
This article is part 1 of 3 in the “Insider Enterprise Threats” series, outlining effective policies and practices for combating insider cyber security threats to the modern enterprise.

Insider cyber security threats are much more prevalent than most of us realize.

IBM estimates that 60 percent of all cyberattacks are perpetrated by those with insider access; McAfee cites enterprise insiders as a major source of PII (Personally Identifiable Information) sold on the dark web, particularly in the healthcare industry; and at least two-thirds of major corporations reported insider threat incidents in 2016 ranging from file theft and destruction to selling passwords and deliberately sabotaging critical systems.

Although it’s not the focus of this article, even government organizations face these threats, with over 40 percent reporting such incidents every year. It’s a serious yet incredibly overlooked risk.

Employees turn malicious for a variety of reasons.

Some are disgruntled and respond by acting out electronically against their coworkers and employers. Others have personal or financial problems outside of work that trickle into the workplace and manifest themselves in destructive behavior. This includes those who may be bribed or financially incentivized to sell credentials or other information. Still others are simply thrill-seekers who might enjoy file theft or system sabotage. As research in cyber psychology shows, we’re likely to behave more recklessly online than we are in person anyway.

There are many aspects to addressing and combating these insider threats. Much like anything in security, there is no “silver bullet” that will instantly and irreversibly absolve all risk. Instead, securing an enterprise against insider threats involves a comprehensive and multi-pronged approach, bringing together monitoring, active threat identification, training, a corporate security culture, and more – which will be addressed over the course of this series.

This first article will focus on monitoring cyber behavior in the workplace. The second article’s focus will be technical “IT” solutions for monitoring and securing systems and files themselves, and the third article’s focus will be on monitoring human behavior outside of the digital domain and outside of the enterprise itself. While nothing is ever perfect, these three approaches, when properly integrated, form a strong defense against insider cyber threats.

How Can User Activity Monitoring Help?

So, why user monitoring? Certainly, employees won’t like being included in their own organization’s threat profile, and it may be equally uncomfortable on the management end. “Surveillance” in the workplace is also a contentious issue in and of itself, whether tracking email conversations, device logs, or Internet search histories. Nobody likes being distrusted – particularly on paper (and in code).

Combating threats from inside an enterprise, however, is impossible if you’re not looking for them in the first place. Just as forgoing a perimeter firewall would be negligent in the face of outside hackers, so too would be skipping over user monitoring. This may raise some complicated questions, but user monitoring programs are necessary.

First, organizations should monitor employees’ Internet behavior for its normal patterns while looking for activity that departs from them. Data analytics is helpful in this regard. If you observe any outliers, such as connections to unknown or foreign IP addresses, those incidents should be flagged and reported. The same goes for when employees log on remotely; if an accountant who never works from home begins sending data requests in the middle of the night, something might be awry.

Security teams should also watch for strange downloads and file transfers, particularly by users who have access to PII and other sensitive enterprise information (e.g., financial data or intellectual property documents). As you investigate these incidents and pinpoint their causes, use this information to improve your monitoring and analytics.

Volumes of activity can similarly provide valuable insight. It’s certainly true that some users may work remotely or visit strange IPs as part of their job. But sudden or dramatic increases in that activity itself – like excessive printing, file downloading, and after-hours access – should set off alarm bells.

And again, this monitoring should run on a mix of technical and human work. For instance, if you set a printing threshold that employees know about, it would take a human observer to notice that an employee is printing just under the threshold every single night.

User monitoring still carries over to after an employee’s departure. In addition to “freezing” old accounts (so login attempts won’t work), place flags on old credentials. Employees who are laid off or terminated may choose to sell their usernames and passwords online or attempt to sabotage company systems from afar – such incidents should be detected immediately.
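The detections sketched in the preceding paragraphs (logons from addresses outside the corporate ranges, after-hours remote logons by someone who never works remotely, printing kept just under a published nightly threshold on consecutive nights, and logon attempts with the credentials of a departed employee) are shown below as an added Python example; it is not code from the original article. The log lines, address ranges, user baselines, account list and threshold values are all constructed for illustration.

```python
"""Toy detections for the user-activity monitoring ideas in the article.

Everything here (users, addresses, thresholds, log lines) is constructed for
the example and does not describe any real environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed corporate address ranges; anything outside them is "unknown".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]

# Constructed baseline: who is known to work remotely, and which accounts
# belong to departed employees and have been deactivated and flagged.
REMOTE_WORKERS = {"bob"}
DEACTIVATED = {"carol"}

# Published printing threshold (pages per night) that employees know about.
PRINT_THRESHOLD = 500
NEAR_FRACTION = 0.9   # "just under" means within 10 % below the threshold
NEAR_DAYS = 3         # on this many consecutive nights

# Constructed log: timestamp, user, event, key=value details.
LOG = """\
2017-03-06T02:14:00 alice logon src=198.51.100.7 remote=1
2017-03-06T09:05:00 bob logon src=10.1.2.3 remote=0
2017-03-06T21:30:00 alice print pages=480
2017-03-07T21:40:00 alice print pages=470
2017-03-08T21:35:00 alice print pages=490
2017-03-08T10:00:00 bob logon src=198.51.100.9 remote=1
2017-03-09T11:15:00 carol logon src=203.0.113.20 remote=0
"""


def parse(line):
    """Split one log line into (timestamp, user, event, {key: value})."""
    ts, user, event, *kv = line.split()
    detail = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), user, event, detail


def after_hours(ts):
    """Constructed definition of 'after hours': 22:00 to 06:00."""
    return ts.hour >= 22 or ts.hour < 6


def detect(log_text):
    """Return a list of (user, reason) findings for the given log text."""
    findings = []
    pages_by_user_day = defaultdict(dict)

    for line in log_text.splitlines():
        ts, user, event, d = parse(line)
        if event == "logon":
            # Departed employee's credentials are still being used.
            if user in DEACTIVATED:
                findings.append((user, "logon with deactivated credentials"))
            # Source address outside corporate ranges, for someone who is
            # not known to work remotely.
            src = ipaddress.ip_address(d["src"])
            if (not any(src in net for net in CORPORATE_NETS)
                    and user not in REMOTE_WORKERS):
                findings.append((user, f"logon from unknown address {src}"))
            # Remote logon in the middle of the night by a non-remote user.
            if (d.get("remote") == "1" and after_hours(ts)
                    and user not in REMOTE_WORKERS):
                findings.append((user, "after-hours remote logon by non-remote user"))
        elif event == "print":
            pages_by_user_day[user][ts.date()] = int(d["pages"])

    # Volume just under the known threshold, night after night: each night
    # alone passes the threshold check, so only the run across days stands out.
    for user, by_day in pages_by_user_day.items():
        run, prev = 0, None
        for day in sorted(by_day):
            near = NEAR_FRACTION * PRINT_THRESHOLD <= by_day[day] < PRINT_THRESHOLD
            consecutive = prev is not None and (day - prev).days == 1
            run = run + 1 if (near and consecutive) else (1 if near else 0)
            prev = day
            if run == NEAR_DAYS:
                findings.append((user, f"{NEAR_DAYS} consecutive nights printing "
                                       f"just under the {PRINT_THRESHOLD}-page threshold"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(LOG):
        print(f"{user}: {reason}")
```

Run against the constructed log, this flags alice three times (an unknown source address, an after-hours remote logon, and three nights of printing just under the threshold), flags carol's deactivated account, and leaves bob alone because his out-of-network logon matches his remote-work baseline. The last rule is the point of the "just under the threshold every night" remark: a per-event threshold never fires, so the detection has to look at the pattern across days.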

Of course, all of this monitoring isn’t too helpful without rapid-response capabilities. Being able to quickly terminate IP connections, lock down accounts, and end file transfers mid-execution are all essential to not just detecting – but preventing – insider threats in real time.

Further, it’s critical to document any insider threat evidence collected through this monitoring. In order to prove that an employee is an insider threat, and even to prosecute them in a court of law, there needs to be clear, meticulously kept evidence. This is another value added by monitoring.

So, remember: as with most cyber security threats faced by a modern enterprise, threats don’t just need to be identified and flagged; they need to be quickly and aggressively combated by the entire organization itself. It’s just another part of a comprehensive security posture.


About the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.