BreachExchange mailing list archives

Looking at insider threats from the outside


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Jul 2014 18:49:37 -0600

http://net-security.org/article.php?id=2084

Cybersecurity is a never-ending battle requiring around-the-clock
attention. From malware to DDoS to APT attacks, front-line IT security
teams are being constantly bombarded. With all this attention on external
actors, many businesses do not take seriously enough the risk of insider
threats – those acting from within the company.

Employees going rogue is not uncommon; oftentimes after a data breach
occurs, it is revealed that John Doe from accounting or IT had carried out
the act. Thus begins a tremulous relationship between employer and employee
that balances healthy suspicion with trust. No business wants to admit its
own employees are potential threats, and not all employees deserve to be
considered suspects. But when it comes to securing IT assets, preparation
is key.

When it comes to insider threats, there are two distinct groups: malicious
insiders and compromised victims. Those in the latter group likely clicked
on a link they weren’t supposed to after being targeted by a sophisticated
email phishing campaign or watering hole attack from an external agent,
unknowingly giving up access to their network user credentials. Now able to
mimic the employee’s behavior, the agent can move throughout the IT network
undetected. To prevent user credentials from being compromised, businesses
implement rigorous cybersecurity awareness training and protocols to
educate employees on common attack tactics. However, all it takes is one
employee opening up the wrong attachment for these efforts to go to waste.

Malicious insiders, on the other hand, are much harder to ferret out. For
any number of reasons, be it dissatisfaction with current management, a
poor review or competitive espionage, to name a few, these are employees
who are well-attuned to the corporate network and perfectly capable of
carrying out the attack themselves. Not only that, but malicious insiders
can target a co-worker’s credentials and frame that person for executing an
attack.

The problem is that giving employees access to company assets is mission
critical and can’t be avoided, but you can’t treat all employees like
potential criminals. Being suspicious of every employee creates a culture
of distrust, which could ironically create more malicious inside threats.
Businesses are finding that conventional approaches to cybersecurity just
aren’t cutting it.

The latest buzzword in cybersecurity circles is people-centric security
(PCS), which places greater emphasis on personal accountability and trust,
and less on restrictive security controls. While this is certainly a noble
exercise, the potential fallout of a single data breach is just too great a
risk.

No business can anticipate when an inside threat will result in a data
breach, and so IT security teams shell out billions of dollars per year on
network protections. But as cybersecurity technology evolves, attackers
immediately get to work to find new ways around it. It’s a vicious cycle
that shows no signs of slowing down, given the high price tag attached to a
business’ precious data.

So how do companies get off this merry-go-round? If there’s one common
denominator when it comes to insider threats both malicious and
unintentional, it’s suspicious user behavior. Businesses already have the
infrastructure in place through SIEM and log management systems that are
designed to trigger alerts whenever a potential threat is detected.

The challenge lies in being able to filter out the viable threats amid the
thousands of alerts triggered per day. IT security teams can do this in a
way that’s non-intrusive to employees by first establishing normal user
behavior – knowing which IT assets and systems workers and their teams
should be accessing on a regular basis.

It is only when the user credentials of an employee show a pattern of
anomalous behavior that they raise suspicion. For example, does John normally
use Bob’s credentials to connect to the source control over the weekend and
download all the information? Does he usually work such long hours? Even
malicious insiders, who are harder to detect, will reveal themselves
through suspicious activity.
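The baseline-then-deviation approach the two paragraphs above describe, as an added Python example that is not part of the article or of the mailing list post. Everything in it is constructed for the illustration: the key=value log format, the users, workstations and resources, the thresholds (one hour of slack around the observed working window, a 10x volume factor, two accumulated signals before a user is surfaced), and the log lines themselves. It first learns each user's normal hosts, resources, hours, weekdays and transfer sizes from a training log, then scores later events against the user's own profile, so a single odd hour is recorded but only an accumulation of signals (the weekend source-control download from a colleague's workstation) is surfaced for review.

```python
"""Per-user behavioral baselining over an access log (constructed example)."""
from collections import defaultdict
from datetime import datetime

VOLUME_FACTOR = 10   # assumed: flag transfers above 10x the user's largest observed transfer
HOUR_SLACK = 1       # assumed: allow one hour either side of the observed working window

# Constructed training log (not from any real system): a normal work week for two users.
# 2014-07-14 is a Monday; hosts are named after their usual owner for readability.
BASELINE_LOG = """
2014-07-14T08:55:10 user=bob host=ws-bob resource=scm bytes=2400000
2014-07-14T13:20:05 user=bob host=ws-bob resource=wiki bytes=120000
2014-07-15T09:10:44 user=bob host=ws-bob resource=scm bytes=4800000
2014-07-16T17:45:02 user=bob host=ws-bob resource=scm bytes=3100000
2014-07-14T09:05:31 user=john host=ws-john resource=erp bytes=900000
2014-07-15T11:30:12 user=john host=ws-john resource=wiki bytes=80000
2014-07-17T16:02:59 user=john host=ws-john resource=erp bytes=1500000
""".strip().splitlines()

# Constructed events to review: a normal access, a late-night access, and a
# Saturday 02:13 bulk pull from source control using bob's account on john's workstation.
REVIEW_LOG = """
2014-07-22T10:12:00 user=john host=ws-john resource=erp bytes=1100000
2014-07-22T23:40:18 user=john host=ws-john resource=erp bytes=700000
2014-07-26T02:13:40 user=bob host=ws-john resource=scm bytes=838860800
""".strip().splitlines()


def parse_line(line):
    """Turn '<iso-timestamp> k=v k=v ...' into a dict with a datetime and an int byte count."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["time"] = datetime.fromisoformat(ts)
    event["bytes"] = int(event["bytes"])
    return event


def build_baseline(lines):
    """Learn what 'normal' looks like for each user; also remember who usually uses each host."""
    profile = defaultdict(lambda: {"hosts": set(), "resources": set(), "weekdays": set(),
                                   "min_hour": 24, "max_hour": -1, "max_bytes": 0})
    host_owner = {}
    for ev in map(parse_line, lines):
        p = profile[ev["user"]]
        p["hosts"].add(ev["host"])
        p["resources"].add(ev["resource"])
        p["weekdays"].add(ev["time"].weekday())
        p["min_hour"] = min(p["min_hour"], ev["time"].hour)
        p["max_hour"] = max(p["max_hour"], ev["time"].hour)
        p["max_bytes"] = max(p["max_bytes"], ev["bytes"])
        host_owner.setdefault(ev["host"], ev["user"])   # first user seen on a host "owns" it
    return dict(profile), host_owner


def score_event(event, profile, host_owner):
    """Return the list of ways this event deviates from the user's own baseline (empty = normal)."""
    p = profile.get(event["user"])
    if p is None:
        return ["no_baseline_for_user"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("unfamiliar_host")
        owner = host_owner.get(event["host"])
        if owner and owner != event["user"]:
            reasons.append("host_belongs_to_" + owner)   # account used from a colleague's machine
    if event["resource"] not in p["resources"]:
        reasons.append("unfamiliar_resource")
    hour = event["time"].hour
    if not (p["min_hour"] - HOUR_SLACK <= hour <= p["max_hour"] + HOUR_SLACK):
        reasons.append("off_hours")
    if event["time"].weekday() not in p["weekdays"]:
        reasons.append("unusual_weekday")
    if event["bytes"] > VOLUME_FACTOR * p["max_bytes"]:
        reasons.append("excessive_volume")
    return reasons


def review(review_lines, baseline_lines):
    """Score every event; return {user: [(log line, reasons), ...]} for events that deviate."""
    profile, host_owner = build_baseline(baseline_lines)
    findings = defaultdict(list)
    for line in review_lines:
        ev = parse_line(line)
        reasons = score_event(ev, profile, host_owner)
        if reasons:
            findings[ev["user"]].append((line, reasons))
    return dict(findings)


def suspicious_users(findings, min_signals=2):
    """Users whose accumulated signals form a pattern rather than a one-off late evening."""
    return sorted(u for u, items in findings.items()
                  if sum(len(r) for _, r in items) >= min_signals)


if __name__ == "__main__":
    found = review(REVIEW_LOG, BASELINE_LOG)
    for user, items in found.items():
        for line, reasons in items:
            print(user, reasons, "<-", line)
    print("review these accounts:", suspicious_users(found))
```

The training log here is deliberately tiny, so the learned sets are sparse; with a real SIEM export the baseline would cover several weeks per user and per team, and the per-signal thresholds would be tuned against the false-positive rate the analysts can absorb. The point the article makes survives either way: john's one late access is recorded but not escalated, while bob's account pulling the repository at 02:13 on a Saturday from john's workstation accumulates five independent signals and is the one an analyst looks at first.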

As businesses continue to invest in defensive tools to protect against
external threats, it is too risky to ignore the potential risk of insider
threats. However, businesses must walk a fine line of being able to trust
employees with sensitive data while also preventing breaches from occurring
behind security perimeters.

Not every instance of anomalous user behavior is a sign of an inside
threat, but being able to establish a pattern of suspicious activity will
arm IT security teams with the information they need without making
employees feel like they’re constantly being monitored.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
