IT Focus Area: security
January 29, 2019
5 Keys to Addressing Insider Threats
Means, motive and opportunity are the keys to solving any crime, and cyber attacks are no exception. While all threat actors have motives, insiders enjoy ideal means and opportunity. This places them in a much better position to carry out damaging activities.
The ability to quickly detect and respond to insider threats has never been more crucial. A 2018 Insider Threat Report from Crowd Research Partners found that 90 percent of organizations feel vulnerable to insider threats.
Who are these people whose behavior exposes us to data loss and brand damage? There are various descriptions out there of the different types of insiders behind these threats, with labels ranging from “turncloaks” to “ringleaders.” They boil down to three basic types:
The Impact is Costly
Insider threats are among the most damaging. The Ponemon Institute 2018 Global Cost of Insider Threats Study found that incidents involving negligent employees or contractors cost an average of $283,281. The average cost more than doubles to $607,745 for insiders who intentionally steal data or conduct other malicious activity, which is almost the same as the damage done by external imposters, at an average cost of $648,845. Additionally, the study found that it takes more than two months—73 days—to contain insider incidents.
Insiders are incredibly difficult to protect against. They know more about your organization and if they really want to do some damage, they can do it very quickly and very efficiently. —Brian Vecci, Field CTO, Varonis
From a defensive standpoint, it makes no difference whether data loss stems from an external attacker with stolen credentials or from an employee acting carelessly. Sensitive data needs to be protected, no matter who accesses it. What unifies these types as a significant threat is that they’re already inside your network. If you don’t protect your data by monitoring their activity and behavior, you’ll be unable to respond to any threats they pose, and the results can be devastating.
Take Edward Snowden, for example. He was an NSA contractor—working as a SharePoint administrator—who took advantage of the fact that his behavior as a user was not being continuously monitored and audited. He used elevated privileges to reach sensitive data he had no need to have access to, and removed it via a USB drive without raising any red flags. Visibility into behavioral patterns was not aligned with identity and access management processes in a way that would have enabled the NSA to quickly identify his malicious activity.
Developing an Insider Threat Program
Many organizations are struggling to obtain the resources they need to devote to an insider threat program, and they can be restricted in the types of data they can proactively collect and analyze for insider threats for legal reasons.
How do you know if your organization is doing enough to address insider threats?
Consider these questions:
- Have you identified and/or classified critical data and educated users on handling procedures?
- Do you have the ability to define normal user behavior and/or identify anomalous behavior?
- Do you have auditing capabilities in place that facilitate an understanding of users’ access and authorization needs?
- How far along are you with an effective identity and access management (IAM) program?
- Do you audit the security practices of your service providers, contractors and other business partners, specifically their identity governance and data handling processes?
- Do you pay special attention to users with privileged access?
- How are you auditing user policy adherence?
- Does your incident response plan contain provisions to address insider threats?
If you are surprised by how many of these questions you can't answer, you’re not alone.
Many organizations are primarily focused on the latest external threats, so they overlook their own business ecosystem and are not equipped to detect or respond to internal threats in a timely manner.
Building Your Strategy
It’s important to remember that dealing with these threats—and cybersecurity in general—should be a continuous, programmatic process that combines technical and non-technical controls. In addition to best practices such as personnel background checks, security awareness programs and policy strategies for social media, BYOD and IoT devices, here are five key steps that can help your organization address insider threats.
1. Know Your Assets
You can’t protect what you don’t know. Prioritize threats by pinpointing the areas in which problems are likely to occur, and determining your organization’s risk tolerance.
- What are your most valuable information assets?
- Where are they?
- Who has access to them and why?
- When are they being accessed?
- Are the security controls in line with your risk tolerance?
Answering these questions can provide visibility into the critical pieces in your infrastructure that need attention, and the users most likely to be targeted by attackers. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. Assess outside partnerships and business relationships to identify those who can potentially provide access to your company’s information in the event of an inside or imposter attack, and vice versa. This in-depth evaluation requires collaboration between IT, security and the business.
2. Continuously Assess Your Security Posture
Careful evaluation of your organization’s security posture is critical, and should be an ongoing process.
Consider threats from insiders and partners, as well as malicious unknowns in your security assessments. Professional services such as security program assessments help to evaluate the overall state of your organization’s security by providing an objective view of your organization’s policies, controls and processes. The development of an effective threat and vulnerability management program will identify vulnerabilities exposing the organization to malicious activity. Compromise assessments can determine whether or not malicious activity is already taking place on your network. They should be regularly scheduled as a part of your vulnerability management practices, and integrated with incident-response capabilities.
- Ensure that basic security practices are in place. Proper password and authentication policies, patch-management procedures, firewall and intrusion detection and intrusion prevention system (IDS/IPS) configuration, and log review procedures are among the practices that should be well-established within your organization, as well as with your partners and contractors. Ensure the information from these tools and systems is visible to, and correlated between, key teams and incident responders. Remember to focus appropriately on third-party relationships and deploy compensating controls if your partners are not at the level of security you desire.
- Identify the security tools, technologies, and strategies you currently employ and maximize their effectiveness against today’s internal and external threats. Is your security information and event management system (SIEM) properly logging, monitoring and auditing employee actions and activity? Do you have data loss prevention (DLP) and analytics technology implemented and integrated to provide visibility into data movement? Do you have risk-based multi-factor authentication (MFA) to limit potential damage if credentials are lost or stolen? What technologies and solutions exist to fill gaps in your existing security infrastructure?
- Should you upgrade your current vendors’ products, or invest in new technologies? Many organizations fail to optimize their existing tools and technologies, and programs and processes often have gaps that can be exploited. Focus on what currently exists within the organization, and perform programmatic gap assessments to enhance your efforts. Many companies leverage a vendor-independent technology partner to test additional solutions and find the right fit for their organization.
- How strong is your existing identity management infrastructure? It’s important to monitor employee roles carefully as they change, as well as the accessibility of information by partners and outside consultants. Your IAM controls should ensure only those who require access to sensitive information have it. If an employee leaves the organization or moves to another department, your identity-management system should make appropriate changes to access or wipe data on mobile and other devices as necessary. Privilege management should be a key area of focus. Ensure controls are in place to cross-reference identities with data protection strategies.
3. Develop a Formal Insider Threat Program
The development of an insider threat program that synchronizes people, policies, processes and technology will help you understand and deter the threats that insiders in your organization pose.
Identify internal and external stakeholders, and form a team that understands the information needs of employees, contractors and service providers, as well as the assets that need to be protected.
Start with a risk assessment to prioritize efforts. A thorough evaluation of existing vulnerabilities and threats that focuses on the flow of data in and out of the organization, weighed against overall risk appetite, is essential. However, it is important to tie business impact and the organization’s overall security strategy to the results of the assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively. A poorly conducted risk assessment can overload the security team and create paralysis.
Take a programmatic approach that is not exclusive to the security team. Human resources, legal and business groups should be involved along with IT.
Planning, design and baselining should be considered a continuous process, and include a fluid playbook and drills that test the efficacy of the program.
Consider the lifecycle of an employee—from interview to exit—and determine areas of risk. Access rules should be enforced from day one, and activity outside of access rights flagged.
Continuously review privileged access to sensitive information and remove it when deemed unnecessary or high-risk.
Maintain insider incident-response plans that define response, which should include an extended team (legal, human resources and departmental management) if an employee is involved.
Be careful not to implement policies or procedures that degrade performance; it is important not to hinder productivity and innovation.
4. Enforce Separation of Duties and Least Privilege
As Brian Vecci of Varonis points out, one of the keys to reducing the risks of insider theft is to restrict access to sensitive data. Give people access to what they need to do their job, and nothing more. This includes partners. Consider the Target breach: an external HVAC contractor was unnecessarily given access to Target’s point-of-sale system. Contractors shouldn’t be allowed to operate on the same logical network layer as sensitive data. Ensure that service level agreements (SLAs) account for connectivity that is separate from corporate data. You need to be aware of what contractors and third parties have access to, and monitor their activities.
5. Continuously Monitor User Behavior
Perhaps the most important step you can take to address insider threats is to learn what’s normal, and what’s not. The way to accomplish this is through improved behavior monitoring and analytics capabilities. Tools that are already embedded in the network such as DLP, IAM controls and SIEM are a foundational part of the effort to address threats; ensure that they are working effectively. Many SIEM vendors are incorporating user and entity behavior analytics (UEBA) for advanced analytics, user behavior analysis, and cognitive computing-based (i.e. smarter) orchestration and response.
There’s a good chance that if several organizations that fell victim to high-profile attacks had continuous monitoring via context-aware UEBA at the time of their breach, abnormal behavior coming from authorized users, contractors, partners, or suppliers could have been quickly identified.
UEBA solutions offer profiling and anomaly detection based on a variety of analytics approaches that combine basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) with advanced analytics (e.g., supervised and unsupervised machine learning). They help to establish baselines of normal user behavior, and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events associated with insider threats. Through these tools, organizations can quickly identify threats based on actions that stray from normal patterns, and address them through manual or automated remediation.
Integrating UEBA with IAM enables proactive remediation based on real-time user behavior. The volume of IAM data organizations already collect provides valuable context for behavior, and facilitates preventive control for potential security incidents.
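As an added illustration of the baseline-and-deviation idea this section describes (example code written for this page, not from the original article or from any UEBA product): a toy detector learns each user's typical daily volume of sensitive-file reads and their usual working hours from constructed audit events, then flags a volume spike, off-hours access, and a user with no history at all. The event format, user names, paths and the z-score threshold are all assumptions made for the example.

```python
"""Toy UEBA-style baseline and anomaly scoring over constructed audit events."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def make_events(user, days, hours, prefix="/finance/doc"):
    """Build constructed, regular-looking (timestamp, user, path) events for the baseline."""
    return [(f"2019-01-{day:02d}T{h:02d}:00", user, f"{prefix}{day}{h}.xlsx")
            for day in range(1, days + 1) for h in hours]


# Constructed history: alice reads 3 files/day at 09, 10 and 14; bob reads 1 file/day at 11.
BASELINE_EVENTS = make_events("alice", 10, [9, 10, 14]) + make_events("bob", 10, [11])

# Constructed day under review: alice is normal, bob bulk-reads at 02:00, carol has no history.
TODAY_EVENTS = [
    ("2019-01-29T09:05", "alice", "/finance/budget.xlsx"),
    ("2019-01-29T10:30", "alice", "/finance/payroll.xlsx"),
    ("2019-01-29T14:10", "alice", "/finance/forecast.xlsx"),
    ("2019-01-29T13:00", "carol", "/finance/budget.xlsx"),
] + [(f"2019-01-29T02:{m:02d}", "bob", f"/finance/archive{m}.xlsx") for m in range(20)]


def build_baseline(events):
    """Per user: (mean daily reads, stdev of daily reads, set of hours normally active)."""
    daily, hours = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for ts, user, _path in events:
        t = datetime.fromisoformat(ts)
        daily[user][t.date()] += 1
        hours[user].add(t.hour)
    return {u: (mean(d.values()), pstdev(d.values()), hours[u]) for u, d in daily.items()}


def score_day(events, baseline, z_threshold=3.0):
    """Return (user, reason) flags for one day's events measured against the baseline."""
    counts, odd_hours = defaultdict(int), defaultdict(set)
    for ts, user, _path in events:
        counts[user] += 1
        hour = datetime.fromisoformat(ts).hour
        if user in baseline and hour not in baseline[user][2]:
            odd_hours[user].add(hour)
    flags = []
    for user, n in sorted(counts.items()):
        if user not in baseline:
            flags.append((user, "no baseline: first-seen access to sensitive data"))
            continue
        avg, sd, _hours = baseline[user]
        z = (n - avg) / max(sd, 1.0)  # floor stdev so a perfectly regular history still scores
        if z > z_threshold:
            flags.append((user, f"volume spike: {n} reads vs baseline {avg:.1f}/day (z={z:.1f})"))
        if odd_hours[user]:
            flags.append((user, f"off-hours access at hours {sorted(odd_hours[user])}"))
    return flags


if __name__ == "__main__":
    for user, reason in score_day(TODAY_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{user}: {reason}")
```

A real deployment would pull these events from the SIEM or DLP feeds mentioned above and tune the threshold per role, since a backup administrator's normal volume looks very different from an analyst's.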
Bridge the Gap Between Prevention & Resistance
Traditional preventive controls can have a negative impact on the user’s experience as they are doing their jobs. Be careful to link security awareness training to employee monitoring, and build transparency and trust into the process. People are among the best alerting mechanisms in any organization; awareness training should run the gamut from overall education to phishing exercises. It’s critical for businesses to reiterate to employees that although there will be monitoring for security purposes, their privacy will be considered.
Stop Insider Threats
Outsiders such as hackers, organized crime groups and nation-states may be the "bad guys" we don’t know and love to hate, but insider threats can be just as costly and damaging. Insiders—and the malicious outsiders who emulate them—have the means and opportunity to access our most critical data. A comprehensive approach to mitigating the threats they present crosses people, process, and technology. By enabling a detailed understanding of your assets and security posture, a clear separation of duties, continuous monitoring, and a cross-organizational insider threat program you can gain visibility into the highest-risk users in your environment and the tools to monitor, report on, and investigate them. This will help you transform user data into an asset, and prevent your organization from making the wrong kind of headlines.