Tackling The Insider Threat: … Where To Start?

Many organisations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. 

But not all insider threats have to be malicious to cause an incident

Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer information and handed over a large dataset to a third party processor. In some regions, if the company didn’t get an explicit opt-in from the customer to allow that third party to handle the data, it could be considered a security incident. Or what if someone on the HR team left a flash drive in the lunch room containing personal health information, and that info gets disclosed to other employees? Sure, it may not have been intentional, but it was still an incident caused by an insider.

Taking the threat seriously
Insiders have been behind several significant data breaches, yet many CISOs are still solely focused on keeping the bad guys out, instead of looking within their own company. Richard Henderson, global security strategist at Absolute, a security company offering endpoint visibility and control, believes that this disconnect is due to human nature and behavior.

“No one wants to presume that the people they work with on a daily basis can intentionally or unintentionally cause significant harm to their company,” he says.
“And while building a fortified, walled perimeter and patrolling for signs of attack is an easy decision, it’s not so easy to pivot to newer ways of thinking, like the zero-trust model, or continuous monitoring tools like user/entity behavior analytics. 
“It’s not uncommon to assume that something bad is likely going to happen, but it’s rare to assume it’s because of something someone on your side did.”

Neutralising the Threat
As storage and processing costs continue to plummet on a per-unit basis, it has become more attractive for both malicious and non-malicious insiders to use these technologies to their benefit, Henderson notes. 
“With Internet/Intranet ‘pipes’ larger than they’ve ever been, it can be simple for a malicious insider to hide their goals inside the torrent of traffic that companies have to monitor. 

“At the same time, those very same technologies make it very tempting for employees without nefarious intentions to send data to the cloud, send jobs outside the company for processing, or to merely store confidential information in personal cloud storage so they can easily work from home.”

Neutralising or minimising the insider threat requires a robust and evolved security strategy, he says, but even before that, companies need to gain visibility into all endpoint devices.

If you can’t randomly pick an endpoint device and query it to determine what its current patch status is, what sensitive data resides on it, what software is installed, and where it is physically located, how can you move on to more advanced things like building out a mature insider threat strategy? 

The answer is: you can’t. 
“Everything starts with visibility,” Henderson says. “Visibility into how employees use corporate resources and into how and where data is stored. 

“Visibility into how employees connect to your infrastructure and into the current risk profile of their endpoints. Are they current on patching? How long has a device been outside of the network? Do you have actual visibility of where all your data in your organisation has moved to? Has some of it migrated to the cloud? All of these questions can be addressed with comprehensive asset management and data discovery toolkit.”

Henderson also notes that attempting to spot future malicious insiders during the hiring process is mostly a waste of time.

“We only need to look at the case studies of double-agents or turncoats in the history of intelligence agencies to see that even with the most in-depth, comprehensive, and probing background investigations, there are always going to be insiders that will decide to do something bad,” he notes.
“Circumstances and motivations change for people all the time. We may be able to potentially screen out riskier candidates with larger and more involved background checks, but it will never be able to give a definitive yes or no on someone causing an incident. 
“Those resources would be much better used as investment in other tools that can monitor how employees handle and consume sensitive information.”

Preparing for the Future
It’s difficult to predict the situation we’ll face five years from now. “We could see some organisations make a complete and total move to both virtualised and cloud infrastructures, and we could see others retreat entirely from the cloud,” Henderson points out. But enterprises thinking about security that far ahead should have a plan in place now to actively monitor every single endpoint device in their organization, and that includes contractors they allow to access their internal resources. 

“That monitoring technology needs to look for potential compliance and regulatory violations as well as the movement and storage of important data, whether it be customer or internal data. Knowing what important info exists on your computers allows you to quantify the risks inside your organisation better,” he believes.

Help Net Security

You Might Also Read:

Employees Are Still The Cause Of Most Cyber Breaches:

Businesses Get Better At Detecting Insider Threats:

 

« AI In Conflict: Cyberwar & Robot Soldiers
AI Will Underpin Cybersecurity »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate.

Device Authority

Device Authority

Device Authority specialises in security automation for the Internet of Things (IoT).

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

MetaFlows

MetaFlows

MetaFlows’ SaaS malware detection & prevention software passively analyzes the behavior and the content of Internet traffic.

Verlingue

Verlingue

Verlingue (formerly ICB Group) is a leading corporate insurance broker providing Insurance, Risk Management and related advice to businesses and private clients.

Secret Double Octopus

Secret Double Octopus

Secret Double Octopus offers the world’s only keyless multi-shield authentication technology for users and things.

Anglo African

Anglo African

Anglo African is an information technology firm providing end-to-end solutions to different industries, from IT Infrastructure to DataCom as well as Cloud & InfoSec services.

DAkkS

DAkkS

DAkkS is the national accreditation body for Germany. The directory of members provides details of organisations offering certification services for ISO 27001.

Cyber Covered

Cyber Covered

Cyber Covered provide complete website & data cover with market leading cyber insurance and powerful compliance software in one affordable package.

World Congress on Industrial Control Systems Security (WCICSS)

World Congress on Industrial Control Systems Security (WCICSS)

The World Congress on Industrial Control Systems Security (WCICSS) is focused on emerging trends in protection of industrial control systems.

iZOOlogic

iZOOlogic

iZOOlogic protects hundreds of the world’s leading brands, across banking, finance and government from cybercrime. We provide strong cyber defence solutions to protect client digital assets.

Barikat Cyber Security

Barikat Cyber Security

Barikat is a provider of information security solution and services including security analysis and compliance, security testing, managed security services, incident response and training.

SIA Group

SIA Group

SIA Group, an Indra company, combines Consulting, Systems Integration and Managed Services in four specialized business areas: Information Security, Storage, IT Management and IT Mobility.

Interactive

Interactive

Interactive are a leading Australian IT service provider with services in Cloud, Cyber Security, Data Centres, Business Continuity, Hardware Maintenance, Digital Workplace, and Networks.

Unosecur

Unosecur

Unosecur is a comprehensive identity security platform that addresses identity-related threats in multi-cloud and on-premise environments.

Cyberus

Cyberus

Cyberus brings together industry, business, and government to collaboratively create a secure digital future for Russia and the world.