When it came to the physical plant, it used to be easy with surveillance cameras and access badges to tell if an insider was up to no good. Now with a more virtual network, you can’t always know if the person sitting in the next cubicle is gaining access to confidential documents.
While the insider threat still connotes an employee of the company, the intruder is no longer someone located within the confines of the building. Accessing the network can happen from such public places as the local coffee shop.
“For companies today, where old corporate lines are disappearing more frequently, the challenges only increase. Enterprises need to adapt their policies and procedures to prevent threats by securing corporate end-point equipment and the right tools that protect and allow users to do their work,” said Matias Brutti, a hacker at Okta. “Work environments are constantly changing, so monitoring is difficult on a corporate level.”
Much of the technology has changed, but the constraints are the same, and companies have to continue to be proactive about stopping malicious attacks, he said. “They must understand their threats and adapting their technologies to serve them. More than ever, hiring the right team and building the right technologies is key to success.”
Steve Mancini, senior director of information security at Cylance, said not all insider threats are the same. “How we deter those that emanate from the careless or negligent will perhaps differ from those that emanate from the intentionally malicious. The proverbial ‘carrot and the stick’ are principles that apply as much in this area of human behavior as they do in others.”
He added that deterrence of insider threats would need to map to the type of risk you are seeking to mitigate. The question is answered based upon environmental factors about company culture, the status of the organization (healthy, failing, layoffs, etc.), and how you treat/monitor/legally manage contractors.
Security vendors chimed in on how to combat what can be the invisible threat who can virtually go anywhere within the network.
Nir Polak, Exabeam CEO and co-founder, put it succinctly: “Mini-Max” – minimize access where possible, maximize monitoring of that same access for unusual patterns.
Matias Brutti, a hacker at Okta
That was the common theme among security vendors. Don’t provide employees with an open door to the entire network. Make access a privilege and not a right.
Hamesh Chawla, vice president of engineering at Zephyr, said companies should provide a "need to know" access and audit all actions taken. Audits should be implemented by those with enough power to do so, such as root and administrator roles.
Geoff Webb, vice president of strategy at Micro Focus, said the single most important thing enterprises can do is to reduce the access that insiders have to sensitive data. “Many organizations struggle to adequately manage who has access to data, even highly sensitive data, mostly because of the complexities of the modern workforce, the role of many outsiders, the rate at which information flows, and the effects of privilege creep over time for long-time employees.”
Beyond reducing the level of access that employees have, enterprises should enforce good governance practices in which responsibility for reviewing and certifying who has access is placed squarely with the line-of-business managers who manage that data source, he said.
“Enterprises should monitor activity around access to sensitive or valuable data, looking for anomalous behavior that might indicate that an insider is either improperly accessing that data, or as is often the case, that an outsider is successfully impersonating a privileged user after stealing their credentials,” Webb said. “Like all good security, detering insider threats requires a multi-layered approach. The good news is that it is often the most basic steps that provide the greatest value, and being systematic and thorough provides huge benefits in protecting sensitive data.”
An insider policy needs to be enforceable through the right technologies, for example, implementing user activity monitoring for finance and HR departments can help detect and prevent their ability to abuse access to sensitive information, said Shawn Burke, Global CSO at Sungard Availability Services.” Organizations should also perform routine security awareness and information governance training. Such training ensures employees are well advised of incident response protocol and encouraged to be proactive in reporting suspicious activity.”
The other common thread throughout the security pros interviewed was that security awareness training is key for employees to help spot the insider threat.
Javvad Malik, security advocate at AlienVault, said user awareness and education should be made widely available and repeated. This includes reminding what is or isn’t acceptable behavior, what the risks are and how to report a suspected breach.
“Line managers should also receive training in providing regular reminders to staff as well as remaining vigilant to spot any untoward behavior,” Malik said.
The biggest factor to deter insider risks is to give ongoing security awareness training to all employees, said Scottie Cole, network and security administrator at AppRiver. “This trains employees on what is expected of them and provides them the signs to identify a risk. Insider risk teams should also have ongoing assessments and auditing of company assets can help identify risks that would otherwise be ignored.”
