Going on the Offense: How to Eliminate Internal Threats

Over the past few years, we’ve observed significant changes in the types of conversations we’re having with CISOs. What used to be discussions about how to keep bad guys out has evolved to how to manage and address internal threats. Internal threats come in a variety of shapes and sizes. It could be an attacker who has already gotten in and waiting for the right moment to make a move. It could also be an insider threat. It could be a malicious insider looking to do harm to the organization. Or it could be employees who don’t mean any harm but may doing things (knowingly or unknowingly) that could put an organization at risk.

With the perimeter all but dissolved, and as enterprises transition to the cloud, it’s becoming clear that identity, and where there are points of access, is the new perimeter. The challenge for many organizations is how to understand their posture around identity. This requires understanding who is doing what, when, and where, and understanding it across all applications and platforms on prem, in the cloud and in hybrid environments. Having a holistic view of identity–all users, privileges, access patterns and accounts–is becoming more critical in order to be more proactive and to have proper controls over accounts (privileged, user, service, and more) and to being able to protect accounts from compromise.

DevOps Connect:DevSecOps @ RSAC 2022

For those looking to go on the offense with Internal Threats, we have pulled together several key considerations that organizations should think about when implementing a preventive and proactive Internal Threat program. You can read our full “Security Evolved” whitepaper here.

There are three key questions to consider:

  • What are the different types of Internal Threats?
  • What are the existing technology and resource gaps to overcome?
  • How Identity and Access Threat Prevention (IATP) can effectively stop threats before they do harm?

The many forms of Internal Threats

Understanding the many shapes of Insider threats is important.  It’s not just a malicious insider or someone who unknowingly clicks on a link. For example there are BYOD considerations, employees who bend the rules, people who share accounts, people with weak passwords, people with more access than they should have, privileged users using non-secure endpoints…shall I go on? Let’s also not forget APTs and advanced malware that may already be dwelling inside your organization waiting to make their move. If you can understand and have a complete view of identity, behavior and risk, then you can start to respond to internal threats in a much more intelligent and proactive manner.

Technology and Resource Gaps

Responding to internal threats with existing technologies can be a challenge because they may not be dynamic enough or they lack key features to address the problem. Let’s take a look at these challenges:

  1. User and Entity Behavior Analytics and Analytics tools are not real-time, they lack enforcement and have a large reliance on staff to address threats.
  2. Access Management solutions lack views of threats and have poor control over privileged and service accounts.
  3. Network Security tools lack behavioral detection, are often tied to the perimeter and can be difficult and costly to deploy.

And then there is the resource gap. In speaking with CISOs today, I don’t think I’ve met one who hasn’t had a team suffering with “too much to do.” And I don’t think we’ll see this change anytime soon. They have too many alerts to follow up on and often lack the people or skills to be able to follow up on every alert. In one survey I read it stated that only 1 in 4 companies have 24×7 coverage to be able to respond. Solving the technology and resource gaps are going to require an approach that allows security teams to be more proactive.

How can Identity and Access Threat Prevention help you effectively stop Internal Threats?

At a high level, the concept of Identity and Access Threat Prevention (IATP) is to solve the gap that has been preventing organizations from being able to preempt threats before impact and reduce risk with a more holistic view of identity that allows security teams to better manage and control user access. Understanding identity, behavior and risk and being able to respond in a highly adaptive manner based on policy allows organizations to be more proactive. With this approach, an organization can continuously preempt threats like credential compromise, lateral movement, account takeover, abuse of tools and protocols and other threats.

At their recent Gartner Security & Risk Management Conference, Gartner presented their findings on the top technologies for information security and their implications for security organizations in 2018.One of those technologies is a framework called CARTA. CARTA stands for continuous adaptive risk and trust assessment which pushes enterprises to embrace a continuously adaptive approach to information security. Put simply,binary decisions – black or white, allow or block – do not work anymore. Enterprises have to think about how to enable transactions when all the information is not available or when there is a level of evolving risk. A CARTA mindset allows enterprises to make decisions based on risk and trust. Identity and Access Threat Prevention is a solution that can help organizations with adopting a CARTA approach in their security strategy.

To build a more dynamic prevention program that will both eliminate insider threats and provide relief for your overworked security team, you should look for some of these key IATP capabilities:

  • Ability to learn identity, behavior and risk
  • Continuous threat detection
  • Real-time response that adapts based on risk level and policy
  • Holistic view of identity across all accounts and platforms
  • Doesn’t require 24×7 coverage

In our “Security Evolved” whitepaper  we dive into these capabilities in more detail and why each of these are important to having a truly preventative program. Below, we highlight the importance of real-time response and visibility.

Real-time Response

As outlined earlier, Gartner’s CARTA framework encourages enterprises to utilize continuously adaptive approaches to information security. Shifting from detection of threats to prevention of threats, and doing it an adaptive manner, addresses the shades of grey because binary decisions (allow or block) don’t work anymore.

To go on the offense, you need to get in front of the threat. When abnormal or anomalous behavior is detected, you want to be able to automatically respond as it is happening to either verify identity or prevent a threat from becoming successful. The best type of response will be real-time (as the threat is detected) and one that adapts based on the risk of the the user, asset being targeted, and policy so that the right level of enforcement can occur based on the scenario.

Enforcement options that go beyond simple block or allow are a key requirement. For example, being able to allow, block, isolate, ask a user to reauthenticate or use multifactor authentication to verify identity, obtain approval, force password updates, and more. Having a variety of response levels is important. In some cases where risk level is lower, a simple reauthentication might be appropriate and in other cases, something more robust might be in order.  Having a set of fine grained responses and policies allows you to better ensure that real business isn’t stopped. The last thing a security team wants to do is stop critical business from happening.

Visibility to Reduce your Risk

While IATP can automate the detection and response to threats, it’s important to have a holistic view of identity with visibility of all accounts across all platforms so that the solution can track the security posture of the network and provide deep real-time insights into Privileged Users, End Users, Service Accounts, and Endpoints. Having the ability to see things such as unmanaged endpoints, stale privileged accounts, weak passwords, exposed passwords, and shared devices can help provide insights into where risk can be proactively be reduced. This visibility and intelligence helps security staff analyze events, get work done faster, and proactively manage the attack surface of the network. Good visibility is a requirement to help reduce your overall risk for internal threats, insider threats and breaches.  

Next steps

IATP represents an opportunity for organizations to go on the offense with Internal Threats. It provides a proactive and adaptive approach that incorporates identity, behavior and risk to detect and prevent threats in real-time. Additionally, having the ability to automatically respond to suspicious activity in real-time can not only help an overstretched security team increase their efficiency (some say by as much as 30-40%) but it can stop a real threat from accessing the network and potentially causing real harm to the business.

This post reflects an update to our April 2017 blog on Internal Threats.

*** This is a Security Bloggers Network syndicated blog from Preempt Blog authored by Heather Howland. Read the original post at: