A practical approach to combating insider threats
With September marking Insider Threat Awareness month, it is time for organizations to wake up to one of the biggest security threats which is already lurking on their network.
Insider threats are difficult to detect. Protecting against them by guarding the network perimeter does not work. This is because they are already inside your network.
The Snowden incident in 2013 sent a wakeup call to organizations. They needed to start looking inside for risks posed by employees and contractors.
This was confirmed two years later when Galen Marsh, who was a financial advisor at a prominent Wall Street bank, damaged the bank’s reputation by stealing sensitive client data from corporate systems and uploading it to a personal server hosted at his home.
While these high-profile cases caught mass media attention, there are many insider-caused incidents happening every day. They don’t receive the same publicity but still put organizations at serious financial and reputational risk.
As a result, there is no doubt that insider threats are still a concern. So, organizations need to take preventive measures before it’s too late.
Building an effective insider threats program
Today, most organizations struggle to effectively mitigate insider threat risks. This is because, as much as it may sound like a cliché, security cannot be solved using technology alone. Rather, it is a culmination of people, process, and the nature of how a business operates.
The first step is to assess your organization’s appetite for risk and what the organization values the most.
For example, some organizations value protection of their Intellectual property the most. Meanwhile, others value preventing damage to their brand reputation as a result of confidential data theft caused by an Insider.
The next step is to build a strong understanding and consensus across the key verticals of the organization such as HR, legal, compliance, and critical lines of business’s. This is essential for an effective program outcome.
In order to accomplish this consensus, organizations should form an Insider Threat Working Group (ITWG). The ITWG’s mission is to educate the verticals on the importance of protecting the organization from such threats.
Several programs fail to fully realize their potential because the risk appetite specific to an organization is clearly not defined.
Lastly, the ITWG forms a partnership with key stakeholders to define policies and procedures. Laying down this foundation will pave the way for the future of the program.
Type of insiders to monitor
Insiders can be categorized into three main types:
- Negligent Insider: An employee or contractor unknowingly or accidently compromises data due to bad security hygiene.
- Complacent Insider: An employee or contractor intentionally ignores policies and procedures or bypasses them.
- Malicious Insider: An employee who intentionally compromises data and misuses privileges in order to cause damage to the organization.
In all three cases the employee or contractor is putting the organization at risk. However, the malicious insider can result in the largest risk.
This is because of their intentionally malicious actions, which can be far-reaching. This type of insider is also harder to detect because they are often highly motivated. Also, they will typically actively work to circumvent existing controls and take other precautions to remain undetected.
Our observation in the field is that organizations deal with complacent and negligent insider cases 90 percent of the time.
The actions taken against these insiders will vary quite a lot, from warnings to termination of employment. The outcome for a malicious insider has more serious consequences. In some cases, law enforcement will need to be involved as the case is tied to corporate espionage.
Insider Threat Program: Putting the right tools in place
Insider threats are a lot more relevant for organizations today, as attacks grow more sophisticated. Establishing an insider threat program (ITP) is an important step towards building an insider threat resistant organization.
The key is to start small and grow the program footprint over time. Organizations should start with an assessment of what exactly they want to protect. They should identify the types of risks they want to mitigate, before embarking on implementation of the program objectives itself.
Selecting a technology that conforms to the insider threat team’s objectives is also a key consideration. Having a strong ITP is an essential step towards combating insider threats.
Despite this, the tools that the team uses for insider threat detection are just as important. For example, a SIEM tool with automated threat identification, threat chains, and integrated remediation capabilities is recommended for a successful