A practical approach to combating insider threats

Detecting an insider threat

Shareth Ben, Insider Threat SME at Securonix, discusses insider threats. He also provides recommendations on how organisations can implement insider threat programs, in order to help protect against the security risk.

With September marking Insider Threat Awareness Month, it is time for organizations to wake up to one of the biggest security threats, one that is already lurking inside their network.

Insider threats are difficult to detect. Protecting against them by guarding the network perimeter does not work, because the threat is already inside your network.

The Snowden incident in 2013 was a wake-up call to organizations: they needed to start looking inside for risks posed by employees and contractors.

This was confirmed two years later when Galen Marsh, who was a financial advisor at a prominent Wall Street bank, damaged the bank’s reputation by stealing sensitive client data from corporate systems and uploading it to a personal server hosted at his home.

While these high-profile cases caught mass media attention, there are many insider-caused incidents happening every day. They don’t receive the same publicity but still put organizations at serious financial and reputational risk.

There is no doubt that insider threats remain a concern, so organizations need to take preventive measures before it is too late.

Building an effective insider threats program

Today, most organizations struggle to effectively mitigate insider threat risks. This is because, as much as it may sound like a cliché, security cannot be solved using technology alone. Rather, it is a combination of people, process, and the nature of how a business operates.

The first step is to assess your organization’s appetite for risk and what the organization values the most.

For example, some organizations value protection of their intellectual property the most. Others place more value on preventing damage to their brand reputation as a result of confidential data theft by an insider.

The next step is to build a strong understanding and consensus across the key verticals of the organization, such as HR, legal, compliance, and critical lines of business. This is essential for an effective program outcome.

In order to accomplish this consensus, organizations should form an Insider Threat Working Group (ITWG). The ITWG’s mission is to educate the verticals on the importance of protecting the organization from such threats.

Many programs fail to fully realize their potential because the organization's specific risk appetite is not clearly defined.

Lastly, the ITWG forms a partnership with key stakeholders to define policies and procedures. Laying down this foundation will pave the way for the future of the program.

Type of insiders to monitor

Insiders can be categorized into three main types:

  • Negligent Insider: An employee or contractor who unknowingly or accidentally compromises data due to bad security hygiene.
  • Complacent Insider: An employee or contractor who intentionally ignores or bypasses policies and procedures.
  • Malicious Insider: An employee who intentionally compromises data and misuses privileges in order to cause damage to the organization.

In all three cases the employee or contractor is putting the organization at risk. However, the malicious insider poses the greatest risk.

This is because their intentionally malicious actions can be far-reaching. This type of insider is also harder to detect because they are often highly motivated: they will typically work actively to circumvent existing controls and take other precautions to remain undetected.

Our observation in the field is that organizations deal with complacent and negligent insider cases 90 percent of the time.

The actions taken against these insiders will vary quite a lot, from warnings to termination of employment. The outcome for a malicious insider has more serious consequences. In some cases, law enforcement will need to be involved as the case is tied to corporate espionage.

Insider Threat Program: Putting the right tools in place

Insider threats are a lot more relevant for organizations today, as attacks grow more sophisticated. Establishing an insider threat program (ITP) is an important step towards building an insider threat resistant organization.

The key is to start small and grow the program footprint over time. Organizations should start with an assessment of what exactly they want to protect, and identify the types of risk they want to mitigate, before embarking on implementation of the program itself.

Selecting a technology that conforms to the insider threat team’s objectives is also a key consideration. Having a strong ITP is an essential step towards combating insider threats.

At the same time, the tools that the team uses for insider threat detection are just as important. For example, a SIEM tool with automated threat identification, threat chains, and integrated remediation capabilities is recommended for a successful
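To make the "threat chain" idea concrete, here is an added example (not from the article or from Securonix) that correlates constructed audit events into the two-stage pattern seen in the Galen Marsh case described above: bulk access to client records followed, within a time window, by an upload to a non-corporate destination. The event format, the corporate domain allow list and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"corp.example", "sharepoint.corp.example"}  # assumed allow list
BULK_THRESHOLD = 200                # records read within BULK_WINDOW that count as bulk access
BULK_WINDOW = timedelta(hours=1)
CHAIN_WINDOW = timedelta(hours=24)  # max gap between the bulk access and the transfer

# Constructed sample audit events: (user, timestamp, action, detail). For "record_read"
# the detail is the number of client records read; for "upload" it is the destination host.
EVENTS = [
    ("alice", "2021-09-01T09:00:00", "record_read", 150),
    ("alice", "2021-09-01T09:20:00", "record_read", 120),
    ("alice", "2021-09-01T18:30:00", "upload", "home-nas.example.net"),
    ("bob",   "2021-09-01T10:00:00", "record_read", 30),
    ("bob",   "2021-09-01T10:05:00", "upload", "sharepoint.corp.example"),
    ("carol", "2021-09-01T11:00:00", "record_read", 300),
    ("carol", "2021-09-03T11:30:00", "upload", "dropbox.example.com"),  # too late to chain
]

def bulk_access_times(reads):
    """Timestamps at which a user's reads in the trailing BULK_WINDOW reached BULK_THRESHOLD."""
    reads = sorted(reads)
    hits, start = [], 0
    for i, (ts, _) in enumerate(reads):
        while reads[start][0] < ts - BULK_WINDOW:   # slide the window start forward
            start += 1
        if sum(n for _, n in reads[start:i + 1]) >= BULK_THRESHOLD:
            hits.append(ts)
    return hits

def detect_chains(events):
    """Return {user: [(bulk_time, upload_time, destination), ...]} for completed chains."""
    per_user = defaultdict(lambda: {"reads": [], "uploads": []})
    for user, ts, action, detail in events:
        ts = datetime.fromisoformat(ts)
        if action == "record_read":
            per_user[user]["reads"].append((ts, detail))
        elif action == "upload" and detail not in CORPORATE_DOMAINS:
            per_user[user]["uploads"].append((ts, detail))
    chains = {}
    for user, data in per_user.items():
        for bulk_ts in bulk_access_times(data["reads"]):
            for up_ts, dest in data["uploads"]:
                # stage 2 must follow stage 1 within CHAIN_WINDOW to complete the chain
                if bulk_ts <= up_ts <= bulk_ts + CHAIN_WINDOW:
                    chains.setdefault(user, []).append((bulk_ts, up_ts, dest))
    return chains
```

Running `detect_chains(EVENTS)` flags only alice: bob never crosses the bulk threshold and uploads to a corporate host, and carol's upload falls outside the chain window, so neither produces a chain on their own.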

Copyright Lyonsdown Limited 2021
