Protecting against insider threats is something all businesses have to manage and is an ongoing process. Shareth Ben, Insider Threat SME at Securonix, discusses a best practice approach for detecting and protecting against insider threats, as well as bringing awareness to the different types.
One of the biggest threats organisations currently face is from those already lurking on their network. Insider threats are difficult to detect because the actors are already inside your network, and traditional security techniques, such as guarding the network perimeter, will not work. Any enterprise that cares about protecting its brand or reputation needs to pay attention to the threat posed by malicious and/or careless insiders. The damage they can cause, through loss of confidentiality or theft of intellectual property, cannot be ignored.
Recent high-profile cases, such as the Snowden incident and the Capital One breach, caught the attention of the media and have sent a wake-up call to organisations. Insider threat incidents are happening every day, and even those that don’t receive mass media attention risk causing financial and reputational damage to the organisation. Multiple surveys indicate that insider threats are a key source of concern for enterprises. According to Cybersecurity Insiders’ 2019 Insider Threat Report, 68% of organisations feel vulnerable to insider threats – with 73% confirming insider attacks are becoming more frequent.
Types of insider threat
There are three main types of insider, each of which poses a potential risk to the organisation. The negligent insider is an employee or contractor who exposes data accidentally through poor security practices. The complacent insider is an employee or contractor who intentionally ignores policies and procedures, while malicious insiders are those employees who intentionally compromise data. Organisations are far more likely to experience a cyber incident as a result of a negligent or complacent insider than a malicious one; however, malicious insiders are far more dangerous. They are typically highly motivated and will take specific precautions to avoid detection.
Protecting against insider threat
Organisations are struggling to effectively mitigate the risks posed by insiders. However, to solve any problem, there first needs to be a proper diagnosis. The same approach applies to organisations that want to mitigate the risks caused by insiders. It all starts with a simple, yet difficult, question – what assets, in the form of information, intellectual property, money or physical resources, does an organisation value the most, and how critical are these assets to business functionality? Determining your organisation’s appetite for risk and its most valuable assets is a critical first step.
Some customer-facing organisations will value protecting brand reputation the most, while others value protection of their intellectual property. An organisation’s answers to these questions will determine the path their insider threat programme takes.
Approach insider threat with teamwork
Once organisations identify what they want to protect, it is advisable to form an Insider Threat Working Group (ITWG). This group typically consists of representatives from various divisions within the company and drives consensus among key departments such as HR, legal, compliance, IT risk and the lines of business. The team then works together to define the amount of risk an organisation is willing to tolerate, or ‘risk appetite’. It is the ITWG’s mission to educate employees on the importance of good cyber hygiene, as well as on recognising and protecting against insider threats.
It is crucial for organisations to realise that technology alone cannot tackle the problem of insiders; and organisations who put significant emphasis on the technical aspects alone are ultimately bound to fail. Therefore, an insider threat team must consist of both technical and non-technical staff who have a clear understanding of the organisation’s culture and operating model.
Building an effective insider threat programme involves a combination of people, processes and technology. The most successful programmes will ensure that every employee is aware of their role in preventing and reducing cyberthreats. Effective employee engagement means employees will go the extra mile in service to their organisation; they are therefore more likely to buy into the organisation’s cybersecurity objectives and to avoid the negligent or complacent mistakes that could lead to an insider breach.
Bring in supporting technology
Most medium and large organisations have limited insider monitoring in place, using data loss prevention (DLP) or privileged access management (PAM) solutions. Yet they still struggle to effectively mitigate insider threat risks. This is because, as much as it may sound cliché, security cannot be solved using technology alone. It is a combination of people, process and the nature of your business.
Once these policies and procedures are defined, a technology that best suits the programme’s requirements should be chosen. For instance, a User and Entity Behaviour Analytics (UEBA) technology with SIEM-like functionality has proven to be useful for effective insider threat detection and prevention. Having a strong Insider Threat Programme (ITP) is critical for building insider threat resilience. However, organisations must also select the right technologies for detecting insider threats. A SIEM tool with automated threat identification, threat chains and integrated remediation capabilities is recommended for a successful Insider Threat Programme.
Other key functionalities include:
Centralised logs with the ability to ingest a variety of technical and non-technical indicators of user activity. This is typically done using connectors and collectors of various types, depending on the target system.
The tool should also have the ability to normalise, aggregate and summarise user activity in preparation for data analysis and Machine Learning. Finally, the tool should come with the necessary out-of-the-box content to meet the organisation’s basic insider threat monitoring needs, and provide the ability to create custom content for industry-specific use case requirements.
The ideal technology will be able to apply purpose-built Machine Learning algorithms to specific use cases in order to detect insider threats effectively. The detection mechanism should consist of standard rule-based violation triggers and user behaviour-based anomaly detection. It is this combination that proves to be most effective.
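As an added illustration (not part of the original article, and not code from any Securonix product), the following Python sketch shows the combination described above: a static rule-based trigger beside a per-user behavioural baseline, run over constructed daily activity summaries and merged into a simple per-user score. The hard limit, the z-score threshold and the scoring weights are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict

# Constructed daily activity summaries (not real telemetry): (user, day, MB downloaded, after-hours access?)
EVENTS = [
    ("alice", 1, 120, False), ("alice", 2, 140, False), ("alice", 3, 110, False),
    ("alice", 4, 130, False), ("alice", 5, 135, False), ("alice", 6, 2400, True),
    ("bob", 1, 900, False), ("bob", 2, 950, False), ("bob", 3, 880, False),
    ("bob", 4, 930, False), ("bob", 5, 960, False), ("bob", 6, 990, False),
    ("carol", 1, 50, False), ("carol", 2, 60, False), ("carol", 3, 55, False),
    ("carol", 4, 45, False), ("carol", 5, 58, False), ("carol", 6, 700, False),
]

HARD_LIMIT_MB = 2000  # assumed policy threshold for the static rule
Z_THRESHOLD = 3.0     # assumed sensitivity for the behavioural baseline

def rule_violations(events):
    """Static policy triggers: a single-day volume over the hard limit, or any after-hours access."""
    hits = []
    for user, day, mb, after_hours in events:
        if mb > HARD_LIMIT_MB:
            hits.append((user, day, "volume_over_limit"))
        if after_hours:
            hits.append((user, day, "after_hours_access"))
    return hits

def behaviour_anomalies(events, z_threshold=Z_THRESHOLD):
    """Per-user baseline: flag a day whose volume is far above that user's own prior history."""
    by_user = defaultdict(list)
    for user, day, mb, _ in sorted(events, key=lambda e: e[1]):
        by_user[user].append((day, mb))
    hits = []
    for user, series in by_user.items():
        for i in range(3, len(series)):  # need at least three prior days to form a baseline
            history = [mb for _, mb in series[:i]]
            mean = statistics.mean(history)
            stdev = statistics.pstdev(history) or 1.0  # avoid division by zero on a flat history
            day, mb = series[i]
            z = (mb - mean) / stdev
            if z > z_threshold:
                hits.append((user, day, round(z, 1)))
    return hits

def threat_chain(events):
    """Combine both signals into one score per user; users hit by rule AND anomaly rank highest."""
    rule_users = {u for u, _, _ in rule_violations(events)}
    anomaly_users = {u for u, _, _ in behaviour_anomalies(events)}
    scores = {u: (2 if u in rule_users else 0) + (3 if u in anomaly_users else 0)
              for u in rule_users | anomaly_users}
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))
```

Note that carol's 700 MB day stays under the hard limit and is caught only by her own baseline, while bob's consistently high volume trips neither signal; this is the gap a rules-only approach leaves.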
The most successful programmes often start small and grow over time. As the programme gains momentum, data insights gathered from the monitoring and detection of insider threats can aid in implementing both IT controls and organisational behaviour changes. It is important that this is a continuous process, informed by both the individuals that support the ITWG and the technology that underpins cybersecurity. Organisations that weave cybersecurity into the fabric of the business will stand the best chance at mitigating the threat posed by insiders.