Jason Straight

Spring Cleaning In The SOC: Focus On the Inside Threat

Along with warmer weather and melting snow, spring brings the perfect opportunity for user engagement. Here's how to transform insiders into your most sophisticated security device.

New York City has had more than its share of winter this year (not to slight this winter’s weather endurance contest winner – Boston). Despite school closings and transportation delays, the snowy winter does have its bright spots. There is nothing quite like seeing the city freshly blanketed with clean, unspoiled snow. My daughter loves the snow because “it covers up all the garbage.” She’s right, but nothing remains pristine for long in New York City. Soon residents churn the white snow into a gray, slushy mess, and the garbage beneath pokes through.

Speaking of gray, slushy messes full of garbage, how’s your network doing? Has your clean, shiny, unsullied infrastructure become a dark, shadowy world of orphaned files, nasty binaries, and data-siphoning ghouls? Just as New Yorkers quickly spoil their winter wonderland, users drag every network into blight and decay when they connect to it – and through it to the outside world. Ultimately, it comes down to the users. As they go, so goes network security.

Company after company has seen its network compromised by a seemingly endless barrage of attacks from, well, anywhere. Media reports on state-sponsored attackers and foreign criminal masterminds have drawn corporate attention outward. The security industry has responded with a dizzying array of tools and technology designed to keep the bad guys out. “Next-generation” firewalls, antivirus protection “on steroids,” and “advanced threat detection” capabilities have proliferated, helping create a $70 billion information security market.

Bruce Schneier, information security expert and occasional industry provocateur, has bluntly stated, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Yes! To be fair, today’s unprecedented array of tools empowers network defenders, but without strategic focus, sound processes, and informed people, the gap between the defenders and the attackers will remain.

And make no mistake – the attackers are winning and expanding their lead despite huge investments by defenders. While current and former employees cause 66% of security incidents, maybe as victims of phishing attacks or through slightly careless internet usage, an estimated 90% of security spend focuses on perimeter protection.

We’re looking out when we should be looking in.
Almost all attacks involve compromised credentials, and 84% of attacks for financial gain are “non-technical.” The attacks slip past millions of dollars of technical and physical protection mechanisms. If attackers want access to a computer system, they just ask for it with a cleverly crafted spear phishing email.


The good news is that the “human layer” has received little attention and security investment recently, leaving lots of room for improvement and an orchard full of the proverbial low-hanging fruit.

Certainly malicious insiders are dangerous. A trusted insider with authorized access is well positioned to steal, destroy, or expose sensitive data. Many companies have been burned by disgruntled IT staff or pilfered by departing sales staff. Malicious insiders are hard to detect. “Signs” that someone is going rogue could be “signs” of an overachiever: working long hours, accessing the network remotely, or taking an interest in other areas of the company. However, SIEM technology and content-aware DLP systems successfully leverage big-data analytics to tackle this problem. For companies ready to shift some resources from the castle walls to the interior, the return can be substantial.

But it ain’t easy.

The malicious insider is generally not the greatest threat at the human layer. Often, the loyal, well-intended but careless or uninformed insider somehow, unwittingly, aids the enemy. Maybe it’s the “road warrior” who stores business data on personal devices and cloud platforms, connects using “free WiFi” pretty much anywhere, and circumvents security controls to “maximize efficiency.” We have all seen it – and many of us have (gulp) done it.

[Learn more from Jason about insider threats and building a culture of security at his Interop session in Las Vegas on Friday, May 1.]

Or how about the imperious executive who wants 360-degree access to everything 24/7, gets the latest gizmos recommended by “tech whisperers,” blows off two-factor authentication, browbeats the help desk for policy exceptions, and auto-forwards corporate email to a personal webmail account.

Let’s not forget your vendors. Many companies rely on contract language, vendor reps and warranties, and insurance coverage for protection from attacks by vendors or third parties. Unfortunately, none of that prevents the reputational damage, data loss, or other financial harm stemming from a significant breach. Moreover, when vendors connect to your network, it’s on you to restrict access and monitor activity appropriately.

And the list goes on.

Now hold on. Take a deep breath. Before you lock down your network and install 24/7 video surveillance cameras, think practically. First off, most users will help you if you educate and empower them appropriately – they want to protect your business as much as you. Second, some incredibly powerful tools are available to support your insider risk management program.

Any protection measure that impedes value creation should be carefully considered against its likely return. The last thing a company should create is a “police state” that monitors every digital step or unduly punishes well-intended employees for a simple mistake. Start with the basics, like acceptable use policies, email and web filtering, encryption and password policies, two-factor authentication, and remote access policies. A realistic, executive-sponsored, business-centric security awareness program (as opposed to a mandatory, 15-minute canned video for new employees!) can tremendously reduce insider risks. And the same SIEM, DLP, and behavioral analytic technologies that detect malicious insiders can help identify risky behavior by trusted users.
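As an added illustration (not part of the original column) of how the behavioral analytics mentioned above can weigh several of the risky habits described earlier, rather than alerting on any single one of them, the following Python sketch scores constructed audit events per user. The corporate domain, business hours, weights and threshold are assumptions, chosen so that one off-hours login alone (the overachiever case) stays below the review line while a combination of risky habits does not.

```python
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"   # assumption: the company's own mail domain
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 counts as normal

# Weights per signal (assumed values). A single weak signal never reaches the
# threshold on its own; it takes a combination to put a user up for review.
WEIGHTS = {
    "external_autoforward": 60,    # corporate mail auto-forwarded to a personal webmail domain
    "remote_login_no_mfa": 30,     # remote access with two-factor authentication bypassed
    "off_hours_remote_login": 10,  # weak on its own: may simply be a hard worker
}
REVIEW_THRESHOLD = 50

# Constructed sample audit records, not taken from any real system.
SAMPLE_EVENTS = [
    {"user": "exec1", "type": "mailbox_rule", "forward_to": "exec1@webmail.example.net"},
    {"user": "exec1", "type": "remote_login", "hour": 23, "mfa": False},
    {"user": "analyst2", "type": "remote_login", "hour": 22, "mfa": True},
    {"user": "analyst2", "type": "mailbox_rule", "forward_to": "team@example.com"},
]

def signals_for(event):
    """Map one audit record to zero or more named risk signals."""
    found = []
    if event["type"] == "mailbox_rule":
        domain = event["forward_to"].rsplit("@", 1)[-1].lower()
        if domain != CORPORATE_DOMAIN:
            found.append("external_autoforward")
    elif event["type"] == "remote_login":
        if not event["mfa"]:
            found.append("remote_login_no_mfa")
        if event["hour"] not in BUSINESS_HOURS:
            found.append("off_hours_remote_login")
    return found

def score_users(events):
    """Accumulate weighted signals per user; returns {user: (score, [signals])}."""
    scores = defaultdict(lambda: [0, []])
    for ev in events:
        for sig in signals_for(ev):
            scores[ev["user"]][0] += WEIGHTS[sig]
            scores[ev["user"]][1].append(sig)
    return {u: (s, sigs) for u, (s, sigs) in scores.items()}

def users_to_review(events, threshold=REVIEW_THRESHOLD):
    """Users whose combined score crosses the threshold, for analyst follow-up."""
    return sorted(u for u, (s, _) in score_users(events).items() if s >= threshold)

if __name__ == "__main__":
    print(users_to_review(SAMPLE_EVENTS))  # ['exec1']
```

The point of the weighting is the one the column makes: a late-night remote login by itself is as likely to be an overachiever as a rogue, so only the combination of auto-forwarding to personal webmail and skipping two-factor authentication pushes a user over the line.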

There is no “easy button.” IT resources alone cannot accomplish the hard work of creating reasonable, effective policies and implementing behavioral analytic tools. However, with committed key business stakeholders, an organization can dramatically improve security.

Along with warmer weather and melting snow (you may have to wait another month or so, Boston), spring brings the perfect opportunity for user engagement. Along with a sensible dose of technology, you can plant seeds of cultural change to protect your company in today’s cyber risk environment. You have a choice: your users can remain your biggest vulnerability, or you can transform them into your most sophisticated security devices.


Jason Straight<http://www.unitedlex.com/about-us/jason-straight.php> is the Senior Vice President and Chief Privacy Officer at UnitedLex<http://www.unitedlex.com/>. He has more than a decade of experience assisting clients in managing information security risks, ...

François Amigorena
User Rank: Author
4/2/2015 | 6:26:28 AM
2015 could be the year for tackling insider threat

Great article, Jason. Agree there is a lot that organizations can do now to help mitigate the risk from the insider threat. The good news from our latest report is that over a third of US professionals are planning to launch an insider threat program this year. They are also planning a combination of tactics, with the majority including technology (66%) and organization-wide security training and awareness (57%) in their plans. 2015 could well be the year for tackling the insider threat!