IT Focus Area: Security
February 12, 2016
5 Keys to Addressing Insider Threats
Means, motive and opportunity are the keys to solving any crime, and cyber attacks are no exception. While all attackers have motives, insiders enjoy ideal means and opportunity. This places them in a much better position to carry out malicious activities.
Insider threats are among the most difficult for enterprises to address. The 2016 Cost of Cybercrime Study by Ponemon found that insiders were the most costly source of attacks. Incidents involving insiders cost an average of nearly $145,000 each and took 51 days to resolve, the longest of any type of attack.
The ability to quickly detect and respond to insider threats has never been more crucial, but many organizations are failing to deal with the issue. A recent insider threat report from Crowd Research Partners found that while 74 percent of organizations feel vulnerable to insider threats, fewer than half (42 percent) have the appropriate controls in place to prevent an insider attack.
Organizations may be tempted to overlook risks from within their own business ecosystem. Managers tend to have faith in their own employees, partners, contractors and suppliers, and it’s easy for them to believe that the lack of a known insider incident means everything is OK. Unfortunately, it’s more likely that they’re simply blind to what’s going on – many companies don’t have controls in place that would enable them to pick up on anomalous behavior and data exfiltration by authorized users.
When an insider incident does come to light, it is often handled internally in order to avoid publicity. Many organizations do not involve law enforcement or bring legal charges against insiders involved in compromises. By not doing so, they are putting other companies that may hire those individuals in the future at risk.
Who are these people whose behavior threatens us with data loss and brand damage? There are various descriptions out there of the different types of insiders behind these threats, with interesting labels ranging from “turncloaks” to “ringleaders.” They boil down to three basic types:
1. Outsiders Posing as Insiders
These impostors are malicious external attackers that have breached an organization’s defenses and manage to emulate an authorized user with real credentials. They can then leverage that user’s tools and access for their own purposes. The outcome is usually a behavioral pattern in which privileges are escalated, and critical data is either exfiltrated or disclosed to the public.
2. Malicious Insiders
Current and former employees, contractors or other business partners who have authorized access and intentionally abuse that access out of bitterness, a desire for personal gain, financial desperation, or an intent to compete. While their behavioral patterns may seem normal, their intentions are not, and the outcome may be data loss or disclosure.
Current employees, contractors, or other business partners who fall for phishing schemes and become pawns for external attackers, or otherwise make a mistake and inadvertently misuse or expose critical data.
From a defensive standpoint, it makes no difference if data loss stems from an external attacker with stolen credentials or an employee acting carelessly. Sensitive data needs to be protected, no matter who accesses it. What unifies these types as a significant threat is that they’re already inside your network. If you don’t protect your data by monitoring their activity and behavior you’ll be unable to respond to any threats they pose, and the results can be devastating.
Take Edward Snowden, for example. He was an NSA contractor – working as a SharePoint administrator – who took advantage of the fact that his behavior as a user was not being continuously monitored and audited. He used elevated privileges to reach sensitive data he had no need to have access to, and removed it via a USB drive without raising any red flags. Visibility into behavioral patterns was not aligned with identity and access management processes in a way that would have enabled the NSA to quickly identify his malicious activity.
How do you know if your organization is doing enough to address insider threats?
Consider these questions:
- Do you have a (cyber) threat management program in place?
- Have you identified and/or classified critical data and educated users on handling procedures?
- Do you have the ability to define normal user behavior and/or identify anomalous behavior?
- Do you have auditing capabilities in place that facilitate an understanding of users’ access and authorization needs?
- How far along are you with an effective identity and access management (IAM) program?
- Do you audit the security practices of your service providers, contractors and other business partners, specifically their identity governance and data handling processes?
- Do you pay special attention to users with privileged access?
- How are you auditing user policy adherence?
If you are surprised by how many of these questions you cannot answer, you’re not alone.
Many organizations are so focused on the latest external threat that they overlook their own business ecosystem, and are not equipped to detect or respond to internal threats in a timely manner.
Building Your Strategy
It’s important to remember that dealing with these threats – and IT security in general – is a continuous, programmatic process. In addition to best practices such as robust personnel background checks, security awareness programs and policy strategies for social media, BYOD and IoT devices, five key steps can help your organization address insider threats.
1. Know Your Assets
You can’t protect what you don’t know. Prioritize threats by pinpointing the areas in which problems are likely to occur, and determining your organization’s risk tolerance.
- What are your most valuable information assets?
- Where are they?
- Who has access to them and why?
- When are they being accessed?
- Are the security controls in line with your risk tolerance?
Answering these questions can provide visibility into the critical pieces in your infrastructure that need attention, and the users most likely to be targeted by attackers. It will also provide insight into what normal activity looks like, which will better enable you to recognize abnormal patterns of behavior. It is important to think of your organization not only as an ultimate target, but as a stepping stone. Assess your partnerships and business relationships to identify which might provide access to your company’s information in the event of a breach, and vice versa. This in-depth evaluation requires collaboration between IT, security and the business.
2. Continuously Assess Your Security Posture
Careful evaluation of your organization’s security posture is critical, and should be an ongoing process.
Consider threats from insiders and partners, as well as malicious unknowns in your security assessments. Professional services such as security program assessments help to evaluate the overall state of your organization’s security by providing an objective view of your organization’s policies, controls and processes. The development of an effective vulnerability and threat management program will identify vulnerabilities exposing the organization to malicious activity. Compromise assessments can determine whether or not malicious activity is already taking place on your network. They should be regularly scheduled as a part of your vulnerability management practices, and integrated with incident-response capabilities.
- Ensure that basic security practices are in place. Proper password and authentication policies, patch-management procedures, firewall and IDPS configuration, and log review procedures are among the practices that should be well-established within your organization, and that of your partners and contractors. Ensure the information from these tools and systems is visible and correlated between key teams and incident responders. Remember to focus appropriately on third-party relationships and deploy compensating controls if your partners are not at the level of security you desire.
- Identify the security tools, technologies, and strategies you currently employ and maximize their effectiveness against today’s internal and external threats. Is your security information and event management system (SIEM) properly logging, monitoring and auditing employee actions and activity? Do you have data loss prevention (DLP) and analytics technology implemented and integrated to provide visibility into data movement? What technologies and solutions exist to fill gaps in your existing security infrastructure?
- Should you upgrade your current vendors’ products, or invest in new technologies? Many organizations fail to optimize their existing tools and technologies, and programs and processes often have gaps that can be exploited. Focus on what currently exists within the organization, and perform programmatic gap assessments to enhance your efforts. Many companies leverage a vendor-independent technology partner to test additional solutions and find the right fit for their organization.
- How strong is your existing identity management infrastructure? It’s important to monitor employee roles carefully as they change, as well as the accessibility of information by partners and outside consultants. Your identity management system should ensure only those who require access to sensitive information have it. If an employee leaves the organization or moves to another department, your identity-management system should make appropriate changes to access or wipe data on mobile and other devices as necessary. Privilege management should be a key area of focus. Ensure controls are in place to cross-reference identities with data protection strategies.
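The identity check in the last item, sketched as an access review. This is an added example, not code from the original article: the HR roster, department policy, entitlement export and reason codes are all constructed, hypothetical data standing in for whatever your IAM and HR systems export.

```python
# Constructed HR roster: account -> (employment status, current department).
HR = {
    "alice": ("active", "finance"),
    "bob": ("active", "engineering"),   # recently moved out of finance
    "carol": ("terminated", "finance"),
}
# Constructed role policy: what each department is entitled to.
DEPARTMENT_ACCESS = {
    "finance": {"payroll-db", "erp"},
    "engineering": {"git", "build-logs"},
}
# Constructed IAM export: (account, entitlement, privileged?).
ENTITLEMENTS = [
    ("alice", "payroll-db", False), ("alice", "erp", False),
    ("bob", "git", False), ("bob", "payroll-db", False),
    ("carol", "erp", False), ("dave-contractor", "erp", True),
    ("alice", "domain-admin", True),
]

def review_access(hr, dept_access, entitlements):
    """Return (account, entitlement, reason, privileged) rows, privileged first."""
    findings = []
    for account, entitlement, privileged in entitlements:
        record = hr.get(account)
        if record is None:
            reason = "ORPHANED"      # no owner on the HR roster
        elif record[0] != "active":
            reason = "LEAVER"        # owner has left; access should be gone
        elif entitlement not in dept_access.get(record[1], set()):
            reason = "OUT_OF_ROLE"   # not part of the current department's role
        else:
            continue                 # entitlement matches status and role
        findings.append((account, entitlement, reason, privileged))
    # Stable sort so privileged findings are reviewed first.
    return sorted(findings, key=lambda row: not row[3])

if __name__ == "__main__":
    for row in review_access(HR, DEPARTMENT_ACCESS, ENTITLEMENTS):
        print(row)
```

Run on a schedule against fresh exports, the same comparison catches access that lingers after a departure or a department change.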
3. Develop a Formal Insider Threat Program
The development of an insider threat program that synchronizes people, policies, processes and technology will help you understand and deter threats the insiders in your organization pose.
- Security executives will need to gain boardroom buy-in. Highlight the value the program would bring to the business through the detection and mitigation of threats.
- Identify internal and external stakeholders, and form a team that understands the information needs of employees, contractors and service providers, as well as the assets that need to be protected.
- A thorough assessment of existing vulnerabilities and threats that focuses on the flow of data in and out of the organization, weighed against overall risk appetite, is essential.
- Take a programmatic approach that is not exclusive to the security team. Human resources, legal and business groups should be involved along with IT.
- Planning, design and baselining should be considered a continuous process, and include a fluid playbook and drills that test the efficacy of the program.
- Consider the lifecycle of an employee—from interview to exit—and determine areas of risk. Access rules should be enforced from day one, and activity outside of access rights flagged.
- Continuously review privileged access to sensitive information and remove it when deemed unnecessary or high-risk.
- Maintain insider incident-response plans that define response, which should include an extended team (legal, human resources and departmental management) if an employee is involved.
- Be careful not to implement policies or procedures that degrade performance; it is important not to hinder productivity and innovation.
4. Enforce Separation of Duties and Least Privilege
Give people access to what they need in order to do their job, and nothing more. This includes partners. Consider the Target breach – the HVAC contractor had access to the entire point-of-sale system, which they did not need in order to do their job. Contractors shouldn’t be allowed to operate on the same logical network layer as sensitive data. Ensure that service level agreements (SLAs) account for connectivity that is separate from corporate data. You need to be aware of what contractors and third parties have access to, and monitor their activities.
5. Continuously Monitor User Behavior
Perhaps the most important step you can take to address insider threats is to learn what’s normal and what’s not by increasing your behavior-monitoring capabilities. When asked what the NSA could have done differently to prevent Snowden’s malicious access creep and data exfiltration, former Deputy Director Chris Inglis has said one of the things he would have done was move to continuous monitoring solutions rather than rely on traditional controls. And there’s a good chance that if several organizations that fell victim to recent high-profile attacks had continuous monitoring via context-aware user and entity behavior analytics (UEBA) at the time of their breach, abnormal behavior coming from authorized users, contractors, partners, or suppliers could have been quickly identified.
Tools that are already embedded in the network such as DLP, IAM controls and SIEM are a foundational part of the effort to address threats; ensure that they are working effectively. The integration of specialized tools such as network analytics and UBA can advance your efforts. They help to establish baselines of normal user behavior to work from, and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events associated with insider threats. Through these tools, you can quickly identify threats based on actions that stray from normal patterns, and address them through manual or automated remediation.
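A small illustration of the baseline-then-deviation idea described above. It is an added example, not part of the original article or any vendor's product: the event tuples, user names, the 3.0 z-score threshold and the three signals (first-time resource, new transfer channel, outbound volume) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: (day, user, resource, bytes_out, channel).
BASELINE = [
    (1, "alice", "hr-share", 40_000, "smb"), (1, "bob", "wiki", 12_000, "https"),
    (2, "alice", "hr-share", 55_000, "smb"), (2, "bob", "wiki", 9_000, "https"),
    (3, "alice", "hr-share", 48_000, "smb"), (3, "bob", "build-logs", 15_000, "https"),
    (4, "alice", "payroll-db", 52_000, "smb"), (4, "bob", "wiki", 11_000, "https"),
]
# Constructed events for the day being scored.
TODAY = [
    (5, "alice", "hr-share", 51_000, "smb"),
    (5, "bob", "wiki", 10_000, "https"),
    (5, "bob", "payroll-db", 900_000, "usb"),
]

def build_profiles(events):
    """Per-user baseline: daily outbound volume, resources and channels seen."""
    daily = defaultdict(lambda: defaultdict(int))
    profiles = defaultdict(lambda: {"resources": set(), "channels": set()})
    for day, user, resource, nbytes, channel in events:
        daily[user][day] += nbytes
        profiles[user]["resources"].add(resource)
        profiles[user]["channels"].add(channel)
    for user, per_day in daily.items():
        volumes = list(per_day.values())
        profiles[user]["mean"] = mean(volumes)
        profiles[user]["std"] = pstdev(volumes)
    return dict(profiles)

def score_day(profiles, events, z_threshold=3.0):
    """Return {user: [reasons]} for activity that strays from the baseline."""
    totals, findings = defaultdict(int), defaultdict(list)
    for _, user, resource, nbytes, channel in events:
        prof = profiles.get(user)
        if prof is None:
            findings[user] = ["no baseline for user"]
            continue
        totals[user] += nbytes
        if resource not in prof["resources"]:
            findings[user].append(f"first access to {resource}")
        if channel not in prof["channels"]:
            findings[user].append(f"new channel {channel}")
    for user, total in totals.items():
        # Floor the deviation so a perfectly flat baseline cannot divide by zero.
        z = (total - profiles[user]["mean"]) / max(profiles[user]["std"], 1.0)
        if z > z_threshold:
            findings[user].append(f"outbound volume z-score {z:.1f}")
    return dict(findings)
```

Calling `score_day(build_profiles(BASELINE), TODAY)` leaves alice unflagged and reports three reasons for bob; a production baseline would cover weeks of activity and account for role changes.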
Developing a comprehensive insider threat strategy shouldn’t be an afterthought.
Outsiders such as hackers, organized crime groups, terrorists and nation-states may be the "bad guys" we don’t know and love to hate, but insider threats can be far more costly and damaging. Insiders—and the malicious outsiders who emulate them—have the means and opportunity to access our most critical data. Effectively addressing the threats they present requires us to focus on the flow of that data from both sides. It’s no longer enough to simply look outwards and focus on what's coming in; security teams must also look inwards to evaluate what's going on within the company, and what's going out.
This is not just an IT issue; it’s an operational issue that crosses people, process and technology. A comprehensive approach includes a detailed understanding of the organization’s assets and security posture, clear separation of duties, continuous monitoring solutions and a formal insider threat program that includes IT, HR, legal and business groups. With the right resources in place, you can gather the actionable intelligence you need to get visibility into the highest-risk users in your environment and the tools to monitor, report on, and investigate them. This will help you transform user data into an asset, and prevent your organization from making the wrong kind of headlines.
Listen to the on-demand Meet the Experts web event, 5 Key Elements to Building an Effective Insider Threat Strategy, and view the SlideShare.