Mitigating insider threats - a technical perspective

Insiders are tricky because they represent a demographic that is largely trusted: employees have presumably been vetted and gone through the HR process; they have been interviewed by managers and potential colleagues to assess their knowledge and capabilities; and, if they are to work in support of the government, they have obtained some level of clearance for access to classified information, networks, and systems. The incidents involving Chelsea Manning and Edward Snowden have revealed just how damaging an insider can be in obtaining and making public highly sensitive information.

Data leakage is but one possible consequence of the efforts of these individuals. Data and network destruction, disruption, and data manipulation are all possible alternatives depending on the level of malicious intent. Given the recent events involving the use of ransomware to encrypt hospital networks, it’s easy to see how direct access to networks could enable hostile insiders to insert this type of malware into a network and hold it for considerable ransom.

According to a 2014 presentation by Carnegie Mellon’s Computer Emergency Response Team, out of 557 respondents polled, insider threats were the cause of approximately one-third of security incidents experienced, with 46 percent believing that they were far more damaging than external events. The majority of these insider incidents resulted in private information unintentionally exposed; confidential records compromised or stolen; customer records compromised or stolen; and employee records compromised or stolen. These findings are echoed in the Verizon Data Breach Investigations Report that found that 50 percent of all security incidents were caused by individuals inside the organization.

Developing a formalized insider threat program is becoming essential for all organizations seeking to reduce their risk exposure. While I’ve previously discussed mitigating insider activity through the people and processes that can be harnessed to address the complexities of this threat, the use of specific technologies and analytics can also help proactively identify this threat before it escalates into a serious issue. Since there is no easy, one-stop-shop solution to combat insider threats, layered approaches often provide the best way forward. Several technologies can provide such layered depth in countering the intentional and unintentional insider threat, including:

  • Technology that monitors user behavior. Technologies that monitor and control remote access from all endpoints are important because they provide a more comprehensive view of the organization’s enterprise, from the noise that hits the perimeter to the individual machines within a network. A key supporting element of monitoring technology is first establishing what a “normal” baseline is for every user in the environment. Once this is established, monitoring for anomalies provides a first “heads up” that potentially malicious behavior may be occurring. Using a security information and event management (SIEM) system to log, monitor, and audit employee actions, augmented with user and entity behavior analytics (UEBA), is a good way to establish such baselines and appraise strange or inconsistent activity.
  • Technology that restricts access. Authorizing people only for those network resources required to do their job will help decrease potential data leakage by other parties. Implementing stronger user restrictions will require individual users to request access to areas they previously were not entitled to. This helps organizations keep track of those who have regular access and those who have limited or temporary access. Observing a user try to gain access to an area of the network for which they hold no privilege warrants monitoring and further investigation.
  • Technology for restricting/monitoring removable media use. Removable media was the vehicle that facilitated the theft of classified information by both Manning and Snowden. While it is preferable for organizations to “turn off” removable media capability, job requirements may make this unfeasible. Leaving all downloading of documents to a trusted agent is one way to reduce a flurry of activity; however, this may also be inefficient for some larger organizations. An alternative is to use technology solutions to monitor download activity, which can help identify questionable employee activity through indicators such as download volume, duration, and the time of day at which it occurs.
  • Technology for whitelisting. Whitelisting is a way of ensuring that only those applications and services that are authorized run on an endpoint system. If unrecognized code tries to run, it is immediately checked against the whitelist. If it’s acceptable, it is permitted to run. If not, the code is prevented from executing. Whitelists can be applied to e-mail, applications, and programs, to name a few.
  • A best practice for mitigating data loss is to protect information at its source. Security technologies help mitigate the insider threat by monitoring and analyzing data access patterns in order to alert on those anomalous activities that fall outside accepted norms.
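As an added illustration of the baseline-then-anomaly approach described in the monitoring, access-restriction and removable-media points above (example code written for this page, not from the article or from any SIEM or UEBA product it mentions), the following Python builds a per-user baseline from a constructed audit log and scores later events against it. The log format, field names, users, the one-week baseline cutoff and the three-sigma threshold are all assumptions chosen for the example.

```python
"""Per-user baseline and anomaly scoring over a constructed audit log (example, not product code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit events, not taken from any real system.
# One event per line: timestamp user action resource bytes outcome
SAMPLE_LOG = """\
2016-03-01T09:05:00 alice read /shares/projects 2048 success
2016-03-01T10:40:00 alice read /shares/projects 4096 success
2016-03-01T11:20:00 alice usb_copy E: 50000 success
2016-03-02T09:30:00 alice read /shares/projects 1024 success
2016-03-02T14:10:00 alice usb_copy E: 60000 success
2016-03-03T10:00:00 alice read /shares/projects 3072 success
2016-03-03T15:00:00 alice usb_copy E: 55000 success
2016-03-01T08:50:00 bob read /shares/hr 512 success
2016-03-02T09:10:00 bob read /shares/hr 768 success
2016-03-03T09:20:00 bob read /shares/hr 640 success
2016-03-08T02:15:00 alice usb_copy E: 4000000000 success
2016-03-08T02:20:00 alice read /shares/hr 0 denied
2016-03-08T09:15:00 bob read /shares/hr 600 success
"""

# Assumed split: events before this date train the baseline, later events are scored.
BASELINE_END = datetime(2016, 3, 7)


def parse(log_text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "resource": resource, "bytes": int(nbytes), "outcome": outcome})
    return events


def build_baseline(events, cutoff):
    """Record, per user, the hours of day, resources and removable-media volumes seen
    in successful activity before the cutoff. This is the 'normal' the text refers to."""
    base = defaultdict(lambda: {"hours": set(), "usb_bytes": [], "resources": set()})
    for e in events:
        if e["ts"] >= cutoff or e["outcome"] != "success":
            continue
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["resources"].add(e["resource"])
        if e["action"] == "usb_copy":
            b["usb_bytes"].append(e["bytes"])
    return base


def score_event(e, baseline, sigma=3.0):
    """Return the list of reasons an event deviates from its user's baseline (empty if none)."""
    findings = []
    b = baseline.get(e["user"])
    if b is None:
        return ["user has no baseline"]
    # Time-of-day anomaly: activity in an hour never seen during the baseline window.
    if e["ts"].hour not in b["hours"]:
        findings.append(f"activity outside user's normal hours ({e['ts'].hour:02d}:00)")
    # Volume anomaly on removable media: beyond mean + sigma * stddev of the user's own history.
    # At least three samples are required; a tiny history gives a meaningless spread.
    if e["action"] == "usb_copy" and len(b["usb_bytes"]) >= 3:
        mu, sd = mean(b["usb_bytes"]), pstdev(b["usb_bytes"])
        if e["bytes"] > mu + sigma * sd:
            findings.append(f"removable-media copy of {e['bytes']} bytes exceeds baseline "
                            f"({mu:.0f} +/- {sd:.0f})")
    # Access-restriction signal: a denied attempt on a resource the user never used before.
    if e["outcome"] == "denied" and e["resource"] not in b["resources"]:
        findings.append("access denied to resource outside user's normal set")
    return findings


def detect(log_text, cutoff=BASELINE_END, sigma=3.0):
    """Build the baseline, then score every event after the cutoff; return the alerts."""
    events = parse(log_text)
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        findings = score_event(e, baseline, sigma)
        if findings:
            alerts.append((e["ts"].isoformat(), e["user"], findings))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect(SAMPLE_LOG):
        print(when, who)
        for reason in why:
            print("   -", reason)
```

On the constructed log this flags Alice's 02:15 copy of roughly 4 GB to removable media (outside her observed hours and far above her own copy volumes) and her subsequent denied access to an HR share she has never used, while Bob's ordinary morning read of his usual share produces nothing. In a real deployment the baseline window would be weeks rather than days, thresholds would be tuned per role, and the alerts would be fed to the SIEM for analyst triage rather than acted on automatically.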

It must be remembered that insiders are human beings, and as such, their thoughts and activities are constantly changing. Therefore, security practitioners must always think dynamically when trying to develop solutions to counter this threat. Implementing technology solutions at different levels and with overlapping functions will best cast a tight-weave security net to catch suspicious behavior before a major security incident occurs.

Stories by Brian Contos