Attacks/Breaches

4/10/2015
10:30 AM
Daniel Velez
Commentary

Insider Threats: Focus On The User, Not The Data

Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever?

People are more connected than ever. Everyone uses email, social media, the web and instant messaging. Some channels are for business purposes, so IT governs and monitors them. Others are for personal use, even if they’re not sanctioned by the organization. A lot of that personal activity is innocent—parents communicating with children at school or making plans for later that day. It consumes some network resources, and most businesses are willing to write that off, but it brings with it the risks associated with the untrained or careless user.

On the other side of the equation are a very small number of people who present a serious insider threat. They intentionally engage in hostile or malicious activities, often working hard to cover their tracks. Their aim is clear: to inflict pain on IT systems and cause damage to the bottom line and reputation of an organization. Financial reports can easily show a price tag for IT systems and the hours it takes employees and consultants to fix them in the wake of an attack. It’s simple dollars and cents. But damage to the reputation of an organization and the toll it takes on customer goodwill is incalculable.

Gartner research shows that 50% of enterprises were using some type of data loss prevention (DLP) solution in 2014. DLP has made great strides, and traditional security products are omnipresent. Gartner also forecasts that global cybersecurity spending will reach $76.9 billion in 2015. It’s clear that organizations are not skimping on security.

It’s not about the data
Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is that the solutions most organizations employ focus on the wrong thing: data. Data is obviously important, but organizations struggle to identify all of their data, classify its importance, tag it, store it in approved containers, and wrap DLP around it. IT departments then rely on that DLP to control the movement of important documents and information out through the company firewall. In practice, DLP is often either too restrictive, blocking legitimate work, or too coarse to catch what matters.

For example, when DLP stands in the way of sharing an Excel spreadsheet with the latest sales goals or a Word document with product plans, employees often turn to unauthorized (and even riskier) channels: their own laptop, a thumb drive, personal email, or personal cloud storage. Worse, some employees throw their hands up in frustration and stop the flow of business-critical information entirely. DLP’s “stop, block, and tackle” approach just isn’t very effective, so it often ends up as another piece of expensive shelfware that does little to stop the insider threat.

There are other methods, such as content monitoring and filtering, but they also lack the context necessary to identify, analyze, and react to threatening insider behavior, so they, too, end up on the shelf next to DLP. In the end, organizations will be able to do very little about insider threats if they keep a narrow focus on data. There is something very concrete an organization can do, however, if it thinks more broadly and recognizes that the insider threat is a user behavior problem.

Focus on the user
A better approach is to look at the activities of the user rather than applying the blunt force of limiting or rejecting an action. A close examination of user behavior can surface trends, so an analyst can triage the flood of alerts, establish what is actually happening, and immediately act to stop an insider threat.

An effective breach mitigation program should help analysts answer these questions:

  1. Is trust misplaced? 
  2. Is a technical control not working as expected? 
  3. Are employees following policies? 
  4. Are policies too rigid?

Detecting, responding to, and remediating the full range of threatening user behavior requires a contextual view of that behavior, and the context comes from combining network activity monitoring with endpoint monitoring: the network shows what left and where it went, while the endpoint shows who did it, from which machine, and what else was happening at the time. User activity monitoring provides the visibility organizations need to counter inappropriate behavior; with it, they can apply the right remediation, tune security policies, improve employee training, and focus attention on high-risk insiders.
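The contextual view described above, as an added example that is not part of the article and not Raytheon's product code: a small Python script that parses constructed endpoint and network log lines (the key=value format, the users alice and bob, and every count and byte figure are assumptions made for this example), builds each user's baseline from their own earlier days, and escalates to "investigate" only when both vantage points deviate. A user who merely reads far more files than usual is queued for review rather than blocked, which is the distinction the article draws between examining behavior and the blunt force of rejecting an action.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). The key=value format, the users and
# every count/byte figure are assumptions made for this example. The last line is malformed
# on purpose to show that unparseable input is skipped rather than trusted.
SAMPLE_LOG = """\
2015-04-01T09:12:00 user=alice src=endpoint action=file_read count=40
2015-04-01T10:30:00 user=alice src=network action=upload bytes=2000000
2015-04-02T09:05:00 user=alice src=endpoint action=file_read count=35
2015-04-02T11:00:00 user=alice src=network action=upload bytes=1500000
2015-04-03T09:20:00 user=alice src=endpoint action=file_read count=45
2015-04-03T14:10:00 user=alice src=network action=upload bytes=2500000
2015-04-04T22:45:00 user=alice src=endpoint action=file_read count=900
2015-04-04T23:05:00 user=alice src=endpoint action=usb_write count=1
2015-04-04T23:30:00 user=alice src=network action=upload bytes=800000000
2015-04-01T09:00:00 user=bob src=endpoint action=file_read count=20
2015-04-01T09:30:00 user=bob src=network action=upload bytes=500000
2015-04-02T09:00:00 user=bob src=endpoint action=file_read count=25
2015-04-02T09:30:00 user=bob src=network action=upload bytes=600000
2015-04-03T09:00:00 user=bob src=endpoint action=file_read count=22
2015-04-03T09:30:00 user=bob src=network action=upload bytes=550000
2015-04-04T09:00:00 user=bob src=endpoint action=file_read count=300
2015-04-04T09:30:00 user=bob src=network action=upload bytes=500000
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>endpoint|network) "
    r"action=(?P<action>\w+) (?:count|bytes)=(?P<value>\d+)$"
)
THRESHOLD = 3.0  # baseline standard deviations above the user's own norm before a source is "deviant"


def parse_log(text):
    """Parse key=value lines into event dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "user": m["user"],
                       "src": m["src"], "action": m["action"], "value": int(m["value"])})
    return events


def daily_features(events):
    """Aggregate to {user: {date: {"endpoint": {feature: total}, "network": {feature: total}}}}."""
    table = defaultdict(lambda: defaultdict(
        lambda: {"endpoint": defaultdict(int), "network": defaultdict(int)}))
    for e in events:
        row = table[e["user"]][e["ts"].date()]
        row[e["src"]][e["action"]] += e["value"]
        if e["ts"].hour < 7 or e["ts"].hour >= 20:
            row["endpoint"]["offhours"] += 1  # when a user is active is endpoint context too
    return table


def deviation(current, history):
    """Standard deviations that 'current' sits above the user's own history (0 if at or below it).
    The floor on the standard deviation stops a flat baseline from dividing by zero and keeps
    tiny day-to-day wobble from looking dramatic."""
    if not history:
        return 0.0
    mean = statistics.mean(history)
    sd = statistics.pstdev(history) if len(history) > 1 else 0.0
    sd = max(sd, 0.1 * mean, 1.0)
    return max(0.0, (current - mean) / sd)


def source_score(days, current, baseline, src):
    """Sum of per-feature deviations for one vantage point on the current day."""
    features = set()
    for row in days.values():
        features.update(row[src])
    return sum(deviation(days[current][src].get(f, 0), [days[d][src].get(f, 0) for d in baseline])
               for f in features)


def assess_users(text):
    """Compare each user's most recent day with their earlier days and classify the result."""
    results = {}
    for user, days in daily_features(parse_log(text)).items():
        ordered = sorted(days)
        current, baseline = ordered[-1], ordered[:-1]
        ep = source_score(days, current, baseline, "endpoint")
        net = source_score(days, current, baseline, "network")
        if ep >= THRESHOLD and net >= THRESHOLD:
            verdict = "investigate"  # both vantage points agree: priority for the analyst
        elif ep >= THRESHOLD or net >= THRESHOLD:
            verdict = "review"       # one source alone is context, not a conclusion
        else:
            verdict = "normal"
        results[user] = {"day": current.isoformat(), "endpoint": round(ep, 1),
                         "network": round(net, 1), "verdict": verdict}
    return results


if __name__ == "__main__":
    for user, r in assess_users(SAMPLE_LOG).items():
        print(f"{user:<8}{r['day']}  endpoint={r['endpoint']:>7}  network={r['network']:>7}  {r['verdict']}")
```

On the constructed data, alice's last day deviates on both sides (a file-read spike, a removable-media write and off-hours activity on the endpoint, plus an upload hundreds of times her norm on the network) and is marked "investigate", while bob's file-read spike with normal network traffic is only marked "review". The baseline is deliberately the user's own history rather than a fleet-wide average, because the point of the approach is that the same volume of activity is normal for one role and alarming for another.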


Daniel Velez is the senior manager for insider threat operations at Raytheon Cyber Products. He is responsible for the delivery and support of insider threat monitoring and investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, he served as a ...
Comments
rnellis (User Rank: Apprentice), 4/20/2015 1:30:26 PM
Insider Threats: Focus On The User, Not The Data
Great article! It is refreshing to finally see articles that address the true root of the security problem. The more we educate our users, the safer our companies will be. I have always believed that the more you educate a user on security, the more eyes and ears you have throughout the company looking for security issues. I know that this works because I have seen it in action, and anyone who does not think that user education is worth the time or money is losing out on a valuable security resource.
François Amigorena (User Rank: Author), 4/15/2015 3:36:33 AM
2015 is the year for tackling insider threats

Great article Daniel. Nearly all networks have authenticated users with access and rights, who carry out the kind of malicious or careless behavior that often leads to security breaches. 2015 does seem set to be a huge year for tackling the insider threat, as we've seen from our recent research report of 500 IT professionals. More and more organizations are now planning to launch an insider threat program and within that program they are looking to take a joined-up approach of better user education and enhanced user technology solutions. The good news is that the technology is available today to help secure user access to company resources and protect users from their own casual behavior.
