
4/10/2015
10:30 AM
Daniel Velez
Commentary

Insider Threats: Focus On The User, Not The Data

Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever?

People are more connected than ever. Everyone uses email, social media, the web and instant messaging. Some channels are for business purposes, so IT governs and monitors them. Others are for personal use, even if they’re not sanctioned by the organization. A lot of that personal activity is innocent—parents communicating with children at school or making plans for later that day. It consumes some network resources, and most businesses are willing to write that off, but it brings with it the risks associated with the untrained or careless user.

On the other side of the equation are a very small number of people who present a serious insider threat. They intentionally engage in hostile or malicious activities, often working hard to cover their tracks. Their aim is clear: to inflict pain on IT systems and cause damage to the bottom line and reputation of an organization. Financial reports can easily show a price tag for IT systems and the hours it takes employees and consultants to fix them in the wake of an attack. It’s simple dollars and cents. But damage to the reputation of an organization and the toll it takes on customer goodwill is incalculable.

Gartner research shows that 50% of enterprises were using some type of data loss prevention (DLP) solution in 2014. DLP has made great strides and traditional security products are omnipresent. Gartner also forecasts that global cybersecurity spending will reach $76.9 billion in 2015. It's clear that organizations are not skimping on security.

It’s not about the data
Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is that the solutions most organizations employ focus on the wrong thing: data. Data is obviously important, but organizations struggle to identify all their data, classify its importance, tag it, store it in certain containers, and wrap DLP around it. Even so, IT departments rely on DLP to control the movement of important documents and information exiting the company firewall. Unfortunately, DLP is often too restrictive or inadequate.

For example, with DLP standing in the way of sharing an Excel spreadsheet with the latest sales goals or a Word document with product plans, employees often turn to unauthorized (and even riskier) ways: their own laptop, a thumb drive, personal email or cloud storage. Or, worse than that, some employees throw their hands up in frustration, stopping the flow of business-critical information entirely. DLP's "stop, block and tackle" approach just isn't very effective, so it can often end up as another piece of expensive shelfware that does little to stop the insider threat.

We all know there are other methods, such as content monitoring and filtering, but they also lack the context necessary to identify, analyze, and react to threatening insider behavior, so they, too, end up back on the shelf with DLP. In the end, organizations will be able to do very little about insider threats if they keep the narrow focus on data. However, there is something very concrete an organization can do if it thinks more broadly and realizes that the insider threat is a user behavior issue.

Focus on the user
A better approach is to look at the activities of the user rather than employing the blunt force of limiting or rejecting an action. A close examination of user behavior can spot trends so an analyst can cut through the cacophony of alerts, determine the situation, and immediately take action to stop an insider threat.

An effective breach mitigation program should help analysts answer these questions:

  1. Is trust misplaced? 
  2. Is a technical control not working as expected? 
  3. Are employees following policies? 
  4. Are policies too rigid?

Effectively detecting, responding to, and remediating the range of threatening user behaviors requires a contextual view of user behavior that comes from combining the best of network activity monitoring technologies with endpoint monitoring. By applying the right remediation, implementing effective security policies, improving employee training, and targeting high-risk insiders, user activity monitoring can provide the visibility organizations need to counter the risks of inappropriate behavior.
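As an added illustration of the contextual, user-centred view argued for above (this is example code written for this page, not Raytheon's product or the author's own method), the Python below scores each user's day against that user's own history, combining one network signal (outbound upload volume from a proxy or flow collector) with two endpoint signals (file-share reads and removable-media mounts from an agent). The log records, field layout, point values and the 3-sigma threshold are all constructed assumptions for the illustration.

```python
"""Per-user baselining over combined network and endpoint telemetry.

Added example for this page; the records below are constructed, and the
(day, user, source, event, value) layout is an assumption, not any
vendor's schema.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real logs).
#   network/upload        value = bytes sent to external hosts that day
#   endpoint/file_access  value = distinct files read from file shares
#   endpoint/usb_mount    value = 1 when removable media was mounted
EVENTS = [
    # alice: steady upload volume and ordinary share activity all week
    ("2015-04-01", "alice", "network", "upload", 20_000_000),
    ("2015-04-02", "alice", "network", "upload", 22_000_000),
    ("2015-04-03", "alice", "network", "upload", 18_000_000),
    ("2015-04-04", "alice", "network", "upload", 23_000_000),
    ("2015-04-01", "alice", "endpoint", "file_access", 30),
    ("2015-04-02", "alice", "endpoint", "file_access", 28),
    ("2015-04-03", "alice", "endpoint", "file_access", 32),
    ("2015-04-04", "alice", "endpoint", "file_access", 30),
    # bob: one very large upload, but nothing unusual on the endpoint
    ("2015-04-01", "bob", "network", "upload", 5_000_000),
    ("2015-04-02", "bob", "network", "upload", 6_000_000),
    ("2015-04-03", "bob", "network", "upload", 4_000_000),
    ("2015-04-04", "bob", "network", "upload", 60_000_000),
    ("2015-04-01", "bob", "endpoint", "file_access", 25),
    ("2015-04-02", "bob", "endpoint", "file_access", 30),
    ("2015-04-03", "bob", "endpoint", "file_access", 28),
    ("2015-04-04", "bob", "endpoint", "file_access", 25),
    # mallory: quiet baseline, then bulk share reads, a USB mount and a big upload
    ("2015-04-01", "mallory", "network", "upload", 2_000_000),
    ("2015-04-02", "mallory", "network", "upload", 1_500_000),
    ("2015-04-03", "mallory", "network", "upload", 2_500_000),
    ("2015-04-04", "mallory", "network", "upload", 90_000_000),
    ("2015-04-01", "mallory", "endpoint", "file_access", 20),
    ("2015-04-02", "mallory", "endpoint", "file_access", 18),
    ("2015-04-03", "mallory", "endpoint", "file_access", 25),
    ("2015-04-04", "mallory", "endpoint", "file_access", 1_200),
    ("2015-04-04", "mallory", "endpoint", "usb_mount", 1),
]


def daily_totals(events, source, event):
    """Map user -> {day: summed value} for one telemetry stream."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, src, ev, value in events:
        if src == source and ev == event:
            totals[user][day] += value
    return totals


def zscore(history, target_day, min_samples=3):
    """How far target_day sits from the user's OWN earlier days, in standard
    deviations. Returns None when there is not enough history to judge."""
    baseline = [v for d, v in history.items() if d < target_day]
    if len(baseline) < min_samples:
        return None
    today = history.get(target_day, 0)
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat baseline: any change is infinitely far from it
        return 0.0 if today == mu else math.copysign(math.inf, today - mu)
    return (today - mu) / sigma


def score_users(events, target_day, z_threshold=3.0):
    """Combine network and endpoint deviations into one per-user finding.
    Point values are assumptions: a network spike alone is worth a look,
    but only endpoint context pushes a user over the escalation line."""
    uploads = daily_totals(events, "network", "upload")
    reads = daily_totals(events, "endpoint", "file_access")
    usb = daily_totals(events, "endpoint", "usb_mount")
    findings = {}
    for user in sorted({rec[1] for rec in events}):
        score, reasons = 0, []
        z_up = zscore(uploads.get(user, {}), target_day)
        if z_up is not None and z_up > z_threshold:
            score += 2
            reasons.append(f"upload volume {z_up:.1f} sigma above own baseline")
        z_rd = zscore(reads.get(user, {}), target_day)
        if z_rd is not None and z_rd > z_threshold:
            score += 1
            reasons.append(f"file-share reads {z_rd:.1f} sigma above own baseline")
        if usb.get(user, {}).get(target_day, 0):
            score += 1
            reasons.append("removable media mounted the same day")
        findings[user] = {"score": score, "reasons": reasons, "escalate": score >= 3}
    return findings


if __name__ == "__main__":
    for user, finding in score_users(EVENTS, "2015-04-04").items():
        flag = "ESCALATE" if finding["escalate"] else "review" if finding["score"] else "ok"
        print(f"{user:8} {flag:8} {'; '.join(finding['reasons'])}")
```

Run as a script it prints one line per user: alice is clean, bob's large upload alone lands in the review queue (it might be a sanctioned backup, and an analyst can ask the article's question "is a technical control not working as expected?"), while mallory's upload is corroborated by the bulk share reads and the USB mount and is escalated. Two caveats a practitioner would add: a user with too little history cannot be scored at all (the `None` path), and a patient insider who exfiltrates a little each day moves the baseline with them, so per-day deviation needs pairing with longer-window and peer-group comparisons.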

Daniel Velez is the senior manager for insider threat operations at Raytheon Cyber Products. He is responsible for the delivery and support of insider threat monitoring, investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, he served as a ...

Comments
rnellis
User Rank: Apprentice
4/20/2015 | 1:30:26 PM
Insider Threats: Focus On The User, Not The Data
Great article! It is refreshing to finally see articles that address the true root of the security problem. The more we educate our users, the safer our companies will be. I have always believed that the more you educate a user on security, the more eyes and ears you have throughout the company looking for security issues. I know that this works because I have seen it in action, and anyone who does not think that user education is worth the time or money is losing out on a valuable security resource.
François Amigorena
User Rank: Author
4/15/2015 | 3:36:33 AM
2015 is the year for tackling insider threats

Great article Daniel. Nearly all networks have authenticated users with access and rights, who carry out the kind of malicious or careless behavior that often leads to security breaches. 2015 does seem set to be a huge year for tackling the insider threat, as we've seen from our recent research report of 500 IT professionals. More and more organizations are now planning to launch an insider threat program and within that program they are looking to take a joined-up approach of better user education and enhanced user technology solutions. The good news is that the technology is available today to help secure user access to company resources and protect users from their own casual behavior.
