Insider “threat” is a bit of a misnomer. Most insiders aren’t looking to cause harm. At best, they believe they’re cutting through the red tape; at worst, they’re apathetic.
Let’s take a common scenario: an employee sends sensitive data to their personal email to work over the weekend. A security-aware one may have thought, what’s the chance of someone hacking my email vs. me finishing this work by Monday? Pretty unlikely I’ll get hacked, so I choose work. (Send.)
At the enterprise level, this risk paints a different picture. When you’re managing an environment where the average cost of a data breach is $4.18 million, and nearly 10% of employees exfiltrate data over a six-month period, your risk calculation for the enterprise looks very different.
How do you stop the bleeding, and how do you prevent leaks from happening again? To cover your bases, consider a methodical, holistic approach: start with one strategy from each of the following, and iterate as your needs dictate. We’ll start from micro to macro.
Determining what you need to protect is the prerequisite to any prevention strategy.
Have you:
- Identified your most critical assets (i.e., your “crown jewels”)?
- Restricted access to these critical assets?
- Determined how this access will be given?
If you’ve done all the above, let’s take a step further. Data needs to be protected in its various states: at rest, in use, and in motion.
Data at rest—stored on a file system, in a database—is vulnerable to unauthorized users. With techniques such as encryption, role-based access control (RBAC), and multi-factor authentication (MFA), you can scale policies of permission and reduce the number of compromised accounts.
Data in use—a user is reading or modifying it—is vulnerable to the actions of authorized users, both well-intentioned and not. To protect data in use, software solutions can flag or block behavior, such as screen capture or copy-and-paste of sensitive data.
Data in motion—in transit from one place to the next—is vulnerable due to the inherent expansion of the attack surface. You can stop data from being sent in the first place (blocking emails to external recipients, disabling USB ports) or protect it by using secure communication channels (VPN, encrypted email).
All of the above, plus more
If you want a comprehensive solution, data loss prevention (DLP) software can do all of the above and more. What if someone copies sensitive data into another file? DLP solves this by scanning for sensitive information (e.g., credit card numbers) of every document in all its states—at rest, in use, and in motion.
DLP is not without disadvantages; for example, traditional data detection requires an exact match. Current advancements in DLP focus on finding similar (vs. exact) patterns with machine learning, visualizing how your data is moved and modified, adding regulatory compliance, and even interpreting audio data for the most critical of environments.
Outside of data-centric preventions, you may want to detect any behaviours that could indicate someone has shifted from well-meaning to malicious intent. Maybe a night owl has decided to come in during the day, or someone is transferring files from directories they’ve never touched before. To detect the extraordinary, you need to capture the ordinary.
User Behaviour Analytics (UBA) software creates these baselines of “normal” by capturing and analysing data like user logins, file access, email activity, and application logs. User and Entity Behaviour Analytics (UEBA) applies the same concept to non-human entities such as network devices and applications. Keep in mind that UBA/UEBA requires professionals who can fine-tune these machine learning-based solutions to decide what’s abnormal or not.
If you’re seeking to simply record (vs. predict) what users are doing, you can use User Activity Monitoring (UAM) software. Typically used more specifically, UAM can log keystrokes and playback videos of user activity. You might enable UAM for a specific user you suspect of performing illegal activity.
If you have insiders who want to cause harm, they’ll find a way to bypass all your technology. If you engage them pre-emptively, this will be your most effective defence.
The principles are simple, but if you’ve ever raised a human (or interacted with one), you know it’s easier said than done. The FBI, masters of hostage negotiation and behaviour analysis, will tell you that threat management is like good parenting:
- Show empathy while setting clear boundaries.
- Be patient while executing consequences.
- Regularly re-evaluate progress.
The good news is that these skills can be taught, and experts can be brought in during the most serious of situations. At a minimum, your workforce should be able to recognise concerning behaviour and feel like they can (and should) report it. An individual’s reaction to stress and sense of self are all factors in assessing the threat level. Your workforce will have the intuition and first-hand insight technology cannot give you.
Besides increasing awareness through training, if your company embraces a culture of trust and pride—and hires people with similar values—the risk of insider threat goes down.
There’s always more you can do when it comes to playing defence. Check out the Insider Threat Mitigation Guide from the US Government’s Cybersecurity and Infrastructure Security Agency for a more in-depth resource.
The key is to focus on what you’re trying to protect and to build defences from there. By applying a strategy from each of these areas—your data, your activity, your culture—you can execute a series of quick wins and iterate as you go.