An Extra Pair of Eyes

Security tools alone won't always protect you from the insider threat or a targeted attack

12:07 PM -- By the time you discover that your organization has suffered a big-time data compromise courtesy of an insider threat you were unknowingly harboring, or that you're under a targeted attack from the outside, it’s usually too late. All you can do is lock down, do some damage control, and clean up the mess.

If traditional security tools can't necessarily detect an insider bent on revenge or seduced by dark-side profits, nor stop a determined black hat intruder in his tracks, you're toast, right?

Maybe not.

Security is more than just checking logs and monitoring alarms. There's the human factor, too, and "counterintelligence" may be the new mantra for protecting against the insider threat. (See Insider Attacks Put IT Security on the Offensive.) It's a combination of technology and good old-fashioned elbow grease: At least one person in the organization is responsible for keeping an eye on the hot spots in the network, picking up where the firewall, IPS, and even the latest data-leakage tools aimed at detecting insider trouble leave off. This person would act as a sort of perpetual pen tester, pinging your systems regularly for vulnerabilities and watching out for unusual activity, like after-hours outbound connection attempts over ports you don't usually use, in order to seek out threats before they morph into a breach from the inside.

Some companies are even recruiting their employees to serve as extra eyes and ears in the trenches, providing them with an online form to report any suspicious activity of their co-workers.

Protecting yourself from a targeted attack from the outside world, meanwhile, also requires some proactive, manual sleuthing of unusual activity on the network by you -- and in some cases, your end users. There are some key clues that an intruder has infiltrated your network, or is about to, like a user receiving an authentic-looking email that's a little "phishy" because it comes with an attachment they wouldn't expect from the known "sender"; suspicious requests to your company website (think lots of Google searches for corporate email addresses); and a distributed denial-of-service attack, which is usually meant as a distraction for a more sinister attack that's doing the real damage in the background. (See Five Signs That You're Under a Targeted Attack.)

Sure, a DDoS attack is pretty darn obvious. But that doesn't mean that once a DDoS hits, you or your ISP can stop it right away. ISPs and security researchers are finding that some of the more powerful DDoSes are so cloaked in layers of bots and controllers that they can't be halted just by shutting down the bots that are bombarding you with packets. To stop these more persistent DDoSes, they have to ferret out the source of the attack. (See How to Trace a DDOS Attack.)

In the end, even channeling your best Hardy Boy or Nancy Drew may not be enough. Some determined bad guys will still find a way to sneak a hard copy of a sensitive document out the door in their briefcase, or to plant some nasty code onto your client machines that ultimately entrenches them in your network. But you've got a better shot at protecting yourself if you enlist some warm bodies as another layer of your security architecture.

— Kelly Jackson Higgins, Senior Editor, Dark Reading