and Thwarting Insider Threat
Is it overblown or should you be concerned?
Insider Threat: The Danger from Within
Insider Threat: Three Key Factors
There are three key factors at play: technological, human and organizational.
A second important factor at play is human nature. Insiders become attackers, or the unwitting tools of attackers, for a variety of reasons. Human beings tend to neglect training and ignore established information sharing protocols and data protection procedures, especially those that seem arbitrary or inconvenient. So they write down their passwords, leave their workstations unattended, share information imprudently and insert potentially infected flash drives into company workstations — any of which is a clear security threat. People make errors — such as misconfiguring system settings or access permissions — that can result in information security breaches and intellectual property theft.
Other people are actively malicious. They may be motivated by ideology, personal convictions, unresolved ambitions, greed, thrill-seeking or (real or imagined) grievances. Or they may be living in difficult conditions and be susceptible to bad influences from the outside out of financial need. And people have varying levels of acceptance of responsibility — some will confess to or even boast about their wrongdoing, while others will camouflage their destructive activity as best as they can, making them harder to catch.
Third, organizations often fail to protect themselves to the full extent possible. Any of the following can push insiders to counterproductive behavior and increase your risk of an insider attack:
- Easy access to sensitive business information
- The perception that internal IT security is not sufficiently strict — for example, that complying with the requirements is not obligatory and that failure to comply will not have any serious consequences
- Escalated access to sensitive information to those who do not need it to perform their business roles, and insufficient oversight of privileged users
- Lack of a comprehensive network security policy regarding access to non-public information through remote connections by employees working from home
- Lack of proper security policy regarding access to unauthorized networks
- Intense working conditions that keep people from having time to think about their actions from a security perspective
- Inadequate training
- Improper, unclear or missing labeling of proprietary or sensitive data
- An uncertain organizational climate — for example, during volatile periods of mergers and acquisitions
Key Figures about Insider Threat
Countering Insider Threat
Combating insider threats is a complex undertaking that does not rest solely on IT’s shoulders. Rather, countering the threat requires collaboration between IT, HR, legal, contracting, security and data owners. Mitigating the risk of system compromise and intellectual property violations requires a comprehensive risk management process with enterprise-wide policies, procedures and technologies that enable proper alerting, analysis and reporting.
However, even putting these multiple security layers in place does not guarantee prevention or early detection of insider attacks. Policies can be misunderstood, not properly communicated or poorly enforced, and they can become obsolete over time. Employees might not receive adequate security awareness training, or they might understand prescribed procedures but fail to comply for any of the reasons outlined earlier. Technical controls might not function as planned or might not actually support organizational needs, leaving critical holes in your data and application security. The solutions you deploy might not provide enterprise-wide granular visibility into user access or might generate too much noise to be useful. Furthermore, there is no standard profile for an insider spy, so early identification can be difficult, and some insiders possess advanced technical abilities that help them obfuscate their illicit activity.
Therefore, making the security layers in a formal insider threat program work takes additional steps. Organizations must methodically implement auditing controls, continuously enforce policies and procedures, and regularly validate the effectiveness of their technical controls. However, a combination of good people management, strong corporate values and a positive organizational culture can be every bit as important as the most advanced detection technologies and thoroughly crafted security policies and controls. Overcoming cybersecurity challenges also requires providing proper training to employees, with the participation and collaboration of stakeholders from different business functions. The program should educate executives about which organizational and personal factors are likely to increase the risk of malicious behavior and what insider threat indicators exist. Organizations should also identify and classify their key information security systems, applications and data so they can establish proper control over access to protected networks and critical data.
Choosing the right tools
Of course, the tools you choose also make a world of difference. Many organizations stick to traditional security tools such as cyber intrusion detection systems, antivirus software, firewalls, SIEMs, network security software and standard data loss prevention systems. But because these tools are focused on protecting endpoints and abstractions such as perimeters, they are increasingly ineffective against the new sophisticated insider attacks in today’s interconnected world. Furthermore, many information security teams are struggling with an arsenal of standalone tools that are hard to integrate and that do not provide a single point of visibility into all systems, users and data in use. These tools can easily overwhelm analysts with a mass of different interfaces and reports.
Even organizations that rely on user behavior analytics (UBA) tools are not immune to an insider attack and loss of sensitive data. Older products in this category, which use rule-based or threshold-based technologies, can become very expensive because they are likely to produce high numbers of false alarms. That is, they can’t isolate the signal from all the noise, which is why organizations have to add more analysts to gather the contextual information required to correctly identify threats. Furthermore, because of the large number of false positives that these tools generate, analysts are often forced to react only to those events that are “louder” than other events. Plus, we know that not all anomalous behavior is a threat, and UBA tools can rarely distinguish a truly meaningful anomaly from something else.
Newer UBA solutions that are built around machine learning and temporal reasoning algorithms for detecting abnormal access to proprietary systems and data tend to be more accurate. But they are far from cheap, and they do not guarantee your organization will always be able to detect an insider threat incident either.
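To make the signal-to-noise argument concrete, here is an added example (not code from the original article or from any product it describes) that runs two detection approaches over constructed daily file-access counts: a static threshold rule of the kind older UBA tools rely on, and a per-user behavioral baseline that compares each day against that user's own history. The user names, the counts and the threshold of 200 files per day are all invented for illustration.

```python
"""Static threshold rule vs. per-user behavioral baseline on constructed access counts."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (user, day, files_accessed). Not taken from any real system.
HISTORY = [
    # alice is a data analyst who routinely reads a few hundred files a day
    ("alice", 1, 290), ("alice", 2, 310), ("alice", 3, 305), ("alice", 4, 295), ("alice", 5, 300),
    # bob is an engineer who normally touches a handful of files
    ("bob", 1, 18), ("bob", 2, 22), ("bob", 3, 20), ("bob", 4, 19), ("bob", 5, 21),
]
# The day under investigation: alice is slightly above her norm, bob is far above his.
TODAY = [("alice", 6, 315), ("bob", 6, 140)]

STATIC_THRESHOLD = 200  # hypothetical organization-wide limit, as a threshold-based tool would use


def static_rule(events, threshold=STATIC_THRESHOLD):
    """Threshold-based rule: flag any user who reads more than `threshold` files in a day.

    Has no notion of who the user is, so a legitimately heavy user trips it every day.
    """
    return [(user, day, count) for (user, day, count) in events if count > threshold]


def build_baselines(history):
    """Compute (mean, population stddev) of daily counts for each user from past observations."""
    per_user = defaultdict(list)
    for user, _day, count in history:
        per_user[user].append(count)
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}


def baseline_rule(events, baselines, k=3.0, min_abs=10):
    """Behavioral rule: flag a day that is more than k standard deviations above the
    user's own mean AND more than `min_abs` files above it in absolute terms.

    The absolute floor stops very stable users (tiny sigma) from alerting on a +1 change.
    Users with no history are skipped rather than guessed at.
    """
    alerts = []
    for user, day, count in events:
        if user not in baselines:
            continue  # no baseline yet; a real program would route this to a learning period
        mu, sigma = baselines[user]
        sigma = max(sigma, 1.0)  # floor to avoid division by ~0 for zero-variance users
        z = (count - mu) / sigma
        if z > k and (count - mu) > min_abs:
            alerts.append({
                "user": user,
                "day": day,
                "count": count,
                "baseline_mean": round(mu, 1),
                "z_score": round(z, 1),
            })
    return alerts


def compare(history=HISTORY, today=TODAY):
    """Run both rules and report how many alerts each would have raised on the known-benign
    history (pure noise) versus on today's events."""
    baselines = build_baselines(history)
    return {
        "static_noise_on_history": len(static_rule(history)),
        "static_today": static_rule(today),
        "baseline_noise_on_history": len(baseline_rule(history, baselines)),
        "baseline_today": baseline_rule(today, baselines),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On this data the static rule fires on alice every single day of the benign history and on the day in question, while saying nothing about bob's seven-fold jump; the baseline rule is silent on the history and raises one alert, for bob, carrying the context an analyst needs (his normal mean and how far today deviates). The same logic also shows the limits the article mentions: a baseline approach still cannot tell whether bob's spike is a project deadline or exfiltration, it has nothing to say about users with no history, and a slow ramp-up over many days would shift the baseline rather than trip it, which is why such a rule is one signal among several rather than a verdict.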
While no information security technology solution can guarantee it will forestall all security incidents, by far the best choice for countering the malicious activity of insiders is a specialized security tool. Look for a solution that provides extended visibility into data activity, systems and users — without eating up your entire IT budget or dragging down system performance. Make sure it enables continuous collection of the digital trails that insiders leave to enable early detection of potentially malicious behavioral patterns. Finally, look for a solution that improves operational efficiency by eliminating the need for your skilled information security teams to sift through vast seas of cryptic data to find the nuggets of valuable and actionable information they need. Instead, find a solution that dramatically improves the signal-to-noise ratio and provides the contextual information and meaningful intelligence you need to discover compromised accounts and mitigate the insider threat.