Effective containment: The many faces of insider threats

Ed Hammersla, president, Forcepoint Federal LLC, makes the case for agencies to have a different mindset when it comes protecting data and networks from insiders.

The term “insider threat” has garnered enough attention lately that most organizations realize the impact a malicious insider can have on their critical data, but sadly that is where their knowledge of “insiders” ends.

Typically, when people think of insider threats, they assume malicious employees that are looking to steal company secrets for profit or disgruntled employees hoping to create irreparable damage to the company. The reality, however, is that insider threats can emanate from anyone that has access to your network or data, not just highly privileged users. This includes business partners, vendors, suppliers and contractors.

In fact, more breaches occur from “accidental” or “unintentional” insiders than from those that have malicious intent. Negligent employees and other users of your network often pose the biggest risk towards the safety of your critical data. Of the firms surveyed by Forrester for their “Understand The State Of Data Security and Privacy: 2015 To 2016” report, those that had experienced a breach in 2015 indicated that internal incidents were the leading cause with more than 50 percent of those due to inadvertent misuse or error.

Ed Hammersla is the chief strategy officer of Forcepoint and president of Forcepoint Federal LLC.

Negligent users invite risk through uninformed, highly questionable behaviors, usually linked to social media and email scams. Adversaries target them in order to trick them into doing something that seems legitimate, yet actually allows the adversary to slip past external defenses and essentially become an insider. This negligent behavior is often associated with lack of education or lax security policy enforcement, and it’s these overlooked insiders that companies need to wise up to.

Understanding the many faces of insider threats, however, is just the beginning. The true challenge is maintaining a secure network that accounts for both malicious and accidental insider threats.

Singling out malicious insiders or those employees that are careless with security practices doesn’t address the whole problem. What about the employees that do not engage in questionable behavior (using business devices for personal use, sharing passwords, improperly using removable storage devices, etc.)? Where do they rank in the grand scheme of insider threats?

Unfortunately, even if you do everything by the book, you can still become an unsuspecting pawn of a clever adversary. The sophistication of today’s attacks makes it possible for employees that do not partake in questionable behavior (using company devices for personal use or being negligent in their security practices) to still become an accidental insider.

Take for example a pharmaceutical company employee that receives an invoice from an approved supplier. The invoice is not only expected, but comes through the proper channels with all the correct purchase order information. Based on all indications it seems like a legitimate correspondence so the employee processes it as usual. Unfortunately, the employee just opened a backdoor for a malicious actor to infiltrate the sensitive network.

It is so important to understand the many different faces that make up today’s insider threats in order to implement an appropriately devised layered approach to security.

Visibility into the threat

Education and training only go so far. Organizations must implement a complete insider threat program that combines technologies such as data loss prevention (DLP) as well as user behavior analytics. This combination will ensure proper context and visibility into all suspicious activity in order to immediately assess the severity of the threat, remediate the problem and create new policies to prevent it from happening again.

The human element is susceptible to making mistakes, so having constant visibility into how users behave is critical in identifying threats before they become full blown disasters. The best way to do this is focus on the endpoint and creating a baseline for normal user behavior.

Once this is achieved security personnel can then look for deviations from “normal” behavior (i.e. data access, working hours, email activity, etc.). These deviations are risk indicators that serve as warning signs leading up to a breach. Having better visibility into how users handle data provides organizations with the context needed to detect both unintentional insider threats and malicious activity, that otherwise would go unnoticed.

Implementing a successful insider threat program

Once you have the proper visibility, you need to combine that intelligence with traditional training and risk management plans. By effectively consolidating and prioritizing security alerts sent from other systems and data sources combined with actual user activity, you have an effective “early warning system” that accounts for all the potential insider threats that can negatively impact your security posture on a daily basis. Key components of any successful insider threat program should include:

  • Policies: Communicating policies on how technology should be used within the organization from appropriate devices to the handling of data and Internet use. A lack of awareness accounts for much of an employee’s negligent behavior. The majority of accidental insider threats can be avoided through simple education and training.
  • Processes: Aligning of computer/device usage according to assigned roles. By having visibility into who is allowed to be using specific devices, you can more accurately identify when those devices are being used improperly or by unauthorized personnel.
  • Technology controls: Limiting access to data and systems according to assigned roles. Setting up electronic barriers for accessing key data and systems ensures only those who have proper authorization gain access. This can be extremely helpful for remediation as you can easily track a breach back to a specific set of credentials.
  • Risk management: Identifying and developing a risk-management plan around what is mission-critical. Unless you can come to a consensus on what is important, you will never be able to assign relative importance to all the various assets you hold dear. Understanding your risk management objectives allows you to create a clear and concise plan for implementation.
  • Auditing and monitoring: Ensuring each of the above pieces are effective and properly aligned to organizational needs. Through continuous auditing and monitoring you are able to discern if things are going to plan or if things need to be realigned. Insider threats are complicated, you can’t fully address them if you make decisions in a vacuum.

Today’s insider threats cannot be categorized as simply malicious actors; there are too many factors that are at play. A different mindset must be adopted, one that does not leave protection of the network up to chance. Insiders already have the “keys to the kingdom,” accounting for their actions (whether malicious or compromised) ensures you have the needed visibility to effectively detect, deter and mitigate insider threats. Paying closer attention to actual user behavior ensures security teams are able to identify malicious activity, as well as determine if legitimate credentials have been compromised.

Remember, the sophisticated nature of today’s attacks make it easier for malicious outsiders to become an inside threat, and they count on security teams focusing on the perimeter rather than someone with the proper credentials. Deploying a layered defense that includes technologies such as DLP and email sandboxing, along with user behavior analytics is the only way organizations can guarantee that those who are already inside the perimeter are behaving as they should.Even though there are many different faces to insider threats, identifying those risks and containing them is not as daunting as it seems.

Following the guidelines outlined above allows organizations to achieve the visibility needed to ensure no matter what type of insider threat is present; it will be identified and addressed before any real harm can be done.


Ed Hammersla is the chief strategy officer of Forcepoint and president of Forcepoint Federal LLC.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News NetworkFederal Acquisition, GSA

    Insider threat programs must find the right ‘trust but verify’ balance

    Read more