Mitigating insider threats - a technical perspective
- 08 July, 2016 10:49
Insiders are tricky because they represent a demographic that is largely trusted; employees have presumably been vetted and gone through the HR process; they have been interviewed by managers and potential colleagues to assess their knowledge and capabilities; and if to be engaged in work in support of the government, have obtained some level of clearance for access to classified information, networks, and systems. The incidents with Chelsea Manning and Edward Snowden have revealed just how damaging an insider can be in obtaining and making public highly sensitive information.
Data leakage is but one possible consequence resulting from the efforts of these individuals. Data and network destruction, disruption, and data manipulation are all possible alternatives depending on the level of malicious intent. Given the recent events involving the use of ransomware to encrypt hospital networks, it’s easy to see how direct access to networks could enable hostile insiders to inserting this type of malware into a network and holding it for considerable ransom.
According to a 2014 presentation by Carnegie Mellon’s Computer Emergency Response Team, out of 557 respondents polled, insider threats were the cause of approximately one-third of security incidents experienced, with 46 percent believing that they were far more damaging than external events. The majority of these insider incidents resulted in private information unintentionally exposed; confidential records compromised or stolen; customer records compromised or stolen; and employee records compromised or stolen. These findings are echoed in the Verizon Data Breach Investigations Report that found that 50 percent of all security incidents were caused by individuals inside the organization.
Developing a formalized insider threat program is becoming essential for all organizations seeking to reduce their risk exposure. While I’ve previously discussed other mitigating insider activities through people and processes that can be harnessed to address the complexities of this threat, the use of specific technologies and analytics can also help proactively identify this threat before it escalates to a serious issue. Since there is no easy, one-stop shop solution to combat insider threats, layered approaches often provide the best way forward. Several technologies can provide such layered depth in countering the intentional and unintentional insider threat to include:
- Technology that monitors user behavior. Technologies that monitor and control remote access from all endpoints are important as they provide a more comprehensive view of the organization’s enterprise, from the noise that hits against the perimeter to the individual machines within a network. A key supporting element to monitoring technology is first establishing what a “normal” baseline is for all of the users in the environment. Once this is established monitoring for anomalies provides a first “heads up” that potential malicious behavior may be occurring. Using a security information and event management (SIEM) system to log, monitor, and audit employee actions augmented with user and entity behavioral (UEBA) analytics is a good way to establish such baselines and appraise strange or inconsistent activity.
- Technology that restricts access. Authorizing people only for those network resources required to do their job will help decrease potential data leakage by other parties. The implementation of stronger user restrictions will require individual users to request access to areas to which they may not have been privy. This will help organizations keep track of those that have regular access and those that have limited or temporary access. Observing a user try to gain access to an area in the network that they don’t have privilege to bears monitoring and further investigation.
- Technology for restricting/monitoring removable media use.Removable media was the vehicle that facilitated the theft of classified information by both Manning and Snowden. While it is more favorable for organizations to “turn off” removable media capability, job requirements may make this unfeasible. Leaving all downloading of documents to a trusted agent is one way to reduce a flurry of activity. However, this also may be inefficient for some larger organizations. An alternative is to use technology solutions to monitor download activity, which can help identify questionable activities from employees such as volume, duration, and the time at which it occurs.
- Technology for whitelisting. Whitelisting is a way of ensuring that only those applications and services that are authorized run on an endpoint system. If unrecognized code tries to run, it is immediately checked against the whitelist. If it’s acceptable, it is permitted to run. If not, then the code is prevented from executing. There are a variety of whitelists that range from e-mail, applications, and programs, to name a few.
Best practices toward mitigating data loss is to protect information at its source. Security technologies help mitigate the insider threat by monitoring and analyzing data access patterns in order to alert on those anomalous activities that fall outside accepted norms.
It must be remembered that insiders are human beings, and as such, their thoughts and activities are constantly changing and altering. Therefore, security practitioners must always think dynamically when it comes to trying to develop solutions to counter this threat. Implementing technology solutions at different levels and overlapping functions will best cast a tight-weave security net to catch suspicious behavior prior to a major security incident.