Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

4/10/2015 10:30 AM
Daniel Velez
Commentary

Insider Threats: Focus On The User, Not The Data

Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever?

People are more connected than ever. Everyone uses email, social media, the web and instant messaging. Some channels are for business purposes, so IT governs and monitors them. Others are for personal use, even if they’re not sanctioned by the organization. A lot of that personal activity is innocent—parents communicating with children at school or making plans for later that day. It consumes some network resources, and most businesses are willing to write that off, but it brings with it the risks associated with the untrained or careless user.

On the other side of the equation are a very small number of people who present a serious insider threat. They intentionally engage in hostile or malicious activities, often working hard to cover their tracks. Their aim is clear: to inflict pain on IT systems and cause damage to the bottom line and reputation of an organization. Financial reports can easily show a price tag for IT systems and the hours it takes employees and consultants to fix them in the wake of an attack. It’s simple dollars and cents. But damage to the reputation of an organization and the toll it takes on customer goodwill is incalculable.

Gartner research shows that 50% of enterprises were using some type of data loss prevention (DLP) solution in 2014. DLP has made great strides and traditional security products are omnipresent. Gartner also forecasts that global cybersecurity spending will reach $76.9 billion in 2015. It’s clear that organizations are not skimping on security.

It’s not about the data
Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is that the solutions most organizations employ focus on the wrong thing: data. Data is obviously important, but organizations struggle to identify all their data, classify its importance, tag it, store it in certain containers, and wrap DLP around it. Even so, IT departments rely on DLP to control the movement of important documents and information exiting the company firewall. Unfortunately, DLP is often too restrictive or inadequate.

For example, with DLP standing in the way of sharing an Excel spreadsheet with the latest sales goals or a Word document with product plans, employees often turn to unauthorized (and even riskier) ways—maybe their own laptop, a thumb drive, personal email or cloud storage. Or, worse than that, some employees throw their hands up in frustration—stopping the flow of business-critical information entirely. DLP’s “stop, block and tackle” approach just isn’t very effective, so it often ends up as another piece of expensive shelfware that does little to stop the insider threat.

We all know there are other methods, such as content monitoring and filtering, but they also lack the context necessary to identify, analyze, and react to threatening insider behavior, so they, too, end up back on the shelf with DLP. In the end, organizations will be able to do very little about insider threats if they keep the narrow focus on data. However, there is something very concrete an organization can do if it thinks more broadly and realizes that the insider threat is a user behavior issue.

Focus on the user
A better approach is to look at the activities of the user rather than employing the blunt force of limiting or rejecting an action. A close examination of user behavior can spot trends so an analyst can cut through the cacophony of alerts, determine the situation, and immediately take action to stop an insider threat.

An effective breach mitigation program should help analysts answer these questions:

  1. Is trust misplaced? 
  2. Is a technical control not working as expected? 
  3. Are employees following policies? 
  4. Are policies too rigid?

Effectively detecting, responding to, and remediating the range of threatening user behaviors requires a contextual view of user behavior that comes from combining the best of network activity monitoring technologies with endpoint monitoring. By applying the right remediation, implementing effective security policies, improving employee training, and targeting high-risk insiders, user activity monitoring can provide the visibility organizations need to counter the risks of inappropriate behavior.
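To make the “contextual view of user behavior” concrete, here is an added example (not code from the article or from Raytheon) that scores each user’s outbound data volume against that user’s own recent baseline and attaches the endpoint and network context an analyst would want before acting. The telemetry is constructed for the example; the `endpoint`/`network` sources, the sanctioned-destination allowlist, the z-score threshold and the 10% sigma floor are all assumptions, not anything the article specifies.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real logs). Fields:
# (day, user, source, action, destination, bytes). "endpoint" rows are assumed to
# come from an endpoint agent, "network" rows from a web proxy.
EVENTS = [
    # alice: steady, sanctioned uploads
    (1, "alice", "network", "upload", "sharepoint.corp.example", 2_000_000),
    (2, "alice", "network", "upload", "sharepoint.corp.example", 2_500_000),
    (3, "alice", "network", "upload", "sharepoint.corp.example", 1_800_000),
    (4, "alice", "network", "upload", "sharepoint.corp.example", 2_200_000),
    (5, "alice", "network", "upload", "sharepoint.corp.example", 2_100_000),
    (6, "alice", "network", "upload", "sharepoint.corp.example", 2_300_000),
    # bob: small baseline, then on day 6 a USB copy and an upload to personal cloud
    (1, "bob", "network", "upload", "sharepoint.corp.example", 500_000),
    (2, "bob", "network", "upload", "sharepoint.corp.example", 400_000),
    (3, "bob", "network", "upload", "sharepoint.corp.example", 600_000),
    (4, "bob", "network", "upload", "sharepoint.corp.example", 450_000),
    (5, "bob", "network", "upload", "sharepoint.corp.example", 550_000),
    (6, "bob", "endpoint", "usb_copy", "removable:E:", 30_000_000),
    (6, "bob", "network", "upload", "drive.personal-cloud.example", 28_000_000),
    # carol: large but consistent transfers to a sanctioned backup target
    (1, "carol", "network", "upload", "backup.corp.example", 50_000_000),
    (2, "carol", "network", "upload", "backup.corp.example", 50_000_000),
    (3, "carol", "network", "upload", "backup.corp.example", 50_000_000),
    (4, "carol", "network", "upload", "backup.corp.example", 50_000_000),
    (5, "carol", "network", "upload", "backup.corp.example", 50_000_000),
    (6, "carol", "network", "upload", "backup.corp.example", 52_000_000),
]

# Assumed allowlist of sanctioned upload destinations.
SANCTIONED = {"sharepoint.corp.example", "backup.corp.example"}
Z_THRESHOLD = 3.0  # assumed: how far above the user's own baseline counts as a spike


def daily_totals(events):
    """Sum bytes leaving each user's host per day, split by sensor, and track
    how much went somewhere outside the sanctioned allowlist."""
    totals = defaultdict(lambda: {"endpoint": 0, "network": 0, "unsanctioned": 0})
    for day, user, source, _action, dest, nbytes in events:
        row = totals[(user, day)]
        row[source] += nbytes
        # Removable media is treated as unsanctioned outright (assumption for the example).
        if source == "endpoint" or dest not in SANCTIONED:
            row["unsanctioned"] += nbytes
    return totals


def assess_user(events, user, eval_day, baseline_days):
    """Compare one day's outbound volume with the user's own baseline and attach
    the endpoint/network context needed to decide whether trust is misplaced."""
    totals = daily_totals(events)
    empty = {"endpoint": 0, "network": 0, "unsanctioned": 0}
    baseline = [sum(totals.get((user, d), empty)[k] for k in ("endpoint", "network"))
                for d in baseline_days]
    today = totals.get((user, eval_day), empty)
    today_total = today["endpoint"] + today["network"]
    mu = mean(baseline)
    # Floor sigma so a perfectly regular user neither divides by zero nor alerts on a
    # trivial change; 10% of the mean is an assumed tolerance.
    sigma = max(pstdev(baseline), 0.1 * mu, 1.0)
    z = (today_total - mu) / sigma
    sources = [s for s in ("endpoint", "network") if today[s] > 0]

    if z >= Z_THRESHOLD and today["unsanctioned"] > 0 and len(sources) == 2:
        severity = "high"    # spike, unsanctioned destination, seen on both sensors
    elif z >= Z_THRESHOLD:
        severity = "medium"  # spike without corroborating context; review, do not block
    else:
        severity = "none"
    return {"user": user, "z": round(z, 2), "today_bytes": today_total,
            "unsanctioned_bytes": today["unsanctioned"], "sources": sources,
            "severity": severity}


def triage(events, eval_day=6, baseline_days=range(1, 6)):
    """Score every user seen in the events for one evaluation day."""
    users = sorted({e[1] for e in events})
    return [assess_user(events, u, eval_day, baseline_days) for u in users]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Carol moves far more data than Bob in absolute terms, yet only Bob is flagged: his day-6 volume is hundreds of standard deviations above his own baseline, it goes to removable media and a personal cloud, and both the endpoint agent and the proxy corroborate it. A pure volume or content rule would have ranked the two the other way round, which is the “context” the article says DLP-style controls lack.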

Daniel Velez is the senior manager for insider threat operations at Raytheon Cyber Products. He is responsible for the delivery and support of insider threat monitoring, investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, he served as a ...

Comments
rnellis (User Rank: Apprentice), 4/20/2015 1:30:26 PM
Insider Threats: Focus On The User, Not The Data
Great article! It is refreshing to finally see articles that address the true root of the security problem. The more we educate our users, the safer our companies will be. I have always believed that the more you educate a user on security, the more eyes and ears you have throughout the company looking for security issues. I know that this works because I have seen it in action, and anyone who does not think that user education is worth the time or money is losing out on a valuable security resource.
François Amigorena (User Rank: Author), 4/15/2015 3:36:33 AM
2015 is the year for tackling insider threats

Great article, Daniel. Nearly all networks have authenticated users with access and rights, who carry out the kind of malicious or careless behavior that often leads to security breaches. 2015 does seem set to be a huge year for tackling the insider threat, as we've seen from our recent research report of 500 IT professionals. More and more organizations are now planning to launch an insider threat program, and within that program they are looking to take a joined-up approach of better user education and enhanced user technology solutions. The good news is that the technology is available today to help secure user access to company resources and protect users from their own casual behavior.