Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Articles

8/5/2019
07:00 AM
Katie Burnell

How Do I Monitor for Malicious Insiders?

Big picture: Think holistic, with appropriate levels of visibility into each stage of the insider threat kill chain.

Question: What things should I be scanning for that could, collectively, indicate I've got a malicious insider?

Katie Burnell, global insider threat specialist at Dtex Systems: Put simply, you should be scanning the full spectrum of user behaviours that lead up to an actual theft or sabotage of data. Without insight into exactly what your users are doing on their endpoints, you are blind to symptomatic behaviours that malicious users exhibit ahead of any data exfiltration or sabotage, for example.

A malicious insider will intentionally perform activities that may harm the company – for example, data-based activities through exfiltration or sabotage, or deliberate acts to compromise the operations of the business. In order to succeed in these activities, the user will likely need to circumvent corporate security measures, whether it be disabling existing tools, such as VPNs, or adopting alternative applications akin to private browsing or elevating their privileges. Security bypass activity is a conscious violation of security policy and is consistently used to engage in high-risk behaviour. Visibility into these actions and tell-tale early warning signs is vital. 

Your monitoring approach must be holistic and involve appropriate levels of visibility into each stage of the insider threat kill chain. Focusing exclusively on the latter stages – aggregation and exfiltration – is a common shortfall of many approaches and fails to spot initial indicators of questionable and potentially high-risk user activity.
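The correlation described above, sketched as an added example that is not part of the original article or any Dtex product: endpoint events are mapped to the stages the answer names (security bypass, aggregation, exfiltration) and each user is classified by whether later-stage activity follows a bypass. The event type names, the 7-day window, the level labels and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of endpoint event types to stages named in the article.
STAGE_OF = {
    "vpn_disabled": "circumvention", "private_browsing": "circumvention",
    "privilege_elevation": "circumvention",
    "bulk_file_copy": "aggregation", "archive_created": "aggregation",
    "upload_external": "exfiltration", "usb_write": "exfiltration",
}
ORDER = ["circumvention", "aggregation", "exfiltration"]

# Constructed sample telemetry: (timestamp, user, event type).
EVENTS = [
    ("2019-08-01T09:00:00", "alice", "vpn_disabled"),
    ("2019-08-02T14:00:00", "alice", "bulk_file_copy"),
    ("2019-08-03T18:30:00", "alice", "upload_external"),
    ("2019-08-01T10:00:00", "bob", "private_browsing"),
    ("2019-08-02T11:00:00", "carol", "usb_write"),
    ("2019-07-01T08:00:00", "dave", "privilege_elevation"),
    ("2019-08-02T16:00:00", "dave", "archive_created"),
    ("2019-08-02T09:00:00", "erin", "login"),  # no stage mapping, ignored
]

def assess(events, window=timedelta(days=7)):
    """Classify each user by which stages were seen and in what order."""
    by_user = defaultdict(list)
    for ts, user, etype in events:
        if etype in STAGE_OF:
            by_user[user].append((datetime.fromisoformat(ts), STAGE_OF[etype]))
    report = {}
    for user, seen in by_user.items():
        bypass = [t for t, s in seen if s == "circumvention"]
        # Later-stage activity that follows a bypass within the window.
        followed = {s for t, s in seen if s != "circumvention"
                    and any(timedelta(0) <= t - b <= window for b in bypass)}
        if followed:
            level = "escalate"
        elif bypass:
            level = "early_warning"    # visible before any data moves
        else:
            level = "late_stage_only"  # no early indicator was captured
        report[user] = {
            "level": level,
            "stages": sorted({s for _, s in seen}, key=ORDER.index),
            "followed_bypass": sorted(followed, key=ORDER.index),
        }
    return report
```

Calling `assess(EVENTS)` returns one entry per user with a mapped event; `dave` stays at `early_warning` because his aggregation event falls outside the window after the bypass.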


When Katie Burnell went to work for the Bank of England as a data processor, she didn't intend to switch career paths into cybersecurity. She was on the digital media team when she learned the bank was creating an IT security department. As she moved up through the ranks, ...
