The term “insider threat” has garnered enough attention lately that most organizations realize the impact a malicious insider can have on their critical data, but sadly that is where their knowledge of “insiders” ends.
Typically, when people think of insider threats, they picture malicious employees who are looking to steal company secrets for profit, or disgruntled employees hoping to do irreparable damage to the company. The reality, however, is that insider threats can emanate from anyone who has access to your network or data, not just highly privileged users. This includes business partners, vendors, suppliers and contractors.
In fact, more breaches are caused by “accidental” or “unintentional” insiders than by those with malicious intent. Negligent employees and other users of your network often pose the biggest risk to the safety of your critical data. Of the firms surveyed by Forrester for its “Understand The State Of Data Security and Privacy: 2015 To 2016” report, those that had experienced a breach in 2015 indicated that internal incidents were the leading cause, with more than 50 percent of those due to inadvertent misuse or error.
Negligent users invite risk through uninformed, highly questionable behaviors, usually linked to social media and email scams. Adversaries target them in order to trick them into doing something that seems legitimate, yet actually allows the adversary to slip past external defenses and essentially become an insider. This negligent behavior is often associated with lack of education or lax security policy enforcement, and it’s these overlooked insiders that companies need to wise up to.
Understanding the many faces of insider threats, however, is just the beginning. The true challenge is maintaining a secure network that accounts for both malicious and accidental insider threats.
Singling out malicious insiders, or those employees who are careless with security practices, doesn’t address the whole problem. What about the employees who do not engage in questionable behavior (using business devices for personal use, sharing passwords, improperly using removable storage devices, etc.)? Where do they rank in the grand scheme of insider threats?
Unfortunately, even if you do everything by the book, you can still become the unsuspecting pawn of a clever adversary. The sophistication of today’s attacks makes it possible for employees who do not partake in questionable behavior (using company devices for personal use or being negligent in their security practices) to still become accidental insiders.
Take, for example, a pharmaceutical company employee who receives an invoice from an approved supplier. The invoice is not only expected, but comes through the proper channels with all the correct purchase order information. By every indication it is a legitimate correspondence, so the employee processes it as usual. Unfortunately, the employee has just opened a backdoor for a malicious actor to infiltrate the sensitive network.
Understanding the many different faces that make up today’s insider threats is essential to implementing a properly designed, layered approach to security.
Visibility into the threat
Education and training only go so far. Organizations must implement a complete insider threat program that combines technologies such as data loss prevention (DLP) with user behavior analytics. This combination provides the context and visibility into suspicious activity needed to immediately assess the severity of a threat, remediate the problem and create new policies to prevent it from happening again.
The human element is susceptible to mistakes, so having constant visibility into how users behave is critical to identifying threats before they become full-blown disasters. The best way to do this is to focus on the endpoint and create a baseline of normal user behavior.
Once this is achieved, security personnel can look for deviations from “normal” behavior (e.g. in data access, working hours, email activity, etc.). These deviations are risk indicators that serve as warning signs leading up to a breach. Better visibility into how users handle data gives organizations the context needed to detect both unintentional insider threats and malicious activity that would otherwise go unnoticed.
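As an added example (not from the article or any Forcepoint product), the baseline-and-deviation idea above in Python: per-user baselines of working hours, file volume and hosts are built from constructed historical endpoint events, and new events are then scored against them for the risk indicators the text names. All users, hosts, timestamps and counts are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical endpoint events: (user, timestamp, files accessed, host).
HISTORY = [
    ("alice", "2016-03-01T09:15:00", 12, "ws-alice"),
    ("alice", "2016-03-02T10:05:00", 15, "ws-alice"),
    ("alice", "2016-03-03T11:30:00", 9, "ws-alice"),
    ("alice", "2016-03-04T14:45:00", 14, "ws-alice"),
    ("alice", "2016-03-07T16:10:00", 11, "ws-alice"),
    ("bob", "2016-03-01T22:00:00", 40, "ws-bob"),    # bob works a night shift
    ("bob", "2016-03-02T23:05:00", 38, "ws-bob"),
    ("bob", "2016-03-03T21:30:00", 45, "ws-bob"),
]

def build_baseline(events):
    """Per-user profile of normal working hours, file volume and hosts used."""
    raw = defaultdict(lambda: {"hours": [], "volumes": [], "hosts": set()})
    for user, ts, files, host in events:
        raw[user]["hours"].append(datetime.fromisoformat(ts).hour)
        raw[user]["volumes"].append(files)
        raw[user]["hosts"].add(host)
    return {
        user: {
            "hour_min": min(r["hours"]), "hour_max": max(r["hours"]),
            "vol_mean": mean(r["volumes"]), "vol_std": pstdev(r["volumes"]),
            "hosts": r["hosts"],
        }
        for user, r in raw.items()
    }

def score_event(baseline, event):
    """Return the risk indicators an event trips against its user's own baseline."""
    user, ts, files, host = event
    b = baseline.get(user)
    if b is None:
        return ["unknown_user"]        # no history at all is itself an indicator
    indicators = []
    hour = datetime.fromisoformat(ts).hour
    if hour < b["hour_min"] - 1 or hour > b["hour_max"] + 1:   # one hour of slack
        indicators.append("off_hours")
    if files > b["vol_mean"] + 3 * max(b["vol_std"], 1.0):     # > 3 sigma above normal
        indicators.append("volume_spike")
    if host not in b["hosts"]:
        indicators.append("new_host")
    return indicators
```

Because the baseline is per user, bob's 22:00 activity is normal for bob while the same hour would be off-hours for alice; an analyst would treat an event with several indicators as the early-warning signal the text describes, not as proof of malice.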
Implementing a successful insider threat program
Once you have the proper visibility, you need to combine that intelligence with traditional training and risk management plans. By consolidating and prioritizing the security alerts sent from other systems and data sources, and correlating them with actual user activity, you have an effective “early warning system” that accounts for all the potential insider threats that can negatively impact your security posture on a daily basis. Key components of any successful insider threat program should include:
Today’s insider threats cannot be categorized simply as malicious actors; there are too many factors at play. A different mindset must be adopted, one that does not leave protection of the network to chance. Insiders already have the “keys to the kingdom,” so accounting for their actions (whether malicious or compromised) ensures you have the visibility needed to effectively detect, deter and mitigate insider threats. Paying closer attention to actual user behavior ensures security teams are able to identify malicious activity, as well as determine whether legitimate credentials have been compromised.
Remember, the sophisticated nature of today’s attacks makes it easier for malicious outsiders to become an insider threat, and they count on security teams focusing on the perimeter rather than on someone with the proper credentials. Deploying a layered defense that includes technologies such as DLP and email sandboxing, along with user behavior analytics, is the only way organizations can guarantee that those who are already inside the perimeter are behaving as they should. Even though there are many different faces to insider threats, identifying those risks and containing them is not as daunting as it seems.
Following the guidelines outlined above allows organizations to achieve the visibility needed to ensure that, no matter what type of insider threat is present, it will be identified and addressed before any real harm can be done.
Ed Hammersla is the chief strategy officer of Forcepoint and president of Forcepoint Federal LLC.