Most organizations don’t think twice when it comes to strengthening their security defenses against outside adversaries, but many often overlook the equally dangerous threat posed by the insider. These insiders are often personnel who currently have privileged access to confidential data and whose activities usually go unidentified by integrated security solutions, which were created to identify external hackers. Outside threats have to break in; insiders already know critical applications, networks and other touchpoints, making them even more dangerous.
Whether a staff member is exfiltrating information on purpose or unintentionally exposing security implementations, threats from malicious and negligent insiders are real. CA Technologies’ Insider Threat Report: 2018 revealed that 90 percent of companies feel vulnerable to insider threats. 53 percent also confirmed insider attacks on their organizations in the past 12 months. It’s clear that enterprises need to pay close attention to this threat and take appropriate steps to protect their integrity.
Battling Insider Attacks
The strategy for combating the growing issue of insider attacks should be multifaceted, drawing on a combination of security awareness, company policies and technical implementations. Organizations should consider the following best practices:
Limit the Number of Privileged Users
The fewer privileged staff members you have, the easier it is to protect your business against insider threats. Not only does it mean there are fewer individuals to make mistakes and fewer potentially exposed accounts, but it also means fewer people who might go rogue in the aftermath of a termination. Disgruntled ex-employees can often still access your data, either by retaining their access or via backdoors, because nobody bothered to keep an eye on their activities.
To limit the number of privileged employees, you can apply the concept of "least privilege." This is a cybersecurity standard that says each new account in an enterprise should be set up with only the minimum privileges it needs to do its job. This also applies to external vendors (third parties): make sure their accounts are terminated once their tasks are complete. Additionally, consider limiting privileges to cloud storage and remote login applications. It is advisable to provide documentation and reasoning for this policy and ensure it is consistently enforced.
Integrate Insider Threat Awareness into Periodic Security Training
All personnel need to understand that malicious insiders don’t fit a specific mold. Their technical access ranges from basic to advanced and their ages range from late-30s to near-retirement. Therefore, organizations should update their security awareness programs to encourage employees to spot insider attacks not by stereotypical traits but by analyzing their behavior, including:
- Retrieving proprietary or sensitive information within a week of resigning
- Bragging about the level of privilege they’ve received from their organization
- Attempting to gain coworkers’ credentials through the exploitation of trusted bonds
Employees and managers should also be trained to recognize schemes in which insiders engage other members of the staff to join their attempts. Educating everyone on this possibility and potential consequences may make personnel more aware of manipulation attempts.
Moreover, organizations should train their staff to be wary of odd requests, even ones that do not ask for passwords or attachment downloads. This kind of training should be offered at least once every quarter.
Monitor and Analyze Users’ Actions
UBA, or User Behavior Analytics, is the crown jewel of modern insider threat-detection programs. It uses a unique analytics algorithm that goes beyond the initial login to track user activities associated with systems they use to conduct daily operations. UBA is increasingly gaining traction: for example, IBM has integrated UBA into its SIEM solution.
UBA’s anomaly-detection and behavior analytics capabilities allow the company’s security analysts to check potential incidents in their original context to see what exactly happened – whether it was an honest mistake, a malicious attempt or nothing at all.
In addition to being great monitoring tools, UBA solutions also offer concrete evidence, which can be presented in litigation (if needed). Moreover, physical events can also be fed into the UBA system for analytics, making for a more comprehensive set of events with which to assess insider activity. For instance, if employee badge access records are entered into the solution's database, it would be possible to know whether unauthorized account usage happened within an organization's facility. Likewise, the same data could be used to identify unauthorized remote access if the action happens from outside the organization. Leading UBA vendors like Splunk even go so far as to assign a score reflecting the intensity of an insider threat, so the organization can not only review insiders but also take preventive action when it matters the most.
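The badge-to-login correlation described above, as an added Python example that is not part of the article or of any vendor's UBA product. The badge and authentication records are constructed sample data, and the source labels "lan" (on-site workstation) and "vpn" (remote) are assumptions; the per-user count stands in for the kind of threat score the article mentions.

```python
from datetime import datetime

# Constructed sample data (not from the article): badge swipes and
# authentication events for a hypothetical office on one day.
BADGE_EVENTS = [
    ("alice", "2018-06-04T08:55:00", "in"),
    ("alice", "2018-06-04T17:40:00", "out"),
    ("bob",   "2018-06-04T09:10:00", "in"),
]

AUTH_EVENTS = [
    # (user, time, source); "lan" = on-site workstation, "vpn" = remote access
    ("alice", "2018-06-04T09:02:00", "lan"),  # normal: badged in, on-site login
    ("alice", "2018-06-04T21:15:00", "lan"),  # on-site login after badging out
    ("bob",   "2018-06-04T11:30:00", "vpn"),  # remote login while badged in
    ("carol", "2018-06-04T10:00:00", "lan"),  # on-site login with no badge record
]


def _ts(s):
    return datetime.fromisoformat(s)


def on_site(user, when, badge_events):
    """True if the user's latest badge swipe before `when` was an 'in' swipe."""
    present = False
    for who, t, direction in sorted(badge_events, key=lambda e: e[1]):
        if who == user and _ts(t) <= when:
            present = (direction == "in")
    return present


def correlate(auth_events, badge_events):
    """Flag logins whose location contradicts the badge record.

    Returns (findings, scores): findings is a list of (user, time, reason)
    tuples; scores counts flagged events per user as a simple risk score.
    """
    findings, scores = [], {}
    for user, t, source in auth_events:
        present = on_site(user, _ts(t), badge_events)
        reason = None
        if source == "lan" and not present:
            reason = "on-site login while not badged in"
        elif source == "vpn" and present:
            reason = "remote login while badged in"
        if reason:
            findings.append((user, t, reason))
            scores[user] = scores.get(user, 0) + 1
    return findings, scores
```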
Use Content Filtering to Prevent Sensitive Information from Going Out
A significant portion of insider abuse is performed from outside the company through remote access. That's because adversaries are less likely to be caught exfiltrating sensitive data when they can do it without being physically present in a privileged room. Additionally, people often post work-related communications, customer requests or blogs on the Internet, which can include attachments and sensitive details that put their respective companies at risk.
Filtering content in IM (instant messaging), email and HTTP communications enterprise-wide is the best way to stay on top of sensitive information and prevent it from going out to such channels. However, there’s always the risk that data might go out through users’ devices or in encrypted transmissions. In either scenario, filtering will at least make you aware of the fact that potentially risky communication is occurring. Moreover, managers and employees can subscribe to Google Alerts, so they can be alerted any time keywords related to their organizations show up on the web. Lastly, organizations’ HR departments should check whether outgoing employees have confidential data on their personal flash drives, smartphones, tablets or personal computers.
The frequency of insider attacks is expected to grow in 2018 and beyond. This is mainly because a growing number of organizations have an operational need to grant third parties and personnel access to their systems, increasing the number of potential hazards. The best practices mentioned above should help strengthen your organization’s overall security posture to mitigate or prevent this threat.
Insider Threat Report: 2018, CA Technologies
IBM QRadar UBA, IBM Security