Taming the Beast: Preventing/Detecting Insider Threat
While many companies deal with the problem of insider threat, there are some practical things that can be done to both prevent and detect insider threat. Always remember, prevention is ideal but detection is a must. By Eric ColeDark Reading
The insider threat is continually occurring, even if companies do not realize it. What makes the insider threat such a significant problem is that it cannot be prevented like an external attack. If someone is running a buffer overflow attack against your system, you can patch the system and prevent the attack from occurring. If someone is connecting to your Web server and exploiting port 80, you can close down port 80 or block it at the firewall. The problem with the insider threat is that there is no patch and it is impossible to just shut it down. In order to shut down the insider threat, an organization must remove all insiders (employees). For obvious reasons this is not a practical solution and would undoubtedly put any organization out of business.
The problem with the insider threat is that it is impossible to 100 percent prevent it from happening. While there are many steps organizations can take to minimize the insider threat, it is impossible to completely eliminate it. External attacks, such as exploiting vulnerabilities, can be 100 percent prevented by installing security patches. Unfortunately the insider threat cannot be 100 percent prevented because employees must have access to company resources in order to perform their job duties. If all company resources were to be removed, well, it is easy to see that the company would quickly fail. Organizations need to take all possible precautions to stop the insider threat, but they must also realize that prevention alone is not enough.
A key theme when dealing with the insider threat is, “Prevention is ideal, but detection is a must.” When dealing with the insider threat, prevention will take you only so far. When prevention fails, it is critical that the problem be detected in a timely manner. Think of it like this: Ideally you would like to stop a fire from occurring in your house; however, if a fire does occur you want to make sure you can detect it in a timely manner. That is why smoke detectors are installed.
This raises a critical issue with detection. Detection does absolutely nothing if no one responds to the problem being detected. A smoke detector will detect a fire, but if no one responds to the fire, it will continue to burn. A detective measure needs some type of intervention. Ideally we want to prevent problems, but if prevention is not possible, detective measures need to be deployed in such a way that someone will respond to the problem in a timely manner. If an organization detects a problem and no one responds to it, then what was the purpose of detecting the problem in the first place?
Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
Subscribe to RSSInsider Threat Reports
How to Prevent an Illicit Data Dump
There are no silver bullets when it comes to protecting company and customer data from loss or theft, but there are technological and procedural systems that will go a long way toward preventing a WikiLeaks-like data dump. Here are some tips and tricks to help protect your organization's most sensitive information.
Email and Data Loss
Email encryption, rights management, email gateways, and full-on data loss prevention systems can keep corporate data secure. Here's a look at the pros and cons of each, to help you determine what?s best for your business.
An Insider Threat Reality check
Heightened concern that users could inadvertently expose or leak -- or purposely steal -- an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. In this special retrospective of recent news coverage, Dark Reading takes a look at how organizations are handling the threat -- and what users are really up to.
Other reports from the Insider Threat Tech Center:
Related Content
| Sponsored by: |  |
Protection from Insider Threats
Preventing data misuse by trusted users is the most difficult information protection challenge. Insiders already have full authorization to the data, making traditional IT secure methods in effective. Learn about a more powerful security approach and proven strategies to prevent insider misuse.
Strategies for Protecting Intellectual Property
A company's intellectual property (IP) represents a significant portion of assets and a critical component of competitive differentiation, but the potential value of any IP is directly linked to its limit of acceptable use. Learn how you can put your IP to work within collaborative environments without undue risk and maximize competitive advantages.
Protecting Against WikiLeaks Type Events and the Insider Threat
The sensitive information supplied to WikiLeaks and other social justice websites comes from trusted insiders. Get the answers to the open gaps left in the WikiLeaks story and learn how you can prevent insider threats that are just as detrimental in your organization.
Insider Threat: An Inside Look at a Fortune 100 Company's Prevention Program
The ways and means by which a privileged user can successfully steal proprietary data today is staggering. One venerable company that suffered a devastating incident decided to do something about it. Find out how it built one of the most productive insider threat prevention programs in the Fortune 100.
Protection of Intellectual Property and Trade Secrets across a Global Enterprise
As a designer and manufacturer of industrial technology, this Fortune 50 company knew that securing their intellectual property (IP) and trade secret data was essential. It created a program to identify risks to their IP and trade secrets and soon caught a privileged user attempting to compromise IP. Download this case study to see a real example of intellectual property protection at work.
Insider Threat Newsfeed
- Trend Micro Pioneers Integration Of Data-Loss Prevention (DLP) Across The Enterprise
- User-Generated Content Singled Out In Military Dating Hack
- ICSA Labs Launches First Testing Program Of VPN Security For Mobile Device
- NetIQ Minimizes Risk Of Unauthorized Access And Entitlement Creep
- Shape Security Closes $6 Million Series A Funding Round
- European Online Fraud Increases 60%
MORE NEWSFEED >>>
- Analytics on Demand: A Services Approach for Increased Agility
- Unlock the Value of Your Business Data: IBM's Integration Solution for .NET Environments
- Powering your Business with IBM's New 2s General Purpose Servers
- Best Practices for Improving Database Testing: Upgrades, migrations, business growth and more - ensuring you can handle the workload!
- Insurance Workforce Optimization: How To Work Smarter To Benefit Your Customers, Employees and the Bottom Line
- Cyber Security Risk: A Conversation with Richard Clarke about Threats to Enterprise Software
- The Analytical SMB
- RHEV for Servers: Competitive Pricing whitepaper
- Enterprise Strategy Group: The Next Wave of Data Deduplication
- TDWI Monograph Series: Seven Keys to High-Performance Data Management for Advanced Analytics
