Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

4/10/2015
10:30 AM
Daniel Velez
Commentary

Insider Threats: Focus On The User, Not The Data

Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever?

People are more connected than ever. Everyone uses email, social media, the web and instant messaging. Some channels are for business purposes, so IT governs and monitors them. Others are for personal use, even if they’re not sanctioned by the organization. A lot of that personal activity is innocent—parents communicating with children at school or making plans for later that day. It consumes some network resources, and most businesses are willing to write that off, but it brings with it the risks associated with the untrained or careless user.

On the other side of the equation are a very small number of people who present a serious insider threat. They intentionally engage in hostile or malicious activities, often working hard to cover their tracks. Their aim is clear: to inflict pain on IT systems and cause damage to the bottom line and reputation of an organization. Financial reports can easily show a price tag for IT systems and the hours it takes employees and consultants to fix them in the wake of an attack. It’s simple dollars and cents. But damage to the reputation of an organization and the toll it takes on customer goodwill is incalculable.

Gartner research shows that 50% of enterprises were using some type of data loss prevention (DLP) solution in 2014. DLP has made great strides, and traditional security products are omnipresent. Gartner also forecasts that global cybersecurity spending will reach $76.9 billion in 2015. It’s clear that organizations are not skimping on security.

It’s not about the data
Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is that the solutions most organizations employ focus on the wrong thing—data. Data is obviously important, but organizations struggle to identify all their data, classify its importance, tag it, store it in certain containers, and wrap DLP around it. Even so, IT departments rely on DLP to control the movement of important documents and information exiting the company firewall. Unfortunately, DLP is often too restrictive or inadequate.

For example, with DLP standing in the way of sharing an Excel spreadsheet with the latest sales goals or a Word document with product plans, employees often turn to unauthorized (and even riskier) ways—maybe their own laptop, a thumb drive, personal email or cloud storage. Or, worse than that, some employees throw their hands up in frustration—stopping the flow of business-critical information entirely. DLP’s “stop block and tackle” approach just isn’t very effective, so it can often end up as another piece of expensive shelfware that does little to stop the insider threat.

We all know there are other methods, such as content monitoring and filtering, but they also lack the context necessary to identify, analyze, and react to threatening insider behavior, so they, too, end up back on the shelf with DLP. In the end, organizations will be able to do very little about insider threats if they keep the narrow focus on data. However, there is something very concrete an organization can do if it thinks more broadly and realizes that the insider threat is a user behavior issue.

Focus on the user
A better approach is to look at the activities of the user rather than employing the blunt force of limiting or rejecting an action. A close examination of user behavior can spot trends so an analyst can cut through the cacophony of alerts, determine the situation, and immediately take action to stop an insider threat.

An effective breach mitigation program should help analysts answer these questions:

  1. Is trust misplaced?
  2. Is a technical control not working as expected?
  3. Are employees following policies?
  4. Are policies too rigid?

Effectively detecting, responding to, and remediating the range of threatening user behaviors requires a contextual view of user behavior that comes from combining the best of network activity monitoring technologies with endpoint monitoring. By applying the right remediation, implementing effective security policies, improving employee training, and targeting high-risk insiders, user activity monitoring can provide the visibility organizations need to counter the risks of inappropriate behavior.
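As an added illustration, not code from the article or from any Raytheon product, the following Python joins constructed endpoint and network events on the user id: instead of blocking the outbound transfer the way DLP would, it attaches the user's preceding endpoint activity as context and ranks the resulting alerts so an analyst reads the richest story first. The event fields, the two indicator kinds and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): endpoint events from an agent,
# network events from a proxy or flow sensor, both carrying the same user id.
ENDPOINT_EVENTS = [
    {"ts": "2015-04-10T09:02:00", "user": "alice", "kind": "file_open", "detail": "Q2_sales_goals.xlsx"},
    {"ts": "2015-04-10T09:05:00", "user": "alice", "kind": "usb_mount", "detail": "removable drive E:"},
    {"ts": "2015-04-10T11:40:00", "user": "bob", "kind": "file_open", "detail": "lunch_menu.docx"},
    {"ts": "2015-04-10T15:00:00", "user": "carol", "kind": "file_open", "detail": "product_plans.docx"},
]
NETWORK_EVENTS = [
    {"ts": "2015-04-10T09:06:30", "user": "alice", "kind": "upload", "detail": "personal cloud storage, 4 MB"},
    {"ts": "2015-04-10T11:41:00", "user": "bob", "kind": "upload", "detail": "personal cloud storage, 40 KB"},
    {"ts": "2015-04-10T16:30:00", "user": "carol", "kind": "upload", "detail": "personal webmail, 2 MB"},
]
# Assumed endpoint indicators that give an outbound transfer its context when
# they precede it within WINDOW; each distinct indicator adds one priority point.
CONTEXT_KINDS = {"file_open", "usb_mount"}
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(endpoint_events, network_events, window=WINDOW):
    """Return one alert per upload preceded, within `window`, by endpoint
    activity of the same user, ranked by the number of distinct indicators."""
    by_user = {}
    for ev in endpoint_events:
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for net in network_events:
        if net["kind"] != "upload":
            continue
        context = [ev for ev in by_user.get(net["user"], [])
                   if ev["kind"] in CONTEXT_KINDS
                   and timedelta(0) <= _ts(net) - _ts(ev) <= window]
        if not context:
            continue  # an upload with no surrounding endpoint story is not escalated
        alerts.append({
            "user": net["user"],
            "upload": net["detail"],
            "context": [f"{ev['ts']} {ev['kind']}: {ev['detail']}" for ev in context],
            "score": len({ev["kind"] for ev in context}),
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Carol's upload arrives 90 minutes after her document access, outside the window, so it produces no alert; Alice's two distinct indicators rank her above Bob's single one.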


Daniel Velez is the senior manager for insider threat operations at Raytheon Cyber Products. He is responsible for the delivery and support of insider threat monitoring, investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, he served as a ...

Comments
François Amigorena, User Rank: Author
4/15/2015 | 3:36:33 AM
2015 is the year for tackling insider threats

Great article, Daniel. Nearly all networks have authenticated users with access and rights, who carry out the kind of malicious or careless behavior that often leads to security breaches. 2015 does seem set to be a huge year for tackling the insider threat, as we've seen from our recent research report of 500 IT professionals. More and more organizations are now planning to launch an insider threat program, and within that program they are looking to take a joined-up approach of better user education and enhanced user technology solutions. The good news is that the technology is available today to help secure user access to company resources and protect users from their own casual behavior.

rnellis, User Rank: Apprentice
4/20/2015 | 1:30:26 PM
Insider Threats: Focus On The User, Not The Data
Great article! It is refreshing to finally see articles that address the true root of the security problem. The more we educate our users, the safer our companies will be. I have always believed that the more you educate a user on security, the more eyes and ears you have throughout the company looking for security issues. I know that this works because I have seen it in action, and anyone who does not think that user education is worth the time or money is losing out on a valuable security resource.