Mitigating Insider Threat Incidents
December 15, 2016 by Lore Engineering Team
Did you know that an organization’s insiders account for more than four out of 10 cyber-security incidents and that they often pose more of a threat than outsiders? The situation plays out something like this: An employee becomes disgruntled. In retaliation, he goes into the company’s network, steals information and corrupts data. The organization and its affiliates are the ones that suffer from the employee's crime.
Most organizations know these crimes occur and are frustrated with their own lack of experience, time and budget to prevent them.
“Challenges range from a lack of policy and procedure adherence and poor access management controls, to a need to balance security with an organization’s performance, [to] keeping employees informed about cyber-security risks, and a talent shortage of security professionals.”
Unfortunately, these growing pains are almost universal. However, they are not impossible to overcome. Technologies have been designed to manage adherence to procedures and alert security professionals to threats and/or violations. Some can also alert you to previously difficult-to-monitor activities such as USB storage anomalies, malicious encryption of data, etc. Furthermore, they achieve stellar threat detection while simultaneously adhering to employee privacy guidelines.
How Insider Threats Are Detected
Monitoring is the best defense against insider threats. Passively monitoring the network and individual desktops can drastically reduce the time and manpower necessary to investigate a potentially malicious act, and ensure serious violations are caught as soon as possible.
To devise an effective monitoring system, first identify the risks. While all data can be at risk, it’s important to consider the data that could have the biggest potential to cause harm to an organization. Customer data is one of the riskiest assets for a company as identity theft remains a major threat to economic stability. Some of the most common actions resulting in identity theft involve a vengeful insider copying information from the database or stealing a laptop or mobile device, and then claiming it lost. Understanding the asset risk can help devise a priority list of what types of activities need to be monitored.
Intellectual property theft is also a problem. IP theft is generally motivated by financial gain and/or revenge. Detecting potential IP theft starts with identifying the high-risk files associated with key IP projects and monitoring for unusual traffic patterns and access to those files. A starting point is logging activity during off hours, and setting alerts for unusual mobile storage use as well as suspicious mobile activities such as screenshotting while certain apps are open.
Activity logs can be highly useful when monitoring intellectual property violations, but effective evaluation also requires time and manpower. Through thorough analysis, logs can reveal harmful behavior from patterns of seemingly innocuous events. Conversely, a reduction in activity could suggest the employee is up to something during work hours.
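The three signals the last two paragraphs describe (off-hours access to high-risk IP files, unusual USB storage activity, and a drop in a user's normal activity volume) can be pulled out of plain activity logs with a few passes. This is an added example, not code from the original post; the log format, the `/share/ip/` high-risk prefix, the business-hours window and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from a real system): timestamp, user, action, path.
SAMPLE_LOG = """\
2016-12-05T09:12:04 user=alice action=read path=/share/ip/projectx/design.docx
2016-12-05T10:47:51 user=bob action=read path=/share/hr/handbook.pdf
2016-12-05T23:41:10 user=bob action=read path=/share/ip/projectx/schematics.pdf
2016-12-05T23:42:37 user=bob action=usb_copy path=/share/ip/projectx/schematics.pdf
2016-12-05T23:43:02 user=bob action=usb_copy path=/share/ip/projectx/design.docx
2016-12-05T23:43:40 user=bob action=usb_copy path=/share/ip/projectx/bom.xlsx
2016-12-06T14:05:12 user=alice action=read path=/share/ip/projectx/bom.xlsx
""".splitlines()

HIGH_RISK_PREFIXES = ("/share/ip/",)   # paths tied to key IP projects (assumed)
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 counts as normal working hours (assumed)
USB_COPY_THRESHOLD = 2                 # more than this many USB copies per user-day is unusual (assumed)

def parse_log(lines):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def off_hours_ip_access(events):
    """High-risk files touched outside business hours, as (user, iso timestamp, path)."""
    return [(e["user"], e["ts"].isoformat(), e["path"]) for e in events
            if e["path"].startswith(HIGH_RISK_PREFIXES) and e["ts"].hour not in BUSINESS_HOURS]

def usb_copy_anomalies(events):
    """Users whose USB copies on a single day exceed the threshold, with the count."""
    counts = Counter((e["user"], e["ts"].date()) for e in events if e["action"] == "usb_copy")
    return {user: n for (user, _day), n in counts.items() if n > USB_COPY_THRESHOLD}

def activity_drop(events, baseline_per_day, ratio=0.5):
    """Users whose event count on any observed day fell below ratio * their usual daily count."""
    days = {e["ts"].date() for e in events}
    per_day = Counter((e["user"], e["ts"].date()) for e in events)
    return sorted({u for u in baseline_per_day for d in days
                   if per_day[(u, d)] < ratio * baseline_per_day[u]})
```

The baseline passed to `activity_drop` is whatever the organization considers a user's normal daily volume; here it is supplied by hand, in practice it would come from a longer history.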
Employee Profiles to Protect an Organization
Most employees are trustworthy. Only a fraction of a company’s assets are at high risk. Most insider threat risk factors can be identified simply with an employee profile. Some easy markers include:
- Stress level of job
- Status in the company
- Turned down for a promotion
- Erratic behavior
- Several incident reports
Each organization is different, so it’s important to identify the additional factors that help build a behavioral profile of the employees who pose the greatest threat. There are dozens of excellent risk assessment and management applications that can identify and report on potentially malicious activities both inside and outside an organization. Many also offer pre-made reporting templates and real-time activity dashboards with up-to-the-minute threat assessments. Automated software isn’t a catchall for threat prevention, but it does help diminish the overwhelming manpower required for data analysis and frees up your high-value technical staff to do what they do best.
Implementing an Insider Threat Detection and Management System
A 360-degree view of an insider detection and management system involves behavioral monitoring, privilege escalation detection, and event correlation. Digging deeper into behavioral monitoring, companies start to consider a Network Intrusion Detection System (NIDS), network flow analysis, network protocol analysis and packet capture. For privilege escalation detection you’ve got to consider a Host Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM), which detects unauthorized user access attempts. Security Information and Event Management (SIEM) makes event correlation possible, which helps detect communications with malicious hosts and provides a centralized dashboard that prioritizes threats to make them more visible.
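The File Integrity Monitoring piece above comes down to a hashed baseline of the files you care about and a later comparison that reports what was added, removed or modified. This is an added example, not code from the original post; the directory layout and the tampered files are constructed in a temporary directory so it runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path

def build_baseline(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Diff two snapshots into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: snapshot a directory, change it, re-snapshot and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "sudoers").write_text("alice ALL=(ALL) ALL\n")
        (root / "notes.txt").write_text("keep\n")
        before = build_baseline(root)
        # Changes a FIM should surface: an edited privilege file, a new binary, a deleted file.
        with open(root / "config" / "sudoers", "a") as f:
            f.write("bob ALL=(ALL) ALL\n")
        (root / "dropped.bin").write_bytes(b"\x00")
        (root / "notes.txt").unlink()
        after = build_baseline(root)
        return compare(before, after)

if __name__ == "__main__":
    print(demo())
```

In a deployment the baseline would be stored outside the monitored host and the comparison scheduled, with each reported path forwarded to the SIEM so it can be correlated with the host's other events.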
All things considered, one of the biggest pitfalls companies then face is trying to cover all the bases while overpaying for redundant or bloated software that taxes both the network and an already strapped budget.
Constructing a comprehensive threat detection policy requires a thorough understanding of existing platforms, corporate structure and protocols, risk identification and asset management. If your company wants guidance in building its internal protection strategy, contact us now.