Insider Threats – The Human Firewall

As security professionals, we spend a lot of time focussing on external threats. Mega-breaches such as Target and Ashley Madison put the spotlight on threat actors seeking to steal and cause mayhem. But the actions of our own staff, whether intentional or not, are a significant issue.

According to recent research by Mimecast, 40% of businesses say they are ill-equipped to cope with the threat of malicious insiders and more than 90% say malicious insiders are a major threat to the organisation’s security. But just 12% of security decision makers view malicious insiders as their number one threat. And that threat often starts in our inboxes.

Ed Jennings, Mimecast’s COO, says “Email security is about protecting individuals that get duped into clicking a link, an attachment”.

A significant element of securing against these kinds of threats, perhaps best exemplified by the rising tide of ransomware attacks we see in Australia, is not just educating users through training programs but actively intervening when they click on links or open attachments.

Mimecast is addressing this through a recently announced partnership with PhishMe. When users click on a potentially dangerous link, a pop-up appears, bringing the potentially dangerous activity to their attention. This also delivers metrics to admins so they can focus attention on helping users who are either being specifically targeted through spear-phishing campaigns or who are particularly vulnerable to these kinds of attacks.

Part of the challenge, says Jennings, is the sheer volume of email people receive and that they often read them on mobile devices, scanning quickly and clicking links.

“There is no way security is a system-alone endeavour,” says Jennings.

Part of the reason attackers are increasing their effectiveness is the widespread availability of personal information. Jennings noted that a recent demonstration at BlackHat in Las Vegas showed how data collected in real-time during a presentation could be used to create highly personalised attacks. Information about an executive was found on a company website. A social media search of that executive revealed the name of their administrative assistant and some other personal information. A domain that bore a strong resemblance to the company’s actual domain was registered during the demonstration and used to send a carefully crafted email to the assistant purporting to be from the executive.

“This is why we like the word ‘resilience’. It’s not about pure defence. This stuff will happen because there’s always a human in the loop. And we’ll make a mistake or won’t pay attention. You will get breached. It’s a matter of how quickly you can get up and how much damage was done,” says Jennings.

When it comes to insider threats, the problem goes beyond traditional threat actors, personified by the likes of Edward Snowden. Jennings says there’s another issue to consider.

“We also see systems that are owned. With some consumer brands, they [threat actors] get control of an email system and start blasting messages from that system. Global brands are terrified of someone taking over an email exchange and manipulating it for their own purpose”.

One of the defensive measures many companies have taken is the use of DLP, or data loss prevention, tools.

“The challenge is,” says Jennings, “they require a lot of effort, and tweaking, documents need to be categorised and classified. It’s a hard thing to do at scale and be diligent about”.

This is where machine learning and artificial intelligence can be used. Rather than looking for specific data being exfiltrated, you look for patterns of movement, such as messages being sent to private email accounts. So, unlike the traditional approach of looking at message content, the analysis is done on network traffic and user behaviour.

“We’re looking at the pattern of the traffic itself, not what is in the material being exchanged,” says Jennings.
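The following added example (not code from Mimecast or from this article) illustrates the metadata-only approach described above: it never inspects message content, only who sent how much to personal webmail accounts, and compares each sender's volume today against that sender's own history. The domain list, thresholds, function names and sample records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed list of personal webmail domains; maintain your own in practice.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample metadata: (day, sender, recipient, size in bytes).
# No subjects or bodies are present; only the traffic pattern is analysed.
SAMPLE = [
    (1, "alice@example.com", "alice.home@gmail.com", 20_000),
    (2, "alice@example.com", "alice.home@gmail.com", 25_000),
    (3, "alice@example.com", "alice.home@gmail.com", 18_000),
    (1, "carol@example.com", "partner@example.org", 900_000),
    (2, "carol@example.com", "c.private@outlook.com", 5_000),
    (3, "carol@example.com", "c.private@outlook.com", 4_000),
    (4, "carol@example.com", "c.private@outlook.com", 6_000),
    (5, "alice@example.com", "alice.home@gmail.com", 21_000),
    (5, "carol@example.com", "c.private@outlook.com", 3_000_000),
    (5, "carol@example.com", "c.private@outlook.com", 4_500_000),
    (5, "dave@example.com", "d.personal@yahoo.com", 8_000_000),
]

def personal_bytes_by_day(records):
    """Sum the bytes each sender sent to personal domains, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, sender, recipient, size in records:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            totals[sender][day] += size
    return totals

def flag_senders(records, today, k=5.0, floor=1_000_000, min_history=3):
    """Return {sender: reason} for senders whose volume today breaks their baseline."""
    flagged = {}
    for sender, per_day in personal_bytes_by_day(records).items():
        sent_today = per_day.get(today, 0)
        if sent_today < floor:          # ignore small transfers to limit noise
            continue
        history = [v for d, v in per_day.items() if d < today]
        if len(history) < min_history:  # no baseline yet: surface for review
            flagged[sender] = "no_baseline"
            continue
        base = median(history)
        mad = median(abs(v - base) for v in history) or 1
        if sent_today > base + k * mad:  # robust spike test (median + k * MAD)
            flagged[sender] = "spike"
    return flagged
```

Calling `flag_senders(SAMPLE, today=5)` flags the sender whose personal-account volume jumps far above their own history and separately marks the sender with a large transfer but no history, while routine low-volume forwarding and business-partner traffic are ignored.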

In order for security to be effective, it needs to avoid “compliance friction”, says Jennings. Whenever a security measure impedes a user, they find ways around it. So, finding ways to work with users is critical. This is why sandboxing techniques, which execute files in safe environments, are unpopular with users.

Jennings says analysis of what people actually do with attachments reveals that in over 80% of cases, people just want to view file contents, rather than actually launch them for editing. So, by making it easier for users to view content, you can reduce the security risk as far fewer files are actually executed.

Users need to be seen both as a potential point of vulnerability and as an important security asset. They can, given the opportunity and education, help secure your company’s precious data.
