Looking at insider threats from the outside
Cybersecurity is a never-ending battle requiring around-the-clock attention. From malware to DDoS to APT attacks, front-line IT security teams are being constantly bombarded. With all this attention on external actors, many businesses do not take seriously enough the risk of insider threats – those acting from within the company.
Employees going rogue is not uncommon; oftentimes after a data breach occurs, it is revealed that John Doe from accounting or IT had carried out the act. Thus begins a delicate relationship between employer and employee, one that must balance healthy suspicion with trust. No business wants to admit its own employees are potential threats, and not all employees deserve to be considered suspects. But when it comes to securing IT assets, preparation is key.
When it comes to insider threats, there are two distinct groups: malicious insiders and compromised victims. Those in the latter group likely clicked on a link they weren’t supposed to after being targeted by a sophisticated email phishing campaign or watering hole attack from an external agent, unknowingly giving up their network user credentials. Now able to mimic the employee’s behavior, the agent can move throughout the IT network undetected. To prevent user credentials from being compromised, businesses implement rigorous cybersecurity awareness training and protocols to educate employees on common attack tactics. However, all it takes is one employee opening the wrong attachment for these efforts to go to waste.
Malicious insiders, on the other hand, are much harder to ferret out. For any number of reasons, be it dissatisfaction with current management, a poor review or competitive espionage, to name a few, these are employees who are well-attuned to the corporate network and perfectly capable of carrying out the attack themselves. Not only that, but malicious insiders can target a co-worker’s credentials and frame that person for executing an attack.
The problem is that giving employees access to company assets is mission critical and can’t be avoided, but you can’t treat all employees like potential criminals. Being suspicious of every employee creates a culture of distrust, which could ironically create more malicious insider threats. Businesses are finding that conventional approaches to cybersecurity just aren’t cutting it.
The latest buzzword in cybersecurity circles is people-centric security (PCS), which places greater emphasis on personal accountability and trust, and less on restrictive security controls. While this is certainly a noble exercise, the potential fallout of a single data breach is just too great a risk.
No business can anticipate when an insider threat will result in a data breach, and so IT security teams shell out billions of dollars per year on network protections. But as cybersecurity technology evolves, attackers immediately get to work finding new ways around it. It’s a vicious cycle that shows no signs of slowing down, given the high price tag attached to a business’s precious data.
So how do companies get off this merry-go-round? If there’s one common denominator when it comes to insider threats both malicious and unintentional, it’s suspicious user behavior. Businesses already have the infrastructure in place through SIEM and log management systems that are designed to trigger alerts whenever a potential threat is detected.
The challenge lies in being able to filter out the genuine threats amid the thousands of alerts triggered per day. IT security teams can do this in a way that’s non-intrusive to employees by first establishing normal user behavior – knowing which IT assets and systems workers and their teams should be accessing on a regular basis.
It is only when the user credentials of an employee show a pattern of anomalous behavior that they raise suspicion. For example, does John normally use Bob’s credentials to connect to source control over the weekend and download all the information? Does he usually work such long hours? Even malicious insiders, who are harder to detect, will reveal themselves through suspicious activity.
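To make the baseline-then-anomaly idea concrete, here is an added example (not from the original article) that builds a per-account profile from a constructed week of access-log lines and then lists how a new event departs from it, only escalating events with several independent deviations. The log format, account names and workstation names are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real data): timestamp, account used,
# source workstation, target system. This block is the "normal week" baseline.
BASELINE_LINES = [
    "2024-03-04T09:15:00 bob ws-bob-01 source-control",
    "2024-03-04T16:40:00 bob ws-bob-01 source-control",
    "2024-03-05T09:05:00 bob ws-bob-01 wiki",
    "2024-03-06T10:30:00 bob ws-bob-01 source-control",
    "2024-03-04T09:00:00 john ws-john-07 finance-db",
    "2024-03-05T09:10:00 john ws-john-07 finance-db",
    "2024-03-06T17:45:00 john ws-john-07 finance-db",
]
# Events to score: Bob's account used from John's workstation late on a Saturday,
# plus an ordinary weekday login by John for comparison.
NEW_LINES = [
    "2024-03-09T23:40:00 bob ws-john-07 source-control",
    "2024-03-07T09:20:00 john ws-john-07 finance-db",
]

def parse(line):
    ts, user, host, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "target": target}

def build_baseline(lines):
    """Per-account profile: hosts used, systems reached, hours seen, any weekend use."""
    prof = defaultdict(lambda: {"hosts": set(), "targets": set(), "hours": [], "weekend": False})
    for e in map(parse, lines):
        p = prof[e["user"]]
        p["hosts"].add(e["host"])
        p["targets"].add(e["target"])
        p["hours"].append(e["ts"].hour)
        p["weekend"] |= e["ts"].weekday() >= 5
    return prof

def deviations(line, prof):
    """List the ways one event departs from its account's baseline (empty = normal)."""
    e = parse(line)
    p = prof.get(e["user"])
    if p is None:
        return ["account never seen in baseline"]
    out = []
    if e["host"] not in p["hosts"]:
        out.append("new source host " + e["host"])
    if e["target"] not in p["targets"]:
        out.append("new target system " + e["target"])
    if not p["weekend"] and e["ts"].weekday() >= 5:
        out.append("weekend activity")
    if not (min(p["hours"]) - 1 <= e["ts"].hour <= max(p["hours"]) + 1):
        out.append("outside usual hours")
    return out

def triage(lines, prof, min_signals=2):
    """Escalate only events showing several deviations at once, to keep alert noise down."""
    return [(l, d) for l in lines for d in [deviations(l, prof)] if len(d) >= min_signals]
```

Requiring more than one signal is what separates "Bob worked late once" from "Bob's credentials were used from John's desk, on a weekend, at midnight", which is the pattern the text describes.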
As businesses continue to invest in defensive tools to protect against external threats, it is too risky to ignore the risk of insider threats. However, businesses must walk a fine line between trusting employees with sensitive data and preventing breaches from occurring behind security perimeters.
Not every instance of anomalous user behavior is a sign of an insider threat, but being able to establish a pattern of suspicious activity will arm IT security teams with the information they need without making employees feel like they’re constantly being monitored.