How to Build an Effective Insider Threat Program: Part I

By Shareth Ben, Insider Threat SME at Securonix

On the heels of insider threat awareness month, it’s clear that although we are more aware of the attacks and threats from within an organization, we still have a long way to go. This first article in a two-part series provides practical tips on what and who to consider when building a program to combat insider threats.

It has been six years since the Snowden incident took place, sending a wakeup call to large enterprises that they needed to start looking internally for risks posed by employees and contractors. Two years later Galen Marsh, who was a financial advisor at a prominent Wall Street bank, damaged the bank’s reputation by stealing sensitive client data from corporate systems and uploading it to a personal server hosted at his home. While these high-profile cases caught the attention of security professionals, there are many insider-caused incidents happening every day that put organizations at financial and reputational risk.

Guarding the perimeter of an organization’s network alone is not enough. The adoption of the cloud for infrastructure, middleware, and applications is growing at a phenomenal pace. The benefits of moving to the cloud are obvious, but along with that comes an increased need for security. The enterprise perimeter is becoming more porous as the applications that drive business rest outside the secure perimeter of the enterprise, requiring that the enterprise network be open to external networks while still being secure.

There is no doubt that insider threat risks continue to matter, and organizations need to take detective and preventive measures before it’s too late.

Multiple surveys indicate that insider threats are a key source of concern for enterprises. According to Cybersecurity Insiders’ 2018 Insider Threat Report, 90 percent of organizations feel vulnerable to insider threats – with 53 percent confirming insider attacks against their organization.

According to the Verizon 2019 Data Breach Investigations Report, 34 percent of breaches involved internal actors, and 29 percent involved the use of stolen credentials.

What do these numbers mean?

The bottom line is that these numbers can have an impact on your business which can be benign or severe depending on the outcomes caused by the insider’s actions. The Verizon report cited above also notes that 25 percent of breaches were motivated by the gain of strategic advantage (espionage). For example, if a research scientist at a pharmaceutical company sells the formula for a new drug to the competition, that pharmaceutical company can incur millions in revenue loss due to low-cost competition. This type of corporate espionage has happened in the past. In less severe cases employees or contractors have attempted to take proprietary data, which resulted in the termination of employment or a harsh warning.

The key takeaway is for organizations to decide how much effort they are willing to invest in terms of cost, resources and time depending on their industry vertical, nature of the business and risk exposure.

How to build an effective insider threat program.

Most medium and large organizations have limited insider monitoring in place using data loss prevention (DLP) or privileged access management (PAM) system solutions. However, they still struggle to effectively mitigate insider threat risks. This is because, as much as it may sound cliché, security cannot be solved using technology alone. It is a combination of people, processes, and the nature of your business. We say the nature of your business here because what you do as a company determines what matters to you the most, and therefore what you want to protect.

The key is to find synergies between people, process, and technology which are suitable for your organization, based on various factors such as organization size, culture, and most importantly risk appetite.

Risk appetite can be defined as how much risk exposure an organization is willing to tolerate when it comes to insider threats. Most insider threat programs fail because the organization’s risk appetite is not clearly defined at the beginning. This lack of clarity creates a lack of focus during operations, preventing the program from seeing success in the investments made across people, process, and technology.

Where to begin?

The first step is to assess your organization’s appetite for risk and what the organization values the most. For example, some organizations value their brand reputation the most while others worry more about the theft of intellectual property.

The next step is to build a strong understanding and consensus across key functions such as HR, legal, compliance, and the core business units. This is essential for an effective program outcome. To reach this consensus, organizations should form an Insider Threat Working Group (ITWG). The ITWG’s mission is to educate the business units on the importance of protecting the organization from such threats.

Lastly, the ITWG forms a partnership with key stakeholders to define policies and procedures. Laying down this foundation will pave the way for the future of the program.


What type of risks to mitigate?

According to the Carnegie Mellon CERT model, the three types of insider risks that are caused due to insider threats are confidential data leakage, IT sabotage, and fraud.

Most organizations that have embarked on the insider threat monitoring journey focus on data leakage prevention and IT sabotage related monitoring as they can cause the most harm. The former is more common than the latter, but both can create havoc for organizations if not managed properly.

The three primary types of insider risks can be mitigated as follows:

IT sabotage

  • Monitor high privilege access to critical databases, servers, and applications that affect the integrity of the systems.
  • Server monitoring should include Windows security events, Windows authentication events, Unix auditd logs, Cyberark logs, and others.
  • Database monitoring should include Guardium logs or similar for database activity monitoring.
  • Application monitoring should include business applications and third-party applications.

Confidential data leakage

  • Monitor for the exfiltration of data by employees and contractors that leads to confidentiality issues and intellectual property theft.
  • Monitor egress vectors such as email, removable media, print, web uploads, CD, and DVD.
  • Leverage technologies such as DLP tools to monitor email gateway logs, print logs, SharePoint logs, and others.

Fraud

  • Monitor for fraudulent activities that result in financial loss to an organization.
  • Categories of fraud include online banking fraud, expenses fraud, AP fraud, AML fraud, trade surveillance, and more.
  • Monitor log sources such as OLTP transactions, ATM transactions, wire transactions, and others.
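As an added illustration (not code from the article or from Securonix) of how the three risk categories above translate into detection logic, the script below reads constructed sample events from the log sources named in the list (auditd-style privileged database actions, DLP egress events, OLTP wire transactions) and classifies them as IT sabotage, confidential data leakage, or fraud. The approved-DBA set, critical-system names, egress threshold, and wire approval limit are hypothetical policy inputs.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON record per line (not from the article).
SAMPLE_LOG = """
{"user":"alice","src":"auditd","action":"db_privileged","target":"crm-prod","sql":"DROP TABLE customers"}
{"user":"alice","src":"dlp","action":"usb_write","bytes":734000000}
{"user":"bob","src":"dlp","action":"email","recipient_domain":"gmail.com","bytes":52000000}
{"user":"bob","src":"dlp","action":"web_upload","site":"dropbox.com","bytes":210000000}
{"user":"carol","src":"oltp","action":"wire","amount":250000,"approvers":1}
{"user":"dave","src":"dlp","action":"print","pages":12}
{"user":"erin","src":"auditd","action":"db_privileged","target":"crm-prod","sql":"SELECT count(*) FROM orders"}
"""

# Hypothetical policy inputs: who may run privileged DB actions, which systems
# are critical, and the egress / wire thresholds the ITWG agreed on.
PRIVILEGED_DBAS = {"erin"}
CRITICAL_SYSTEMS = {"crm-prod", "payroll-db"}
EGRESS_ACTIONS = {"usb_write", "email", "web_upload", "print"}
EGRESS_BYTES_THRESHOLD = 100_000_000     # 100 MB per user across all vectors
WIRE_SINGLE_APPROVER_LIMIT = 100_000     # wires above this need two approvers
INTERNAL_DOMAINS = {"example.com"}       # mail to these domains is not egress
DESTRUCTIVE_SQL = {"DROP", "ALTER", "TRUNCATE", "DELETE"}

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def classify(events):
    """Map events to the CERT categories; returns {user: [(category, reason), ...]}."""
    findings = defaultdict(list)
    egress_bytes = defaultdict(int)
    for ev in events:
        u, a = ev["user"], ev["action"]
        if a == "db_privileged" and ev.get("target") in CRITICAL_SYSTEMS:
            # IT sabotage: destructive SQL on a critical system by a non-DBA
            words = ev.get("sql", "").split()
            if words and words[0].upper() in DESTRUCTIVE_SQL and u not in PRIVILEGED_DBAS:
                findings[u].append(("it_sabotage", f"{ev['sql']} on {ev['target']}"))
        elif a in EGRESS_ACTIONS:
            # Data leakage: aggregate volume per user across every egress vector
            if a == "email" and ev.get("recipient_domain") in INTERNAL_DOMAINS:
                continue
            egress_bytes[u] += ev.get("bytes", 0)
        elif a == "wire" and ev["amount"] > WIRE_SINGLE_APPROVER_LIMIT and ev.get("approvers", 0) < 2:
            # Fraud: high-value wire that skipped the second approver
            findings[u].append(("fraud", f"wire {ev['amount']} with {ev.get('approvers', 0)} approver(s)"))
    for u, total in egress_bytes.items():
        if total > EGRESS_BYTES_THRESHOLD:
            findings[u].append(("data_leakage", f"{total} bytes across egress vectors"))
    return dict(findings)
```

Summing egress across vectors is the point: bob's single email and single upload each look unremarkable, but together they cross the threshold.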

What type of insiders should you monitor for?

Insiders can be categorized into three main types:

  • Negligent Insider: An employee or contractor unknowingly or accidentally compromises data due to bad security hygiene.
  • Complacent Insider: An employee or contractor intentionally ignores policies and procedures or bypasses them because they think it’s not needed.
  • Malicious Insider: An employee who intentionally compromises data and misuses privileges in order to cause damage to the organization.

In all three cases the employee or contractor is putting the organization at risk, but the malicious insider can result in the largest risk because of their intentionally malicious actions. This type of insider is also harder to detect because they are highly motivated and will typically actively work to circumvent existing controls and take other precautions to remain undetected.

Securonix’s observation in the field is that organizations deal with complacent and negligent insiders 90 percent of the time. The disciplinary actions taken against these insiders vary from warnings to termination of employment. The outcomes for a malicious insider can involve more serious consequences. The FBI has been involved in extreme cases including nation-state attacks to steal valuable data such as intellectual property that is core to a business’s competency in the market.


Insider threats can have a significant negative effect on businesses today, but their impact can be mitigated by a well-thought-out insider threat program that includes people, processes, and technology.

Part two of this series on insider threats will address the technologies required to combat insider threats, how to evaluate them, and where to begin.

About the Author

Shareth Ben, Insider Threat SME at Securonix. Shareth is an information security professional with over a decade of program management experience, serving the security needs of Fortune 500 clients. Currently, he is focused on providing insider threat and cyber threat solutions by bringing synergies between people, processes, and technology to mitigate risks to enterprises. He is passionate about improving the security posture of organizations by providing thought leadership and best practices based on lessons learned in the field. Shareth has a Master’s degree in Information Systems and a Bachelor’s degree in Computer Science.
