Exposing insider threats
13 November 2012, 10:10
Insider threats (data theft, intellectual property loss, privacy breaches and financial fraud, for example) can be among the most challenging IT risks for an organisation to address, because at any given moment they may or may not be happening. When one does occur, it will almost certainly hurt financially, publicly, or both. So how do you implement early detection to discover and expose these threats?
Reports by security experts find that malicious employees or other insiders can be responsible for more than half of the cases where data or money has gone missing. While most organisations have invested heavily in perimeter protection technologies, many pay less attention to the serious threats from within.
If you follow the security industry, you will have heard the term "assumption of breach". It has come about because security experts now accept that it may be impossible to plug every hole, so strategies for protection and mitigation must continue inside the organisation as if someone has already broken in. Applied to insider threats, this means working on the basis that someone is already taking information or funds, and that there is a good chance they have been doing so for a while.
If you are a CEO, CFO or board member and have just read that the risk and security team are assuming a breach has occurred, your eyebrows are probably raised and your mind has stopped to consider the impact a breach could have on your organisation. Will it cost us? Will the public find out? Will our customers be affected? Probably yes.
What you have to do is run through the processes to discover any existing threats as quickly as possible, or be satisfied that the right processes are in place to mitigate risk or discover new threats as soon as they begin. That way you will be able to sleep at night and not worry about tomorrow’s headline.
The logic of how to satisfy your risk concerns is fairly simple and can be summed up in the following four questions:
- What is your organisation’s ‘hot’ data?
- How can it be accessed?
- Which data is not being monitored?
- How do we fill the gaps and expose insider threats?
What is ‘hot’ data?
Insider threats are going to target two data types — transactions and information.
Intercepting or modifying business transactions has been a common form of fraud for more than a century. Information on the other hand has fast become the new currency of choice for thieves. The more personal and company-related information that is stored electronically, the more it can be used for illegal purposes. This now gives information a ‘street value’.
So, the first thing you need to understand is what 'hot' data the organisation holds that could be valuable to a thief. It is worth investing some time to interview staff in the business units (not just IT) to ensure you know about all the information that could have potential value.
How can it be accessed?
Now that you have identified the information and transactions of value, you have to understand how it can be accessed by authorised users.
Both information and transactions have 'standing' and 'in process' states. Standing data resides in a database or transaction log and can be accessed while it sits still. In-process data can be viewed, sniffed, modified, deleted or created while it passes between two entities, such as users, systems, applications and external parties, in the course of business.
Therefore, the next phase of your analysis will be to know where the ‘hot’ data resides, how it is being accessed by systems and staff and how it could be accessed.
Which data is not being monitored?
There are three commonly deployed user monitoring solutions. Each has its benefits, but each also has shortcomings:
Log File Management is the most common and relies on collecting data output produced by applications to track user activity. As an entry level solution, it is a good start but log files may not capture all the required data because the application does not output all the data needed for identifying threats. This is especially the case with legacy systems when modifying the application to suit the requirement may be difficult and costly.
A SIEM (Security Information and Event Management) solution captures security events from a broader range of sources, but it too relies on the output and stored data of the application and, like log file management, often does not capture all the data.
DLP (Data Loss Prevention) is a different strategy: its focus is to use technology to catch employees trying to take information out of the business through email, USB devices and the like. Although this can be a good solution, DLP assumes that the employee has already got hold of the data they want to steal.
What all three have in common is that they often fail to monitor users' information querying activity. This matters because, before an insider threat materialises, the employee will spend time searching the system for the information or transactions they want to attack.
Therefore, you need to identify the important data that is not being monitored and the data viewing actions by users that are not being recorded.
How do we fill the gaps and expose the activities?
The “assumption of breach” concept for an insider threat works on the basis that an employee knows what information to get, where to find it and how to take it from the organisation without being detected. This means that implementing a layer of protection after traditional monitoring and before DLP is required to complete your defence.
The first step is to monitor the gaps. If the application can be changed to output all of the required data and to record user queries, then it must be done because if an information breach or insider fraud occurs, the last thing you want to hear is that the investigators don’t have all the data to perform the required analysis.
If changing the application is difficult or too costly, then consider monitoring application usage at the network layer to capture all the activity between the user and the application in a non-intrusive way.
The second step is more lateral and that is to monitor the behaviour of the authorised users.
When insider threats are intentional, the insider's activities will differ from those of the 'normal' employee. For example, someone stealing and selling personal records will perform an abnormal number of queries, and may do so at lunch time or after hours.
Therefore, implementing real-time behavioural monitoring of employees will expose insider activities that have slipped through the gaps. You do this by starting with a baseline of activity that is deemed 'normal' and reporting or alerting on activity that deviates from it. You can then extend this by combining activities across one or many applications, by one or many employees, to identify potential collusion.
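The following is an added example, not code from the article or from any product it mentions, showing the baseline-and-deviation approach just described run over a constructed application audit trail. It covers the two points made above: that query (viewing) activity is the data usually left unmonitored, and that an intentional insider tends to stand out through query volume and timing. The log format (timestamp, user, application, action, record identifier), the user names, the 08:00 to 18:00 business hours, the three-sigma threshold and the floor of five extra queries are all assumptions for the example. The 'shared records' check at the end is the simplest form of the cross-user, cross-application correlation the text mentions for spotting collusion.

```python
"""Added example (not from the original article): a baseline-and-deviation
check over a constructed application audit trail. Log format, user names,
business hours and thresholds are all assumptions made for the example."""
from collections import defaultdict
from datetime import date, datetime, time
from statistics import mean, pstdev

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption: 08:00-18:00, Monday to Friday
OBSERVATION_DAY = date(2012, 11, 12)


def constructed_log():
    """Constructed audit trail, not real data.
    Each line: ISO timestamp,user,application,action,record id.
    Five baseline days of steady use, then one day on which 'bob' pulls far
    more records than usual, many after 18:00, and 'carol' looks up one of
    the same records from a second application."""
    lines = []
    for day in range(5, 10):                       # 2012-11-05 .. 2012-11-09
        for i in range(6):                         # alice: 6 queries per day
            lines.append(f"2012-11-{day:02d}T{9 + i:02d}:15:00,alice,crm,query,cust-{1000 + i}")
        for i in range(4):                         # bob: 4 queries per day
            lines.append(f"2012-11-{day:02d}T{10 + i:02d}:40:00,bob,crm,query,cust-{2000 + i}")
    for i in range(6):                             # alice unchanged on the observation day
        lines.append(f"2012-11-12T{9 + i:02d}:15:00,alice,crm,query,cust-{1000 + i}")
    for i in range(30):                            # bob: 30 queries spread over 12:00 .. 20:59
        lines.append(f"2012-11-12T{12 + i % 9:02d}:{(i * 7) % 60:02d}:00,bob,crm,query,cust-{3000 + i}")
    lines.append("2012-11-12T19:05:00,carol,billing,query,cust-3005")
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, user, app, action, record = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "app": app, "action": action, "record": record})
    return events


def daily_query_counts(events):
    """{user: {date: number of query actions}}. Only 'query' (viewing)
    actions are counted, since that is the activity usually left unmonitored."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "query":
            counts[e["user"]][e["ts"].date()] += 1
    return counts


def build_baseline(history):
    """Per-user (mean, population std dev) of daily query counts."""
    return {user: (mean(per_day.values()), pstdev(per_day.values()))
            for user, per_day in daily_query_counts(history).items()}


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_anomalies(baseline, today, sigma=3.0, min_floor=5):
    """Flag users whose daily query volume exceeds mean + sigma*stddev (with a
    floor, so a perfectly steady baseline does not alert on one extra query),
    and every query made outside business hours. A user with no baseline at
    all is held to the floor alone."""
    findings = []
    for user, per_day in daily_query_counts(today).items():
        mu, sd = baseline.get(user, (0.0, 0.0))
        threshold = float(mu) + max(sigma * sd, min_floor)
        for day, n in per_day.items():
            if n > threshold:
                findings.append({"kind": "volume", "user": user, "when": day.isoformat(),
                                 "count": n, "threshold": threshold})
    for e in today:
        if e["action"] == "query" and is_off_hours(e["ts"]):
            findings.append({"kind": "off_hours", "user": e["user"],
                             "when": e["ts"].isoformat(), "record": e["record"]})
    return findings


def shared_records(events):
    """Records queried by more than one user, from any application, in the
    window: the starting point for a collusion check."""
    users = defaultdict(set)
    for e in events:
        if e["action"] == "query":
            users[e["record"]].add(e["user"])
    return {rec: sorted(u) for rec, u in users.items() if len(u) > 1}


def run_example(observation_day=OBSERVATION_DAY):
    events = parse(constructed_log())
    history = [e for e in events if e["ts"].date() < observation_day]
    today = [e for e in events if e["ts"].date() == observation_day]
    return find_anomalies(build_baseline(history), today), shared_records(today)


if __name__ == "__main__":
    anomalies, shared = run_example()
    for finding in anomalies:
        print(finding)
    print("records touched by more than one user:", shared)
```

On the constructed data, alice's day is within her baseline and raises nothing; bob's 30 queries exceed his threshold of 9 and nine of them fall after 18:00; carol's single lookup is flagged only for its timing, and the shared-record check ties her to bob through cust-3005 across two applications. A baseline of a single week with zero variance is deliberately unrealistic; in practice the floor and sigma would be tuned per application and role, and the baseline refreshed as job functions change.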
Remember: identify 'hot data' and monitor behaviour
Knowing what employees are looking at is the first step to understanding their insider threat potential and is a more proactive approach than just recording activities or stopping data from being stolen at the point of exit.
If you have identified the 'hot' data that can be reached by authorised users, by those who have breached your security, or by someone who has taken over a legitimate identity, and you have determined that your existing monitoring solutions are not capturing what they need to, then you should consider implementing a behavioural monitoring solution.
Stuart Meyers is product manager for Attachmate, Asia-Pacific.