Insider threats are of particular concern to organisations as the
impact of a rogue insider can be catastrophic to the business. The 2016
Verizon Data Breach Investigations Report showed that 15% of data
breaches were a direct result of insider deliberate or malicious
behaviour. Given that it is not likely that all insider breaches are
discovered and/or reported, this number may well be under-represented in
Verizon’s statistics. In addition, insiders often have legitimate access
to very sensitive information, so it is no wonder that it is difficult
to detect these breaches. Regardless, they can negatively impact the
business in a big way, and must not be overlooked.
As a member of the Cisco Security Services team I speak to a lot of
customers and see views of insider threats vary by industry vertical.
For example, financial services and gaming companies see financial
objectives as the main motivator, manufacturing/high technology/biotech
see intellectual property theft as their biggest concern, and personal
services store and process large amounts of personally identifiable
information which they must protect from insider theft. The unique
challenge is that malicious behaviour by insiders is harder to identify,
as they are often misusing their legitimate access for inappropriate
objectives such as fraud or data theft.
Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it is time to go to the next level.
As with everything in security there is no single answer and frankly you should question anyone that tells you they can fix all of your security problems with one service.
To reduce the risk of the insider threat, we suggest the following strategies:
- Classify your sensitive data. This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could affect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.
- Once the data has been classified, proceed with a plan to protect it.
a. Instrument the network so you can detect atypical accesses to your data. To validate that your instrumentation is set up correctly, you should be able to answer the following questions:
i. Have new users started accessing sensitive data?
ii. Have your authorised users accessed more sensitive data than usual?
iii. Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would
recognise these questions as lead indicators of possible fraudulent
activity, and astute HR professionals would recognise these as possible
lead indicators of an employee about to leave the business. Both of
these scenarios are very typical lead indicators of insider data loss.
You should try to make use of fraud management and HR personnel to
assist you in determining what to look for and actions you can/should
take when you detect a possible insider incident.
Data flow analytics may also assist on the technical side. Cisco Stealthwatch
uses NetFlow to build profiles of expected behaviour for every host on
the network. When activity falls significantly outside of expected
thresholds, an alarm is triggered for suspicious behaviour. Data hoarding
is one typical use case where data flow analytics detects anomalous
behaviours. For example, if a user in marketing usually only accesses a
few megabytes of network resources a day but suddenly starts collecting
gigabytes of proprietary engineering data in a few hours, they could be
hoarding data in preparation for exfiltration. Whether the activity is
the result of compromised credentials or insider threat activity, the
security team is now aware of the suspicious behaviour and can take
steps to mitigate it before that data makes it out of the network.
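To make the three validation questions above and the data-hoarding scenario concrete, the following is an added Python example; it is not Cisco or Stealthwatch code and works over a constructed set of per-user access records (day, user, dataset, classification group, bytes) rather than NetFlow. It compares a review day against a baseline window and reports new users, volume spikes against each user's own typical day, and classification groups a user has never touched before. The users, datasets and sizes are all made up for the demonstration, and the volume factor is the tunable threshold.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample access records: (day, user, dataset, classification_group, bytes).
# Days 1-3 are the baseline window; day 4 is the day under review.
ACCESS_LOG = [
    (1, "alice", "q3-forecast", "finance",      2_000_000),
    (2, "alice", "ledger",      "finance",      2_500_000),
    (3, "alice", "ledger",      "finance",      1_500_000),
    (1, "bob",   "cad-models",  "engineering", 30_000_000),
    (2, "bob",   "cad-models",  "engineering", 25_000_000),
    (3, "bob",   "bom-sheets",  "engineering", 28_000_000),
    (1, "carol", "brochure",    "marketing",    3_000_000),
    (2, "carol", "brochure",    "marketing",    4_000_000),
    (3, "carol", "campaign",    "marketing",    3_500_000),
    (4, "alice", "ledger",      "finance",      2_200_000),
    (4, "bob",   "cad-models",  "engineering", 27_000_000),
    (4, "carol", "brochure",    "marketing",    3_000_000),
    (4, "carol", "cad-models",  "engineering", 900_000_000),  # marketing user hoarding engineering data
    (4, "dave",  "ledger",      "finance",        500_000),   # never seen touching sensitive data before
]


def split_window(records, review_day):
    """Separate the baseline records from those of the day under review."""
    baseline = [r for r in records if r[0] < review_day]
    recent = [r for r in records if r[0] == review_day]
    return baseline, recent


def daily_volume(records):
    """Return {user: {day: total_bytes}}."""
    volume = defaultdict(lambda: defaultdict(int))
    for day, user, _dataset, _group, nbytes in records:
        volume[user][day] += nbytes
    return volume


def groups_by_user(records):
    """Return {user: set of classification groups touched}."""
    groups = defaultdict(set)
    for _day, user, _dataset, group, _nbytes in records:
        groups[user].add(group)
    return groups


def find_anomalies(records, review_day, volume_factor=5.0):
    """Answer questions i-iii for one review day.

    Returns (user, finding, detail) tuples; finding is new_user, volume_spike or new_group.
    """
    baseline, recent = split_window(records, review_day)
    base_volume, base_groups = daily_volume(baseline), groups_by_user(baseline)
    recent_volume, recent_groups = daily_volume(recent), groups_by_user(recent)
    findings = []
    for user in sorted(recent_volume):
        today = recent_volume[user][review_day]
        # (i) a user with no history of touching sensitive data
        if user not in base_volume:
            findings.append((user, "new_user", f"first sensitive-data access: {today} bytes"))
            continue
        # (ii) far more data than this user's own typical day
        typical = mean(base_volume[user].values())
        if today > volume_factor * typical:
            findings.append((user, "volume_spike", f"{today} bytes vs typical {typical:.0f}"))
        # (iii) classification groups this user has never touched before
        unseen = recent_groups[user] - base_groups[user]
        if unseen:
            findings.append((user, "new_group", ", ".join(sorted(unseen))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in find_anomalies(ACCESS_LOG, review_day=4):
        print(f"{user:6} {finding:13} {detail}")
```

The baseline is per user rather than per department, so alice's and bob's steady habits raise nothing while carol's single day of engineering data trips both the volume and the new-group checks; dave is flagged only because he has no history at all, which is exactly the case to hand to HR or fraud management for context before escalating.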
b. Data Loss Prevention software,
or DLP as it is more commonly known, is software that monitors data
flows much like an IPS as well as monitoring data usage at the endpoint.
Network DLP uses signatures like an IPS, but the signatures are
typically keywords in documents or data patterns that can identify
sensitive data. Endpoint DLP can be used to control data flow between
applications, outside of the network and to physical devices. This
becomes especially important if there are concerns about sending data to
external data storage systems (e.g. Google Drive, Box, SkyDrive, etc.) or
to USB attached storage. DLP can control access to all of these
systems, but it is a matter of policy and vigilance as new capabilities
are released at the endpoint.
There is a lot of skill in effectively
setting up DLP software, and many of the complaints about the lack of
effectiveness of DLP come down to a lack of proper data classification
and poor DLP software configuration. There is also an argument that
network DLP is losing relevance with the increasing amount of encryption
of network traffic. This is certainly true, and enterprises need to
have SSL interception properly configured to maximise the effectiveness
of their DLP investment. Still, not all traffic will be able to be
decrypted, and you must determine whether your risk appetite will allow
for users having encrypted communications you cannot monitor. This is
not exclusively an IT decision, but one that needs to be made by a
well-briefed executive.
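The following added Python example (not code from any DLP product) shows the shape of the network DLP signature matching described above: the keyword signatures are the classification markers stamped on documents during the classification step, plus a data pattern, and a small policy decides what to do with a match by destination. It also shows why inspection inside compressed payloads matters, since a gzip-wrapped document carries the same sensitive content but matches nothing if the scanner looks only at the raw bytes; TLS traffic that is not intercepted behaves the same way from the scanner's point of view. The markers, the hypothetical project codename, the destination categories and the sample flows are all constructed for the demonstration.

```python
import gzip
import re

# Constructed signature set. In practice the markers come from the data classification
# exercise (labels stamped on documents) and from known sensitive data patterns.
SIGNATURES = {
    "classification_marker": re.compile(rb"\b(CONFIDENTIAL|RESTRICTED|INTERNAL ONLY)\b"),
    "card_number_like": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "project_codename": re.compile(rb"\bPROJECT[- ]ORCA\b"),  # hypothetical codename
}
GZIP_MAGIC = b"\x1f\x8b"
# Destination categories the policy treats as leaving the organisation's control (constructed).
EXTERNAL_DESTINATIONS = {"cloud-storage", "webmail", "usb"}


def unwrap(payload: bytes, max_layers: int = 3):
    """Strip gzip layers so the keyword signatures see plaintext; returns (content, layers)."""
    layers = 0
    while payload.startswith(GZIP_MAGIC) and layers < max_layers:
        payload = gzip.decompress(payload)
        layers += 1
    return payload, layers


def scan(payload: bytes, inspect_archives: bool = True):
    """Return the sorted names of the signatures that match the payload."""
    content, _layers = unwrap(payload) if inspect_archives else (payload, 0)
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(content))


def decide(payload: bytes, destination: str, inspect_archives: bool = True) -> str:
    """Policy: sensitive content leaving the organisation is blocked; internal transfers are logged."""
    hits = scan(payload, inspect_archives)
    if hits and destination in EXTERNAL_DESTINATIONS:
        return "block"
    if hits:
        return "alert"  # sensitive data moving internally: record it, do not stop the business
    return "allow"


# Constructed sample flows.
BOARD_PACK = b"Q3 board pack attached. CONFIDENTIAL - internal circulation only."
PACKED_BOARD_PACK = gzip.compress(BOARD_PACK)          # same content, compressed
LUNCH_MENU = b"Friday lunch menu: pizza and salad."
CARD_EXPORT = b"customer,card\nJ. Doe,4111 1111 1111 1111\n"  # well-known test card number

if __name__ == "__main__":
    for label, payload, dest in [
        ("board pack -> cloud storage", BOARD_PACK, "cloud-storage"),
        ("board pack -> file server", BOARD_PACK, "file-server"),
        ("gzipped board pack, no archive inspection", PACKED_BOARD_PACK, "webmail"),
        ("lunch menu -> webmail", LUNCH_MENU, "webmail"),
        ("card export -> usb", CARD_EXPORT, "usb"),
    ]:
        inspect = "no archive" not in label
        print(f"{label:45} {scan(payload, inspect)} -> {decide(payload, dest, inspect)}")
```

The point of the `inspect_archives` switch is the complaint the text raises: a scanner that does not unwrap the payload reports a clean result for the compressed board pack, so poor configuration rather than a weak signature is what lets the data out.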
c. Network segmentation
is unfortunately something that is often not done well until after a
security breach. One of the benefits of a properly segmented network is
that a malicious insider keeps bumping into network choke points. If
these choke points are properly instrumented then alerts flow to warn of
potential inappropriate access attempts. This gives the defender more
time to detect and respond to an attack before sensitive data leaves the
network. For example, if your Security Operations Centre (SOC)
observes a user in Finance trying to access an Engineering Intranet
server then you should be raising an incident to address why this user
is trying to access a server that most likely holds no relevance for
their job function.
- Honeypots with decoy sensitive data are one of the more controversial strategies that may not be for everyone. The honeypot should be set up with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic, and knowledge of the existence of a honeypot needs to be controlled on a need-to-know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious by its very nature, as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. Our consultants have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario, you need a robust process for managing these incident types.
- Use of non-core applications, especially social media applications – There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. One concern we often hear from our customers is that they are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes, and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above: classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner, and no one wants to discourage “good behaviour”! If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress or increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance, and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data, can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.
- Additionally, we recommend that you have the ability to hunt for caches of sensitive data – one phenomenon that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories, as these are the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches, it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality.
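The cache hunt in the last item above, as an added Python example that is not the consultants' tooling or any DLP product: it walks a directory tree, classifies each file as document or archive, and reports every directory whose document and archive volume exceeds a threshold, returning the file names and types as the text asks for. Archives are recognised by their magic bytes before their extension, so a ZIP renamed to `.dat` in a temp directory is still counted. The home-directory layout, file names and sizes are constructed inside a temporary directory purely for the demonstration, and the threshold is the tunable volume.

```python
import os
import tempfile
import zipfile
from pathlib import Path

DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".csv", ".txt"}
ARCHIVE_EXT = {".zip", ".rar", ".gz", ".7z"}
# Leading bytes of common archive formats, checked before trusting the extension.
MAGIC = {b"PK\x03\x04": "archive", b"\x1f\x8b": "archive", b"Rar!": "archive"}


def file_type(path: Path) -> str:
    """Classify a file as archive, document or other; magic bytes beat the file name."""
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    ext = path.suffix.lower()
    if ext in ARCHIVE_EXT:
        return "archive"
    if ext in DOC_EXT:
        return "document"
    return "other"


def hunt(root: Path, threshold_bytes: int):
    """Return (relative_dir, total_bytes, [(name, type), ...]) for every directory over the threshold."""
    findings = []
    for dirpath, _subdirs, names in os.walk(root):
        entries, total = [], 0
        for name in names:
            path = Path(dirpath) / name
            kind = file_type(path)
            if kind == "other":
                continue
            entries.append((name, kind))
            total += path.stat().st_size
        if entries and total >= threshold_bytes:
            rel = Path(dirpath).relative_to(root).as_posix()
            findings.append((rel, total, sorted(entries)))
    return sorted(findings)


def build_sample_tree(root: Path):
    """Create a constructed home-directory layout; file contents are filler, not real documents."""
    sizes = {
        "alice/Documents/notes.docx": 20_000,
        "alice/Documents/budget.xlsx": 30_000,
        "bob/Desktop/staging/cad-export-1.pdf": 400_000,   # staged cache on the desktop
        "bob/Desktop/staging/cad-export-2.pdf": 400_000,
        "bob/Desktop/staging/bom.csv": 250_000,
        "carol/Pictures/holiday.jpg": 2_000_000,            # large but not a document type
    }
    for rel, size in sizes.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
    # A staged ZIP with a misleading name in a temp directory: found by magic bytes, not extension.
    tmp = root / "bob/AppData/Local/Temp"
    tmp.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(tmp / "out.dat", "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("drawings.bin", os.urandom(300_000))


def run_demo(thresholds=(1_000_000, 200_000)):
    """Build the sample tree and hunt it at each threshold; returns {threshold: findings}."""
    with tempfile.TemporaryDirectory() as tmpdir:
        root = Path(tmpdir)
        build_sample_tree(root)
        return {t: hunt(root, t) for t in thresholds}


if __name__ == "__main__":
    for threshold, findings in run_demo().items():
        print(f"threshold {threshold} bytes:")
        for rel, total, entries in findings:
            print(f"  {rel} ({total} bytes): {entries}")
```

Lowering the threshold from one megabyte to 200 kilobytes is what surfaces the renamed archive in the temp directory while leaving the ordinary working documents alone; that trade-off between catching staged caches and drowning in normal file activity is why the text asks for a dynamically tunable volume.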