Means, motive and opportunity are the keys to solving any crime, and cyberattacks are no exception. While all threat actors have motives, insiders have ideal means and opportunity. This places them in an optimal position to carry out damaging activities. The ability to quickly detect and respond to insider threats has never been more crucial. A 2020 Insider Threat Report from Cybersecurity Insiders found that 68% of organizations think that insider attacks have become more frequent in the past 12 months and 70% have experienced one or more insider attacks within that same time period. Who are these people whose behavior exposes us to data loss and brand damage? There are various descriptions out there of the different types of insiders behind these threats, with labels ranging from “turncloaks” to “pawns.” The insider threat archetypes boil down to three basic descriptions:
A recent study from the Ponemon Institute showed how insider incidents break down into these categories:

The impact is costly

Insider threats are among the most damaging. The Ponemon Institute 2020 Cost of Insider Threats Global Report found that incidents involving negligent employees or contractors cost an average of $307,111. The average cost more than doubles to $756,760 for insiders who intentionally steal data or conduct other malicious activity. The cost for damage done by external imposters is nearly triple at $871,686. Additionally, the study found that on average it takes more than two months (77 days) to contain insider incidents.

From a defensive standpoint, it makes no difference if data loss stems from an external attacker with stolen credentials or an employee acting carelessly. Sensitive data needs to be protected, no matter who accesses it. What unifies these types as a significant threat is that they’re already inside your network. If you don’t protect your data by monitoring their activity and behavior, you’ll be unable to respond to any threats they pose, and the results can be devastating.

Take Edward Snowden, for example. He was an NSA contractor working as a SharePoint administrator. He took advantage of accrued administrative access gained through various contractor positions and his colleague’s credentials to gain access to data he had no need to access in his role. With this access, he was able to copy the data to a USB drive and remove it from the site. This was accomplished without raising any red flags because his behavior as a user was not being continuously monitored and audited. Visibility into behavioral patterns was not aligned with identity and access management processes in a way that would have enabled the NSA to quickly identify his malicious activity.
Many organizations are struggling to obtain the resources they need to devote to an insider threat program, and they can be restricted in the types of data they can proactively collect and analyze for insider threats for legal reasons. How do you know if your organization is doing enough to address insider threats? If you are surprised by how many of these questions you can’t answer, you’re not alone. Many organizations are primarily focused on the latest external threats, so they overlook their own business ecosystem and are not equipped to detect or respond to internal threats in a timely manner.

Building your strategy

It’s important to remember that dealing with these threats, and cybersecurity in general, should be a continuous, programmatic process that combines technical and non-technical controls. In addition to best practices such as personnel background checks, security awareness programs, and policy strategies for social media, BYOD and IoT devices, here are five key steps that can help your organization address insider threats.

1. Know your assets

You can’t protect what you don’t know. Prioritize threats by pinpointing the areas in which problems are likely to occur, and determine your organization’s risk tolerance.
Answering these questions can provide visibility into the critical pieces in your infrastructure that need attention, and the users most likely to be targeted by attackers. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. Assess outside partnerships and business relationships to identify those who can potentially provide access to your company’s information in the event of an inside or imposter attack, and vice versa. This in-depth evaluation requires collaboration between IT, security and the business.

2. Continuously assess your security posture

Careful evaluation of your organization’s security posture is critical, and it should be an ongoing process. Consider threats from insiders and partners, as well as malicious unknowns, in your security assessments. Professional services such as:
Ensure that basic security practices are in place. Proper password and authentication policies, patch-management procedures, firewall and intrusion detection and intrusion prevention system (IDS/IPS) configuration, and log review procedures are among the practices that should be well-established within your organization, as well as with your partners and contractors. Ensure that the information from these tools and systems is visible to, and correlated between, key teams and incident responders. Remember to focus appropriately on third-party relationships and deploy compensating controls if your partners are not at the level of security you desire. Identify the security tools, technologies and strategies you currently employ, and maximize their effectiveness against today’s internal and external threats.
Should you upgrade your current vendors’ products, or invest in new technologies? Many organizations fail to optimize their existing tools and technologies, and programs and processes often have gaps that can be exploited. Focus on what currently exists within the organization, and perform programmatic gap assessments to enhance your efforts. Many companies leverage a vendor-independent technology partner to test additional solutions and find the right fit for their organization.

How strong is your existing identity management infrastructure? It’s important to monitor employee roles carefully as they change, as well as the accessibility of information by partners and outside consultants. Your IAM controls should ensure only those who require access to sensitive information have it. If an employee leaves the organization or moves to another department, your identity-management system should make appropriate changes to access or wipe data on mobile and other devices as necessary. Privilege management should be a key area of focus. Ensure controls are in place to cross-reference identities with data protection strategies. The development of an insider threat program that synchronizes people, policies, processes and technology will help you understand and deter the threats that insiders in your organization pose.
4. Enforce separation of duties and least privilege

Two key controls for reducing the potential for malicious or unintended insider activity are separation of duties and least privilege. Separation of duties (requiring more than one person to complete a high-risk task) reduces the risk of malicious behavior by a single actor. Least privilege (restricting use and system access to only the resources required to perform the necessary role or function) reduces the surface area in which a malicious actor can operate. In the case of Edward Snowden, requiring two-person access to sensitive data (separation of duties) and/or blocking write access to removable media (least privilege) would likely have prevented this NSA breach.

These controls should also extend to business partners and contractors. Consider the Target breach: an external HVAC contractor was unnecessarily given access to Target’s point-of-sale system. Contractors shouldn’t be allowed to operate on the same logical network layer as sensitive data. Ensure that service level agreements (SLAs) account for connectivity that is separate from corporate data. You need to be aware of what contractors and third parties have access to and monitor their activities.

5. Continuously monitor user behavior

Perhaps the most important step you can take to address insider threats is to learn what’s normal, and what’s not. The way to accomplish this is through improved behavior monitoring and analytics capabilities. Tools that are already embedded in the network such as DLP, IAM controls and SIEM are a foundational part of the effort to address threats; ensure that they are working effectively. Many SIEM vendors are incorporating user and entity behavior analytics (UEBA) for advanced analytics, user behavior analysis, and cognitive computing-based (i.e. smarter) orchestration and response.
There’s a good chance that if several organizations that fell victim to high-profile attacks had continuous monitoring via context-aware UEBA at the time of their breach, abnormal behavior coming from authorized users, contractors, partners, or suppliers could have been quickly identified. UEBA solutions offer profiling and anomaly detection based on a variety of analytics approaches that combine basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) with advanced analytics (e.g., supervised and unsupervised machine learning). They help to establish baselines of normal user behavior and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events associated with insider threats. Through these tools, organizations can quickly identify threats based on actions that stray from normal patterns and address them through manual or automated remediation. Integrating UEBA with IAM enables proactive remediation based on real-time user behavior. The volume of IAM data that organizations already collect provides valuable context for behavior and facilitates preventive control for potential security incidents.

Bridge the gap between prevention and resistance

Traditional preventive controls can have a negative impact on the user’s experience as they are doing their jobs. Be careful to link security awareness training to employee monitoring and build transparency and trust into the process. People are among the best alerting mechanisms in any organization; awareness training should run the gamut from overall education to phishing exercises. It’s critical for businesses to reiterate to employees that although there will be monitoring for security purposes, their privacy will be considered. Outsiders such as hackers, organized crime groups and nation-states may be the “bad guys” we don’t know and love to hate, but insider threats can be just as costly and damaging.
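To make the "basic analytics" half of UEBA concrete, here is a small added example (not from the article or any vendor product) that combines two signature rules, a write to removable media and activity outside working hours, with a simple per-user statistical baseline of daily file-read volume, run over constructed audit records. The record layout, the field names, the 3-sigma threshold and the working-hours window are assumptions for illustration.

```python
"""Minimal UEBA-style detector: rules plus per-user baselines (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records (assumed layout):
# (user, day, files_read, wrote_to_usb, hour_of_activity)
LOG = [
    ("alice", 1, 40, False, 10), ("alice", 2, 35, False, 11),
    ("alice", 3, 45, False, 9),  ("alice", 4, 38, False, 14),
    ("alice", 5, 42, False, 10), ("alice", 6, 410, True, 23),
    ("bob", 1, 12, False, 9),    ("bob", 2, 15, False, 10),
    ("bob", 3, 10, False, 11),   ("bob", 4, 14, False, 9),
    ("bob", 5, 13, False, 10),   ("bob", 6, 16, False, 6),
]


def detect(records, z_limit=3.0, min_history=3, work_hours=(7, 19)):
    """Return {(user, day): [findings]} for every record that tripped a check.

    The statistical baseline for a user is built only from that user's
    earlier days, so 'normal' is learned before it is compared against.
    """
    history = defaultdict(list)   # user -> list of prior daily read counts
    findings = {}
    for user, day, reads, usb, hour in sorted(records, key=lambda r: (r[0], r[1])):
        hits = []
        # Rule 1 (signature): any write to removable media is reported.
        if usb:
            hits.append("usb_write")
        # Rule 2 (signature): activity outside the assumed working-hours window.
        if not (work_hours[0] <= hour < work_hours[1]):
            hits.append("off_hours")
        # Simple statistics: z-score of today's read volume against the
        # user's own history, only once enough history exists.
        prior = history[user]
        if len(prior) >= min_history:
            mu, sigma = mean(prior), pstdev(prior)
            if sigma > 0 and (reads - mu) / sigma > z_limit:
                hits.append("read_volume_anomaly")
        history[user].append(reads)
        if hits:
            findings[(user, day)] = hits
    return findings


if __name__ == "__main__":
    for key, hits in detect(LOG).items():
        print(key, hits)
```

In the sample data only alice's day 6 (a ten-fold jump in reads, after hours, to removable media) and bob's day 6 (early-morning activity alone) are reported; a real deployment would feed the same structure from SIEM or IAM events rather than a hard-coded list.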
Insiders, and the malicious outsiders who emulate them, have the means and opportunity to access our most critical data. A comprehensive approach to mitigating the threats they present crosses people, process and technology. By enabling a detailed understanding of your assets and security posture, a clear separation of duties, continuous monitoring, and a cross-organizational insider threat program, you can gain visibility into the highest-risk users in your environment and the tools to monitor, report on and investigate them. This will help you transform user data into an asset and prevent your organization from making the wrong kind of headlines.