Combating insider threats: The pillars of an effective program
Insider threats can be the most dangerous threats to an organization -- and they’re difficult to detect through standard information security methods. That’s partially because the majority of employees unknowingly pose a risk while performing their regular business activities.
According to data we collected from analyzing the behaviors of more than a million insiders across organizations, in approximately 90 percent of data loss prevention incidents, the employees are legitimate users who innocently send out data for business purposes. They are exhibiting normal behavior to their peers and department, even though it might be in violation of the established business policy and a significant risk to their employer.
Adding to the challenge, IT and security teams are overwhelmed trying to make sense of the mountains of alerts, most of which do not identify the real problem because the insider is often not tripping a specific switch. They spot check millions of alerts, hoping to find the most pertinent threats, but more often than not end up overlooking the individual creating the actual risk. For example, a large enterprise we worked with had 35 responders spot-checking millions of data loss prevention incidents, and even with such heavy manpower, they would most often focus on the wrong employees. Their investigation and remediation efforts were not prioritized, and in turn, they couldn’t make sense of the abundance of alerts because they were looking at them one by one.
To build an effective insider threat program, companies need to start with a solid foundation. It’s critical they identify the most important assets and the insiders who have the highest level of access to those assets. Then, they should practice good cybersecurity hygiene: ensure data loss prevention and endpoint agents are in place and working; check that access controls are configured so that insiders can only access information they need; establish easily actionable security policies, such as making sure insiders use strong and unique passwords for their corporate and personal accounts; and encourage a company-wide culture that focuses on data protection through targeted security awareness training and corporate communication surrounding security.
Once the foundation is in place, monitor users’ behaviors and respond accordingly. By understanding their behavioral patterns, companies can identify when employees are acting unusually, typically an indicator that the user is up to no good -- or is being impersonated by a criminal. For example, when you go through a security checkpoint at the airport, the officers checking your identification ask you questions. They do not care about your responses; they are mainly looking at how you respond. Do you seem nervous? Are you sweating? They watch your behavior to determine if you could be a potential safety risk -- this same principle applies to insider threat programs.
When creating insider threat programs, oftentimes security teams focus on rules: they define what’s considered abnormal or risky behavior and then the team flags insiders whose actions fall into those definitions. However, this method can leave many organizations vulnerable -- chasing the latest attack, rather than preventing it. Rules are created based on something risky someone did in the past, which led to a compromise. The criminals can easily familiarize themselves with the rules and get past them. Rules do not help detect the “slow and low” breaches where insiders take out a small amount of information during a lengthy period of time so that the behavior goes undetected by security tools. And they do not combine activities across channels, such as someone accessing unusual websites and trying to exfiltrate data.
Enterprises need to understand what’s normal versus abnormal and then further analyze that behavior to determine if it’s malicious or non-malicious. By focusing on a subset of insiders -- those who access a company’s most critical data -- and how they normally behave, they can create a targeted list of individuals who need investigating. In a large enterprise, the list can be long, and organizations need to optimize how they respond. For those employees who are non-maliciously endangering the company, companies should provide targeted security awareness training that specifies exactly what each person did to put the company at risk and how they can minimize their risk. Most employees acting in good faith will be more careful once they understand the risk they pose to their employer. For third party vendor users, share information with the main vendor contact about who specifically is putting the organization at risk and what they are doing. Then, the vendor can handle the situation accordingly, reducing everybody’s risk.
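The contrast the last two paragraphs draw, a static per-transfer rule versus a per-user behavioral baseline that also surfaces the "slow and low" pattern and ties in a second channel, as an added example in Python. This is illustrative code written for this page, not Bay Dynamics' product or the author's method; the users, events, channels, threshold and window sizes are all constructed.

```python
"""Behavioral baseline vs a static rule, over constructed DLP/proxy events.
Events are (user, day, channel, megabytes), constructed for this example.
'web_unusual' marks a proxy hit on a category the peer group never visits.
Days 1-30 are each user's own baseline; days 31-60 are the scored window."""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 30
RULE_THRESHOLD_MB = 100  # a static per-transfer rule of the kind the text describes

EVENTS = (
    [("alice", d, "email", 1) for d in range(1, 31)]      # normally about 1 MB/day
    + [("alice", d, "email", 8) for d in range(31, 61)]   # slow and low: never trips the rule
    + [("alice", 40, "web_unusual", 0), ("alice", 52, "web_unusual", 0)]
    + [("bob", d, "email", 5) for d in range(1, 61)]
    + [("bob", 45, "email", 150)]                          # one large send: the rule sees this
    + [("carol", d, "email", 4 if d % 2 else 8) for d in range(1, 61)]  # noisy but stable
)


def rule_alerts(events):
    """Rule-based approach: flag any single transfer above the threshold."""
    return sorted({u for u, _, ch, mb in events if ch == "email" and mb > RULE_THRESHOLD_MB})


def daily_volume(events, user, day_lo, day_hi):
    """Outbound MB per day for one user over [day_lo, day_hi]; silent days count as 0."""
    per_day = defaultdict(float)
    for u, d, ch, mb in events:
        if u == user and ch == "email" and day_lo <= d <= day_hi:
            per_day[d] += mb
    return [per_day[d] for d in range(day_lo, day_hi + 1)]


def baseline_alerts(events, k=3.0, sd_floor=0.5):
    """Flag users whose mean daily volume in the window exceeds their own baseline
    by more than k standard deviations (sd floored so a perfectly steady history
    still gives a usable threshold); note any unusual-web hit in the same window."""
    last_day = max(d for _, d, _, _ in events)
    findings = {}
    for user in sorted({u for u, *_ in events}):
        base = daily_volume(events, user, 1, BASELINE_DAYS)
        window = daily_volume(events, user, BASELINE_DAYS + 1, last_day)
        threshold = mean(base) + k * max(pstdev(base), sd_floor)
        if mean(window) > threshold:
            odd_web = any(u == user and ch == "web_unusual" and d > BASELINE_DAYS
                          for u, d, ch, _ in events)
            findings[user] = {"window_avg_mb": mean(window), "baseline_mb": mean(base),
                              "cross_channel": odd_web}
    return findings
```

On this data the rule flags only bob's single large send, while the baseline flags both bob and alice, and alice's cross-channel marker is what would move her to the top of the investigation list.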
An insider threat program should also focus on monitoring performance and communicating progress and challenges to C-level executives and the Board of Directors. Enterprises should show them what they are doing and the impact of their investment in security tools and programs, as well as explain any challenges they need to overcome. An effective insider threat program requires support from the highest level of individuals in an organization. With everyone on the same page, organizations can constantly reassess their program to truly understand their security alerts and reduce the likelihood of setting off false red flags -- ensuring they’re catching and predicting the real threats, and removing them before they do any long-term damage.
Steven Grossman is Vice President of Program Management, Bay Dynamics. He has over 20 years of management consulting experience working on the right solutions with security and business executives. At Bay Dynamics, Steven is responsible for ensuring our clients are successful in achieving their security and risk management goals. Prior to Bay Dynamics, Steven held senior positions at top consultancies such as PWC and EMC. Steven holds a BA in Economics and Computer Science from Queens College.