Insider threats come in many forms, including disgruntled employees with malicious intent and unassuming workers who inadvertently mishandle and leak sensitive data or peek at a co-worker’s private information. Ponemon’s 2018 Cost of Insider Threats: Global report found that 159 organizations around the world experienced more than 3,200 insider incidents in the 12 months before the study, at a total average cost of $8.6 million.
When organizations gain greater visibility into threats of all kinds coming from the inside, they can increase trust by driving bad actors out and improving their overall security posture. Below are the top five events that organizations monitor cloud applications for, as well as information on how monitoring them can help to promote good security hygiene within a company.
Altered Profiles and Permissions
Profiles and permissions are established in cloud applications to regulate what a user can and cannot do. For example, in Salesforce, every user has one profile but can have multiple permissions sets. The two are usually combined by using profiles to grant the minimum permissions and access settings for a specific group of users, then permission sets to grant more permissions to individual users as needed. Profiles control object, field, app and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.
Which permissions an employee has depends on how their company has configured them. In some companies, all users enjoy advanced permissions; others take a conservative approach, granting only the permissions necessary for that user’s specific job roles and responsibilities. But with more than 170 permissions in Salesforce, for instance, and hundreds or thousands of users, it can be difficult to grasp the full scope of what your users can do in Salesforce.
Created or Deactivated Users
One aspect of managing users is the ability to create and deactivate them. If user deactivation is not done properly when an employee leaves the organization, an inactive user may retain access to sensitive data, or an external attacker may take over their still-active credentials. For cloud applications, a security issue may also arise when an individual with administrative permissions creates a “shell,” or fake user, under which they can steal data. After the fact, they can deactivate the user to cover their tracks.
Another method security teams use to watch out for any potential insider threats is monitoring for user creation. And by keeping track of when users are deactivated, you can run a report of deactivated users within a specific time frame and correlate them with your former employees (or contractors) to ensure proper deprovisioning. Monitoring for creation and/or deactivation of users is also required by regulations such as Sarbanes-Oxley (SOX) and frameworks such as ISO 27001.
Exported Reports
Users can run reports on nearly anything within Salesforce, from contacts and leads to customers. And those reports can be exported for easy reference and analysis. This means employees can extract large amounts of sensitive data from cloud applications simply by exporting reports. Departing employees may choose to export a report of customers, using the list to join or start a competitive business.
If the IT team monitors for exports, though, this can help an organization:
- Secure sensitive customer, partner and prospect information, increasing trust with your customers and meeting key regulations and security frameworks (e.g., PCI-DSS).
- Stop the exfiltration of data before more damage occurs.
- Rapidly discover team members who may be stealing data for personal or financial gain.
- More quickly spot and remediate the activity, reducing the cost of a data breach.
- Detect potential instances of compromised credentials and deactivate compromised users.
Reports Run
Companies are often primarily concerned with which reports are being exported, but simply running a report could create a security issue. The principle of least privilege dictates that people be given only the minimal amount of permissions necessary to complete their job, and that applies to data that can be viewed. But many companies grant broad access across the organization, even to those whose job does not depend on viewing specific sensitive information.
You can monitor top report runners, which reports have been run and report volume to track instances where users might be running reports to access information that’s beyond their job scope. Users may also be running but not necessarily exporting larger reports than they or their peers normally do.
In addition, you can watch for personal and unsaved reports, which can help close any security vulnerability created by users attempting to exfiltrate data without leaving a trail. Whether it’s a user who is attempting to steal the data, a user who has higher access levels than necessary or a user who has accidentally run the report, monitoring for report access will help you spot any additional security gaps or training opportunities.
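The export and report-run checks described in the two sections above, as an added example that is not part of the original article: it runs over constructed report events (the field names are simplifications chosen here, not the Salesforce EventLogFile schema) and flags large exports, unsaved reports and users whose run volume is far above their peers’ median.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not real Salesforce log data); the field names are
# simplifications chosen for this example, not the EventLogFile schema.
# kind: "run" = report was run in the UI, "export" = report was exported.
EVENTS = [
    {"user": "alice", "kind": "run",    "report": "Q3 Pipeline",   "rows": 120,   "saved": True},
    {"user": "alice", "kind": "run",    "report": "Open Cases",    "rows": 80,    "saved": True},
    {"user": "bob",   "kind": "run",    "report": "Q3 Pipeline",   "rows": 110,   "saved": True},
    {"user": "bob",   "kind": "run",    "report": "Open Cases",    "rows": 95,    "saved": True},
    {"user": "carol", "kind": "run",    "report": "All Customers", "rows": 48000, "saved": False},
    {"user": "carol", "kind": "export", "report": "All Customers", "rows": 48000, "saved": False},
    {"user": "carol", "kind": "export", "report": "All Contacts",  "rows": 51000, "saved": False},
    {"user": "dave",  "kind": "export", "report": "Q3 Pipeline",   "rows": 120,   "saved": True},
]

def report_findings(events, export_alert_rows=10000, peer_factor=10):
    """Map each user to the reasons their report activity deserves review."""
    findings = defaultdict(list)
    run_rows = defaultdict(int)          # total rows returned by each user's runs
    for e in events:
        # 1. Exports are the exfiltration channel; large ones get an explicit flag.
        if e["kind"] == "export" and e["rows"] >= export_alert_rows:
            findings[e["user"]].append(f"large export: {e['report']} ({e['rows']} rows)")
        # 2. Personal/unsaved reports leave no saved definition to audit later.
        if not e["saved"]:
            findings[e["user"]].append(f"unsaved report {e['kind']}: {e['report']}")
        if e["kind"] == "run":
            run_rows[e["user"]] += e["rows"]
    # 3. Peer comparison: a user pulling far more rows than the median of their
    #    peers may be reading beyond their job scope even if nothing was exported.
    for user, total in run_rows.items():
        peers = [t for u, t in run_rows.items() if u != user]
        if peers and total > peer_factor * median(peers):
            findings[user].append(f"run volume {total} rows vs peer median {median(peers):.0f}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in report_findings(EVENTS).items():
        print(user, reasons)
```

The peer comparison uses a median rather than a mean so that a single heavy user does not drag the baseline up and hide themselves.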
Logins Far and Wide
Monitoring login activity might give you additional insight. Users who have not been properly deprovisioned may be able to gain access to sensitive data after employment, in the case of a departed employee, or at the end of a contract with a third party. Login activity can also tell you a user’s location, hours, devices and more—all of which can uncover potential security incidents, breaches or training opportunities.
Organizations can therefore monitor for inactive users logging in to safeguard data from theft by a former employee or contractor. Login activity can also tell you whether employees are logging in after hours or from a remote location. This may be an indicator of an employee working overtime, but it may also be a red flag for a departing employee logging in after hours to steal data, or for compromised credentials.
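The deprovisioning correlation from the "Created or Deactivated Users" section and the login checks from this section, as an added example that is not part of the original article: it correlates a constructed HR departure list with constructed user records (field names follow the Salesforce User object, but the rows are made up) and flags logins after a departure date or outside assumed business hours.

```python
from datetime import datetime, time

# Constructed sample data (not from a real org). Field names follow the
# Salesforce User object (Username, IsActive) but every row is made up.
HR_DEPARTURES = {            # username -> last working day, from the HR system
    "alice@example.com": datetime(2018, 9, 14),
    "bob@example.com":   datetime(2018, 9, 28),
}
USERS = [
    {"Username": "alice@example.com",    "IsActive": True},   # never deactivated
    {"Username": "bob@example.com",      "IsActive": False},  # deprovisioned
    {"Username": "carol@example.com",    "IsActive": True},   # current staff
    {"Username": "svc-temp@example.com", "IsActive": False},  # no HR record at all
]
LOGINS = [  # (username, login timestamp, source IP): constructed
    ("alice@example.com", datetime(2018, 9, 20, 23, 10), "203.0.113.7"),
    ("carol@example.com", datetime(2018, 9, 20, 10, 5),  "198.51.100.4"),
    ("carol@example.com", datetime(2018, 9, 21, 2, 40),  "198.51.100.4"),
    ("bob@example.com",   datetime(2018, 9, 26, 9, 0),   "198.51.100.9"),
]
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed local working window

def check_deprovisioning(users, departures):
    """Correlate account state with the HR departure list."""
    still_active = sorted(u["Username"] for u in users
                          if u["IsActive"] and u["Username"] in departures)
    # A deactivated account with no matching departure may be a short-lived
    # "shell" user that was deactivated to cover its tracks.
    unexplained = sorted(u["Username"] for u in users
                         if not u["IsActive"] and u["Username"] not in departures)
    return {"still_active": still_active, "deactivated_without_departure": unexplained}

def check_logins(logins, departures, hours=BUSINESS_HOURS):
    """Return (username, timestamp, reason) for logins that deserve a closer look."""
    flagged = []
    for user, ts, _ip in logins:
        if user in departures and ts > departures[user]:
            flagged.append((user, ts, "login after departure date"))
        elif not hours[0] <= ts.time() <= hours[1]:
            flagged.append((user, ts, "login outside business hours"))
    return flagged

if __name__ == "__main__":
    print(check_deprovisioning(USERS, HR_DEPARTURES))
    for user, ts, reason in check_logins(LOGINS, HR_DEPARTURES):
        print(user, ts.isoformat(), reason)
```

An after-hours login is only a prompt for review, since it may simply be overtime; a login after the HR departure date is the stronger signal and should be tied back to the deprovisioning gap.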
What to Watch For
Cloud applications have become an integral part of doing business today, offering employees the anywhere, anytime access to the applications and data they need. However, many applications spread across many clouds create greater complexity, which makes it easier to steal data undetected. For this reason, many companies are considering solutions to help them monitor user interaction and behavior with these applications and data. Start with the five monitored events discussed above to begin your journey toward greater visibility into user activity, and greater security.