Defending Against Insider Threats

by Javvad Malik

This article is the second in a two-part series. Read the first part here.

Regardless of which category insider threats fall into, companies must have the ability to quickly detect and respond to suspicious activity. However, this can be challenging as perimeter and preventative security controls are largely ineffective because the attackers are already “inside” the corporate system.

As with many other attack methods, a layered defense is the most effective way to combat insider threats. Here are five security best practices to enhance your insider threat prevention and detection strategy.

  • Implement procedural and user policies – Procedural and user controls are important to gain management support and ensure that policies implemented will be acceptable from both a legal as well as a cultural perspective. Examples demonstrating these controls include documenting activities that are explicitly banned in the employee code of conduct, and having asset managers review access requests made to business applications under their control.

These controls provide a framework within which aggrieved employees can escalate issues. The hope is that, with such policies in place, employees feel like management is listening to them, before they resort to harmful acts against the company to get a response.

  • Deploy technical controls – Insider threat detection techniques lie in monitoring user activity as opposed to system activity. As such, organizations need to first establish what constitutes normal user behavior within their environment. Once these controls are in place, and a baseline (of both normal activity and peer activity) is established, then analytical techniques can be used to identify suspicious user activity and outliers. Baselines can also be set against logins (times/locations), file or system access, network traffic, or even endpoint activity amongst others to catch any user behavior that deviates from the norm.

Once a baseline of normal activity is obtained, detecting outliers becomes easier. For example, HR users connecting to an employee database is probably a normal part of operations. But, if a user in marketing suddenly starts accessing a vast number of records within the employee database, something is likely very wrong.
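The baseline-and-outlier approach described above, as an added example that is not part of the original article: it builds a per-user and per-department baseline of daily employee-database reads from constructed audit-log lines, then flags a day where a marketing user's read count exceeds both her own history and her peers' (the log format, field names and the 3-sigma-plus-floor threshold are assumptions for the demonstration).

```python
import statistics
from collections import defaultdict

# Constructed audit-log lines: date user department resource records_read
SAMPLE_LOG = """\
2024-03-01 alice hr employee_db 110
2024-03-02 alice hr employee_db 95
2024-03-03 alice hr employee_db 130
2024-03-01 bob hr employee_db 80
2024-03-02 bob hr employee_db 105
2024-03-03 bob hr employee_db 90
2024-03-01 carol marketing employee_db 2
2024-03-02 carol marketing employee_db 0
2024-03-03 carol marketing employee_db 1
2024-03-01 dave marketing employee_db 0
2024-03-02 dave marketing employee_db 3
2024-03-03 dave marketing employee_db 1
2024-03-04 alice hr employee_db 115
2024-03-04 carol marketing employee_db 4200
"""

def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, user, dept, resource, count = line.split()
            events.append({"date": date, "user": user, "dept": dept,
                           "resource": resource, "count": int(count)})
    return events

def _threshold(samples, floor=10):
    """Mean + 3 standard deviations, but at least mean + floor so that a
    near-zero-variance history (e.g. 0,1,2 reads) does not alert on noise."""
    mean = statistics.mean(samples)
    return max(mean + 3 * statistics.pstdev(samples), mean + floor)

def find_outliers(history, new_events):
    """Alert when a day's count beats both the user's own baseline and the
    department (peer) baseline; a user with no history is judged by peers alone."""
    per_user, per_dept = defaultdict(list), defaultdict(list)
    for e in history:
        per_user[e["user"]].append(e["count"])
        per_dept[e["dept"]].append(e["count"])
    alerts = []
    for e in new_events:
        own = per_user.get(e["user"])
        peers = per_dept.get(e["dept"], [])
        above_self = own is None or e["count"] > _threshold(own)
        above_peers = bool(peers) and e["count"] > _threshold(peers)
        if above_self and above_peers:
            alerts.append((e["user"], e["dept"], e["count"]))
    return alerts

def run_example(cutoff="2024-03-04"):
    """Use days before the cutoff as the baseline and score the cutoff day."""
    events = parse_log(SAMPLE_LOG)
    return find_outliers([e for e in events if e["date"] < cutoff],
                         [e for e in events if e["date"] >= cutoff])
```

Alice's 115 reads stay inside her HR baseline, while Carol's 4200 reads on 2024-03-04 exceed both her own and marketing's baseline and produce the single alert.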

  • Rely on threat intelligence – Threat intelligence has emerged as a valuable asset to help identify all forms of threats, including those posed by insiders. Threat intelligence will help organizations detect instances where a user may be establishing connections with and sending data out to malicious sites, or command and control servers. Threat intelligence can also help security teams identify where a partner or third-party may have been compromised.

In today’s dynamic and evolving threat environment, busy IT security teams often don’t have the time or resources to analyze emerging insider and outsider threat data on their own. Threat intelligence accomplishes this for them, which is why integrating it into existing security systems is crucial to the detection and response process today. Threat-sharing communities are becoming much more popular as companies look for ways to stay up to date on emerging threats.

  • Prioritize behavioral monitoring – Understanding “normal” behavior of users on systems can help identify where an insider has deviated, which could indicate signs of malicious activity. For example, if a user begins to access sensitive files across projects that the user has never accessed before, nor has any of his peers, then it could indicate a threat. Similarly, a spike in the volume of data transferring across the network, or being copied onto an external drive, would merit further investigation.
  • Establish rapid response steps – Many insider threats act on impulse. A bad review, a pay cut, a lost contract, or dismissal can all lead to an insider acting inappropriately. For example, a user that has access to the corporate Twitter account could cause significant reputational harm. Similarly, a user could start deleting critical files from servers.

It is not always possible to predict when these acts may happen, but security teams should be prepared to take action when they do occur. It’s important to have timely monitoring controls in place to detect untoward behavior (e.g., sentiment analysis monitoring for the corporate Twitter account). Then, when inappropriate activity is discovered, response processes should be able to quickly isolate the user, revoke access and repair any damage done.

Defending your company from insider threats requires a different strategy and approach than dealing with malware, hackers and other types of cybercrime. And because the risk of internal attacks can often be higher than that of outside threats, it needs to be taken seriously. Learning more about insider threats, developing strategies to detect them, and following security best practices, such as those listed above, will help you fortify your internal defense strategy and better protect vital company assets.

Javvad Malik is the security advocate at AlienVault.


WWPI – Covering the best in IT since 1980