September is National Insider Threat Awareness Month (NIATM), a collaborative effort between the National Counterintelligence and Security Center (NCSC), National Insider Threat Task Force (NITTF), Office of the Under Secretary of Defense for Intelligence and Security (USD(I&S)), Department of Homeland Security (DHS), and Defense Counterintelligence and Security Agency (DCSA) to emphasize the importance of detecting, deterring, and reporting insider threats. In honor of National Insider Threat Awareness Month, we are posting the Top 10 Tips to Prevent Insider Threats.
One of the most pernicious problems in information security is the Insider Threat. The best firewalls in the world won’t keep out someone who can log in inside the wall. The most advanced multi-factor authentication system on the market won’t stop someone who is fully authorized to be there. Keeping files isolated won’t stop the person whose job includes access to the files.
While this sounds a little grim, the reality is you can beat the Insider Threat. It just takes a combination of tools and processes that can recognize and stop the insider threat before it goes from a potential problem to a major breach.
I know that top ten lists are a little cliché, and not everyone will agree on the order or even what to include, but here is our take on the top ten things you should know to contain the insider threat.
10: If You See Something, Say Something
There are a couple of parts to this. The first is the obvious one: if you see a colleague doing something that looks a little dicey, bring it up to Information Security. While getting involved may feel awkward, the truth is we are all a vital part of the security stack. The second part, while less obvious, is conducting a self-audit to see if you are at risk yourself. Some tools, like Gurucul’s Unified Security and Risk Analytics platform, include a self-audit capability that lets you identify things you may not have realized were putting you at risk. Users are provided a self-audit, much like a credit card statement, to view their own risk-ranked anomalous activities, identities, access, devices, and other key data points in an easy-to-use web portal. When users detect an anomaly, the false positive rate is very low, and the context provided is richer and faster than IT can provide.
9: Educate Users for The Win
Users are an organization’s greatest strength and sometimes, unfortunately, its greatest liability. While user education won’t stop a malicious insider, it will go a long way toward preventing an inadvertent security breach by someone who got phished, misused a public WiFi hotspot, or left files shared where they shouldn’t have. It can also give them the knowledge they need to recognize when someone else is doing something dicey, so they can say something. Education turns users into part of the solution, rather than part of the problem.
8: Purge Dormant and Orphan Accounts
How many idle accounts are in your directory? How many users who are no longer with the company are still in it? How many access groups for legacy teams that haven’t met in years are still in the system? How many users have permissions they inherited from a colleague, who inherited them from a colleague, for a project that no longer exists but still grants access to sensitive data? These are all User Access Hygiene issues that should be addressed on a routine basis.
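The routine review the tip calls for can be scripted against a directory export. The following is an added example, not code from the original post or from Gurucul; the account records, group names, 90-day idle threshold and review date are all constructed, and "employed" stands in for whatever HR feed tells you whether the account's owner is still with the company.

```python
from datetime import date, timedelta

# Constructed directory export (not real data): one record per account. "employed" is
# what HR says about the owner; "groups" are the access groups the account belongs to.
ACCOUNTS = [
    {"id": "alice", "enabled": True,  "employed": True,  "last_logon": date(2020, 9, 1),  "groups": ["finance-ro"]},
    {"id": "bob",   "enabled": True,  "employed": True,  "last_logon": date(2020, 2, 10), "groups": ["legacy-proj-x"]},
    {"id": "carol", "enabled": True,  "employed": False, "last_logon": date(2020, 8, 20), "groups": ["finance-ro", "hr-admins"]},
    {"id": "temp9", "enabled": True,  "employed": True,  "last_logon": None,              "groups": ["backup-ops"]},
    {"id": "dave",  "enabled": False, "employed": False, "last_logon": date(2019, 12, 1), "groups": ["legacy-proj-x"]},
]
GROUPS = ["finance-ro", "legacy-proj-x", "hr-admins", "backup-ops"]
TODAY = date(2020, 9, 15)  # constructed review date

def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts that never logged on, or have not within max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["id"] for a in accounts
                  if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff))

def orphan_accounts(accounts):
    """Enabled accounts whose owner has left: offboarding was missed."""
    return sorted(a["id"] for a in accounts if a["enabled"] and not a["employed"])

def stale_groups(accounts, groups, today, max_idle_days=90):
    """Groups that no healthy (enabled, employed, non-dormant) account still uses."""
    unhealthy = set(dormant_accounts(accounts, today, max_idle_days)) | set(orphan_accounts(accounts))
    in_use = {g for a in accounts
              if a["enabled"] and a["id"] not in unhealthy for g in a["groups"]}
    return sorted(g for g in groups if g not in in_use)

def hygiene_report(accounts, groups, today, max_idle_days=90):
    """One review list per hygiene issue; every entry is a candidate to disable or remove."""
    return {
        "dormant": dormant_accounts(accounts, today, max_idle_days),
        "orphaned": orphan_accounts(accounts),
        "stale_groups": stale_groups(accounts, groups, today, max_idle_days),
    }

if __name__ == "__main__":
    for issue, ids in hygiene_report(ACCOUNTS, GROUPS, TODAY).items():
        print("%-12s %s" % (issue, ", ".join(ids) or "none"))
```

Service accounts that legitimately never log on interactively will land on the dormant list; that is the point of a review list rather than an automatic purge.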
7: Implement Strong Authentication
Having valid credentials makes an attacker’s job much, much easier. Whether they gleaned them from a phishing attack, a compromised third-party site, or stole them from a colleague’s desk doesn’t matter. Simple user ID and password combinations aren’t enough. Passwords require a good minimum complexity and should never be reused across multiple locations. How often they should be updated is a matter of debate. Changing passwords too often leads to users writing them down because they can’t remember a new 15-character password every month. Changing them too rarely leads to them never being changed at all. In any case, multi-factor authentication (MFA) is a must. Even if an attacker gets the user ID and password, MFA can prevent them from using those credentials.
6: Control 3rd Party Access
Some major breaches have happened when a third-party vendor was compromised and the attacker leveraged that access to reach into their target organization. A challenge with third parties is holding them to the same security standards your organization uses. You don’t have visibility into their environment, so how can you fully trust them in yours? Access by third parties should be carefully controlled and monitored to make sure someone over there isn’t trying to go somewhere they shouldn’t. After all, there is no reason the HVAC company needs access to the Gift Card system.
5: Enable “Sentiment Analysis”
Sentiment analysis is a term that describes “figuring out what someone is thinking about.” In the context of cybersecurity, it means applying analytics and behavioral analysis to determine whether someone has become a threat. Is someone facing poor performance reviews or discipline on the job? Dealing with life stresses away from the office? Having some financial trouble? Even without access to personal information, out of respect for personal privacy, you do have internal information from HR, the card access system, local and remote logins, and the like. That information can be more than enough to indicate a potential risk well before it becomes a risk in fact.
4: Detect Account Compromise
Compromised accounts are a major issue. Whether it’s an account compromised through phishing, a “drive-by” web hijack, malware on a workstation, or any of the myriad ways an account can be compromised, the result is the same – a threat inside the walls. That makes detecting compromised accounts an important tool for reducing the Insider Threat. It’s especially important for organizations that haven’t implemented strong access controls (#7, above) since the accounts are easier to compromise. Detecting unauthorized access early can be the difference between telling a user to reset passwords and having to deal with a major incident.
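Two of the cheapest signals that an account, rather than its owner, is logging in are a first-seen device and two logins too far apart to have been the same person. The following is an added example, not code from the original post or from Gurucul; the login records, device identifiers, geolocations and the 900 km/h ceiling are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed login records (not real data), in chronological order: user, UTC time,
# geolocated source (lat/lon) and the device identifier presented at login.
LOGINS = [
    {"user": "alice", "time": "2020-09-10T09:00:00", "lat": 40.7128, "lon": -74.0060, "device": "d-alice-laptop"},
    {"user": "alice", "time": "2020-09-10T09:45:00", "lat": 51.5074, "lon": -0.1278,  "device": "d-unknown-7"},
    {"user": "bob",   "time": "2020-09-10T09:00:00", "lat": 40.7128, "lon": -74.0060, "device": "d-bob-desktop"},
    {"user": "bob",   "time": "2020-09-10T12:00:00", "lat": 42.3601, "lon": -71.0589, "device": "d-bob-desktop"},
]
# Devices each user has logged in from before (constructed baseline).
KNOWN_DEVICES = {"alice": {"d-alice-laptop"}, "bob": {"d-bob-desktop"}}
MAX_SPEED_KMH = 900.0  # about airliner speed; anything faster cannot be one person travelling

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_compromise(logins, known_devices, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, reason) alerts for first-seen devices and impossible travel."""
    alerts = []
    seen = {u: set(d) for u, d in known_devices.items()}
    last = {}  # user -> previous login record
    for ev in logins:
        user = ev["user"]
        if ev["device"] not in seen.setdefault(user, set()):
            alerts.append((user, "first login from device %s" % ev["device"]))
            seen[user].add(ev["device"])
        prev = last.get(user)
        if prev is not None:
            hours = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # A location change in zero time is the extreme case: treat it as impossible too.
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((user, "impossible travel: %.0f km in %.2f h" % (km, hours)))
        last[user] = ev
    return alerts

if __name__ == "__main__":
    for user, reason in detect_compromise(LOGINS, KNOWN_DEVICES):
        print(user, "-", reason)
```

Either alert on its own is a reason to ask the user; both together on one session is the early warning the paragraph describes, before the reset-versus-incident decision is made for you.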
3: Stop Data Exfiltration
What motivates an attacker and what they’re after can vary widely. One frequent target is intellectual property, which makes protecting the company’s data vital. Placing appropriate controls on the data, monitoring access, and preventing unauthorized movement can stop a malicious actor from achieving their aims even if they do manage to get inside. By analyzing efforts to exfiltrate data, it’s possible to identify an insider threat and mitigate the attack: whether it’s someone shifting files to an off-site file sharing site or sending file attachments to their personal email, they can be identified and stopped.
2: Detect and Stop Privileged Access Abuse
Privileged users can be the most pernicious Insider Threat. While the details change depending on who it is – admins who can give themselves access to restricted data or impersonate other users, or engineers who have access to the organization’s most valuable intellectual property, or executives who can go anywhere in the environment – they could all become a serious threat. Fortunately, there are good tools for monitoring and controlling sensitive information. Additionally, there are some common behaviors that reveal a user’s effort to abuse their privilege which makes identifying and stopping them possible before the data escapes.
1: Monitor User Behavior
The most effective counter to the Insider Threat is to monitor user behavior in real time to predict and detect abnormal user behavior associated with potential sabotage, data theft or misuse. User and Entity Behavior Analytics (UEBA) is the application of data science to create user and entity behavior baselines from historical access and activity. Once behavior baselines are established, analytics are used to monitor user and entity behavior in real time. UEBA ingests massive amounts of data and provides insight into what’s actually going on with users in your organization, as it’s happening. The key to predicting the insider threat is to identify when user behavior starts becoming anomalous and then to take corrective action. That action can be automated and orchestrated for optimum effect in environments where you are looking at millions of user activities and events per second.
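The baseline-then-score loop at the heart of tip #1, applied to the exfiltration signals from tip #3 (data sent to external file-sharing or personal webmail domains, and volume of sensitive files opened). This is an added example, not code from the original post or from Gurucul's product; the two metrics, the seven days of per-user history, today's totals and the z-score threshold of 3 are all constructed, and every scored user is assumed to already have a history.

```python
from statistics import mean, pstdev

# Metrics tracked per user per day. Constructed history (not real data): seven days of
# (MB sent to external file-sharing or personal webmail domains, sensitive files opened).
METRICS = ("external_mb", "sensitive_files")
HISTORY = {
    "alice": [(12, 8), (15, 10), (9, 7), (14, 9), (11, 8), (13, 9), (10, 8)],
    "bob":   [(2, 30), (3, 28), (1, 35), (2, 31), (4, 29), (2, 33), (3, 30)],
}
# Today's totals so far (constructed): alice is normal, bob starts bulk-reading and uploading.
TODAY = {"alice": (14, 9), "bob": (850, 210)}

def build_baselines(history):
    """Per-user (mean, population stdev) of each metric over the historical days."""
    baselines = {}
    for user, days in history.items():
        columns = zip(*days)  # one column per metric
        baselines[user] = {m: (mean(c), pstdev(c)) for m, c in zip(METRICS, columns)}
    return baselines

def score_day(baseline, values, z_threshold=3.0):
    """Anomalous metrics for one user-day as {metric: z-score against that user's baseline}."""
    anomalies = {}
    for metric, value in zip(METRICS, values):
        mu, sigma = baseline[metric]
        if sigma == 0:  # perfectly flat history: any increase at all is anomalous
            z = float("inf") if value > mu else 0.0
        else:
            z = (value - mu) / sigma
        if z >= z_threshold:
            anomalies[metric] = round(z, 1)
    return anomalies

def detect(history, today, z_threshold=3.0):
    """Users whose behaviour today deviates from their own baseline, with the reasons."""
    baselines = build_baselines(history)
    flagged = {}
    for user, values in today.items():
        anomalies = score_day(baselines[user], values, z_threshold)
        if anomalies:
            flagged[user] = anomalies
    return flagged

if __name__ == "__main__":
    for user, reasons in detect(HISTORY, TODAY).items():
        print(user, reasons)
```

Scoring each user against their own history is what keeps bob's normal 30 sensitive files a day from looking like alice's anomaly, and it is the hook where the automated response the paragraph mentions would attach.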
Individual organizations might reorder things or swap threats in and out to suit their own situation, but there you have it. The top ten tips for identifying and combating the Insider Threat.
Gurucul has a bunch of resources to help your organization combat the Insider Threat if you’re interested:
- Replay our webinar on demand: Practical Advice to Uplevel your Insider Threat Program Today
- Download our whitepaper: Uncover Insider Threats through Predictive Security Analytics
- Read the 2020 Insider Threat Survey Report
- Check out our 2020 RSA Conference Survey – What’s Your Risk Score?
- Contact us for a demo of Gurucul’s User & Entity Behavior Analytics product