Tackling The Insider Threat: … Where To Start?

Uploaded on 2018-02-21 in NEWS-News Analysis, FREE TO VIEW, TECHNOLOGY--Resilience

Many organisations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. 

But not all insider threats have to be malicious to cause an incident

Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer information and handed over a large dataset to a third party processor. In some regions, if the company didn’t get an explicit opt-in from the customer to allow that third party to handle the data, it could be considered a security incident. Or what if someone on the HR team left a flash drive in the lunch room containing personal health information, and that info gets disclosed to other employees? Sure, it may not have been intentional, but it was still an incident caused by an insider.

Taking the threat seriously
Insiders have been behind several significant data breaches, yet many CISOs are still solely focused on keeping the bad guys out, instead of looking within their own company. Richard Henderson, global security strategist at Absolute, a security company offering endpoint visibility and control, believes that this disconnect is due to human nature and behavior.

“No one wants to presume that the people they work with on a daily basis can intentionally or unintentionally cause significant harm to their company,” he says.
“And while building a fortified, walled perimeter and patrolling for signs of attack is an easy decision, it’s not so easy to pivot to newer ways of thinking, like the zero-trust model, or continuous monitoring tools like user/entity behavior analytics. 
“It’s not uncommon to assume that something bad is likely going to happen, but it’s rare to assume it’s because of something someone on your side did.”

Neutralising the Threat
As storage and processing costs continue to plummet on a per-unit basis, it has become more attractive for both malicious and non-malicious insiders to use these technologies to their benefit, Henderson notes. 
“With Internet/Intranet ‘pipes’ larger than they’ve ever been, it can be simple for a malicious insider to hide their goals inside the torrent of traffic that companies have to monitor. 

“At the same time, those very same technologies make it very tempting for employees without nefarious intentions to send data to the cloud, send jobs outside the company for processing, or to merely store confidential information in personal cloud storage so they can easily work from home.”

Neutralising or minimising the insider threat requires a robust and evolved security strategy, he says, but even before that, companies need to gain visibility into all endpoint devices.

If you can’t randomly pick an endpoint device and query it to determine what its current patch status is, what sensitive data resides on it, what software is installed, and where it is physically located, how can you move on to more advanced things like building out a mature insider threat strategy? 

The answer is: you can’t. 
“Everything starts with visibility,” Henderson says. “Visibility into how employees use corporate resources and into how and where data is stored. 

“Visibility into how employees connect to your infrastructure and into the current risk profile of their endpoints. Are they current on patching? How long has a device been outside of the network? Do you have actual visibility of where all your data in your organisation has moved to? Has some of it migrated to the cloud? All of these questions can be addressed with comprehensive asset management and data discovery toolkit.”

Henderson also notes that attempting to spot future malicious insiders during the hiring process is mostly a waste of time.

“We only need to look at the case studies of double-agents or turncoats in the history of intelligence agencies to see that even with the most in-depth, comprehensive, and probing background investigations, there are always going to be insiders that will decide to do something bad,” he notes.
“Circumstances and motivations change for people all the time. We may be able to potentially screen out riskier candidates with larger and more involved background checks, but it will never be able to give a definitive yes or no on someone causing an incident. 
“Those resources would be much better used as investment in other tools that can monitor how employees handle and consume sensitive information.”

Preparing for the Future
It’s difficult to predict the situation we’ll face five years from now. “We could see some organisations make a complete and total move to both virtualised and cloud infrastructures, and we could see others retreat entirely from the cloud,” Henderson points out. But enterprises thinking about security that far ahead should have a plan in place now to actively monitor every single endpoint device in their organization, and that includes contractors they allow to access their internal resources. 

“That monitoring technology needs to look for potential compliance and regulatory violations as well as the movement and storage of important data, whether it be customer or internal data. Knowing what important info exists on your computers allows you to quantify the risks inside your organisation better,” he believes.

Help Net Security

You Might Also Read:

Employees Are Still The Cause Of Most Cyber Breaches:

Businesses Get Better At Detecting Insider Threats:

 

« AI In Conflict: Cyberwar & Robot Soldiers
AI Will Underpin Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

AhnLab

AhnLab

AhnLab provides a range of information security solutions including network security, endpoint security, antivirus and consulting services.

6cure

6cure

The 6cure Threat Protection solution eliminates malicious traffic to critical services in real time and protects against DDoS attacks.

Assured Enterprises

Assured Enterprises

Assured Enterprises provides comprehensive cyber risk identification, management and mitigation across all platforms.

Custodio Technologies

Custodio Technologies

Custodio Technologies was established as a Singaporean R&D Centre of Israel Aerospace Industries (IAI) in order to spearhead R&D activities in the field of cyber early warning.

Cyber Security Challenge UK

Cyber Security Challenge UK

Cyber Security Challenge UK is a series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more people to become cybersec professionals.

Cellopoint

Cellopoint

Cellopoint is a leading manufacturer of information security and email lifecycle management (ELM) products.

Global Cyber Alliance (GCA)

Global Cyber Alliance (GCA)

Global Cyber Alliance is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world.

ACM-CCAS

ACM-CCAS

ACM is a UKAS-accredited certification body helping businesses around the world perform to a higher standard. Our certifications include ISO 27001 and ISO 22301.

Czech Accreditation Institute

Czech Accreditation Institute

Czech Accreditation Institute is the national accreditation body for the Czech Republic. The directory of members provides details of organisations offering certification services for ISO 27001.

ITProTV

ITProTV

ITProTV is part of the ACI Learning family of companies providing Audit, Cyber, and IT learning solutions for enterprise and consumer markets.

Celebrus

Celebrus

Celebrus Fraud Data Platform, by D4t4 Solutions, works with existing fraud structures to augment functionality and turn fraud management into true fraud prevention.

Paragon Cyber Solutions

Paragon Cyber Solutions

Paragon Cyber Solutions provides specialized security risk management and IT solutions to protect the integrity of your business operations.

Nuance Communications

Nuance Communications

From revolutionizing the doctor-patient relationship to reinventing the way brands connect with their customers, Nuance technology helps organizations push the boundaries of what’s possible.

Theos Cyber Solutions

Theos Cyber Solutions

Theos Cyber provides service-first cybersecurity solutions to digital businesses in Asia.

Elastio

Elastio

Elastio's cloud-native platform safeguards cloud data from the risks posed by ransomware, application failures and storage security vulnerabilities.

ESProfiler

ESProfiler

Enterprise Security Profiler. Empowering CISOs with clarity & confidence in their security programme by visualising capabilities, usage and spend against their key threat priorities.