How to identify and thwart insider threats

It is often cited that an enterprise’s employees are its biggest vulnerability. What are company’s doing about it? In a significant number of cases, companies are perhaps doing nothing.

According to the SANS Institute and SpectorSoft, 74 percent of the 772 IT security professionals they recently surveyed are “concerned about malicious employees.” The survey pool spans 10 industries including financial, government, and technology and IT services. The survey data also shows that 32 percent of respondents “have no technology or process in place to prevent an insider attack”.

Clearly there is an intersect between professionals who gave each response. With more than 25 percent of survey respondents employed at organizations with a workforce greater than 20,000 people, the large enterprise has representation in this data.

It’s time to drill down into the personalities and penchants of these living information security vulnerabilities. According to insider threat detection firm SpectorSoft, insiders whose behavior purposely or inadvertently threatens the enterprise and its data fit several archetypes, each with clear profiles, behaviors, intentions, and associated threats. CSO explores insights into insiders such as moles, imposters, disgruntled employees, hacktivists, ringleaders and those who feel entitled together with how companies can ‘pause’ and ‘delete’ them.

Not me!

The answer to the question of why some companies would have no special protection against insider threats is an easy one: leaders and managers who make those decisions are people too and given to naturally positive human assumptions and ignorance. “Some organizations maintain a ‘not in my backyard’ mindset, stemming partially from culture (‘we hire great, trustworthy people so we won’t have a problem’) and partially from the lack of a known incident (‘we’ve never had an insider attack so we must be doing OK’),” explains Mikey Tierney, COO, SpectorSoft. Ultimately the organization cannot foretell what any employee will do or become once they are part of the family, so-to-speak.

A closer look at archetypes of people who are threats as described by SpectorSoft will reveal what drives them. A mole is obviously someone who really works for someone else, perhaps another company but really any entity with a cause in opposition to the target company. According to SpectorSoft, a mole will often have science and engineering skills, holds a position creating intellectual property, and has access to critical data, which they will attempt to pilfer.

An imposter is actually an outsider with insider credentials, an attacker or former employee. They target those and other credentials and accounts to steal or breach data and intellectual property. The disgruntled employee is out for revenge, seeking justice for real or imagined wrongs of the company. According to SpectorSoft, this employee is easier to detect than other malicious actors and the enterprise should isolate them before they sabotage, steal, breach, or defraud the organization.

A hacktivist wrecks, subverts, and destroys systems and data belonging to high-profile organizations or governments in a publicly obvious fashion to make a social or political statement. Conversely, a ringleader seeks financial gain by accessing information outside his purview so he can leave with more than he invested in the company to form another business or work for a competitor. The ringleader enlists any help he can to achieve their goals. Similar to the ringleader, an entitled employee plans to walk out with their work product and compete with their former employer. He usually works alone, exploiting his work product and any knowledge of it.

Each of these archetypes is a trusted employee who is misusing the privileges or access that the company granted them.

Taking an axe to archetypes

Though least privilege, zero trust approaches can limit damage from insiders, these are not fool proof. There are cases where data requires additional protections. An entitled employee for example might have full and unrestrained access to his work product in order to do his job. Likewise, an imposter can retrieve data in a very stealthy manner, avoiding the use of readily detected system scans and brute force dictionary attacks on login screens.

Organizations should consider detection methods from the User Behavior Analytics space to deal with insiders, says Tierney. These methods apply behavioral baselines to identify attacks based on employee actions that deviate from normal, established behavior patterns. These tools can detect anomalous activity and alert the organization in a timely manner, prompting manual or automated remediation responses.

In one example where a user behavior analytics tool could have proved useful, Sutter Health, Sacramento discovered only this past August that in April 2013 a former employee emailed customer documents to a personal email address (not a normal, permissible behavior), according to California Department of Justice data breach reports.

But depending on the kinds of systems in the enterprise environment, the necessary log data and information may not be seamlessly accessible for the user behavior analytics product to draw upon to create a complete baseline in the first place, according to Rohit Gupta, CEO, Palerra, a cloud security automation firm. “Data on user behavior may not be available at all or may not be easily externalized for user behavior analytics systems to access and use it,” says Gupta.

Other measures

Beyond behavior analytics, enterprises should maintain insider incident response plans that define the response, which should include an extended response team due to the fact that an employee is involved, says Tierney. “Legal, HR, and departmental management all come in to play,” says Tierney.

[ ALSO ON CSO: Revamping your insider threat program ]

But remember, incident response plans are only as good as the processes set up to detect incidents for response. “If detection doesn’t take place, incident response plans are not useful,” says Gupta.

As everyone knows, experts often recommend that the actual response include dropping connections and closing holes. But taking mass actions such as dropping connections is severe because it adversely affects business activities at scale, according to Gupta. “These systems are not granular enough to drop only a single workload but rather they disrupt the business and many workloads,” says Gupta; “it’s better to use workflow detection techniques that allow for selective intervention.”

Finally, keeping detailed accounts of insiders actions in a format that C-levels, attorneys, and others who must become involved will find accessible is vital to remediation whether legal or administrative, according to Tierney.

Though insider threats continue to be a grievous issue, adopting a solution as though it was a catch-all balm without thoroughly vetting it is not the answer. The enterprise should know what it’s getting and whether it is enough when teamed with other security resources.