Opinion: Rick Orloff, CSO at Code42, looks at how to categorise and detect insider threats.
Due to a series of data breaches suffered by high-profile companies such as Talk Talk, Home Depot, Target, and Ashley Madison in the last few years, it is no secret that data security is a top priority in the enterprise. With the list of data breach victims steadily growing, and the severe financial and reputational damage faced by affected companies, the C-Suite should understand what their overall security strategy is and how effectiveness is being measured.
Some CIOs and CISOs may believe they have already done everything reasonable to mitigate threats — but that is based on the "threat vectors" they choose to address. There is still a greater emphasis on traditional external threats that often leaves internal networks vulnerable. For example, a study by Forrester showed that 70% of data breaches can be traced back to employee negligence, whether intentional or unwitting.
Defining the insider threat
Despite this statistic, and the growing threat of new data breaches, many organisations are hesitant to address the issue of insider threats, due to concerns that monitoring employee behaviour implies a lack of trust in the workforce. There are plenty of techniques and new technologies that aren’t intrusively focused on only employee behaviours — they’re focused on identifying actionable threats to the corporation and/or its precious data. In reality, the majority of employees today are unintentional victims, and are being used by external attackers to give up access to valuable corporate data.
For instance, sophisticated cybercrime entities frequently target employees with phishing attacks and credential theft, because this effectively allows them to bypass critical security layers and significant investments including firewalls, authentication, access controls and encryption.
Furthermore, 50 percent of company data is now available away from the data centre, and on employees’ endpoint devices such as tablets and laptops. This means that if an external intruder does manage to steal an employee’s account details, there are fewer infrastructure hoops to jump through, and they are far more likely to gain access to mission-critical data.
Analysing employee behaviour
While it is important to differentiate between a known attacker with a motive and an employee who is used as a conduit, best practice involves taking an approach that defends against both scenarios. If there is a situation where user credentials become suspect, then swift detection and response are critical. A CISO must therefore have the requisite tools in place to be able to build up a profile of ‘normal’ employee data usage patterns, in order to detect any suspicious deviations.
The majority of data breaches are caused by simple human error, rather than malicious activity on the part of employees. Mistakes such as clicking suspicious links, failing to implement strong passwords or connecting to unsecured public Wi-Fi can all cause user credentials or data to fall into the wrong hands.
A realistic example of how a data breach might occur as a result of human error
For example, if a database administrator accidentally clicks on a spear-phishing link, their account could immediately be compromised. If the administrator usually logs into the network between 9am and 5pm each day, and then suddenly they start logging in at 3am, this should be a red flag. While that’s a rather simple alerting example, there are many new tools and techniques for security organizations to leverage in an attempt to drive real-time situational awareness with alerts that are meaningful and actionable.
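The login-hours red flag just described, as an added example that is not part of the original article: it builds a per-user window of usual login hours from a week of constructed sample events (not real logs, user names and timestamps are invented), then flags successful logins outside that window while ignoring users without enough history to trust a baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real logs), one per line: "timestamp user result".
# BASELINE covers a normal working week; NEW holds the 3am login from the scenario above.
BASELINE_LOGS = """\
2016-03-01T09:02:11 dba_admin success
2016-03-01T13:45:09 dba_admin success
2016-03-02T08:58:40 dba_admin success
2016-03-03T16:55:31 dba_admin success
2016-03-04T09:05:17 dba_admin success
2016-03-07T10:20:00 dba_admin success
"""
NEW_LOGS = """\
2016-03-08T09:01:44 dba_admin success
2016-03-09T03:12:27 dba_admin success
2016-03-09T03:15:02 new_hire success
"""

def parse(text):
    """Turn the text log into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def build_profile(events, min_days=5):
    """Per user: earliest and latest login hour seen, plus whether enough distinct
    days were observed to trust the window (avoids alerting on barely-seen users)."""
    hours, days = defaultdict(list), defaultdict(set)
    for ts, user, result in events:
        if result == "success":
            hours[user].append(ts.hour)
            days[user].add(ts.date())
    return {u: {"window": (min(h), max(h)), "mature": len(days[u]) >= min_days}
            for u, h in hours.items()}

def find_anomalies(profile, events):
    """Return (timestamp, user, reason) for successful logins outside the user's window."""
    alerts = []
    for ts, user, result in events:
        if result != "success":
            continue
        p = profile.get(user)
        if p is None or not p["mature"]:
            continue  # no trustworthy baseline yet; review these users separately
        lo, hi = p["window"]
        if not lo <= ts.hour <= hi:
            alerts.append((ts.isoformat(), user, f"login at {ts.hour:02d}h, outside usual {lo:02d}-{hi:02d}h"))
    return alerts
```

Running `find_anomalies(build_profile(parse(BASELINE_LOGS)), parse(NEW_LOGS))` yields a single alert for the 03:12 `dba_admin` login; the `new_hire` login is skipped because that account has no baseline yet.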
Containing malicious activity
It is an unfortunate truth that sometimes critical business data is compromised intentionally, following malicious employee activity. One of the most common instances of this occurs when employees leave an organisation, taking sensitive data with them — often following an acrimonious departure.
While some of the work documents departing employees leave with can be innocuous, data such as customer details, credit card information, or health information is classified and should never leave the confines of the business. Unfortunately, one of the issues caused by the rise of Bring Your Own Device (BYOD) policies is that employees are potentially able to leave an organisation with fully stocked devices that they already own. This creates another headache for CISOs — how can they identify all the data an employee has accessed or retained upon his or her departure?
The answer lies in visibility with a comprehensive endpoint data protection strategy. Organisations should be able to track and audit when and where data has been accessed by a particular employee. Once a security event is detected, the ability to examine user archives and metadata adds to an organisation's ability to identify and remediate incidents. Not only does endpoint data protection give the enterprise the ability to protect its intellectual property, it increases security awareness among employees and provides real-time feedback at times of risky behaviour.
Threats often surface through blind spots that remain because an organisation never validated that the set of threat vectors it chose to mitigate is complete. The mitigation strategy and tactics may look great when they’re being reported during traditional Quarterly Business Reviews (QBRs), but executives need to assess whether the overarching strategy is properly scoped.