Employees’ job performance can no more predict the likelihood they pose an insider threat than it can predict their eye color. One malicious act or simple mistake could be a ground zero for a major security incident. This is what makes insider threat management so hard for security pros: Not all insiders look or act alike.
Today, it is understood that an insider threat is not necessarily a malicious person. Many insider threats involve employees’ children using their work computer and navigating to a wrong website or employees connecting to seemingly safe Wi-Fi or unwittingly downloading malware. Other common behaviors, such as opening an email attachment or leaving a laptop unattended at a coffee shop, present plenty of opportunities for compromise.
Alternately, a legitimate employee’s credentials may be used by a malicious outsider to exfiltrate sensitive data or install malware from within the organization. Or the employee could truly have malicious intent.
Insider threats may not necessarily be direct employees either. Contractors, business partners, interns and even customers can pose insider threats.
Security pros must consider the different types of insider threats and the red flags posed by each in order to build a comprehensive prevention program. In addition to knowing the threats being faced, admins must recognize and adopt both new and old means and mechanisms to combat insider threats.
Human error creates challenges to mitigation
When it comes to insider threats, it’s not about preparing for if an insider attack will happen, but when.
Insider threats are inevitable, and the definition is changing, said Deb Briggs, CSO at Netscout. “When we used to say insider threat, it was always in reference to someone who had malicious intent doing nefarious things,” she said. “Nowadays, with the amount of business email compromise that’s going around, anyone could be an insider threat.”
Dave Gruber, analyst at Enterprise Strategy Group, agreed. “It doesn’t matter if you’re the CEO or an entry-level financial clerk in an organization — you’re going to get tired, you’re going to make mistakes,” he said. “That’s exactly why we employ security controls at an organizational level that catch those behaviors.”
Gruber warned of the consequences of assuming the best and brightest employees are incapable of making mistakes. He said, when organizations make assumptions like this, that is when compromise will happen. “My position on human error is that it’s exactly that: human,” he said. “It’s something we must deal with from now until forever.”
One response to the human aspect of insider threat risk security teams can take, Gruber recommended, is to invest in human relationships. “Outside attackers depend on [insider] mistakes,” he said. “On pretext, make relationships with people. Check in at the end of the month when the finance staff is buried with last-minute payments.”
This proactive tactic will help enterprises stay ahead of predictable risks, such as workplace stress, exhaustion and burnout, which can lead to simple mistakes — especially for privileged account users who have access to sensitive business or customer data.
Using zero trust to stop insider threats
The zero-trust framework, which has enjoyed high-profile adoption at companies like Google and Cisco, would be a wise addition to insider threat management programs, Gruber said.
Dave GruberAnalyst, Enterprise Strategy Group
The basis of zero trust is that each action or function an individual performs must be validated or authenticated. Gruber used an analogy of a front door of a house: “Once somebody is already inside your house [invited in or otherwise], the locked front door won’t stop them from accessing everything inside. Somebody could walk around and pick up all the expensive things in your house and walk out the front door with them.”
In this hypothetical zero-trust scenario, the person inside the house would require verification each time they entered a new room, for example, or unplugged an appliance to remove it from the house. Similarly, zero trust in the enterprise requires each data asset be secured. Before users can transfer a file, for example, they are prompted to reauthenticate. These prompts may stop accidental shares from insiders, as well as those with malicious intent, by alerting security admins to attempts to access or share privileged information.
“Using zero trust, organizations can provide a much more effective solution against insider threat, but it still requires the organization to put controls in place as well,” Gruber said. “The good news is controls exist that can help organizations prevent insider threat. The bad news is that it requires multiple tools.”
Mitigation tools include everything from data loss prevention to privilege escalation systems to user behavior analytics, Gruber said, adding that “each of those capabilities can detect insider threat but in different ways. There’s not a silver bullet solution from a single vendor that can stop insider threat.”
Technology and training can play a preventative role
If insider threat prevention sounds like a complicated endeavor for security teams, that’s because it is. They need to be aware of the different aspects of risk management at their disposal, Netscout’s Briggs said. “Cybersecurity professionals cannot keep up with the number of bad actors and threats that are out there,” she said. “We need to get to that next level of tools.”
The “next level” includes tools to detect anomalies and flag abnormal behavior, such as when a user sends out 200 emails in an afternoon, and react to those by either blocking them or sending out alerts, she added. Security teams can then act on that alert and then investigate, Briggs said. The next step is to find out if the account has been compromised or if someone else is using it to spread malware to contacts in the account’s address book.
Companies rely on policies, processes and training to take care of the insider threat, said Sudeep Venkatesh, chief product officer at Egress Software Technologies Ltd. “[Organizations] need to raise that awareness and incorporate machine learning technology to catch these behaviors,” Venkatesh said. Only recently, he added, has AI-powered technology been introduced to the market that is designed to be part of an insider threat management program.
Machine learning technology and security awareness training can be expensive. But, Gruber said, organizations can solve both internal and external threats with the same budget and reap significant ROI in the form of an improved security posture.
Back to insider threat prevention basics
Despite the advent of zero trust in the enterprise and newly available machine learning technology to identify red flags, there is still no replacement for user education when it comes to cyber resilience. Gruber advocated for people in the security industry to bring their knowledge home with them to educate families, friends and co-workers.
“Just as we teach [children] to stop and look both ways when they get to the street to keep from being hit by [oncoming traffic], we need to instill those same values of safety and security to people of all professions about the world of cybersecurity,” Gruber said. This is in hopes that, by making cybersecurity personal and accessible to people, they can arm themselves with information on how to be cyber-smart online.
Briggs also acknowledged the importance of security awareness training in preventing insider threats. “We, as cybersecurity professionals, have to get better at training our end users,” she said. She posited a phishing test and office trainings as methods for fostering a healthy security culture in the workplace. “End users need to understand the protection they offer to the company and why it’s so important that they do not click on a link from someone they do not know,” she said.