Does my company need to be more proactive about insiders during hard times?
Simply put - yes. Given stressful situations, people are more likely to partake in risky activity, malicious, criminal or otherwise. While there is no technological panacea, technology can help in detecting the early warning signs of nefarious activities on the network. But instead of just discussing the technology, let's take a closer look at things from a human perspective to understand the non-technical drivers, and why given today's "hard times" it is of even greater importance to be even more proactive with regard to monitoring nefarious insider activity.
I'm not a criminal psychologist, but several have conducted research in this area. Mike Gelles, formerly of the Naval Criminal Investigative Service (NCIS), wrote an excellent paper called Exploring the Mind of the Spy. In it, he examines the personalities of insiders, looking beyond the traditional areas of opportunity, motive, and ability that are generally associated with criminal activity.
Dr. Gelles cites three criteria that can lead to the transformation from loyal employee to malicious insider:
-- A personality or character weakness
-- A crisis - personal, financial or career
-- The absence of assistance during a crisis.
While we won't examine these items in depth, it is clear that we are in the midst of a national financial crisis that has led to personal crises for many individuals affected by the situation - many of whom now have no place to turn for assistance. These individuals may be facing a layoff, a significant drop in the value of their retirement investment portfolio, a foreclosure or significant credit-card debt, all of which can result in increased stress. This stress in turn may also put extra strain on personal relationships. This spiraling situation may put some people in a desperate position, which may lead them to act in nefarious ways.
Given these tough times and their potential consequences, early detection and response are important to protecting valuable corporate assets that may be the target of illegal activity. Technology solutions are available that focus on the needed detection and response. One is security information and event management (SIEM), which is designed to among other things monitor the activity of an organization's IT environment and detect early warning signs of nefarious insider activity.
SIEM looks across multiple things:
-- IT infrastructure - firewalls, intrusion prevention, network gear, VPNs and physical security controls like badge readers, video analytics and RFID;
-- Applications - custom, commercial, Web and non-Web-based applications;
-- Identity management - LDAP, Active Directory and IDM solutions developed by companies like SUN and Oracle;
-- Sensitive data - databases and file servers
Such a wide and deep perspective of the organization's environment can help address many key questions:
-- Who did it?
-- Should they be doing it?
-- How was it done?
-- What was impacted?
-- Who else might be involved?
-- How long has this activity been occurring?
-- What else are these individuals doing?
Companies may look for many things when monitoring for insider activities. Note that every company has a different approach based on corporate culture, sensitivity of data and the like. Also, while technology helps reduce the false positives and bring forward the most compelling events, human interpretation is always needed. Nothing beats human intuition - technology just augments it.
Here are some indicators of potential misdeeds:
-- Accessing/modifying systems outside of job requirements/policy
-- Accessing/downloading unusually large amounts of information
-- Using the identity credentials for someone else
-- Printing sensitive documents
-- Using Webmail, sending e-mails to competitors, and surfing job websites
-- Using services to make browsing anonymous
-- Entering the building at unusual times - early, late, weekends or holidays
Even today, there are large gaps in the security postures of many businesses when it comes to insiders. Businesses that don't take steps to address these gaps are at a grave disadvantage compared to their peers. Their risk profiles are substantially higher, and by the time the problem becomes painfully obvious to them, it may be too late. Taking these proactive preventive measures is important to minimize the impact of a breach by an individual who is acting desperately in these hard times.
Contos is CSO of ArcSight.