Dottie Schindlinger, governance technology evangelist at Diligent, said training should supplement the current security training already done at the organization. The insider risk team can take a lead role in evaluating security-focused software tools that help identify and deter insider threats, and provide security for sensitive information -- especially information that is shared with external parties, such as board documents being sent to outside directors.
Jo-Ann Smith, director of Technology Risk Management and Risk Privacy at Absolute, mentioned how the insider risk management team, should meet on a regular basis to update policies. “Once in place, it's then critical to create and maintain a risk register that both qualifies and quantifies risks for remediation, and subsequent mitigating steps. To demonstrate progress, the team should create KPIs and then audit and report on risk levels to show status and improvement year over year.”
Schindilinger said the risk management team can also help ensure that the company’s “whistleblower” policy and procedures are feasible, easy-to-navigate, and able to be enacted quickly in the event that an insider threat is identified. “Most importantly, this team should work with the company’s leadership to establish a culture of transparency and accountability – ensuring that policies are rigorously enforced, and that anyone who comes forward with information regarding a potential threat is rewarded - not penalized or ostracized - for doing so.”
She added implementing risk mitigation and security software is critical to identifying, deterring and reporting incidences. However, software cannot solve the problem alone. Establishing a culture of accountability and transparency – and rigorously enforcing policies – can help stop potential threats before they become crises.
A few security pros used the term “socializing” when indicating how awareness training needed to be implemented.
Kennet Westby, president and co-founder at Coalfire Systems, said the greatest deterrent is identifying the risk and building a program to tackle it. “Greater value than any specific policy, control or technology is getting the company’s focus and cultural commitment to address the insider threat. By raising awareness, understanding the impact of the risk, and building a team internally to take on the challenge, you can instantly shift a company culture to a team intent on protecting themselves.”
Socializing the concept that all personnel are responsible for deterring and detecting insider threats is key, said Alvaro Hoyos, chief information security officer at OneLogin. “This is similar to what a successful security awareness program strives to do. Investing in technical solutions is important as well, but no technical solution can replace an attentive end user.”
Eric Stevens, director of consulting services for Forcepoint, said from a deterrence perspective having a well-defined and socialized plan in place is a great start. Educating users that you are running an Insider Threat Program, what the intention of the program is, what proper data handling looks like and ensuring that they understand their part in protecting the enterprise can help to curb careless behavior and put the intentional wrong doer on notice. Technology controls, such as user and or endpoint behavior analytics, can then provide the necessary monitoring of the program and alert IT security to anomalous behavior while collecting the necessary forensic evidence.
Know your assets
If you don’t know what you have in your network, it makes it very difficult to determine if someone is accessing information they shouldn’t be.
Malik said enterprises should have critical assets and their owners identified, and classify data. There should be a view into both on premises as well as cloud infrastructure. This should be enhanced with reliable threat intelligence in order to identify any patterns of behavior known to be used by organized gangs as well as rogue individuals.
Steven Grossman, vice president of strategy and enablement at Bay Dynamics, said to effectively reduce insider risk, companies should understand which assets, if compromised, would cause the most damage, where those assets reside, and who governs and interacts with them. Companies should also limit access to those assets to only those employees and contractors who need it, continuously monitor behaviors and engage application owners in the business to qualify alerts as suspicious or business justified.
“That kind of business-oriented qualification significantly reduces noise and false positives, bumping the most important and imminent alerts to the top of the pile. Non-malicious policy violators should be put on notice that it is unacceptable behavior, sent to targeted security awareness training that focuses on the policy violated and be tracked post training to ensure they changed their behavior," he said.
Organizations should always be testing for insider threats, by simulating new threats and not thinking of it as a build-once-and-use policy, said Brutti. Red teams should always be performing new attacks and blue teams should be trying to detect them and build upon what they learn.
Kris Lovejoy, CEO of BluVector, takes a slightly different tact than the other security pros. She believes shutting off access will stifle innovation. She said companies should not oversecure their networks but have a balance that protects the organization with health of the business. “Like water, employees and contractors will find their way around controls where they are too locked down. They will use personal email, drop-box, other less secure data transfer mechanisms to just get the job done.”