7 Ways to Thwart Malicious Insiders
Malicious insider incidents may be less frequent than inadvertent user missteps, but they can cost organizations big time.
![Insider Threat Insider Threat](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt6a2e9997d47d53bc/64f150a57de67f570c00e347/Slide1CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
leowolfert via AdobeStock
Malicious insider activity is less common than inadvertent missteps by insiders -- but it is expensive. While malicious activity comprises just 23% of all insider incidents, according to a 2020 Ponemon survey, these attacks typically are more costly for the organization -- averaging $755,760 per incident and $4.08 million per year.
Overall, malicious and non-malicious insider incidents can account for the loss of up to 20% of annual revenue, according to research from Code42 and Aberdeen.
“Data today is digital and portable, so it's never been easier to take,” says Jadee Hanson, CISO and CIO at Code42. “There are countless ways for employees and contractors to move proprietary documents to a removable USB drive, personal Dropbox, or G-Drive and take it with them to benefit them in their next role or give a competitor a strategic advantage."
Hanson points to source code, patent applications, and customer lists being at risk. "Many of these cases go unreported and impact companies for years to come," she says.
Here are tips to protect against a malicious insider attack. Many of these best practices help prevent non-malicious insider incidents, as well.
An insider risk program requires skills quite different from rank-and-file security skills, says Code42's Hanson. Security analysts need exceptional people, interview, and behavioral analytics skills to be able to identify genuine cases of malicious insider risk, she says.
“There’s a sensitivity to malicious insider risk cases because people are involved,” Hanson says. “These are the people we work with and sit next to every day.”
That’s why Hanson says she only has one person in her department working on insider risk: “I don’t want six SOC analysts doing this because it takes a different skill set. I don’t want multiple people having access to sensitive personnel information.”
Wendy Overton, director at Optiv, believes companies need a full team dedicated to insider risk. The team can then report back to legal and HR on what they see at the company and in the industry so they can help determine the most appropriate responses to insider threats, she says.
While cases vary, Code42’s Hanson says there are two basic types of malicious insider threat cases that companies frequently experience.
In the most clear-cut case, a foreign threat group would entice an employee with a lucrative payment for turning over sensitive company data. Hanson says these are almost always clear-cut cases and much easier to prosecute.
In a more ambiguous case, Hanson says an employee would leave a company and the security team finds that they transferred company data on a personal iCloud or Google drive.
"There are often cases where the person knew the rules but they say it’s a mistake, so it’s always a tough call," Hanson says. "This is why I say security analysts handling insider risk have to understand behavioral science. They have to be able to determine if the person is lying to them."
Security teams need to identify the people in their organization who present the most risk, says Ryan Kovar, distinguished security strategist at Splunk. For example, he would give the person in the mailroom who recently left the company a low score, but give a higher score to the CEO.
However, very often mid-level network and database administrators are the ones to look out for when it comes to malicious cases because they have access to domain admin routes, root access to servers, and access to company firewalls, he points out. They know what they are doing, so if something anomalous happens, it is potentially more likely it wasn't an accident.
"I have been able to set up much better defenses by looking at risk," Kovar says. "The admins present the most risk because they can turn off the logging and potentially never get caught."
Code42's Hanson adds that security teams want visibility into the company's high-risk data.
"For us, we can't lose the source code files our developers create," she says. "For Tesla, it might be new intellectual property on the source code for its new driverless technology. We need visibility into any high-risk data that leaves the network."
Companies will inundate their human resources and legal departments if they don't give the security analysts some leeway to do an initial interview, says Code42’s Hanson.
Because malicious insider risk cases deal with people's careers, she says, the security analyst must have the ability to make that initial inquiry. It doesn't make sense to escalate the case before the security analyst has more facts.
Hanson says they recently had a case where an executive downloaded sensitive company information on a personal drive. While it looked suspicious, upon investigation they found out the executive was in the hospital and having his wife print out information so he could look it over there.
Security analysts have to ask questions such as: What do I know about the user? Why are they leaving the organization? What has the user done over the past 60 days? What do the notes say from the last time we checked in on this user? Did the user make some kind of mistake or is there more here?
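Kovar's idea of scoring people by the risk their access presents, Hanson's focus on high-risk data leaving the network, and the "what has the user done over the past 60 days" question above can be combined into a simple triage score. The following is an added example, not code from the article or from Code42, Splunk, or Optiv: the users, role weights, signal weights and audit events are all constructed for illustration, and the thresholds (60-day window, 500 MiB bulk-download cutoff, the list of personal cloud domains) are assumptions to be tuned per organization.

```python
"""Insider-risk triage over a constructed audit trail.

Added example (not from the article): combine inherent access risk
(role, pending departure) with behavioral signals observed in the
trailing 60-day window, then rank users so analysts know whom to look
at first. All data below is hypothetical.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# --- Constructed sample data: hypothetical users, not real people ---------
USERS = {
    "dsmith":    {"role": "db_admin",  "leaving": True},   # departing DBA
    "jdoe":      {"role": "engineer",  "leaving": True},   # departing developer
    "ceo":       {"role": "executive", "leaving": False},
    "mailroom1": {"role": "mailroom",  "leaving": True},   # departing, little access
}

# Inherent risk by role: admins weigh most because they can alter logging.
ROLE_WEIGHT = {"db_admin": 3.0, "network_admin": 3.0, "executive": 2.0,
               "engineer": 1.5, "mailroom": 0.5}
LEAVING_MULTIPLIER = 2.0          # a pending departure doubles inherent risk

# Behavioral signal weights (illustrative; tune per organization).
SIGNAL_WEIGHT = {"audit_logging_disabled": 8, "upload_personal_cloud": 5,
                 "usb_copy": 3, "bulk_download": 2}
PERSONAL_CLOUD_DOMAINS = {"icloud.com", "drive.google.com", "dropbox.com"}
BULK_BYTES = 500 * 1024 * 1024    # assumed cutoff for a "bulk" download
WINDOW = timedelta(days=60)       # the 60-day look-back the article mentions

# Constructed audit events, timestamped around NOW.
NOW = datetime(2023, 9, 1)
EVENTS = [
    {"ts": datetime(2023, 8, 25, 22, 14), "user": "dsmith", "type": "config_change",
     "setting": "audit_logging", "value": "off"},
    {"ts": datetime(2023, 8, 26, 1, 3), "user": "dsmith", "type": "download",
     "path": "/db/exports/customers.sql", "bytes": 2 * 1024**3},
    {"ts": datetime(2023, 8, 28, 17, 40), "user": "jdoe", "type": "upload",
     "dest": "https://drive.google.com/upload", "bytes": 80 * 1024**2},
    {"ts": datetime(2023, 8, 29, 9, 5), "user": "jdoe", "type": "upload",
     "dest": "https://sharepoint.corp.example/sites/eng", "bytes": 10 * 1024**2},
    {"ts": datetime(2023, 5, 1, 12, 0), "user": "jdoe", "type": "file_copy",
     "device": "usb", "bytes": 1 * 1024**3},               # outside the window
    {"ts": datetime(2023, 8, 30, 8, 0), "user": "ceo", "type": "download",
     "path": "/board/q3-forecast.xlsx", "bytes": 600 * 1024**2},
]


def classify(event):
    """Map a raw audit event to a named behavioral signal, or None if benign."""
    kind = event["type"]
    if (kind == "config_change" and event.get("setting") == "audit_logging"
            and event.get("value") == "off"):
        return "audit_logging_disabled"
    if kind == "upload":
        host = urlparse(event["dest"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD_DOMAINS):
            return "upload_personal_cloud"
    if kind == "file_copy" and event.get("device") == "usb":
        return "usb_copy"
    if kind == "download" and event.get("bytes", 0) >= BULK_BYTES:
        return "bulk_download"
    return None


def score_user(name, profile, events, now=NOW, window=WINDOW):
    """Return (score, reasons) for one user over the trailing window."""
    inherent = ROLE_WEIGHT.get(profile["role"], 1.0)
    if profile.get("leaving"):
        inherent *= LEAVING_MULTIPLIER
    behavioral = 0
    reasons = []
    for ev in events:
        if ev["user"] != name or not (now - window <= ev["ts"] <= now):
            continue
        signal = classify(ev)
        if signal:
            behavioral += SIGNAL_WEIGHT[signal]
            reasons.append(f"{ev['ts']:%Y-%m-%d} {signal}")
    # Inherent access amplifies what the behaviour means: the same upload
    # from a departing admin ranks far above one from a mailroom clerk.
    return inherent * (1 + behavioral), reasons


def rank_users(users=USERS, events=EVENTS, now=NOW):
    """Rank all users by risk score, highest first, with the evidence list."""
    ranked = [(name, *score_user(name, prof, events, now))
              for name, prof in users.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score, reasons in rank_users():
        print(f"{name:10} {score:6.1f}  {'; '.join(reasons) or '(no signals)'}")
```

The score is a triage aid, not a verdict: the `reasons` list is what the analyst carries into the initial interview described in the section that follows, and a high score from an admin who switched off audit logging should prompt a check of other log sources before anyone is accused of anything.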
Remember that in malicious insider cases, the company may wind up accusing an employee of a crime. Companies need processes in place for how they will handle these cases, and it can’t be done without cooperation from the security team, HR, and legal.
While Splunk's Kovar agrees that security analysts have to do an initial inquiry, "in the end, we are just detectives bringing the evidence to higher authorities that act as the judge, jury and executioner."
Security analysts setting up an insider risk program should also have relationships with law enforcement, Optiv's Overton adds. For example, if an analyst sees virtual indicators that could lead to physical workplace violence (risk to life), it might go directly to law enforcement. But for digital cases, the security team should work closely with HR and legal.
"Insider threat programs are meant to mitigate risks by individuals that have access to the assets of the organization and that person does not exist solely in the virtual world," Overton says. "Companies need to look at a holistic perspective and understand there are things both virtually and in real life that can happen that cause harm. Combining the two is the most effective way to mitigate threats."
Employees should understand that the company has developed an insider risk program, which aims to protect company data and outlines the processes and penalties for noncompliance, says Code42's Hanson.
Most companies have fairly standard acceptable use policies in place covering how employees should handle company data, she says. Developing policies around punishment is more problematic; Hanson says most companies set policy based on the situation. For example, if someone has been caught by a phishing email for a second time and the second incident results in the company losing sensitive data, is that OK? Every company has to decide for itself what level of risk it will tolerate, she says.
"I wish it was as simple as having a 'three strikes and you're out' policy, but it's not that easy," Hanson says, adding that if the company tries to reach a person several times after an incident and can't get in touch with them, that's a red flag that something is wrong.
Companies can leverage the latest cloud technologies to prevent insider attacks, says Chase Cunningham, chief strategy officer at Ericom Software. By using a tool like Google G Suite, companies can know which documents their employees are accessing, stop them from downloading certain types of documents, and put policies in place to make that happen consistently, he says.
"At our company we decided to get rid of all our physical offices and move everyone to the cloud," Cunningham explains. "Now all we have to do is manage remote access. Everyone has a segment in the cloud with specific work roles, and the only point of failure is the admin."