Detecting insider threats is easier than you think


13 April 2017

When the concern was the physical plant, surveillance cameras and access badges made it relatively easy to tell whether an insider was up to no good. With today’s largely virtual network, you cannot always know whether the person sitting in the next cubicle is accessing confidential documents.

While the insider threat still connotes an employee of the company, the intruder is no longer someone located within the confines of the building. Accessing the network can happen from such public places as the local coffee shop.


“For companies today, where old corporate lines are disappearing more frequently, the challenges only increase. Enterprises need to adapt their policies and procedures to prevent threats by securing corporate end-point equipment and the right tools that protect and allow users to do their work,” said Matias Brutti, a hacker at Okta. “Work environments are constantly changing, so monitoring is difficult on a corporate level.”

Constraints remain
Much of the technology has changed, but the constraints are the same, and companies have to continue to be proactive about stopping malicious attacks, he said. “They must understand their threats and adapt their technologies to serve them. More than ever, hiring the right team and building the right technologies is key to success.”

Steve Mancini, senior director of information security at Cylance, said not all insider threats are the same. “How we deter those that emanate from the careless or negligent will perhaps differ from those that emanate from the intentionally malicious. The proverbial ‘carrot and the stick’ are principles that apply as much in this area of human behaviour as they do in others.”

He added that deterrence of insider threats would need to map to the type of risk you are seeking to mitigate. The question is answered based upon environmental factors about company culture, the status of the organisation (healthy, failing, layoffs, etc.), and how you treat/monitor/legally manage contractors.

Invisible threat
Security vendors chimed in on how to combat what is often an invisible threat: an insider who can reach virtually anywhere within the network.

Nir Polak, Exabeam CEO and co-founder, put it succinctly: “Mini-Max”–minimise access where possible, maximise monitoring of that same access for unusual patterns.


That was the common theme among security vendors. Do not provide employees with an open door to the entire network. Make access a privilege and not a right.

Hamesh Chawla, vice president of engineering at Zephyr, said companies should provide a “need to know” access and audit all actions taken. Audits should be implemented by those with enough power to do so, such as root and administrator roles.

Geoff Webb, vice president of strategy at Micro Focus, said the single most important thing enterprises can do is to reduce the access that insiders have to sensitive data. “Many organisations struggle to adequately manage who has access to data, even highly sensitive data, mostly because of the complexities of the modern workforce, the role of many outsiders, the rate at which information flows, and the effects of privilege creep over time for long-time employees.”

Governance practices
Beyond reducing the level of access that employees have, enterprises should enforce good governance practices in which responsibility for reviewing and certifying who has access is placed squarely with the line-of-business managers who manage that data source, he said.

“Enterprises should monitor activity around access to sensitive or valuable data, looking for anomalous behaviour that might indicate that an insider is either improperly accessing that data, or as is often the case, that an outsider is successfully impersonating a privileged user after stealing their credentials,” Webb said. “Like all good security, deterring insider threats requires a multi-layered approach. The good news is that it is often the most basic steps that provide the greatest value, and being systematic and thorough provides huge benefits in protecting sensitive data.”

An insider policy needs to be enforceable through the right technologies; for example, implementing user activity monitoring for finance and HR departments can help detect and prevent abuse of access to sensitive information, said Shawn Burke, Global CSO at Sungard Availability Services. “Organisations should also perform routine security awareness and information governance training. Such training ensures employees are well advised of incident response protocol and encouraged to be proactive in reporting suspicious activity.”
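Polak’s Mini-Max principle (minimise access, then monitor the access that remains for unusual patterns) and the finance and HR activity monitoring Burke describes can be reduced to a small detector. What follows is an added example written for this page, not code from the article or from any vendor quoted in it; the audit-record format, the department-to-path policy, the baseline and window records, and the thresholds are all constructed assumptions.

```python
"""Mini-Max in code: minimise access (a need-to-know path policy) and maximise
monitoring (per-user baselines of working hours and daily volume).
Added example, not code from the article or any vendor quoted in it; the log
format, the department-to-path policy and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Assumed need-to-know policy: path prefixes each department may read.
ALLOWED_PREFIXES = {
    "finance": ("/finance/",),
    "hr": ("/hr/",),
}

# Constructed audit records (not real data), one per line:
# "<timestamp> user=<id> dept=<department> action=<verb> path=<document>".
BASELINE_LOG = """\
2017-03-01T09:05:00Z user=alice dept=finance action=read path=/finance/ar/march.xlsx
2017-03-01T10:20:00Z user=alice dept=finance action=read path=/finance/payroll/feb.xlsx
2017-03-02T09:40:00Z user=alice dept=finance action=read path=/finance/ar/feb.xlsx
2017-03-02T14:10:00Z user=alice dept=finance action=read path=/finance/payroll/feb.xlsx
2017-03-03T11:00:00Z user=alice dept=finance action=read path=/finance/ar/jan.xlsx
2017-03-01T09:30:00Z user=bob dept=hr action=read path=/hr/reviews/2016.pdf
2017-03-02T16:00:00Z user=bob dept=hr action=read path=/hr/salary-bands.xlsx
"""

WINDOW_LOG = """\
2017-04-10T09:15:00Z user=alice dept=finance action=read path=/finance/ar/april.xlsx
2017-04-10T02:40:00Z user=alice dept=finance action=read path=/finance/payroll/all.xlsx
2017-04-10T02:41:00Z user=alice dept=finance action=read path=/hr/salary-bands.xlsx
2017-04-10T02:42:00Z user=alice dept=finance action=read path=/finance/payroll/all.xlsx
2017-04-10T02:43:00Z user=alice dept=finance action=read path=/finance/ar/march.xlsx
2017-04-10T02:44:00Z user=alice dept=finance action=read path=/finance/ar/feb.xlsx
2017-04-10T02:45:00Z user=alice dept=finance action=read path=/finance/ar/jan.xlsx
2017-04-10T02:46:00Z user=alice dept=finance action=read path=/finance/ar/dec.xlsx
2017-04-10T10:00:00Z user=bob dept=hr action=read path=/hr/reviews/2016.pdf
"""


def parse(log):
    """Turn one record per line into dicts, with a datetime under "ts"."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: a working-hour window (one hour of slack each side) and the
    busiest day seen, both learned from the baseline period."""
    hours = defaultdict(list)
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in events:
        hours[ev["user"]].append(ev["ts"].hour)
        per_day[ev["user"]][ev["ts"].date()] += 1
    return {
        u: {"hours": range(min(h) - 1, max(h) + 2),
            "max_per_day": max(per_day[u].values())}
        for u, h in hours.items()
    }


def detect(baseline, events, volume_factor=3):
    """Return a set of (user, finding, detail) tuples for the window."""
    findings = set()
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in events:
        user, dept, path, ts = ev["user"], ev["dept"], ev["path"], ev["ts"]
        day = ts.date().isoformat()
        # Minimise access: a read outside the department's allowed prefixes is a
        # policy violation regardless of who the user is (unknown dept -> flagged).
        if not path.startswith(ALLOWED_PREFIXES.get(dept, ())):
            findings.add((user, "need_to_know", path))
        base = baseline.get(user)
        if base is None:
            # No history at all: new, dormant or impersonated account.
            findings.add((user, "no_baseline", day))
            continue
        if ts.hour not in base["hours"]:
            findings.add((user, "off_hours", day))
        per_day[user][day] += 1
    # Maximise monitoring: a burst of reads well beyond the user's busiest known
    # day looks like bulk collection, whether by the insider or by someone
    # holding their credentials.
    for user, days in per_day.items():
        for day, n in days.items():
            if n > volume_factor * baseline[user]["max_per_day"]:
                findings.add((user, "volume_spike", day))
    return findings


def run():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(WINDOW_LOG))


if __name__ == "__main__":
    for finding in sorted(run()):
        print(*finding)
```

Run as a script it reports three findings, all for alice: a read outside her department’s need-to-know prefixes, activity at an hour she has never worked, and a daily volume more than three times her busiest baseline day. That burst fits both a malicious insider and an outsider holding her stolen credentials, which is exactly the ambiguity Webb describes; the finding tells you to investigate, not which of the two it is. The baseline must be rebuilt and reviewed on a schedule rather than trusted indefinitely, since an insider with long-term access shapes their own baseline.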

Awareness training
The other common thread throughout the security pros interviewed was that security awareness training is key for employees to help spot the insider threat.

Javvad Malik, security advocate at AlienVault, said user awareness and education should be made widely available and repeated. This includes reminding what is or isn’t acceptable behaviour, what the risks are and how to report a suspected breach.

“Line managers should also receive training in providing regular reminders to staff as well as remaining vigilant to spot any untoward behaviour,” Malik said.

The biggest factor to deter insider risks is to give ongoing security awareness training to all employees, said Scottie Cole, network and security administrator at AppRiver. “This trains employees on what is expected of them and provides them the signs to identify a risk. Insider risk teams should also carry out ongoing assessments and auditing of company assets, which can help identify risks that would otherwise be ignored.”

Dottie Schindlinger, governance technology evangelist at Diligent, said training should supplement the current security training already done at the organisation. The insider risk team can take a lead role in evaluating security-focused software tools that help identify and deter insider threats, and provide security for sensitive information — especially information that is shared with external parties, such as board documents being sent to outside directors.

Regular meetings
Jo-Ann Smith, director of Technology Risk Management and Risk Privacy at Absolute, said the insider risk management team should meet on a regular basis to update policies. “Once in place, it’s then critical to create and maintain a risk register that both qualifies and quantifies risks for remediation, and subsequent mitigating steps. To demonstrate progress, the team should create KPIs and then audit and report on risk levels to show status and improvement year over year.”

Schindlinger said the risk management team can also help ensure that the company’s “whistleblower” policy and procedures are feasible, easy to navigate, and able to be enacted quickly in the event that an insider threat is identified. “Most importantly, this team should work with the company’s leadership to establish a culture of transparency and accountability—ensuring that policies are rigorously enforced, and that anyone who comes forward with information regarding a potential threat is rewarded—not penalised or ostracised—for doing so.”

She added implementing risk mitigation and security software is critical to identifying, deterring and reporting incidences. However, software cannot solve the problem alone. Establishing a culture of accountability and transparency—and rigorously enforcing policies—can help stop potential threats before they become crises.

A few security pros used the term “socialising” when indicating how awareness training needed to be implemented.


IDG News Service


TechCentral.ie