools you choose also make a world of difference. Many organizations stick to traditional security tools such as cyber intrusion detection systems, antivirus software, firewalls, SIEMs, network security software and standard data loss prevention systems. But because these tools are focused on protecting endpoints and abstractions such as perimeters, they are increasingly ineffective against the new sophisticated insider attacks in today’s interconnected world. Furthermore, many information security teams are struggling with an arsenal of standalone tools that are hard to integrate and that do not provide a single point of visibility into all systems, users and data in use. These tools can easily overwhelm analysts with a mass of different interfaces and reports.

Even organizations that rely on user behavior analytics (UBA) tools are not immune to an insider attack and loss of sensitive data. Older products in this category, which use rule-based or threshold-based technologies, can become very expensive because they are likely to produce high numbers of false alarms. That is, they can’t isolate the signal from all the noise, which is why organizations have to add more analysts to gather the contextual information required to correctly identify threats. Furthermore, because of the large number of false positives that these tools generate, analysts are often forced to react only to those events that are “louder” than other events. Plus, we know that not all anomalous behavior is a threat, and UBA tools can rarely distinguish a truly meaningful anomaly from something else.

Newer UBA solutions that are built around machine learning and temporal reasoning algorithms for detecting abnormal access to proprietary systems and data tend to be more accurate. But they are far from inexpensive, and they do not guarantee that your organization will always be able to detect an insider threat incident either.

While no information security technology solution can guarantee it will forestall all security incidents, by far the best choice for countering the malicious activity of insiders is a specialized security tool. Look for a solution that provides extended visibility into data activity, systems and users — without eating up your entire IT budget or dragging down system performance. Make sure it enables continuous collection of the digital trails that insiders leave to enable early detection of potentially malicious behavioral patterns. Finally, look for a solution that improves operational efficiency by eliminating the need for your skilled information security teams to sift through vast seas of cryptic data to find the nuggets of valuable and actionable information they need. Instead, find a solution that dramatically improves the signal-to-noise ratio and provides the contextual information and meaningful intelligence you need to discover compromised accounts and mitigate the insider threat.
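To make the signal-to-noise argument of the preceding paragraphs concrete, here is an added example that is not code from the original article or from any vendor’s product. It runs two detection approaches over a constructed set of file-access audit records: a static threshold rule of the kind that floods analysts with alerts, and a per-user baseline that scores each hour against that user’s own history and attaches context (off-hours activity, a host never used before). The user names, hosts, the 100-file threshold, the z-score cut-off and the baseline window are all assumptions chosen for the demonstration.

```python
"""Static threshold rule vs. per-user baseline with context.

Added example, not the article's or any product's code. All records below
are constructed: a high-volume analyst ("alice") and a low-volume clerk
("bob") who, on day 11, reads far more than usual, late at night, from a
host he has never used. Thresholds and scoring are assumptions.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Rec = namedtuple("Rec", "user day hour files_read host")


def _routine(user, base, step, mod, host):
    """Construct ten days of routine daytime activity for one user."""
    return [Rec(user, d, h, base + step * (h % mod), host)
            for d in range(1, 11) for h in (9, 10, 11, 14, 15, 16)]


# Constructed audit log: alice reads 150-190 files/hour, bob reads 5-7.
LOG = (_routine("alice", 150, 10, 5, "wks-alice")
       + _routine("bob", 5, 1, 3, "wks-bob")
       + [Rec("bob", 11, 23, 90, "srv-jump01"),     # the real anomaly
          Rec("alice", 11, 10, 160, "wks-alice")])  # a normal hour


def static_rule(log, threshold=100):
    """Threshold rule: fires on any hour with more than `threshold` reads,
    regardless of who the user is. Flags alice every working hour and
    misses bob, whose 90 reads stay under the line."""
    return [r for r in log if r.files_read > threshold]


def build_baselines(log, baseline_days):
    """Per-user profile learned from the baseline window: typical hourly
    volume, hosts used and hours of the day seen."""
    per_user = defaultdict(list)
    for r in log:
        if r.day in baseline_days:
            per_user[r.user].append(r)
    baselines = {}
    for user, recs in per_user.items():
        counts = [r.files_read for r in recs]
        baselines[user] = {
            "mean": mean(counts),
            # floor the deviation so a perfectly regular user does not
            # cause a division by zero or an infinite z-score
            "stdev": max(pstdev(counts), 1.0),
            "hosts": {r.host for r in recs},
            "hours": {r.hour for r in recs},
        }
    return baselines


def baseline_alerts(log, baselines, eval_days, z_cut=3.0):
    """Score each record in the evaluation window against its user's own
    baseline and attach the context an analyst needs to triage it."""
    alerts = []
    for r in log:
        if r.day not in eval_days:
            continue
        b = baselines.get(r.user)
        if b is None:
            # a user with no history at all is itself worth surfacing
            alerts.append({"user": r.user, "day": r.day, "hour": r.hour,
                           "z": None, "reasons": ["no-baseline"]})
            continue
        z = (r.files_read - b["mean"]) / b["stdev"]
        if z < z_cut:
            continue
        reasons = [f"volume z={z:.1f}"]
        if r.hour not in b["hours"]:
            reasons.append("off-hours")
        if r.host not in b["hosts"]:
            reasons.append("new-host")
        alerts.append({"user": r.user, "day": r.day, "hour": r.hour,
                       "z": round(z, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    fired = static_rule(LOG)
    print(f"static rule fired {len(fired)} times, users: {set(r.user for r in fired)}")
    for alert in baseline_alerts(LOG, build_baselines(LOG, range(1, 11)), [11]):
        print("baseline alert:", alert)
```

The static rule fires 61 times, every one of them on the analyst doing her job, and never on the clerk; the baseline approach raises a single alert, on the clerk, and tells the analyst why (volume far above his norm, outside his usual hours, from an unfamiliar host). Learning the baseline from a fixed window and evaluating only later days matters: scoring the same days the profile was learned from would let an insider who has been exfiltrating steadily for months look “normal”.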