People are more connected than ever. Everyone uses email, social media, the web and instant messaging. Some channels are for business purposes, so IT governs and monitors them. Others are for personal use, even if they’re not sanctioned by the organization. A lot of that personal activity is innocent—parents communicating with children at school or making plans for later that day. It consumes some network resources, and most businesses are willing to write that off, but it brings with it the risks associated with the untrained or careless user.
On the other side of the equation are a very small number of people who present a serious insider threat. They intentionally engage in hostile or malicious activities, often working hard to cover their tracks. Their aim is clear: to inflict pain on IT systems and cause damage to the bottom line and reputation of an organization. Financial reports can easily show a price tag for IT systems and the hours it takes employees and consultants to fix them in the wake of an attack. It’s simple dollars and cents. But damage to the reputation of an organization and the toll it takes on customer goodwill is incalculable.
Gartner research shows that 50% of enterprises were using some type of data loss prevention (DLP) solution in 2014. DLP has made great strides and traditional security products are omnipresent. Gartner also forecasts that global cybersecurity spending will reach $76.9 Billion in 2015. It’s clear that organizations are not skimping on security.
It’s not about the data
Nonetheless, even with numerous safeguards in place, why are there so many high-profile breaches? The reason is because the solutions most organizations employ focus on the wrong thing—data. Data is obviously important, but organizations struggle to identify all their data, classify its importance, tag it, store it in certain containers, and wrap DLP around it. Even so, IT departments rely on DLP to control the movement of important documents and information exiting the company firewall. Unfortunately, DLP is often too restrictive or inadequate.
For example, with DLP standing in the way of sharing an Excel spreadsheet with the latest sales goals or a Word document with product plans, employees often turn to unauthorized (and even riskier) ways—maybe their own laptop, a thumb drive, personal email or cloud storage. Or, worse than that, some employees throw their hands up in frustration—stopping the flow of business-critical information entirely. DLP’s “stop block and tackle” approach just isn’t very effective, so it can often end up as another piece of expensive shelfware that does little to stop the insider threat.
We all know there are other methods, such as content monitoring and filtering, but they also lack the context necessary to identify, analyze, and react to threatening insider behavior, so they, too, end up back on the shelf with DLP. In the end, organizations will be able to do very little about insider threats if they keep the narrow focus on data. However, there is something very concrete an organization can do if it thinks more broadly and realizes that the insider threat is a user behavior issue.
Focus on the user
A better approach is to look at the activities of the user rather than employing the blunt force of limiting or rejecting an action. A close examination of user behavior can spot trends so an analyst can cut through the cacophony of alerts, determine the situation, and immediately take action to stop an insider threat.
An effective breach mitigation program should help analysts answer these questions:
Effectively detecting, responding to, and remediating the range of threatening user behaviors requires a contextual view of user behavior that comes from combining the best of network activity monitoring technologies with endpoint monitoring. By applying the right remediation, implementing effective security policies, improving employee training, and targeting high-risk insiders, user activity monitoring can provide the visibility organizations need to counter the risks of inappropriate behavior.
Daniel Velez is the senior manager for insider threat operations at Raytheon Cyber Products. He is responsible for the delivery and support of insider threat monitoring, investigation solutions and services to Raytheon's customers. Prior to joining Raytheon, he served as a ... View Full Bio