The first part of our series on the insider threat surveyed the issues that enterprises face in dealing with both malicious and accidental leaks. From disgruntled employees stealing intellectual property to highly privileged users not following established security guidelines, the risk may take a variety of forms, making it difficult to contain. A December 2013 report from the U.S. Department of Homeland Security outlined the mounting challenges that public and private sector organizations face from within.
"Understanding and mitigating insider threat[s is] complicated by factors such as technological advances, globalization, and outsourcing," wrote the report's authors. "These factors increasingly blur the line between traditional insiders and external adversaries such as terrorists, organized crime groups and foreign nation-states, who may collude with or exploit physical insiders as vectors to do harm to a targeted asset or system."
What can enterprises do as the insider threat becomes more prominent? A 2014 Ponemon Institute survey of 693 privileged users (e.g., database administrators and network security practitioners), underwritten by Raytheon, found that most respondents had their work cut out for them:
- Nearly 90 percent expected privilege abuse to increase over the next two years.
- Sixty-nine percent asserted that their organizations could not detect and respond to insider incidents with sufficient speed.
- Half described the process of assessing privileged access as ad hoc – a figure that was virtually unchanged from 2011.
Turning the tide requires a combination of cybersecurity solutions as well as process improvements. While many organizations will certainly want to modernize their strategies for data loss prevention and network monitoring using cutting-edge tools, at the same time they must step up how they assess their employees, data and vulnerabilities. Presenting at the Black Hat USA Conference 2013, the FBI's Patrick Reidy characterized the vast majority of insider threats as non-technical and urged the audience not to confuse simple policy compliance with a holistic mitigation program.
Addressing the insider threat: The ingredients of a comprehensive strategy
Enterprises are accustomed to shoring up their perimeters against outside threats. This approach may inform similar insider threat programs that regard organizations as self-contained units. However, growing reliance on vendors and contractors has extended organizational boundaries much further than before.
More specifically, the 2010 scholarly article Insider Threats: Strategies for Prevention, Mitigation and Response drew upon the findings of a seminar held in Schloss Dagstuhl, Germany, observing that even external breaches often succeed through connections to the inside. For example, a 2008 scare involving Landesbank Berlin credit card data featured employees of a contracted courier service finishing a Christmas cake in their care and then covering their tracks by affixing its label to another package, which contained card numbers and PINs. The parcel ended up at a newspaper (the intended recipient of the cake) rather than the bank.
Reducing the risk of such incidents require a multifaceted approach. Key tenets include:
- Compiling and understanding baselines for employee behavior: To know what's anomalous, enterprises first have to grasp what's normal. It is critical to create baselines that include details such as an employee's email address, commonly used IP addresses, regular hours and privilege levels. Contextual and even psychosocial information can be used alongside network activity to assess a user's risk profile
- Leveraging network monitoring and analysis tools: Proactive monitoring has become a fixture among federal agencies, but other enterprises can benefit from it, too. Solutions may catch unusually large file transfers, emails to foreign countries and use of odd ports. In a 2012 panel discussion, Trend Micro vice president Tom Kellermann stressed the need for better system logging and file integrity monitoring to root out insiders.
- Implementing employee training to more accurately identify risks: Technical tools won't always catch insiders. Since employees may come into contact with risky peers all the time, it makes sense to train everyone to spot "red line" behaviors, as the DHS authors suggested, and report them to the appropriate parties.
- Comparing suspicious accounts to the current directory: Fake and compromised accounts are linchpins of insider attacks. While detection is difficult – and social engineering schemes can be similarly tough to thwart – enterprises can implement tight measures around account creation, requiring each to be associated with an employee, approved by a supervisor and cross-referenced against the existing account directory.
- Using dedicated staff to improve overall security posture: Defending against insider threats isn't a part-time activity. Organizations need dedicated staff, or help from consultants and cybersecurity providers, to keep tabs on risks. This way, they can get into better position to know who may be targeting their assets, what they're actually after and what attack surfaces they may attempt to exploit.
Dealing with the insider threat isn't easy, as the Ponemon-Raytheon survey indicated. Still, organizations aren't starting from square one. Many have been addressing the risks for years, and with help from security experts and other resources, they can protect themselves from both internal and external cyberattacks.