Tackling the insider threat: Where to start?

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

Many organizations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job.

But not all insider threats have to be malicious to cause an incident.

tackling insider threat

Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer information and handed over a large dataset to a third party processor. In some regions, if the company didn’t get an explicit opt-in from the customer to allow that third party to handle the data, it could be considered a security incident.

Or what if someone on the HR team left a flash drive in the lunch room containing personal health information, and that info gets disclosed to other employees? Sure, it may not have been intentional, but it was still an incident caused by an insider.

Taking the threat seriously

Insiders have been behind several significant data breaches, yet many CISOs are still solely focused on keeping the bad guys out, instead of looking within their own company.

Richard Henderson, global security strategist at Absolute, a security company offering endpoint visibility and control, believes that this disconnect is due to human nature and behavior.

“No one wants to presume that the people they work with on a daily basis can intentionally or unintentionally cause significant harm to their company,” he says.

“And while building a fortified, walled perimeter and patrolling for signs of attack is an easy decision, it’s not so easy to pivot to newer ways of thinking, like the zero-trust model, or continuous monitoring tools like user/entity behavior analytics. It’s not uncommon to assume that something bad is likely going to happen, but it’s rare to assume it’s because of something someone on your side did.”

Neutralizing the threat

As storage and processing costs continue to plummet on a per-unit basis, it has become more attractive for both malicious and non-malicious insiders to use these technologies to their benefit, Henderson notes.

“With Internet/Intranet ‘pipes’ larger than they’ve ever been, it can be simple for a malicious insider to hide their goals inside the torrent of traffic that companies have to monitor. At the same time, those very same technologies make it very tempting for employees without nefarious intentions to send data to the cloud, send jobs outside the company for processing, or to merely store confidential information in personal cloud storage so they can easily work from home.”

Neutralizing or minimizing the insider threat requires a robust and evolved security strategy, he says, but even before that, companies need to gain visibility into all endpoint devices.

If you can’t randomly pick an endpoint device and query it to determine what its current patch status is, what sensitive data resides on it, what software is installed, and where it is physically located, how can you move on to more advanced things like building out a mature insider threat strategy?

The answer is: you can’t.

“Everything starts with visibility,” Henderson says. “Visibility into how employees use corporate resources and into how and where data is stored. Visibility into how employees connect to your infrastructure and into the current risk profile of their endpoints. Are they current on patching? How long has a device been outside of the network? Do you have actual visibility of where all your data in your organization has moved to? Has some of it migrated to the cloud? All of these questions can be addressed with comprehensive asset management and data discovery toolkit.”

Henderson also notes that attempting to spot future malicious insiders during the hiring process is mostly a waste of time.

“We only need to look at the case studies of double-agents or turncoats in the history of intelligence agencies to see that even with the most in-depth, comprehensive, and probing background investigations, there are always going to be insiders that will decide to do something bad,” he notes.

“Circumstances and motivations change for people all the time. We may be able to potentially screen out riskier candidates with larger and more involved background checks, but it will never be able to give a definitive yes or no on someone causing an incident. Those resources would be much better used as investment in other tools that can monitor how employees handle and consume sensitive information.”

Preparing for the future

It’s difficult to predict the situation we’ll face five years from now.

“We could see some organizations make a complete and total move to both virtualized and cloud infrastructures, and we could see others retreat entirely from the cloud,” Henderson points out.

But enterprises thinking about security that far ahead should have a plan in place now to actively monitor every single endpoint device in their organization, and that includes contractors they allow to access their internal resources.

“That monitoring technology needs to look for potential compliance and regulatory violations as well as the movement and storage of important data, whether it be customer or internal data. Knowing what important info exists on your computers allows you to quantify the risks inside your organization better,” he believes.