Protecting against insiders in all the right places
Written by Hoke Smith
It’s easy to oversimplify the challenge that insider threats present to organizations. Along those same lines, it’s also easy for those organizations to become overly focused on what they define as their ‘crown jewels’ and neglect other assets that may represent appealing targets to the authorized user looking to profit from their access or avenge a grievance with their employer. Let’s spend a few minutes looking at some common, and some not-so-common, facets that organizations should be considering when thinking about their own stance against insider threats.
THE COMMON CATEGORIES
Insider threats often fall into one of a few broad categories, mainly based on their motivations for acting.
Financial Gain
This is probably the easiest for anyone to understand. Insiders will obtain information—such as customer identity data, product plans, source code, or other intellectual property—to sell on the dark web or to competitors in the same field.
Career Advancement
Closely related to financial gain, insiders can also use proprietary information to advance their own careers when moving to a competitor in the field. Along with intellectual property, common targets for this kind of activity include customer contacts, creative concepts, corporate strategy, and other information that would make a new hire more valuable to his or her employer.
Espionage
While financial gain may be involved in espionage, it deserves to be treated as a separate category unto itself. Foreign nations will induce existing employees or intentionally place individuals in the organization to extract valuable information. This is intelligence collection, driven by top-down strategies and requirements. The objective is usually to advance political agendas or help native companies compete. The actors behind this class of threat are persistent, with the patience and resources to mount and maintain campaigns that last years.
Revenge
Finally, some insiders will act purely out of anger or because they hold a grudge of some sort against their organization. The trigger can be an ‘overlooked’ promotion or raise, a perceived slight, or more personal, relationship-driven reasons. In these cases, the insider seeks to discredit or embarrass the organization publicly.
For this last category, it’s valuable to look at the 2014 Sony Pictures hack. While it was the work of outsiders (not an insider threat), it shows the damage that can be done by publicly disclosing something not generally considered crown jewels—in this case, email.
By releasing email exchanges between senior executives at the company, emails that mentioned famous names including actors and directors in a less-than-positive light, the hacker group ‘Guardians of Peace’ cost Sony Pictures tremendous brand value. The fallout included delaying the release of the movie The Interview for security reasons, following threats of terrorism.
WHAT’S LEFT UNPROTECTED?
Now that we’ve examined insiders’ motivations and mentioned some of the information they will commonly go after, we can talk about some of the under-protected assets within the organization.
Most enterprises have made good progress toward identifying and protecting the crown jewels of intellectual property, sensitive customer and employee information, and financials. Where else can they do a better job to deter insider activities?
Bid, Proposal, And Contracts
While these aren’t as ‘sexy’ to talk about, bid & proposal details, as well as contracts, can be very effectively used by a competing organization to gain an edge in legitimate competition.
Human Resources
Human resources departments hold a wealth of information that, if exposed, could be embarrassing for an organization. These files often include the results of internal investigations as well as personnel files for every employee in the company.
Ironically, those same personnel files can also hold incredible value in helping to identify and deter insider activities. That’s a topic for another time and place, however.
Email And Other Communications
As the Sony Pictures scenario shows, communications between individuals within the organization can be used to great (negative) effect and should be safeguarded as much as possible.
AND THEN THERE’S ATTRIBUTION
Knowing that something happened is only part of the problem; you still have to understand who committed the act. This all comes back to getting visibility into, and understanding, user behavior in your organization. One of the more important focus areas is understanding how users can remove data from the corporate network.
For example, one common insider threat scenario involves an authorized user going to a different area in the building and using an open machine to exfiltrate data using file-sharing sites or removable media.
Reducing insider threat risk requires a combination of capabilities, including the important step of endpoint monitoring. Many large enterprises are doing more real-time monitoring to quickly detect and prevent the various tactics for data exfiltration—copying to media, uploading to file sharing, copying the content of a document into a chat window, and so forth.
This has become more pronounced during COVID-19, as security teams seek ways to manage risk when endpoints are off the corporate network. Even as the demand for visibility into endpoint activities has grown, the tolerance for CPU and RAM consumption by security tools has decreased, putting a spotlight on the efficiency of endpoint agents.
Enhancing event triage—the process of quickly evaluating an alert or event to determine the level of risk it represents—has also become increasingly important as enterprises place more sensors on devices and applications. As the sensors generate more detection events, the ability to quickly place them in the context of a user’s broader behavior helps the security team avoid getting buried under alerts of indeterminate risk.
Finally, post-incident investigations are critical to understanding how insiders operated and protecting against future problems. Assembling a full picture of user behavior requires investigative platforms that accommodate all kinds of data: alerts from enterprise security tools, endpoint event data, user communications such as email and chat, forensic images, and so forth.
The most effective toolsets in this field combine all these factors in a case, quickly eliminate the inevitable noise, place everything into a coherent timeline, and serve the relevant events and artifacts up for review.
PREVENTION AND AUTOMATION
Almost every organization we’re working with is looking to automate more aspects of security. On endpoints, this means giving the endpoint agent sufficient intelligence to automatically decide whether a combination of user behaviors is worth alerting on, capturing as a potentially relevant event for broader analytics, or taking more aggressive action such as blocking a process or quarantining a system.
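To make the monitoring, triage-in-context, and record/alert/block decision concrete, here is an added example (not code from the original article or from any product): a small triage routine over constructed endpoint events that builds a per-user timeline, scores the combination of exfiltration behaviors seen in a short window, flags activity on a workstation assigned to someone else (the open-machine scenario above), and picks an action. The event field names, weights, and thresholds are assumptions for illustration.

```python
# Added example, not from the original article: a small triage routine that builds a
# per-user timeline from endpoint events, scores the combination of behaviours seen in
# a short window, and picks record / alert / block. Field names and events are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed JSON-lines endpoint events (sample data, not real telemetry). Each
# exfiltration tactic scores on its own; the decision is made on the combination.
SAMPLE_EVENTS = """
{"ts":"2024-03-04T09:02:00","user":"jdoe","host":"WS-ACCT-07","host_owner":"asmith","type":"logon"}
{"ts":"2024-03-04T09:05:10","user":"jdoe","host":"WS-ACCT-07","host_owner":"asmith","type":"file_read","path":"smb://fs01/bids/Q3-proposal.docx"}
{"ts":"2024-03-04T09:06:30","user":"jdoe","host":"WS-ACCT-07","host_owner":"asmith","type":"usb_write","bytes":5200000}
{"ts":"2024-03-04T09:08:00","user":"jdoe","host":"WS-ACCT-07","host_owner":"asmith","type":"http_upload","dest":"filesharing.example","bytes":5100000}
{"ts":"2024-03-04T13:00:00","user":"mlee","host":"WS-ENG-12","host_owner":"mlee","type":"http_upload","dest":"filesharing.example","bytes":12000}
"""
WEIGHTS = {"usb_write": 3, "http_upload": 3, "clipboard_to_chat": 2, "file_read": 1}
SENSITIVE_SHARES = ("/bids/", "/hr/", "/contracts/")  # the under-protected assets discussed above
WINDOW = timedelta(minutes=15)
def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])
def score_user(events):
    # Only events within WINDOW of the user's latest event count toward the score.
    cutoff = events[-1]["ts"] - WINDOW
    score, reasons = 0, set()
    for e in (e for e in events if e["ts"] >= cutoff):
        w = WEIGHTS.get(e["type"], 0)
        if e["type"] == "file_read" and any(s in e.get("path", "") for s in SENSITIVE_SHARES):
            w += 2
            reasons.add("read from sensitive share")
        if e["host_owner"] != e["user"]:  # the "open machine" scenario from the article
            w += 2
            reasons.add(f"acting on {e['host']}, assigned to {e['host_owner']}")
        score += w
    return score, sorted(reasons)

def triage(text):
    # Returns {user: {"score", "action", "reasons", "timeline"}}; thresholds are assumed.
    by_user = defaultdict(list)
    for e in parse_events(text):
        by_user[e["user"]].append(e)
    verdicts = {}
    for user, evs in by_user.items():
        score, reasons = score_user(evs)
        action = "block" if score >= 10 else "alert" if score >= 5 else "record"
        timeline = [f"{e['ts']:%H:%M:%S} {e['type']} on {e['host']}" for e in evs]
        verdicts[user] = {"score": score, "action": action, "reasons": reasons, "timeline": timeline}
    return verdicts
```

A single upload by a user on their own workstation only gets recorded for later analytics, while the same upload preceded by a sensitive read and a USB write on someone else's machine crosses the block threshold, with the reasons and timeline ready for an investigator.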
Rapid detection, combined with the ability to block certain user behaviors at runtime, has the potential to significantly improve the enterprise’s ability to prevent potentially catastrophic insider-driven breaches.
Across the broader detection, collection, and investigation workflow, many enterprises are also looking for the ability to automatically kick off forensic collection, processing, and case creation in response to alerts. In recent years, the burdens on expert investigators to perform routine deployment, data acquisition, transfer, and repetitive configuration tasks have become quite considerable.
We’re excited about the potential of new tools and approaches to automating these components, without losing necessary flexibility, to make security and investigation teams more efficient and help them focus more on the truly risky cases.