In the first part of this series, we examined the seriously overlooked threat posed by malicious insiders – employees, contractors, and more – and discussed user monitoring mechanisms that can help identify and detect these threats as they arise. In this second article, we’ll identify technical solutions for providing situational awareness across networks, securing files, and other security solutions designed to prevent, detect, and monitor malicious behavior. This time, the focal point is the technology itself. While monitoring cyber behavior is vital to combating insider threats, it won’t stand on its own; systems, applications, data, devices, and other digital services should be technically secured and monitored against malicious insider activity as well. This poses a number of challenges.
Insider Enterprise Threats Challenges

Traditional defense mechanisms fail against insiders. Perimeter firewalls, intrusion detection systems, and multifactor authentication standards are meaningless against an adversary who has active and legitimate access to systems and information. They are already “inside” the cyber boundaries laid by conventional security software, which makes them even more likely to slip through the cracks and cause considerable harm. Further, even if we do monitor the activity on a user’s account, there are challenges in discriminating between normal and abnormal behavior. Change management is critical. The integrity of the files is critical for true network situational awareness. If an encrypted file is read dozens of times a day by an accounting team, will the system notice if someone outside of accounting decrypts the file? What about a malicious insider within accounting – would they be detected? How do we distinguish between legitimate file transfers and non-legitimate ones? What about using USB sticks legitimately (e.g. backing up presentations for a business trip) versus maliciously (e.g. installing malware on company systems)? Along this vein, ideal policy solutions to these problems may be impractical. For instance, it might be convenient to block all Internet downloads, including email attachments, but this last point would massively impair organizational communication. It might also be desirable, on some level, to prevent employees from bringing their own devices into work, but again, this may result in the same inconvenience. Imagine a visual design company prohibiting iPads. (Some policies, though, might in fact be possible – like banning USB sticks.) In short: insider threats are complicated not just from a monitoring perspective but from a technical security perspective as well. Employees should be treated equally, though this makes it hard to know who (if anyone) is a malicious insider.
As a result, we need robust IT protections and robust risk mitigation protocols to complement other defenses.
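The two detection questions raised above (an outsider decrypting the accounting team’s file, and an insider within accounting behaving abnormally) can be answered from the access log itself. The following is an added example, not code from the original article; the log format, the department labels and the sample lines are constructed for illustration, and the 80% share and 3x-median thresholds are assumed tuning values.

```python
"""Flag reads of a file by users outside its normal department and unusually heavy
readers inside it. Added example (not the article's code); log lines are constructed."""
from collections import Counter, defaultdict
from statistics import median

# Constructed audit log: time, user, department, action, file
SAMPLE_LOG = """\
09:01 alice accounting DECRYPT /finance/q1-ledger.xlsx
09:05 bob accounting DECRYPT /finance/q1-ledger.xlsx
10:12 carol accounting DECRYPT /finance/q1-ledger.xlsx
11:30 dave it DECRYPT /finance/q1-ledger.xlsx
14:02 eve accounting DECRYPT /finance/q1-ledger.xlsx
14:03 eve accounting DECRYPT /finance/q1-ledger.xlsx
14:03 eve accounting DECRYPT /finance/q1-ledger.xlsx
14:04 eve accounting DECRYPT /finance/q1-ledger.xlsx
"""

def parse(log):
    """One dict per log line."""
    keys = ("time", "user", "dept", "action", "path")
    return [dict(zip(keys, line.split())) for line in log.splitlines()]

def build_baseline(events, min_share=0.8):
    """Per file, the department that accounts for at least min_share of reads."""
    per_file = defaultdict(Counter)
    for e in events:
        per_file[e["path"]][e["dept"]] += 1
    baseline = {}
    for path, counts in per_file.items():
        dept, n = counts.most_common(1)[0]
        if n / sum(counts.values()) >= min_share:
            baseline[path] = dept
    return baseline

def find_outsiders(events, baseline):
    """Reads by anyone outside the file's baseline department."""
    return [(e["path"], e["user"]) for e in events
            if e["path"] in baseline and e["dept"] != baseline[e["path"]]]

def find_heavy_readers(events, baseline, factor=3):
    """Baseline-department users reading more than factor x their peers' median."""
    per_file_user = defaultdict(Counter)
    for e in events:
        if baseline.get(e["path"]) == e["dept"]:
            per_file_user[e["path"]][e["user"]] += 1
    flagged = []
    for path, counts in per_file_user.items():
        med = median(counts.values())
        flagged += [(path, u, n) for u, n in counts.items() if n > factor * med]
    return flagged
```

In the constructed log, `dave` (IT) is flagged as an outsider and `eve` (accounting) as a heavy reader; the baseline should be learned from a clean historical window rather than the same day being inspected.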
How Can IT Security Solutions Help?

Focus heavily on user access control. Set default account privileges to the minimum needed for daily tasks and then vary those privilege baselines between departments and roles. IT staff will likely need higher permission levels than accounting personnel, to use just one example, although they likely shouldn’t have access to client financial information. Similarly, if an employee needs elevated access for a temporary project (e.g. security testing), their access should be revoked as soon as the project ends, their increased privileges should be officially documented, and this should then affect how their activity is monitored – both logistically and rigorously (again, discussed more in the first article). Encryption-based security solutions, and encrypting data with industry-grade protocols, mitigate the potential damage caused by an employee stealing information or selling credentials. Block file deletion in almost all circumstances, and make sure heavy backups and redundancies are in place. If a single angry IT employee can irreversibly delete critical business documents, that’s only asking for trouble. Similarly, place clear restrictions on who can modify which files and under what circumstances. Identity-based access control, true change management, and the ability to record an unauthorized action are the best defense for all-around risk management and mitigation. Prohibit users from running non-whitelisted executables, particularly when they’re loaded off of CDs or thumb drives. Block strange IP connections and known malicious websites, restrict Internet downloads, prevent remote printing (e.g. sending documents from work to a device at home), and prevent unencrypted remote logins to your system. Additionally, don’t let users modify network logs, prevent employees from disabling or altering antivirus programs, and don’t make multi-factor authentication an option that users can turn off.
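The change-management point above (restricting who may modify or delete which files, and recording any unauthorized action) comes down to a baseline-and-compare check tied to an approved-change list. The following is an added example written for this article, not code from the article or from Tripwire’s product; the approved-change format, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check with change authorization.
Added example, not the article's or Tripwire's code; scenario is constructed."""
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(base.rglob("*")) if p.is_file()}

def compare(old, new):
    """Return (added, modified, deleted) relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, modified, deleted

def unauthorized(changes, approved):
    """Every change not covered by an approved change record is unauthorized.
    approved: {relative path: set of permitted actions}, e.g. from a change ticket."""
    added, modified, deleted = changes
    findings = []
    for action, paths in (("added", added), ("modified", modified), ("deleted", deleted)):
        for p in paths:
            if action not in approved.get(p, set()):
                findings.append((action, p))
    return findings

def demo():
    """Constructed scenario: one approved edit, one unapproved edit, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "finance").mkdir()
        (r / "finance" / "ledger.csv").write_text("acct,amount\n1001,500\n")
        (r / "finance" / "policy.txt").write_text("v1\n")
        (r / "etc").mkdir()
        (r / "etc" / "app.conf").write_text("debug=false\n")
        before = hash_tree(root)
        (r / "finance" / "policy.txt").write_text("v2\n")   # covered by a change ticket
        (r / "etc" / "app.conf").write_text("debug=true\n")  # no ticket
        (r / "finance" / "ledger.csv").unlink()              # deletion is never approved
        approved = {"finance/policy.txt": {"modified"}}
        return unauthorized(compare(before, hash_tree(root)), approved)

if __name__ == "__main__":
    for action, path in demo():
        print(f"UNAUTHORIZED {action}: {path}")
```

The baseline itself must live where the monitored users cannot alter it, for the same reason the article says users must not be able to modify logs.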
These will only strengthen enterprise security against malicious insider behavior. As addressed in the last piece, establish robust monitoring protocols to flag such incidents. Security and management personnel need real-time information to quickly contain insider threats, and only well-refined feedback loops will ensure it. After employees are terminated, for instance, immediately deactivate their login credentials. If employees switch jobs or departments, re-evaluate and reclassify their digital privileges. If contractors need system access, rigorously monitor and scrutinize their cyber behavior – and so on and so forth. We could go on all day about technical protections against insider threats, from purchasing forensic toolkits and malware removal software to conducting system audits and creating “honeypots” to trap both technical and nontechnical threats. It should be clear, though, that without a completely integrated approach to insider threats, enterprise organizations will fail to achieve a robust cyber security posture. Security needs to be a holistic effort. To learn more about how Tripwire can help protect your business from insider threats, click here.