10:30 AM
Jason Straight

Spring Cleaning In The SOC: Focus On the Inside Threat

Along with warmer weather and melting snow, spring brings the perfect opportunity for user engagement. Here's how to transform insiders into your most sophisticated security device.

New York City has had more than its share of winter this year (not to slight this winter’s weather endurance contest winner – Boston). Despite school closings and transportation delays, the snowy winter does have its bright spots. There is nothing quite like seeing the city freshly blanketed with clean, unspoiled snow. My daughter loves the snow because “it covers up all the garbage.” She’s right, but nothing remains pristine for long in New York City. Soon residents churn the white snow into a gray, slushy mess, and the garbage beneath pokes through.

Speaking of gray, slushy messes full of garbage, how’s your network doing? Has your clean, shiny, unsullied infrastructure become a dark, shadowy world of orphaned files, nasty binaries, and data-siphoning ghouls? Just as New Yorkers quickly spoil their winter wonderland, users drag every network into blight and decay when they connect to it – and through it to the outside world. Ultimately, it comes down to the users. As they go, so goes network security.

Company after company has seen its network compromised by a seemingly endless barrage of attacks from, well, anywhere. Media reports on state-sponsored attackers and foreign criminal masterminds have drawn corporate attention outward. The security industry has responded with a dizzying array of tools and technology designed to keep the bad guys out. “Next-generation” firewalls, antivirus protection “on steroids,” and “advanced threat detection” capabilities have proliferated, helping create a $70 billion information security market.

Bruce Schneier, information security expert and occasional industry provocateur, has bluntly stated, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Yes! To be fair, today’s unprecedented array of tools empowers network defenders, but without strategic focus, sound processes, and informed people, the gap between the defenders and the attackers will remain.

And make no mistake – the attackers are winning and expanding their lead despite huge investments by defenders. While current and former employees cause 66% of security incidents, maybe as victims of phishing attacks or through slightly careless internet usage, an estimated 90% of security spend focuses on perimeter protection.

We’re looking out when we should be looking in.
Almost all attacks involve compromised credentials, and 84% of attacks for financial gain are “non-technical.” The attacks slip past millions of dollars of technical and physical protection mechanisms. If attackers want access to a computer system, they just ask for it with a cleverly crafted spear phishing email.


The good news is that the “human layer” has received little attention and security investment recently, leaving lots of room for improvement and an orchard full of the proverbial low-hanging fruit.

Certainly malicious insiders are dangerous. A trusted insider with authorized access is well positioned to steal, destroy, or expose sensitive data. Many companies have been burned by disgruntled IT staff or pilfered by departing sales staff. Malicious insiders are hard to detect. "Signs" that someone is going rogue could just as easily be "signs" of an overachiever: working long hours, accessing the network remotely, or taking an interest in other areas of the company. However, SIEM platforms and content-aware DLP systems can apply big-data analytics to this problem, baselining what is normal for each user and surfacing deviations from it. For companies ready to shift some resources from the castle walls to the interior, the return can be substantial.

But it ain’t easy.

The malicious insider is generally not the greatest threat at the human layer. Often, the loyal, well-intended but careless or uninformed insider somehow, unwittingly, aids the enemy. Maybe it’s the “road warrior” who stores business data on personal devices and cloud platforms, connects using “free WiFi” pretty much anywhere, and circumvents security controls to “maximize efficiency.” We have all seen it – and many of us have (gulp) done it.

[Learn more from Jason about insider threats and building a culture of security at his Interop session in Las Vegas on Friday, May 1.]

Or how about the imperious executive who wants 360-degree access to everything 24/7, gets the latest gizmos recommended by “tech whisperers,” blows off two-factor authentication, browbeats the help desk for policy exceptions, and auto-forwards corporate email to a personal webmail account.

Let’s not forget your vendors. Many companies rely on contract language, vendor reps and warranties, and insurance coverage for protection from attacks by vendors or third parties. Unfortunately, none of that prevents the reputational damage, data loss, or other financial harm stemming from a significant breach; at best it shifts some of the cost after the fact. Moreover, when vendors connect to your network, it’s on you to restrict their access to what they need and to monitor their activity appropriately.

And the list goes on.

Now hold on. Take a deep breath. Before you lock down your network and install 24/7 video surveillance cameras, think practically. First off, most users will help you if you educate and empower them appropriately – they want to protect your business as much as you. Second, some incredibly powerful tools are available to support your insider risk management program.

Any protection measure that impedes value creation should be carefully considered against its likely return. The last thing a company should create is a “police state” that monitors every digital step or unduly punishes well-intended employees for a simple mistake. Start with the basics, like acceptable use policies, email and web filtering, encryption and password policies, two-factor authentication, and remote access policies. A realistic, executive-sponsored, business-centric security awareness program (as opposed to a mandatory, 15-minute canned video for new employees!) can tremendously reduce insider risks. And the same SIEM, DLP, and behavioral analytic technologies that detect malicious insiders can help identify risky behavior by trusted users.
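The behavioral-analytics idea that runs through the discussion of malicious insiders above and the paragraph just before this one is simple to state: learn what is normal for each user, then look for stacked deviations rather than single oddities. Here it is as an added example, written for this page and not taken from the author, UnitedLex, or any SIEM or DLP product. The log format, field names, user names, the one-week baseline window, the per-user profile fields, and the "two independent signals before alerting" threshold are all assumptions; the log lines are constructed. It goes one step beyond the text by showing why the threshold matters: a user whose late-night VPN work is routine produces no alert, while a user whose normal pattern is daytime office access, then appears at 02:15 over VPN pulling far more data than usual, does.

```python
"""Per-user baseline-and-deviation scoring over constructed SIEM-style events.

Added example for this article, not the author's code or any vendor's.
Log format, field names, thresholds and user names are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). One event per line:
# ISO timestamp | user | network (corp or vpn) | action | bytes
SAMPLE_LOG = """\
2015-03-02T09:05:00|alice|corp|download|120000
2015-03-02T17:40:00|alice|corp|download|95000
2015-03-03T08:55:00|alice|corp|download|110000
2015-03-04T09:10:00|alice|corp|download|130000
2015-03-05T09:00:00|alice|corp|download|100000
2015-03-06T09:20:00|alice|corp|download|125000
2015-03-02T22:30:00|bob|vpn|download|80000
2015-03-03T23:10:00|bob|vpn|download|90000
2015-03-04T21:45:00|bob|vpn|download|85000
2015-03-05T22:05:00|bob|vpn|download|95000
2015-03-06T23:00:00|bob|vpn|download|70000
2015-03-09T23:30:00|bob|vpn|download|88000
2015-03-09T02:15:00|alice|vpn|download|4800000
"""

# Events before the cutoff form the baseline; events on/after it are scored.
CUTOFF = datetime(2015, 3, 9)


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, network, action, nbytes = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "network": network,
            "action": action,
            "bytes": int(nbytes),
        })
    return events


def build_baselines(events, cutoff):
    """Per-user profile from events strictly before cutoff: the hours the
    user is normally active (with one hour of slack either side), the
    networks they come from, and a byte-volume ceiling of mean + 3 sigma."""
    hours = defaultdict(set)
    networks = defaultdict(set)
    volumes = defaultdict(list)
    for e in events:
        if e["ts"] >= cutoff:
            continue
        for delta in (-1, 0, 1):
            hours[e["user"]].add((e["ts"].hour + delta) % 24)
        networks[e["user"]].add(e["network"])
        volumes[e["user"]].append(e["bytes"])
    return {
        user: {
            "hours": hours[user],
            "networks": networks[user],
            "samples": len(v),
            "volume_limit": mean(v) + 3 * pstdev(v),
        }
        for user, v in volumes.items()
    }


def score_event(event, baselines):
    """Return the list of deviation signals a single event triggers."""
    b = baselines.get(event["user"])
    if b is None:
        return ["no_baseline"]  # unknown user: worth a look, but one signal only
    signals = []
    if event["ts"].hour not in b["hours"]:
        signals.append("unusual_hour")
    if event["network"] not in b["networks"]:
        signals.append("unusual_network")
    # With fewer than 3 baseline samples the variance is meaningless; skip.
    if b["samples"] >= 3 and event["bytes"] > b["volume_limit"]:
        signals.append("volume_spike")
    return signals


def score_events(text, cutoff):
    """Score every event on/after cutoff against baselines built before it."""
    events = parse_log(text)
    baselines = build_baselines(events, cutoff)
    return [(e, score_event(e, baselines)) for e in events if e["ts"] >= cutoff]


def detect(text, cutoff, min_signals=2):
    """Alert only when independent signals stack up. Late hours or remote
    access on their own are exactly what an overachiever looks like."""
    return [
        {"user": e["user"], "ts": e["ts"].isoformat(), "signals": s}
        for e, s in score_events(text, cutoff)
        if len(s) >= min_signals
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, CUTOFF):
        print(alert)
```

In a real SIEM the baseline window would be weeks rather than days and the profile would include more than hours, networks and volume (destinations, file types, peer-group comparison), but the shape is the same: profile per user, score per event, alert on the combination. Tuning `min_signals` is the dial between the "police state" the text warns against and a queue an analyst can actually work.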

There is no “easy button.” IT resources alone cannot accomplish the hard work of creating reasonable, effective policies and implementing behavioral analytic tools. However, with committed key business stakeholders, an organization can dramatically improve security.

Along with warmer weather and melting snow (you may have to wait another month or so, Boston), spring brings the perfect opportunity for user engagement. Along with a sensible dose of technology, you can plant seeds of cultural change to protect your company in today’s cyber risk environment. You have a choice: your users can remain your biggest vulnerability, or you can transform them into your most sophisticated security devices.


Jason Straight<http://www.unitedlex.com/about-us/jason-straight.php> is the Senior Vice President and Chief Privacy officer at UnitedLex<http://www.unitedlex.com/>. He has more than a decade of experience assisting clients in managing information security risks, ...

François Amigorena
4/2/2015 | 6:26:28 AM
2015 could be the year for tackling insider threat

Great article Jason. Agree there is a lot that organizations can do now to help mitigate the risk from the insider threat. The good news from our latest report is that over a third of US professionals are planning to launch an insider threat program this year. They are also planning a combination of tactics with the majority including technology (66%) and organization-wide security training and awareness (57%) in their plans. 2015 could well be the year for tackling the insider threat!
