Preventing insider threats, data loss and damage through zero trust

With the proliferation of mobile devices and BYOD, ubiquitous and always available internet connectivity and the widespread use of private, public and hybrid cloud solutions, eventually all organizations will be forced to come to terms with these realities:

• There is no such thing as a traditional security perimeter anymore
• There is virtually no difference between internal and external threats.

Binding activity to the user’s identity and endpoint is essential

Whether they are malicious actors focused on stealing proprietary information and data for profit or personal agenda or legitimate users with excess privileges and/or insufficient expertise who inadvertently wreak havoc, insiders can cause serious damage to organizations.

“Verizon’s 2019 Data Breach Investigations report found that 34 percent of all breaches happened as a result of insider threat actors. The recent Capital One breach further underscores the need to protect against insider threats,” noted Bill Harrod, Federal CTO at enterprise mobility management company MobileIron.

“The motivations, however, have only minimal impact on the protective actions that must be accomplished to keep an organization’s data safe.”

These are the things that, according to him, are a must for achieving an effective security strategy: proactive and continuous automated security operations, multi-factor authentication (MFA), continuous authorization, dynamic access policy enforcement, and adherence to and enforcement of the least privilege principle.

If this sounds familiar, it’s because it’s all part and parcel of the zero trust architecture, which has become essential in this age of unending strings of data breaches.

What is zero trust?

While some may think of it as just one of the latest infosec buzzwords, zero trust actually makes a lot of sense in this day and age.

Whether they are outside or inside their network(s), organizations must stop blindly trusting users and devices that want to access their applications and data, and verify over and over again if each single user or device should be granted access.

Also, as noted before, adopting the “least privilege” approach to privileged access is crucial, and so is binding activity to the user’s identity and endpoint and encrypting all data at rest and in motion.

“In short, the zero trust model enforces that only the right people or resources have the right access to the right data and services, from the right device, under the right circumstances,” Harrod summarized.

Implement zero trust

To implement zero trust, organizations must:

• Equip users with a secure digital workplace space with all the apps they need, on the devices of their choice
• Ensure that they grant user access to authorized corporate data based on full context
• Include protection for data at rest and in motion with encryption and threat monitoring
• Enforce security policies with ongoing monitoring to quarantine devices, to alleviate threats and maintain compliance.

All this should be done in a way that minimizes friction, i.e., the security measures implemented should not be too much of a burden to the end users.

Zero trust as a way to prevent insider threat

There’s no solution for the absolute prevention of every insider threat. The theft of a single or a few credit card or social security number via memorizing is, for example, nearly impossible to prevent, but the ultimate impact of such a theft is limited.

“The issue facing enterprises is how to prevent the loss of massive amounts of correlated data, and how to prevent unauthorized access, modification, or destruction of internal data and resources,” Harrod told Help Net Security.

To minimize insider threat while they implement zero trust, organizations should use:

• Unified endpoint management (UEM) software to check for device health and provision security controls/restrictions
• Mobile threat defense (MTD) to detect and remediate phishing, app, device, and network level threats
• Security Information and Event Management (SIEM) and Unified Security Management (USM) solutions to achieve constant monitoring and visibility into anomalies/outlier activities
• Cloud access security broker (CASB) capabilities, which can be deployed in reverse proxy and API-based deep introspection, to block the exfiltration of sensitive company data to personal storage.

“Common insider threat patterns include exfiltration of large amounts of data, abnormal activity based on traffic and time of day, and unknown assets or devices,” he explained.

“It’s harder to detect and remediate malicious activity that mimics typical patterns or common activity, and this is where AI and ML technologies can come in hand: they can gather near real-time activity data, validate the activity, and detect anomalous behavior patterns long before intrusion detection tools or humans would be able to.”

Another part of the challenge is mitigation, which also has to be quick and effective to prevent a wider infiltration into the enterprise.

“Additionally, micro-segmentation of networks, separation of duties, and least privilege enforcement — along with HR policies requiring proper vetting, background checks, and certifications — all work as additional layers of compensating controls,” he concluded.