External threats garner most of our attention and, consequently, the majority of our security resources but industry analysis demonstrates that cyber-crime incidents perpetrated by insider threat actors are trending up and to the right.
On May 4, 2016 my colleague, Kevin Shewbridge, and I were joined by Forrester Research Senior Analyst and guest speaker Joseph Blankenship for a discussion about the very real threat that malicious insiders pose to organizations around the globe.
Understanding the insider threat – how real is it?
Blankenship kicked off the broadcast with an African proverb, “When there is no enemy within, the enemies outside cannot hurt you.” So true. Blankenship went on to explain that because we universally believe we shouldn’t air our dirty laundry, we universally believe we’re alone in our fight to keep our house in order and combat insider threats. “We don’t want to admit we have a problem,” the Forrester Analyst confirms, “but you are not alone.” During the broadcast Blankenship shared statistics that illustrate internal incidents are receiving the highest attribution among risk and security professionals and “malicious insiders” are being identified as the largest internal threat actor.
“We at Forrester believe that all data theft is an inside job – whether it be an employee turned malicious insider or an outsider exploiting insider credentials to act as a malicious insider.”
– Joseph Blankenship, Senior Analyst Forrester Research
Defining “malicious insiders” as those who work within the organization and for whatever reason have chosen to work against the organization, Blankenship adds, “We want to trust the people we hire and the people we work with […] but we at Forrester believe that all data theft is an inside job – whether it be an employee turned malicious insider or an outsider exploiting insider credentials to act as a malicious insider.” That said, the following webcast excerpts pose some thought-provoking questions:
- Why do people become “agents”? There are financial motivators and psychological reasons that insiders become malicious agents. The CIA methodology for recruiting agents focuses on four recruitment motivators: Money, Ideology, Coercion/Compromise, and Ego/Excitement (MICE). Additionally, the acronym “RASCALS” is used to identify psychological factors that can be exploited to create a malicious insider: Reciprocation, Authority, Scarcity, Commitment/Consistency, Liking, Social proof. Blankenship made the connection to the commercial sector by referencing this year’s Verizon data breach report, which identifies the top two cyber-crime motivators as financial (34%) and espionage (25%). Can you afford to believe your organization is immune?
- How much is your password worth to your employer? In his comments, Blankenship related that employees may be financially motivated by as little as $150 to share their corporate login credentials. Corporations with high-value intellectual property (IP), such as Apple, have reportedly seen hackers offer employees upwards of $20,000 for their corporate login credentials. Why the price tag? Access. Is this happening to you? If it was happening to you, would you know about it?
- Should you implement a zero-trust architecture? Traditional network architecture dictates that everything outside the network is “untrusted” and everything inside the network is “trusted”. Given what we know about the root cause of the majority of cyber-crime, is that an assumption we can afford to make? Forrester Research believes that a zero-trust architecture that treats all traffic as “untrusted”, both inside and out, offers a better defensive lens to evaluate employee behavior when it comes to accessing valuable information.
Identifying Insider Threat
Blankenship wrapped up his comments with an anecdotal reference to his past life working in the security camera industry. Reflecting on his pre-Forrester profession, Blankenship draws some striking parallels between physical security within a casino and the task of monitoring cyber-threats from within the Fortune 1000. It’s about behavior analytics. What are casino cameras looking for? People stealing slot machines? No – they’re looking for behaviors that identify maliciously motivated patrons and employees.
What behaviors should corporations be looking for in employees?
- Changes in working hours
- Remote access from unusual locations
- Unexplained affluence
- Unreported/un-useful international travel
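Two of the behaviors above, changes in working hours and remote access from unusual locations, are visible in ordinary authentication logs. The following is an added example, not code from the webcast or from Leidos, that learns a per-user baseline from a short history of constructed login events and flags later logins that fall outside it; the log format, the one-hour slack and the five-event learning window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events: timestamp, user, country, city.
# These lines are made up for this example; they are not real log data.
SAMPLE_LOG = """\
2016-04-04T09:12:00 alice US Reston
2016-04-05T08:55:00 alice US Reston
2016-04-06T09:30:00 alice US Reston
2016-04-07T17:45:00 alice US Reston
2016-04-08T09:05:00 alice US Reston
2016-04-11T09:10:00 alice US Reston
2016-04-12T02:40:00 alice US Reston
2016-04-13T09:00:00 alice RO Bucharest
2016-04-04T10:00:00 bob US Reston
2016-04-05T23:30:00 bob FR Paris
"""


def parse_log(text):
    """Turn the whitespace-separated log into (user, datetime, country, city) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, city = line.split()
        events.append((user, datetime.fromisoformat(ts), country, city))
    return events


def detect_anomalies(events, learn=5):
    """Learn a baseline from each user's first `learn` events (hours seen and
    locations seen), then flag later events that are off-hours or come from a
    location absent from the baseline. Users with too little history are skipped
    rather than judged against an empty baseline."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])
        base, rest = evs[:learn], evs[learn:]
        if len(base) < learn:
            continue  # not enough history to establish normal behavior
        hours = [e[1].hour for e in base]
        lo, hi = min(hours) - 1, max(hours) + 1  # one hour of slack either side
        places = {(e[2], e[3]) for e in base}
        for _, ts, country, city in rest:
            reasons = []
            if not lo <= ts.hour <= hi:
                reasons.append("off-hours access")
            if (country, city) not in places:
                reasons.append("unusual location")
            if reasons:
                findings.append((user, ts.isoformat(), reasons))
    return findings
```

Each finding is a lead for an analyst to review alongside HR context, not a verdict; the value of the baseline approach is that it surfaces a change in behavior rather than a single bad-looking event.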
“If you’re making money today – you’re a target.”
After offering a seven-step checklist to establishing an insider threat detection program and some closing thoughts on tactical and strategic considerations for success, Blankenship passed the baton to Leidos Intelligence Analyst, Kevin Shewbridge.
Roadmap to Implementing a Holistic Solution
Before revealing the four-phased approach Leidos has successfully built for their internal insider threat program, Shewbridge reminded the audience that “incident threat detection is a team sport.” Each phase touches on key stakeholder considerations and tactical steps needed to deploy a successful strategy organization-wide.
Additionally, Shewbridge reviewed a use case, ripped from the headlines, mapping the scenario to tangible data points that companies can monitor to manage up-to-date profiles of suspicious behavior in-house.
“Many data points needed to build a program already exist in tools your org is leveraging today.”
– Ollie Luba, Principal Systems Engineer, Leidos
The use case led the discussion seamlessly into the question of “how?” Although technology alone cannot solve the insider threat problem, technology is what brings it all together. It’s not about adding more analysts; it’s about empowering the analysts you have to manage the detections you need. I closed out the broadcast by reviewing how people and technology come together for a holistic solution.
To effectively meet the challenge organizations must implement a holistic solution to gain a continuous, effective and sustainable approach to detecting insider threats. We’ve certainly found this to be true in our case.
Reach out to our insider threat detection team to review strategic roadmap considerations that will protect your company’s critical assets and information, employees and clients from malicious insiders.