Profile of an Insider Threat
Employees, contractors, suppliers and even trusted business partners who have authorized, yet uncontrolled, access to systems and/or sensitive information all have the opportunity to do irrevocable harm to a company.
The repercussions of any data breach is costly. Juniper Research predicts that data-breach losses will reach $2.1 trillion globally by 2019, with an average cost per incident to exceed $150 million by 2020. Perhaps those costs are a reason why, according to the 2014 U.S. State of Cybercrime Survey, 28 percent of companies identified insiders as a major source of their cybersecurity threats over the past year.
Insider threat profiles fall into one of three categories:
- Negligent Employees – Employees that may accidentally delete or modify critical information or unwittingly share sensitive information. Unintended disclosure comes in the form of posting information on public-facing websites or social media sites, sending information to the wrong party or posting proprietary data to unapproved cloud providers and applications.
- Exploited Employees – Employees are exploited when an external adversary finds their way into the network with compromised user credentials. User credentials can be stolen in many ways, including phishing, malware and web-based attacks.
- Malicious Insiders – These are employees with the willful intent to deliberately steal critical company information typically for selling or profiting from the information. Cases also include sabotage of facilities, equipment and IT systems. These cases are the most challenging to identify and can cause some of the greatest harm to an organization.
Employee negligence is being addressed through improved IT security training on the handling of sensitive material, acceptable use policy enforcement and various IT monitoring tools. There has been a lot of focus on exploited employees whose credentials were compromised and resulted in an adversary gaining access inside the perimeter. User and Entity Behavior Analytics (UEBA) applications using advanced machine learning techniques have been effective at identifying these cyber IT-centric activities that exhibit behaviors that are out of the norm. For example, a typical use case for these applications is to identify when an HR employee’s credentials are compromised by an attacker and they begin to access and download Customer, Engineering or other data critical to the organization.
In the case of the malicious insider, these individuals are the most difficult to catch because they already know their way around the IT network and know what are the critical assets of the organization. In many cases, they themselves created the information or use valid application credentials abusing their authoritative privileges. In most cases their IT user behavior doesn’t indicate anything out of the ordinary. An insider with the right technical skills can rather easily thwart IT-centric monitoring applications. Past cases have shown that malicious insiders exfiltrate critical information over a long period of time across several different mediums. They typically don’t start out at a company doing something bad, but due to many different circumstances (e.g. financial hardship, disgruntlement) will start down the path of being a malicious insider. These are the reasons that most malicious insiders are identified after the fact by law enforcement outside of the organization’ internal security operations.
5 Steps to Mitigating the Threat
Companies can take prudent steps to be effective in mitigating the threat of a malicious insider. These include th™e following:
- Perform a baseline vulnerability assessment across your organization (not only IT-systems) to determine your preparedness to prevent, detect and respond to malicious insider threats
- Understand what are your critical assets you are trying to protect
- Perform continuous and long-term monitoring of risk indicators with context across the entire enterprise complemented with IT-centric user behavior monitoring applications
- Provide training and awareness to employees
- Have qualified analysts with an investigative background that understand the broader security aspects of the malicious insider
Use Technology as an Enabler
Most organizations have invested in various types of cyber and information-security solutions. Additional technology solutions including data loss prevention, host- and network-based monitoring, and decision support tools can be integrated to provide another level of support. However, the overwhelming amount of information these tools produce provide little insight if not complemented with an analytical tool tuned to identify potential malicious insiders.
The latest insider threat detection tools analyze both network and nontechnical, behavioral risk indicators from other business functions such as HR and corporate security. The type of big data analytics found in the Arena ITI™ insider threat identification solution provides context and insight, proactively alerting security teams of at-risk employees. This latest technology helps organizations prioritize and drive security operations and investigations, reducing the resource requirements and time commitment necessary to execute an effective program.
8 Components to Develop a Successful Insider Threat Detection Program
Not all Insider Threat Detection Programs are built the same. Technology is just one of several ingredients that make a successful ITDP. Download the whitepaper to learn more about insider threats and the other ingredients that make ITDP successful.