The Insider Threat: What do our leading vendors have to say?
Competitor? Fraudster? Internet Troll? … Or is your cyber attacker a lot closer than you think?
In this exclusive collaborative article, industry experts from leading vendors Tripwire, Nuix, BeyondTrust and Guidance Software each discuss the growing awareness around insider threats and the practical strategies and technologies available to detect and prevent against them.
Answers credited to:
Keith Lowry, Senior Vice President, Business Threat Intelligence & Analysis, Nuix
Neil Davis, Senior Solutions Consultant, Guidance Software
Brian Chappell, Director of Technical Services, EMEAI & APAC, BeyondTrust
Paul Norris, Senior Systems Engineer, Tripwire
Q: How big is an insider threat relative to an external one?
KL: “Insider threats should be taken at least as seriously as external ones simply because insiders represent an equal, if not greater risk when compared to external hackers, viruses, ransomware etc. Many studies out there back this up; for example, IBM’s 2015 Cyber Security Intelligence Index pinpoints 55% of all cyberattacks on insiders. And it’s not just about corporate spies or disgruntled employees to be concerned with; it’s the people who have legitimate access to an organisation’s resources who make simple, unintentional mistakes which could result in major data breaches.”
ND: “The insider already has access to the network therefore has already overcome many of the obstacles which may deter an external threat. Quantifying the threat is of course complex and in many ways external threats can be more easily assessed. However much like a retail store takes steps to prevent staff theft, organisations must move from denial and recognise the realities of the insider threat and assign appropriate efforts against it.”
BC: “A highly privileged disgruntled user within the organisation may have easy access to large volumes of sensitive material which could be damaging to a company if exposed, particularly if their reputation or finances are at stake. With regards to how big the threat is, this is largely dependent on what’s already been done to address insider threats. For instance, has there been a handle on users with direct privileged access? Or users who can easily access unauthorised systems?”
Q: What are the emerging trends in insider threats?
KL: “It’s hard to say if the rate of insider threats is increasing or if we’re just getting better at identifying them, but there are a few facts which cannot be ignored: insiders can access data more easily now than ever before, defensive postures tend to be more outward facing and insider activities have been at least partially responsible for some of the more recent big data breaches”
ND: “The insider threat has been increasing for a while but has accelerated in recent years as technology has become more complex. The BYOD trend of using personal devices for work and the use of social media not only facilitates the exfiltration of data but also provides an easy opportunity for criminal gangs to recruit insiders. Whilst the revelations from Panama or Snowden make news headlines and expose the potential posed by the insider threat, the majority of insider breaches go unpublished due to their very nature.”
PN: “Trends show that insider threats aren’t just from malicious individuals looking to compromise an organisation, but also those who intend no malice. This could be a result of misconfiguring a system’s controls or a lack of awareness training which leads to employees unintentionally compromising an organisation. However, more recently, as more valuable information is being stored, those who may have been influenced by an external threat actor may be encouraged to steal sensitive data for financial gain. We see this more in off-shore countries where salaries are low and 3rd party employers offer a large sum of money in exchange for personal data. As a result, organisations must ensure their customer data is held securely and appropriately to prevent its loss.”
Q: Insider threats are an enterprise risk, but defending them is often bundled out between departments such as IT, HR or physical security. What are the best ways to manage the risk of responsibilities getting lost?
BC: “As with any cross-cutting concern in an organisation, educating key stakeholders and getting their buy-in is the first priority. You have to make sure everyone needed joins and is on the right track. Clarity around what is currently in place and where the holes are will help to ensure the strategy is sound and comprehensive. The strategy in place must focus on “needs” as oppose to “wants”. Most people don’t want change, but need to have a safer environment to enhance productivity.“
KL: “There is no doubt the insider threat is an enterprise risk, but some organisations blindly treat it as an IT or HR problem. They are doomed to failure with this approach – they need to break down the walls between departments and overcome the egos that initially formed these walls. Most importantly, this is a dynamic threat and categorizing it as an IT or HR problem solves it with a static response, a recipe for failure.”
ND: “Exactly how often does HR communicate to IT when an employee has received a lower than expected bonus? To properly defend against insider [and other cyber] threats, more cross-functional co-operation is required. This has been achieved in the past when organisations aligned themselves closer to their customers as part of an overhaul of customer relationship management. A similar approach needs to be applied as part of a holistic cyber defence strategy with clear responsibility at the board level” PN: “It’s good practise to maintain risk registers for the different departments so such weaknesses can be tracked and remediated. Change control on critical assets and systems that contain company sensitive information is important and must be adhered to at all times without exception.”
Q: What are the best technology solutions available to defend against insider threats?
KL: “Digital forensic technology allows us to understand the actions taken by users on work devices and to make connections between events. It’s one thing to find an email sent from a work account to a personal account containing sensitive data, but that doesn’t give the whole story. For all we know, they could be sending themselves documents just so they can work from home and that is all. However, combined with say increased job searches or indications of dissatisfaction drawn from web history or online conversations you see a different story.
Our current technology allows organisations to sift through heaps of electronic data quickly and with forensic precision. Once data is processed, analysts can see connections in a manner which is unmatched in our field. We are also set to release our Nuix Insight product line which gives defenders even more tools in their repertoire to foil insiders and hackers alike. It combines the power of our current engine with real-time endpoint monitoring and data collection alongside even more advanced analytics and visualisation capabilities.”
PN: “Vulnerability management is a must for all organisations. Internal scans of critical systems should be conducted regularly to identify weak controls and vulnerabilities, preventing malicious code that could be introduced by an employee. Integrity monitoring of systems and detecting changes is key to any security model as it could be an early indication of compromise. Good SCM vendors will monitor not just the file systems but network devices such as: firewalls to detect unauthorised or misconfigured changes, databases for data modification or directory services which can monitor users on privileged groups, all to defend against insider threats.”
ND: “The role played by digital forensics is key as the insider will always attempt to cover their tracks. Our EndPoint Security technology builds up a pattern of endpoint behaviour. Whilst this can be used to identify known malware, the real power is our ability to highlight unusual behaviour. For example a commercial FTP client may well be on the approved software list and its use in another department may not be detected by other tools. Our interactive Analytics visualizations highlight anomalies whereby a piece of software is running on a machine for the first time, or where that process has not been observed before. If such unusual activity requires further investigation, our EndPoint Investigator tool gives an in-depth visibility of the endpoint, revealing deleted files and other traces of malicious behaviour. These traces and other artefacts can then be collected in Encase.”
BC: “The vast majority of well-known exploits over the past few years have shown common themes emerging; the initial foothall is obtained through a vulnerability followed by exploit of a privileged user account. At BeyondTrust, we believe in the concept of Intelligence Privileged Access Management (iPAM); consider vulnerability and privilege together. Don’t just fix vulnerabilities and remove privileged access accounts, but ensure the tools used to elevate privilege create awareness of the vulnerabilities that could be exploited.”