IT Focus Area: Security
September 17, 2015
Dealing with the Devil You Know: Cyber Security and the Insider Threat
You’ve probably heard the old English proverb, “Better the devil you know than the devil you don’t.”
Cybercrime is an exception to this advice. Outsiders such as hackers, organized crime groups, terrorists and nation-states may be the "bad guys" we don’t know and love to hate, but insider threats can be far more costly and damaging. Whether it’s through malicious intent or the inadvertent compromise of data through negligence, lost mobile devices or targeted phishing campaigns, insiders pose a tremendous threat to IT security.
And it doesn’t stop at employees. As the Target breach demonstrated, cybercriminals often use service providers, contractors, and suppliers as stepping stones to reach desired data.
The average number of days attackers are present on a network before being discovered is high—ranging from 205 to 256, depending on which report you read (FireEye’s 2015 M-Trends or Ponemon’s 2015 Cost of Data Breach). And the number of days it takes to resolve an incident is also high, averaging around 30. That number pales in comparison to how long it takes to remediate an incident when an insider is involved, which is more than double at a troubling 64 days.
The ability to quickly detect and respond to threats has never been more crucial, but many organizations do not have insider-threat programs in place and are struggling to deal with the issue. Security tools such as firewalls and access controls are designed to protect against untrusted external attackers, not trusted insiders.
So how do you know if your organization is doing enough to address insider threats?
Consider these questions:
Do you have an insider threat program in place?
Do you have the ability to define normal user behavior and/or identify abnormal behavior?
Do you automate the auditing of user behavior?
How far along are you with an effective identity and access management (IAM) program?
Do you audit the security practices of your service providers, contractors and other business partners?
Do you pay special attention to users with privileged access?
How are you auditing user policy adherence?
If you are surprised by how many of these questions you cannot answer, you are not alone.
Many organizations are so focused on the latest external threat that they overlook their own business ecosystem, and are not equipped to detect or respond to internal threats.
Specialized tools and services can help you form a strong insider threat strategy.
In addition to best practices such as robust personnel background checks, security awareness programs and policy strategies for social media and BYOD, there are tools and services available to help you mitigate insider threats.
Solutions such as data loss prevention (DLP), IAM, security information and event management (SIEM), network analytics and user behavior analytics (UBA) facilitate the detection of users with high-risk identity profiles, as well as high-risk activity, access, and events associated with insider threats.
Professional services such as security program assessments help to evaluate the overall state of your organization’s security and identify gaps exposing you to insider threats. And compromise assessments can determine whether or not malicious activity is already taking place on your network.
Developing a comprehensive insider threat strategy shouldn’t be an afterthought.
In today’s cyber-security landscape, it’s no longer enough to look outwards and focus on what's coming in; in order to effectively address insider threats, security teams should also look inwards to evaluate what's going on within the company, and what's going out.
With the right approach, you can gather the actionable insider threat intelligence you need to get visibility into the highest-risk users in your environment and the tools to monitor, report on, and investigate them. This helps you transform user data into an operational asset, and can prevent your organization from making the wrong kind of headlines.