Departing employees and the risk to corporate data [Q&A]
New research into insider threats from security automation platform Securonix shows that 60 percent of data exfiltration incidents are carried out by employees identified as a 'flight risk', in other words, employees who are about to leave the business.
We spoke to Shareth Ben, director of insider threat and cyber threat analytics with Securonix, to find out more about insider threats, flight risks and how companies can protect themselves.
BN: What type of organizations are most at risk from insider threats and what type of information are insiders typically looking to obtain?
SB: Organizations that experience the highest number of insider data exfiltration incidents tend to be in the pharmaceutical, financial and IT industries, as these types of companies tend to have the most valuable intellectual property. Larger companies, like Fortune 500 enterprises, are at the greatest risk and have the most to lose. Fortunately, these companies also typically have dedicated insider threat programs focused on mitigating risk. Smaller and midsize companies, however, often do not have the same luxury due to smaller budgets.
In the past several years, we have seen an uptick in intellectual property data theft for a variety of reasons. One of the primary motivators for these actors is personal financial gain. This is particularly true in pharmaceutical and life sciences organizations. In financial service companies, we most often see rogue insiders going after personally identifiable information or banking customer data. Due to the decentralized nature of storing sensitive data combined with failed data classification initiatives, it is often harder to detect theft of IP or trade secrets. However, it is possible with the right tools and approach.
Perhaps not surprisingly, malicious insiders are more inclined to take IP that they have worked on, as they feel entitled to it. This is why companies should have mandatory monitoring in place on departing or flight-risk employees.
We are also noticing a shift in insider threats where compromised third parties gain access to target organizations' systems and applications, which ultimately allows them to impersonate true insiders, resulting in data theft.
BN: What tactics are insiders using most often to obtain sensitive information, and how have they changed recently?
SB: Insiders use multiple egress vectors to exfiltrate data that is deemed sensitive. We often see this carried out through email forwards or web uploads to cloud storage services such as Box and Dropbox. Employees are also known to steal corporate information using unauthorized USB and portable devices. Printing and screen captures are also used to move sensitive data out of the network.
Pre-COVID, many organizations had strict controls over internet-based services. However, recently they have been forced to remove restrictions so that employees can operate on home networks and use their personal, non-corporate devices to perform tasks. For example, corporate documents printed on a home printer may escape notice by security monitoring tools designed to secure corporate networks. It is crucial to understand that data is often leaked due to complacency and ignorance, not always malicious intent. Organizations must adopt technologies to ensure that they can differentiate malicious behavior from less threatening data exfiltration, based on the value of the data taken.
BN: What constitutes a 'flight risk' and how can they be identified?
SB: A flight risk is an employee who is exhibiting behaviors of leaving the organization for various reasons such as work dissatisfaction, low performance, better job offers, etc.
In most cases, this employee has yet to notify the organization regarding their employment termination or resignation from the company. Flight risk employees often take data with them, some of it sensitive, and the impact depends on the value of the data taken. For example, consider an employee who takes an Excel sheet they worked on that has macros enabled, compared to one who takes source code to an innovative technology -- the former will not impact the organization they are leaving; the latter, however, will result in loss of competitive advantage in the marketplace. We typically see changes in behavior with these threat actors anywhere from two weeks to two months prior to their termination.
There are two key ways to identify flight risks. The first is to examine browsing activity, such as employees who are actively researching job opportunities or emailing resumes externally. Another way is to monitor the movement of sensitive information, whether via email, USB or collaboration tools. Repeated behavior of emails forwarded or sent to a single recipient (the user’s personal email account) is often more alarming, as it is unlikely these actors would involve several people in an exfiltration scheme.
BN: What detection techniques are most effective in identifying insider threats?
SB: Traditional technologies are not cutting it anymore in today’s highly dynamic cloud environments. DLP tools, privileged access management (PAM) solutions and other point solutions are no longer the most efficient methods of detecting insider threat behavior. The rapid adoption of cloud in recent years, combined with acceleration in the virtual workforce due to COVID-19, has complicated the threat environment. As a result, organizations need to expand and adopt advanced security analytics, such as purpose-built algorithms, to effectively detect insider threats. Solution vendors are forced to be as precise as possible when applying detection techniques to certain use cases in order to derive the desired outcome. This curated content is essential for organizations to get right or they end up being inefficient in detecting nefarious insider threat behavior.
Algorithms can be useful in monitoring and detecting rogue behavior from employees. Not only can an effective algorithm flag behavioral anomalies, it can also measure data volume and transfers to determine a baseline and identify any deviation from that norm. Looking for circumvention of existing controls by users is a key pre-emptive indicator, as it shows intent. For example, a user disabling an endpoint monitoring solution or going offline to perform the data transfer shows they want to perform an activity under the radar. In addition, it is crucial to stitch together key indicators of threat behavior, such as pre-exfiltration indicators, with the actual exfiltration events to form a 'threat kill-chain'. Focusing on inherent risk tied to a user, such as low-performance indicators and HR and ethics violations, provides a complete and holistic view of threats, demonstrating the way to effective detection, response and threat mitigation.
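The three indicators described in the last two answers (repeated mail to a single personal address, deviation from a per-user volume baseline, and a control-circumvention event stitched to the exfiltration that follows it) can be expressed as a small analytic over endpoint and mail telemetry. The following is an added example written for this article, not Securonix code or a description of its product; the event tuples are constructed sample data, the corporate mail domain `corp.example` is an assumption, and the thresholds and weights are illustrative choices a detection engineer would tune against real baselines.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

EXFIL_EVENTS = {"email_send", "cloud_upload", "usb_copy"}
CORP_DOMAIN = "corp.example"  # assumed corporate mail domain

# Constructed sample telemetry (not real data): (user, timestamp, event type, destination, bytes)
EVENTS = [
    # alice: a quiet week, then a burst to a personal mailbox right after the endpoint agent is disabled
    ("alice", "2024-05-01T09:10", "email_send", "bob@corp.example", 120_000),
    ("alice", "2024-05-02T10:05", "email_send", "carol@corp.example", 90_000),
    ("alice", "2024-05-03T11:00", "cloud_upload", "box.com", 150_000),
    ("alice", "2024-05-06T09:30", "email_send", "bob@corp.example", 110_000),
    ("alice", "2024-05-07T08:55", "agent_disabled", "endpoint", 0),
    ("alice", "2024-05-07T09:20", "email_send", "alice.home@mail.example.net", 6_000_000),
    ("alice", "2024-05-07T09:45", "email_send", "alice.home@mail.example.net", 8_000_000),
    ("alice", "2024-05-07T10:10", "email_send", "alice.home@mail.example.net", 7_500_000),
    ("alice", "2024-05-07T10:30", "usb_copy", "removable:E", 20_000_000),
    # dave: moves large files every day, but steadily and to many different recipients
    ("dave", "2024-05-01T09:00", "email_send", "erin@corp.example", 5_000_000),
    ("dave", "2024-05-02T09:00", "email_send", "partner@vendor.example", 6_000_000),
    ("dave", "2024-05-03T09:00", "cloud_upload", "box.com", 5_500_000),
    ("dave", "2024-05-06T09:00", "email_send", "frank@corp.example", 6_500_000),
    ("dave", "2024-05-07T09:00", "email_send", "partner2@vendor.example", 6_000_000),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def daily_volume(events, user):
    """Bytes moved off the network per calendar day for one user, oldest day first."""
    per_day = defaultdict(int)
    for u, ts, kind, _dest, nbytes in events:
        if u == user and kind in EXFIL_EVENTS:
            per_day[_parse(ts).date()] += nbytes
    return dict(sorted(per_day.items()))


def volume_anomaly(events, user, sigma=3.0):
    """Flag the most recent day if it exceeds mean + sigma * spread of the earlier days."""
    per_day = daily_volume(events, user)
    if len(per_day) < 3:  # not enough history to call anything a baseline
        return None
    *history, (last_day, last_total) = per_day.items()
    hist = [v for _, v in history]
    mu, sd = mean(hist), pstdev(hist)
    # floor the spread at 10% of the mean so a perfectly flat baseline still yields a band
    threshold = mu + sigma * max(sd, 0.1 * mu)
    if last_total > threshold:
        return {"day": str(last_day), "bytes": last_total, "baseline_mean": mu, "threshold": threshold}
    return None


def single_recipient_forwarding(events, user, min_count=3, min_share=0.75):
    """Repeated mail to one external address that dominates the user's external mail."""
    external = Counter(
        dest for u, _ts, kind, dest, _n in events
        if u == user and kind == "email_send" and not dest.endswith("@" + CORP_DOMAIN)
    )
    if not external:
        return None
    dest, count = external.most_common(1)[0]
    share = count / sum(external.values())
    if count >= min_count and share >= min_share:
        return {"recipient": dest, "count": count, "share": share}
    return None


def circumvention_then_exfil(events, user, window=timedelta(hours=4)):
    """A control-disabling event followed by data movement within the window (intent + action)."""
    stream = sorted((_parse(ts), kind, dest, n) for u, ts, kind, dest, n in events if u == user)
    disabled_at = None
    for when, kind, _dest, _n in stream:
        if kind == "agent_disabled":
            disabled_at = when
        elif kind in EXFIL_EVENTS and disabled_at and when - disabled_at <= window:
            return {"disabled_at": disabled_at.isoformat(), "first_exfil": when.isoformat(), "via": kind}
    return None


def threat_chain(events, user):
    """Stitch pre-exfiltration indicators and exfiltration anomalies into one ordered chain."""
    checks = [
        ("circumvention", circumvention_then_exfil),
        ("single_recipient", single_recipient_forwarding),
        ("volume_spike", volume_anomaly),
    ]
    return [(name, hit) for name, fn in checks if (hit := fn(events, user))]


def score_user(events, user):
    """Illustrative weights: circumvention is weighted highest because it shows intent."""
    weights = {"circumvention": 40, "single_recipient": 30, "volume_spike": 30}
    return sum(weights[name] for name, _ in threat_chain(events, user))


if __name__ == "__main__":
    for user in ("alice", "dave"):
        print(user, score_user(EVENTS, user), threat_chain(EVENTS, user))
```

The point of `threat_chain` is the stitching the answer describes: a single large transfer from `dave` never trips the baseline because his history is consistently large, while `alice` is flagged on all three indicators in sequence, which is a far stronger signal than any one of them alone.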
BN: How has the practice of identifying and combating insider threats changed in today’s remote workforce environments?
SB: The expanding remote workforce, in conjunction with increased adoption of cloud services fueled by digital transformation initiatives, has created several blind spots for security operations teams.
Lack of visibility in some areas has made it much more difficult for security teams to monitor user activity compared to how they were able to monitor activity within the on-premise perimeter. With an increase in data leaving the enterprise perimeter; employees, contractors and third parties operating on remote networks; and discontent that has arisen as a result of the unstable job market, the threat of insider threat has never been greater.
As it is, many employees take data with them when they leave a company. In the COVID-19 era, this is further exacerbated, as large percentages of the workforce are being laid off. Companies are seeing tremendous amounts of data leaving the network with layoffs. They need to be able to sift through these activities and differentiate the harmless innocuous transfers from the malicious.
One of the greatest tools organizations can use at this time is education. While companies trust that their employees have the right intentions, often there is a need to operate with a 'trust but verify' mindset. By educating employees on proper security hygiene and reminding employees about what is permissible and what is not when it comes to data leaving the network, companies can greatly reduce instances of negligence or complacency, which can lead to data breaches. Without a doubt, there are employees with malicious intent. Hence, there is a need to monitor them, especially if they are inherently risky. Security teams are already stretched thin, so by educating the organization as a whole as to how they can avoid costly mistakes, companies can be better prepared to protect their brand and reputation.
Organizations should also take measures to allow only authorized users access to sensitive information. This can be enforced through multi-factor authentication and following IAM principles like adopting least privilege to ensure users only have access to what they need to effectively carry out their work.