Insider Threats: Red Flags and Best Practices
Security pros list red flags indicating an insider attack and best practices to protect against accidental and malicious exposure.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd3d0904e391937d0/64f0da481209053c2adcf335/insider-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
Many businesses are finding the source of their greatest concerns are trusted employees with whom they interact every day.
The insider threat is growing, with more than half (53%) of organizations confirming insider attacks in the past 12 months and 27% stating they have become more frequent, according to a new study. High-profile incidents and news headlines have both spread awareness of the growing problem.
Ninety percent of businesses feel vulnerable to insider attacks, according to the new study by Cybersecurity Insiders. The group polled its member community of 400,000 people to learn about trends, insights, and guidance for its 2018 Insider Threat Report.
"You can see trend lines over time," says Holger Schulze, founder and CEO of Cybersecurity Insiders. "There is increased awareness not just that insider threats are real, but if and when they occur, they can be much more harmful than malicious attacks from the outside."
[Join Jean Marie Handy, senior threat researcher at Carnegie Mellon's Software Engineering Institute, for a conversation on "Detecting and Stopping Insider Data Leaks" at the INsecurity Conference, Nov. 29-30 in National Harbor, Md. Use code DR100 to save $100.]
Not all insider attacks are malicious in nature, says Jon Heimerl, manager of the threat intelligence communication team at NTT Security. Data from the company's latest Quarterly Threat Intelligence Report indicates 25% of insider threats are hostile; the remaining 75% are due to accidental or negligent activity.
While accidental threats are more numerous, malicious insiders could cause more damage.
"A malicious insider - a guy who gets a job and does industrial espionage or gets disgruntled - those breaches tend to be bigger because they have more access to a lot of data and know exactly where to look to find data to steal," says Heimerl. "That's the problem hackers usually have. They have to find what, and where, that cool data is."
How to know if an insider threat is imminent? Many organizations are trying to figure it out. Insider threat detection is the top focus for 64% of companies, followed by deterrence methods (58%), and analysis and post-breach forensics (49%).
"Organizations realize deterrence is important, but at the end of the day they have to assume - especially larger organizations - there are active insider threats and insider attacks occurring," Schulze notes.
Here, the experts lay out red flags and best practices to help you determine when an insider threat is happening and what you can do to protect yourself. Read on for more:
The top enabling risk factor for insider threats is too many users with access privileges, cited by 37% of organizations, reports Cybersecurity Insiders. Other risk factors include an increasing number of devices with access to sensitive data (36%) and greater complexity of IT (35%).
Companies are investing in protecting data with intrusion detection and prevention systems (63%), log management (62%), SIEM systems (51%), and predictive analytics (40%), according to the Cybersecurity Insiders survey. The extent of your tools will depend on the size of your business. Large organizations will want to invest in "all of the above," Schulze explains, but small ones may have to choose between a dedicated SIEM and dedicated monitoring system.
Heimerl advises storing valuable data in its own subnet, as that complicates the process of finding it for both internal and external attackers. If you have enough monitoring and security controls in place, you will notice when an unauthorized person repeatedly tries to gain access.
"Make sure you understand who actually needs access to your data, then you control that with a reasonable role-based access mechanism - user IDs, passwords - to make sure people have access to the data they actually need," says Heimerl. "It's hard to establish and maintain, but critical, especially if you're talking about an insider breach."
Behavioral monitoring tools have been continuously improving for the past year or so, says Heimerl. They build a profile of each individual and flag when activity deviates from their typical behavior. This may include the type of data they access and when they look for it.
Data indicates 94% of companies use tools to detect anomalous behavior, compared with 48% last year. Nearly half (44%) employ User Activity Monitoring as their top tool for managing user behavior, and 42% use server logs. Only eight percent have no visibility at all.
Many systems rely on artificial intelligence to look for anomalies, says Schulze. This may include a user who accesses 10-15 applications they don't normally use for work, or someone who logs into their VPN or databases on the weekend when they wouldn't normally be working. Backups of customer data, sales opportunities, and other records could also trigger an alert, he says.
Odd working hours could be a red flag, Schulze continues. "Employees, for no work-related reasons, stay late or come early to do things they're not supposed to do on their systems."
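The anomaly checks described above (applications a user does not normally touch, weekend VPN or database logins, activity outside the user's usual hours), as an added example written for this page rather than code from any of the tools mentioned; all users, applications and timestamps are constructed sample data:

```python
"""Added example, not from the article: a minimal behavioral-baseline check.
Builds a per-user profile from constructed historical access events (normal
applications and weekday hours), then flags new events that deviate: an
application outside the baseline, weekday activity far from the usual hours,
or weekend activity for a user who never works weekends.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, application, ISO timestamp). In practice these
# come from VPN, database and application logs over a training window.
HISTORY = [
    ("alice", "crm", "2018-03-05T09:12:00"),
    ("alice", "email", "2018-03-05T10:30:00"),
    ("alice", "crm", "2018-03-06T14:05:00"),
    ("alice", "email", "2018-03-07T16:45:00"),
    ("bob", "vpn", "2018-03-05T08:50:00"),
    ("bob", "db-customers", "2018-03-06T11:20:00"),
]

def build_profiles(events):
    """Per user: normal applications, weekday hours seen, weekend activity seen."""
    profiles = defaultdict(lambda: {"apps": set(), "hours": set(), "weekend": False})
    for user, app, ts in events:
        t = datetime.fromisoformat(ts)
        p = profiles[user]
        p["apps"].add(app)
        if t.weekday() < 5:
            p["hours"].add(t.hour)
        else:
            p["weekend"] = True
    return dict(profiles)

def flag_event(profiles, user, app, ts, hour_slack=1):
    """Return the reasons (possibly none) this event deviates from the baseline."""
    t = datetime.fromisoformat(ts)
    p = profiles.get(user)
    if p is None:
        return ["unknown user: no baseline"]
    reasons = []
    if app not in p["apps"]:
        reasons.append(f"unusual application: {app}")
    if t.weekday() >= 5:
        if not p["weekend"]:
            reasons.append("weekend activity")
    elif p["hours"] and all(abs(t.hour - h) > hour_slack for h in p["hours"]):
        reasons.append(f"off-hours activity at {t.hour:02d}:00")
    return reasons
```

A real deployment would build the baseline over weeks of logs and rate a user on the number of flagged events in a window rather than on a single event.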
Employees who are sloppy or careless about their work could be a sign of potential security risk, says Heimerl. "It could be an indication someone is disgruntled, and if they're disgruntled they're more likely to steal information," he explains.
This works both ways. While careless employees could harbor malicious intent and cause purposeful harm, they could also be the starting point for unintentional data leaks and dangerous exposure. Sloppy behavior is more likely to lead to accidental information sharing. If an employee consistently makes mistakes like accidentally emailing or posting corporate data, it's time to up security training -- or find a new hire.
"Making sure you identify good versus bad employees, and how qualified they are, is a significant part of the process that can't be minimized. In general, people underestimate how quality employee management could have a significant impact," says Heimerl.
Employee attitude can be difficult to gauge, says Schulze. Sometimes it's easy: if a performance appraisal went badly or large amounts of work are missing, you know someone might be upset. However, it's harder to tell if someone has financial problems, which may motivate them to sell valuable data. Some companies do background checks on new hires and existing employees to look for red flags, like a change in credit score, that could point to such problems.
"All insider behavior is motivated by something," Schulze adds.
As for best practices, businesses can start by organizing their data. You can't protect your most valuable information if you don't know what it looks like. If your company possesses large amounts of credit card data, for example, you'll want to know who has access to it. Do all employees need users' credit card information?
"The single most important thing you can do to protect your data is know what your data is," says Heimerl. "What is your cool data? Most companies don't know what their cool data is, much less where it is."
Schulze emphasizes the importance of understanding which data cannot leave the organization, as well as the data people might be interested in monetizing and leaking. Who is allowed access to that data? What sorts of policies are in place to protect it?
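The access review the two experts describe (know which data is sensitive, know who holds access to it, and compare that against what each role actually needs), as an added example written for this page; the datasets, roles, users and sensitivity labels are constructed samples, not from any real inventory:

```python
"""Added example, not from the article: a least-privilege access review.
Given a constructed data inventory (datasets with a sensitivity label), role
entitlements (datasets each role legitimately needs) and the current grants,
report grants that exceed a user's role and the headcount holding access to
each sensitive dataset, e.g. "do all employees need credit card data?".
"""
INVENTORY = {
    "cardholder-data": "restricted",
    "sales-pipeline": "confidential",
    "office-wiki": "internal",
}

# Which datasets each role legitimately needs for its work (constructed).
ROLE_NEEDS = {
    "billing": {"cardholder-data", "office-wiki"},
    "sales": {"sales-pipeline", "office-wiki"},
    "engineering": {"office-wiki"},
}

# Constructed current state: user -> (role, datasets actually granted).
GRANTS = {
    "alice": ("billing", {"cardholder-data", "office-wiki"}),
    "bob": ("sales", {"sales-pipeline", "cardholder-data", "office-wiki"}),
    "carol": ("engineering", {"office-wiki", "cardholder-data"}),
    "dave": ("engineering", {"office-wiki"}),
}

SENSITIVE = {"restricted", "confidential"}

def excess_grants(grants=GRANTS, role_needs=ROLE_NEEDS, inventory=INVENTORY):
    """Return {user: sorted sensitive datasets the user's role does not need}.
    An unknown role is treated as needing nothing, so all of its sensitive
    grants are reported."""
    excess = {}
    for user, (role, datasets) in grants.items():
        needed = role_needs.get(role, set())
        extra = sorted(d for d in datasets
                       if d not in needed and inventory.get(d) in SENSITIVE)
        if extra:
            excess[user] = extra
    return excess

def exposure(grants=GRANTS, inventory=INVENTORY):
    """Return {sensitive dataset: number of users holding access to it}."""
    counts = {d: 0 for d, label in inventory.items() if label in SENSITIVE}
    for _, datasets in grants.values():
        for d in datasets:
            if d in counts:
                counts[d] += 1
    return counts
```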
Some companies disable access to USB drives and DVD writers, as well as access to web-based email programs, so it's harder for people to take information outside the company, says Heimerl.
"The process of stealing data is harder so when someone needs to take actions, those actions are more easily visible," he says. NTT Security also advises implementing a tool to make it difficult to send emails outside the business, if doing so doesn't affect operations. While this may not prevent a malicious insider from sharing privileged data, it could reduce the risk of accidental breaches.