The insider threat has been considered one of the most formidable threats within organizations in the recent years. Rogue and disgruntled employees getting their hands on sensitive information have led to significant losses for many organizations. Some employees unknowingly or unintentionally may also cause disruptions at the workplace affecting normal day-to-day operations.
In this article, we discuss the insider threat and how certain actions at the workplace might lead to information compromise. We’ll discuss the top technologies that can be implemented to mitigate such threats and conclude with discussing best practices that can be followed to ensure insider threats are best handled.
What is an Insider Threat?
An insider threat is an entity within the organization with authorized access to the organization’s systems and functions, but who has malicious intent. Such an insider can compromise sensitive information that should not be disclosed, and thus damage the organization.
Insider threats may be employees, third-party vendors, contractors and even partners. They are normally interested in intellectual property, client information, financial information, marketing information and national security information. This is a threat that, if not adequately addressed, can cripple the entire organization. It is therefore important to determine the challenges that organizations encounter while dealing with this threat.
What Are the Challenges of Insider Threats?
Insider threats have a few characteristics that make them stand out from the common external threats. The common features of insider threats include:
- Difficult to detect. It is possible to detect various external threats, but when it comes to behavioral analysis and determining what is acceptable and unacceptable behavior at the organization, it becomes one of the most complicated things to do. For example, hundreds of thousands (if not millions) of transactions taking place within the organization will require monitoring. The question becomes “How do you assess each of these for behavior anomalies?”
- Well-informed. Insiders will often be familiar with the organization’s environment. Some of the threats result from accounts with seemingly legitimate privileges: either departing employees’ accounts that have not yet been terminated, or genuine accounts maintained by employees that are disgruntled or have since gone rogue. Combined with good intelligence gathered about the environment and the set policies, these accounts can prove dangerous in the hands of an insider threat.
- Expensive to handle. Once an insider threat has compromised an organization, the cost of dealing with reputation damage can be astronomical. Organizations will grapple with the cost of re-establishing trust with their clientele, especially in the current climate where privacy and security of user information are held in high regard.
- Modern and emerging. Over-reliance on traditional technologies such as firewalls and SOCs does not always leave the organization in a position to detect insider threats. Logs being sent to SOCs and firewalls are simply not enough to spot behavior anomalies. It is even more difficult to determine intent to compromise the organization.
- Difficult to prove guilt. Sometimes your organization may be successful in thwarting a breach before it can take place. However, proving guilt is another story. It is very difficult to prove guilt, since employees may claim that they made mistakes which only appeared incriminating. Again, this will depend on the kind of information being collected for analysis. There is some information that can be collected, such as account login information and chat logs that might serve as strong evidence in behavior anomaly investigations.
How Do Insiders Become Threats?
According to the 2016 U.S. State of Cybercrime survey, 27% of electronic crimes were either suspected or confirmed to have been committed by insiders within organizations. Thirty percent (30%) of the respondents also strongly believed that the damage caused by insider threats was more severe than that of external attacks. This means that organizations are beginning to open up to the reality of threats caused by insiders. Insider threats will largely fall within the following categories:
The Disgruntled Employee
Some employees simply disagree with various parts of the organization and end up exposing them. This might be due to certain beliefs, whether moral, religious or political.
The Rogue Employee
Rogue employees may seek to exploit an opportunity for their own selfish gains. The good news is that such actions are normally never well-thought-through and often result in the culprits being arrested and charged.
Third-party companies are normally onboarded to execute certain functions within organizations. These may include electricians and technicians, cleaners, security guards and other individuals or companies. These may seem like your everyday workers, but not all of them are as harmless as they look.
The Ignorant Employee
Employees might be interested in bringing their devices to work, oblivious of the threat these pose. For instance, a worker bringing an infected laptop to the work network might introduce ransomware that ends up damaging the entire organization. It is due to this that organizations are now embracing policies prohibiting employees from bringing their own devices to work.
There are also some technologies that, when correctly implemented, help in mitigating the risk of insider threats. Let’s discuss a few.
What Are the Top 5 Technologies for Mitigating Insider Threats?
Organizations have historically implemented external-facing technologies such as firewalls and proxies to deal with external threats, but with the emerging prominence of insider threats, technologies are being developed to deal with these new problems. Imagine the threat posed by disgruntled IT personnel with full understanding of the organization’s network structure, systems, vulnerabilities, policies and procedures. It is thus important that organizations put in place measures to mitigate insider threats. The following are the most commonly-used technologies.
Database Activity Monitoring
Monitoring logs within your databases allows you to keep track of every database transaction made and block unauthorized ones from being performed. Security departments monitor these logs for events that could signal an attack and fix it before any real damage is done.
For example, constant database queries being performed at odd hours of the night or off working days might be an indication that suspicious activity is taking place. Errors and invalid database requests should also be monitored. Even though having database-monitoring solutions installed is mostly achieved through compliance mandates, most organizations are deploying database-monitoring solutions to prevent insider threats.
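As an added example (not part of the original article), the following script applies the two checks described above, queries outside business hours or on non-working days and repeated errors or invalid requests, to a handful of constructed audit log lines. The log format, the 08:00 to 18:00 working window and the error threshold are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not from any real database product).
# Format assumed here: timestamp | db user | status | statement
# 2016-11-14 is a Monday, 2016-11-12 a Saturday.
SAMPLE_AUDIT_LOG = """\
2016-11-14T10:12:03 | alice | OK    | SELECT name FROM customers WHERE id = 42
2016-11-14T10:12:09 | alice | OK    | UPDATE orders SET status = 'shipped' WHERE id = 7
2016-11-14T23:41:55 | bob   | OK    | SELECT * FROM customers
2016-11-14T23:42:10 | bob   | OK    | SELECT * FROM payment_cards
2016-11-12T14:05:00 | carol | OK    | SELECT * FROM salaries
2016-11-14T11:00:01 | dave  | ERROR | SELECT * FROM secret_projects
2016-11-14T11:00:04 | dave  | ERROR | SELECT * FROM board_minutes
2016-11-14T11:00:07 | dave  | ERROR | SELECT * FROM hr_records
2016-11-14T11:30:00 | alice | ERROR | SELECT nmae FROM customers
"""

WORK_START, WORK_END = 8, 18   # assumed business hours: 08:00 up to 17:59
ERROR_THRESHOLD = 3            # assumed: failed statements per user before alerting


def parse_line(line):
    """Split one 'timestamp | user | status | statement' line into a dict."""
    ts, user, status, statement = (field.strip() for field in line.split("|", 3))
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "status": status, "statement": statement}


def analyze(log_text, work_start=WORK_START, work_end=WORK_END,
            error_threshold=ERROR_THRESHOLD):
    """Return findings for off-hours queries, weekend queries and error bursts."""
    findings = {"off_hours": [], "weekend": [], "error_burst": {}}
    errors = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        stamp = ev["ts"].isoformat()
        if ev["ts"].weekday() >= 5:                      # Saturday=5, Sunday=6
            findings["weekend"].append((ev["user"], stamp))
        elif not (work_start <= ev["ts"].hour < work_end):
            findings["off_hours"].append((ev["user"], stamp))
        if ev["status"] != "OK":                         # errors / invalid requests
            errors[ev["user"]] += 1
    findings["error_burst"] = {u: n for u, n in errors.items() if n >= error_threshold}
    return findings


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_AUDIT_LOG).items():
        print(rule, hits)
```

A single typo-induced error (alice) stays below the threshold, while bob's late-night reads of customer and card tables and dave's run of failed reads against restricted tables are the events an analyst would want surfaced.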
Organizations are increasingly embracing whitelisting technologies to handle the insider threat problem. Whitelisting allows only authorized software binaries to be executed on nodes within the network. This simply means that any unauthorized program, whether already present on the network or being introduced onto it, is blocked. For instance, organizations may allow only the core applications necessary for daily work to be installed and refuse any other.
The biggest challenge with this technology is managing all the executable software at the organization, deciding how risk profiles can be defined and specifying how applications can be white- or blacklisted according to the organization’s preferences.
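The following is an added illustration (not code from the article or any product) of the hash-based allowlisting described above: each executable is identified by its SHA-256 digest rather than its file name, so a renamed unknown program and a tampered copy of an approved one are both refused. The "binaries" are constructed byte strings written to a temporary directory.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for approved program files (plain bytes, not real binaries).
APPROVED_BUILDS = {
    "editor.exe": b"MZ approved editor build 1.2",
    "mail.exe": b"MZ approved mail client build 4.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved):
    """The allowlist is a set of digests; file names play no part in the decision."""
    return {sha256_hex(content) for content in approved.values()}


def check_directory(path, allowlist):
    """Return an ALLOW/BLOCK verdict for every file found under path."""
    verdicts = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as fh:
            verdicts[name] = "ALLOW" if sha256_hex(fh.read()) in allowlist else "BLOCK"
    return verdicts


def demo():
    """Stage a mix of approved, unknown and tampered files and evaluate them."""
    staged = dict(APPROVED_BUILDS)
    staged["game.exe"] = b"MZ not on the approved list"                 # unknown program
    staged["editor_old.exe"] = APPROVED_BUILDS["editor.exe"] + b" patched"  # modified copy
    allowlist = build_allowlist(APPROVED_BUILDS)
    with tempfile.TemporaryDirectory() as workdir:
        for name, content in staged.items():
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(content)
        return check_directory(workdir, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5} {name}")
```

The management burden the paragraph mentions shows up here too: every legitimate software update changes the digest, so the allowlist must be maintained alongside the patch process.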
Network Flow Analysis
Solutions that monitor data packets for malicious activity allow security teams to determine whether communication from the network is, for example, taking place between malware and a command-and-control server, and thus determine the kind of information leaving the network. This is important since insiders might set up rogue servers that communicate with the outside network, collaborating with malicious agents to siphon information away. RSA’s NetWitness platform collects traffic from the network, applying threat feeds to it and allowing security teams to perform analytics and determine the intent and context of traffic within the organization.
Security Information Management, Log Analysis
Organizations can employ SIEMs as a line of defense and also for monitoring activities within the network. This allows security departments to effectively determine where to focus while responding to insider threats. Some SIEMs employ data-analytics capabilities and threat intelligence, allowing security departments to determine points within the network that have configuration or security weaknesses and suggest methods to correct these. The ability to consume logs from multiple devices on the network means that security departments are capable of handling insider threats before they can cause damage within the organization.
Data Loss Prevention
DLP solutions are perhaps the most sought-after for managing insider threats, as they allow organizations to ensure that data is handled securely across endpoints. These solutions can determine confidential data and note the data owners, effectively preventing data leaks.
Security teams can also define policies that, for instance, prevent emails containing certain information from leaving or entering the organization. Flash drives can also be restricted across the organization using DLP software. This prevents intellectual property from leaving the organization. Where there is a heavy reliance on the internet, cloud-based DLP solutions may be deployed to ensure that traffic leaving the network is encrypted.
What Are Some Best Practices to Prevent Insider Threats?
There are a few best practices that you can follow to ensure that your organization remains ready to fight insider threats. In order to remain ahead, you need to:
Perform a Risk Assessment
The best way to understand your security posture is to perform regular risk assessments. These allow you to determine the weak spots within the organization and determine the “crown jewels” (such as intellectual property) that attackers may be aiming for. Determining this allows you to restrict this information to only trusted individuals.
Establish an Effective Security Policy
Having outlined security rules at the organization ensures that all employees conform to the accepted regulations, from top to bottom. The policies can, for instance, prohibit employees from bringing their own devices to work, sharing credentials or using unencrypted removable media such as flash disks and external hard drives. This will prevent the sharing of confidential information.
Create Proper Termination Procedures
Most insider threats take place through privileged accounts that have not had their access to critical systems revoked. It is important that the accounts of departing employees are promptly removed from the systems they no longer require access to.
Conduct Background Checks
Background checks allow you to determine the character of employees before they are onboarded into the organization. Background checks can also be used to identify moles acting from within the organization. For instance, sudden changes in employee lifestyles, such as a surge in standard of living, extravagant expenditures and trips, might be a cause for concern.
Monitor Employee Activity
Monitoring employee activity allows you to determine the actions performed by privileged-access employees. This presents every employee’s actions as fully visible and transparent to you, so that you can determine whether their actions are warranted or if you need to take certain measures to contain leaks.
In this article we have explored the very real possibility of insider threats. Organizations must always consider the possibility that sensitive information (such as the crown jewels) will be attractive to competitors and insiders, and thus, that organizations need to ensure they are vigilant and adhere to the best practices that prevent insider threats. Solutions that mitigate insider threats are also being improved, and it would prove beneficial to keep ahead of the problem with the newest software and innovations that curb the insider threat.
2016 State of Cybercrime Survey, Carnegie Mellon University
Insider Threat, Carnegie Mellon University
How to Prevent Industrial Espionage: Best Practices, Ekran System Blog
Top 5 Technologies That Detect Insider Threats, CRN
Challenges of Insider Threat Detection – Whiteboard Wednesday, Imperva