This article was originally published on CFO.com.
Data theft by insiders is rampant but usually not discovered until after they’ve left.
It seems as if cybersecurity is in the news constantly these days. Everyone talks about the threats from state actors looking for political or commercial advantage, organized criminal groups looking for theft or extortion opportunities and monetizable information, even random individuals with an ax to grind who don’t like your business for some reason.
All these cyber threats are real and need to be addressed — but there’s a threat closer to home that too often gets ignored and that continually drives information security experts to distraction.
That threat comes from your managers, employees, and business partners.
For years, surveys that track vulnerability concerns among information security professionals have ranked “insider” threats at the top of the list. “Insiders” in this context include everyone who has permission to operate “inside” your network perimeter — and thus have a legitimate presence in your network. In the modern managed services world, they might not actually work for you directly, but they need to have at least some access to your systems and data in order to do work on your behalf.
Even so, “employees” rank highest among the groups causing concern (probably because non-employees are more likely to have restricted and controlled access to critical information), and the evidence suggests that they mostly go undetected, their misbehavior being discovered by forensic analysis only after they have left.
Interestingly, although financial gain remains the top motivation for bad behavior, “convenience” ranks a close second — employees ignore the rules because they see them as inconvenient and don’t understand the consequences of their actions. Because these threats arise inside the network perimeter, intrusion prevention and detection systems, designed to counter unauthorized access attempts from outside, aren’t much use against them. We need something extra.
Over the past decade or so, several approaches have been developed to address the spectrum of insider threats. As well as the obvious things — carefully screen new hires, re-screen everyone periodically, restrict access and permissions to the minimum needed, and have clear policies, reinforced by periodic education and training — two broad groups of processes and technology have emerged:
- Retrospective review: Watch everything that goes on and record every event. Then analyze the record of events (usually a set of “log” files) to discover who did what, when. This “Security Information and Event Management” (SIEM) approach can be a powerful forensic tool, but it generally catches problems and the people that caused them only after the fact. Important, but useful for prosecution rather than prevention.
- User Behavior Analysis (UBA): We are all to some degree creatures of habit, and when we decide to behave badly, our patterns of behavior almost always change in detectable ways. If you watch what people do on a routine basis and see unexpected changes (which often show up quickly), you can often intervene before or just as a bad action occurs. This approach can be especially useful for individuals who are in situations known to correlate strongly with bad behavior: recently quit; passed over for a promotion or bonus; about to be disciplined or fired, and so on. You can also pay close attention to anyone in a position of trust — anyone who has privileges that could lead to bad outcomes if abused.
Of course, watching what everyone does all the time can be an expensive proposition in a large business where there may be tens or hundreds of thousands of credentialed users. You need to address two aspects of the problem: what constitutes a “bad” behavior pattern, and what constitutes a meaningful change in behavior.
We can use a combination of machine learning and predictive analytics to attack both aspects of the insider threat. Historical analysis of the SIEM data (and there will generally be a lot of it) can discover the patterns that identify bad behavior. User-specific risk profile scores provide a baseline against which to evaluate possible deviations from normal behavior. Alerts trigger additional focused monitoring and prevention activities.
Not all bad behavior is directly malicious. You might be surprised at how many other factors — curiosity, boredom, and jealousy, for example — can lead employees to behave outside of what’s necessary or permitted for their roles, even if the results don’t cause additional direct harm. Yet abuse of privilege is an underlying pathology of many bad outcomes, and weeding it out early can save embarrassment and possible disaster later.
Supporting both SIEM and UBA approaches are technologies that restrict or prevent the “exfiltration” of data. As portable devices have become more capacious and network connections faster, the need to respond quickly and effectively has grown. Data Loss Prevention (DLP) tools monitor network traffic for patterns (in terms of content, volume, or timing) that should not be present and block outbound routes. That’s important, but so are policies and processes that prevent employees from using USB drives to carry out data in a pocket or purse.
No approach to information security can guarantee you’ll never have a problem — the price of safety is constant vigilance — but the tools and practices of SIEM, UBA, and DLP can help. And there’s no longer an excuse for not using them.
Do you know who’s about to go rogue in your business?