6 Ways to Tell an Insider Has Gone Rogue
Malicious activity by trusted users can be very hard to catch, so look for these red flags.
July 19, 2018
Insiders with legitimate access to enterprise systems and data are responsible for far more data breaches than many might realize. Granted, very often the breaches are accidental or caused by an individual's negligence or failure to follow policy – but when a malicious insider is responsible, the results can be disastrous.
Edward Snowden's 2013 heist of some 1.5 million classified documents from the National Security Agency (NSA), where he worked as a contractor, remains one of the most spectacular examples of insider theft. But there have been countless other incidents in recent years where organizations have experienced serious data loss or damage to systems and data as the result of malicious activity by an insider.
While enterprises are generally cognizant of the threat, many have struggled to deal with it. One reason is that most security tools are not truly designed to spot dangerous or potentially malicious activity by someone with legitimate access to an enterprise system or data. In addition, many organizations have been cautious about implementing too many controls for monitoring insider activity for fear of being viewed as too big brotherly.
"Enterprises are ill-equipped to protect their trusted insiders because legacy systems like employee monitoring or keystroke logging are extremely heavy and invasive to user privacy," says Christy Wyatt, CEO of Dtex Systems. "This means that many organizations have been reluctant to deploy them."
The key to dealing with insider threats is to keep an eye on all those accessing your most sensitive data in a way that does not intrude on privacy. "There are many critical behavior red flags that you can look for in order to accurately and quickly pinpoint insider threats," Wyatt says. "Three of the major red flags we see are data exfiltration, obfuscation, and bypassing security measures."
Here, according to Wyatt and others, are six signs that an insider has gone rogue or is headed that way.
Not all rogue insider behaviors are motivated by financial gain. In fact, in a substantial number of incidents, malicious behavior has been triggered by disgruntlement, a desire to get revenge, and other personal triggers.
If an employee or other trusted user displays certain negative behavior traits in the workplace, monitor that behavior, says Jeffrey Slotnick, president of Setracon Enterprise Security Risk Management Services.
Behavioral indicators to look out for include sudden or unusual introversion, compulsive or destructive behavior, passive aggressiveness, a sense of entitlement, and the inability to assume responsibility or take criticism, he says. Lack of empathy and a predisposition toward law enforcement are other red flags, Slotnick says.
Monitor employees under financial distress, adds Gurucul's Nayyar. "Look for wage garnishment, loans on 401(k)s, large medical bills, in conjunction with travel to foreign countries," she says.
In addition, be wary of insiders who suddenly start behaving in an atypical manner. For example, if an HR employee who typically works between 9 a.m. and 5 p.m. Monday through Friday suddenly starts working after hours and on weekends, take note, Spinner says.
"Sure, they might be trying to catch up on an important project the boss gave them using their personal computer. But they could also be on the lookout for sensitive information," he says.
"Savvy rogue insiders know or assume that there are security measures in place to keep an organization safe," Wyatt says. So they will try and find ways around them. Therefore, it is important to keep an eye out for installation of proxies, use of password-cracking apps, copying and pasting sensitive data into seemingly innocuous files, and attempts to disable or tamper with security tools such as DLP, she advises.
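The two indicators that lend themselves most directly to automation are the off-pattern activity described by Spinner (a user active far outside their own established hours and days) and the security-tool tampering Wyatt describes (stopping a DLP agent, installing a proxy). The script below is an added example, not code from the article or from Dtex, Gurucul or any other firm quoted; the log line format, the user and workstation names, the service and process names, and the baseline rule (a user's usual weekdays and hours, learned from activity before a cutoff date) are all assumptions constructed for illustration.

```python
"""First-pass insider-risk indicator scan over constructed activity logs.

Added example, not from the article or the vendors it quotes. Flags:
  1. activity outside a user's own learned working pattern (weekday and
     hour range seen before a cutoff date), e.g. an HR user with a
     Monday-to-Friday 9 a.m. baseline who is suddenly active late on a
     Saturday;
  2. attempts to stop security tooling (assumed service names) and starts
     of proxy installers (matched on the assumed image name).
Every finding is a lead for triage, not proof of malice.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event> key=value ..."
SAMPLE_LOG = """\
2018-07-02T09:05:00 hr.alice LOGON workstation=HR-12
2018-07-03T09:12:00 hr.alice LOGON workstation=HR-12
2018-07-04T08:58:00 hr.alice LOGON workstation=HR-12
2018-07-05T09:01:00 hr.alice LOGON workstation=HR-12
2018-07-06T09:07:00 hr.alice LOGON workstation=HR-12
2018-07-09T09:03:00 hr.alice LOGON workstation=HR-12
2018-07-14T23:41:00 hr.alice LOGON workstation=HR-12
2018-07-14T23:55:00 hr.alice FILE_COPY path=/hr/payroll.xlsx dest=removable:E
2018-07-16T10:20:00 it.bob LOGON workstation=IT-03
2018-07-16T10:22:00 it.bob SERVICE_STOP service=dlp-agent
2018-07-16T10:23:00 it.bob PROCESS_START image=proxy-installer.exe
"""

# Events dated before this point train the per-user baseline; later events
# are evaluated against it (constructed value for the sample above).
CUTOFF = datetime(2018, 7, 10)

# Assumed names of the endpoint security services that must keep running.
SECURITY_SERVICES = {"dlp-agent", "edr-sensor", "av-engine"}

# Fewer baseline observations than this and we refuse to judge a user's
# pattern: a thin history produces noise, not signal.
MIN_BASELINE = 5


def parse(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, *rest = line.split()
    detail = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), user, event, detail


def build_baselines(events, cutoff):
    """Per-user set of (weekday, hour) pairs observed before the cutoff."""
    base = defaultdict(set)
    for ts, user, _event, _detail in events:
        if ts < cutoff:
            base[user].add((ts.weekday(), ts.hour))
    return base


def off_pattern(ts, baseline):
    """True if ts falls on a weekday the user never worked or more than an
    hour outside the hour range the user was previously seen in."""
    if len(baseline) < MIN_BASELINE:
        return False
    days = {d for d, _ in baseline}
    hours = [h for _, h in baseline]
    lo, hi = min(hours) - 1, max(hours) + 1
    return ts.weekday() not in days or not lo <= ts.hour <= hi


def scan(log_text, cutoff=CUTOFF):
    """Return (user, indicator, detail) findings for events after cutoff."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    baselines = build_baselines(events, cutoff)
    findings = []
    for ts, user, event, detail in events:
        if ts < cutoff:
            continue
        if off_pattern(ts, baselines[user]):
            findings.append((user, "off-pattern-activity", ts.isoformat()))
        if event == "SERVICE_STOP" and detail.get("service") in SECURITY_SERVICES:
            findings.append((user, "security-tool-tamper", detail["service"]))
        if event == "PROCESS_START" and "proxy" in detail.get("image", "").lower():
            findings.append((user, "proxy-install", detail["image"]))
    return findings


if __name__ == "__main__":
    for user, indicator, detail in scan(SAMPLE_LOG):
        print(f"{user:10} {indicator:22} {detail}")
```

Run as-is, the script flags both of hr.alice's Saturday-night events (the logon and the payroll copy that follows it) as off-pattern, and flags it.bob for stopping the DLP agent and starting a proxy installer; it says nothing about it.bob's hours, because there is no history for that account. The baseline is deliberately learned per user rather than from a company-wide "9 to 5" assumption, which is what keeps the check from drowning shift workers and on-call staff in false positives, and the one-hour slack around the observed range is a tunable that trades sensitivity for noise.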