Question: What things should I be scanning for that could, collectively, indicate I've got a malicious insider?
Katie Burnell, global insider threat specialist at Dtex Systems: Put simply, you should be scanning the full spectrum of user behaviours that lead up to an actual theft or sabotage of data. Without insight into exactly what your users are doing on their endpoints, you are blind to symptomatic behaviours that malicious users exhibit ahead of any data exfiltration or sabotage, for example.
A malicious insider will intentionally perform activities that may harm the company – for example, data-based activities through exfiltration or sabotage, or deliberate acts to compromise the operations of the business. In order to succeed in these activities, the user will likely need to circumvent corporate security measures, whether it be disabling existing tools, such as VPNs, adopting alternative applications akin to private browsing, or elevating their privileges. Security bypass activity is a conscious violation of security policy and is consistently used to engage in high-risk behaviour. Visibility into these actions and tell-tale early warning signs is vital.
Your monitoring approach must be holistic and involve appropriate levels of visibility into each stage of the insider threat kill chain. Focusing exclusively on the latter stages – aggregation and exfiltration – is a common shortfall of many approaches and fails to spot initial indicators of questionable and potentially high-risk user activity.
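The question asks what to scan for that would collectively, rather than individually, indicate a malicious insider. As an added illustration (example code, not code from the column or from Dtex Systems), the Python below scores constructed endpoint telemetry by how many insider-threat kill-chain stages a user has touched within a time window, so that early security-bypass events (VPN disabled, private browser launched, privilege elevation) count as signals in their own right, while a lone late-stage event such as a single cloud upload does not by itself cross the alert line. The activity names, stage labels, weights, window, threshold, log format and log lines are all assumptions constructed for the example.

```python
"""Stage-aware insider-risk scoring over constructed endpoint telemetry.

Added example; not code from the column or from Dtex Systems. The activity
names, stage labels, weights, window and log format are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mapping from raw endpoint activities to insider-threat kill-chain
# stages. Early-stage "security bypass" events are first-class signals here,
# not just the late aggregation/exfiltration ones.
STAGE_OF_ACTIVITY = {
    "vpn_disabled": "circumvention",
    "private_browser_launch": "circumvention",
    "privilege_elevation": "circumvention",
    "mass_file_access": "aggregation",
    "archive_created": "aggregation",
    "usb_write": "exfiltration",
    "cloud_upload": "exfiltration",
}

# Assumed weights: a stage counts once no matter how many events hit it, so
# the score grows by covering more of the chain, not by repeating one step.
STAGE_WEIGHT = {"circumvention": 2, "aggregation": 3, "exfiltration": 4}
MULTI_STAGE_BONUS = 3       # extra weight once two or more stages co-occur
WINDOW = timedelta(days=7)  # only events this close to the user's latest one count
ALERT_THRESHOLD = 8         # no single stage can reach this on its own


@dataclass
class Event:
    ts: datetime
    user: str
    activity: str


def parse_line(line: str) -> Event:
    """Parse the assumed 'ISO-timestamp|user|activity' log format."""
    ts, user, activity = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, activity)


def score_user(events):
    """Return (score, {stage: [activities]}) for one user's recent window."""
    events = sorted(events, key=lambda e: e.ts)
    cutoff = events[-1].ts - WINDOW
    stages = defaultdict(list)
    for e in events:
        stage = STAGE_OF_ACTIVITY.get(e.activity)
        if e.ts >= cutoff and stage is not None:  # drop stale and unmapped events
            stages[stage].append(e.activity)
    score = sum(STAGE_WEIGHT[s] for s in stages)
    if len(stages) >= 2:
        score += MULTI_STAGE_BONUS
    return score, dict(stages)


def assess(lines):
    """Score every user seen in the log and flag those over the threshold."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        per_user[ev.user].append(ev)
    report = {}
    for user, evs in per_user.items():
        score, stages = score_user(evs)
        report[user] = {
            "score": score,
            "stages": sorted(stages),
            "alert": score >= ALERT_THRESHOLD,
        }
    return report


def alerted_users(lines):
    """Users whose combined stage coverage crosses the threshold."""
    return sorted(u for u, r in assess(lines).items() if r["alert"])


# Constructed sample telemetry (not real data).
SAMPLE_LOG = [
    "2024-03-18T08:00:00|bob|login",                     # unmapped, ignored
    "2024-03-18T09:12:00|alice|vpn_disabled",            # circumvention
    "2024-03-18T09:14:00|alice|private_browser_launch",  # circumvention (same stage)
    "2024-03-19T17:40:00|alice|mass_file_access",        # aggregation
    "2024-03-19T17:55:00|alice|archive_created",         # aggregation
    "2024-03-20T07:05:00|alice|usb_write",               # exfiltration
    "2024-03-20T10:00:00|bob|cloud_upload",              # one late-stage event only
    "2024-03-01T11:00:00|carol|vpn_disabled",            # outside carol's 7-day window
    "2024-03-20T12:30:00|carol|usb_write",               # exfiltration
]

if __name__ == "__main__":
    for user, r in sorted(assess(SAMPLE_LOG).items()):
        print(f"{user:6} score={r['score']:2} stages={r['stages']} alert={r['alert']}")
```

Run against the constructed log, only alice is flagged: she touched all three stages within the window (2 + 3 + 4 plus the multi-stage bonus). bob's single cloud upload and carol's single USB write each score 4 and stay below the threshold, which is the behaviour the answer argues for: the exfiltration-stage event alone is not the indicator, the chain leading to it is. In a real deployment the stage mapping would come from your endpoint or user-activity monitoring product's event taxonomy and the weights and threshold from baselining, but the structural choice to reward breadth across the kill chain rather than event volume within one stage is the point.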
What do you advise? Let us know in the Comments section, below.
Do you have questions you'd like answered? Send them to [email protected].