To Mitigate Insider Threats, Time is of The Essence
Insider threats pose myriad challenges to an organization but are often deprioritized in favor of preventing external threats from compromising company assets. It’s a situation further exacerbated by the fact that a good percentage of what actually falls under the category of insider threat is caused by outsiders pulling the strings—leveraging valid, compromised credentials and systems.
This focus on external threats as more urgent and dire betrays a false confidence in the level of threat prevention that can be achieved. With all the evidence around the extent of damage initiated by insiders, program emphasis should be equal to, if not more important than, external monitoring, because when detecting insider threats, it all boils down to timing and a slight change in mindset. Security teams should start with the assumption that insider compromise may already exist.
It can take as little as a few minutes or even seconds for an insider to exfiltrate sensitive data or infect critical systems with malware. Insiders are privileged and, unlike most intruders, operate in “trusted space” behind the firewall. So, whether the insider’s actions are intentional or accidental, the damage is already done, with no one the wiser. And in most cases, the longer it takes for an organization to detect and investigate such a threat, the greater the resulting damages are likely to be.
Make no mistake: Timely detection and investigation of insider threats is far easier said than done. For many organizations, this is due largely to a lack of the right tools or technology, the right expertise or both.
As far as technology is concerned, defenders often make the mistake of using the same tools security operations centers and incident response teams use to detect and respond to external threats; however, these tools are not likely to identify insider threats. Many such tools provide mostly network visibility or are signature-based and thus can only identify indicators of known threats that require an initial exploit or breach to penetrate a targeted network. Since insiders already have network privileges, their activities lack these indicators and are unlikely to be detected by these tools.
But even for organizations that do seek out the right tools for detecting and investigating insider threats, the market is oversaturated and tricky to navigate. Misleading claims and confusing marketing are plentiful. Tools ranging from user and entity behavior analytics platforms, to data loss prevention offerings, to user activity monitoring solutions are frequently—and falsely—touted as panaceas of sorts, making it more difficult for prospective customers to determine which offerings are suitable for their needs.
Meanwhile, on the expertise front, the issue for many organizations is that they’ve long been accustomed to prioritizing—and allocating most of their security resources toward—combating external threats versus scrutinizing internal behavior for even the slightest deviation. This leaves insider threat activity as a common blind spot, and the same goes for the fundamental elements and integrated makeup of an insider threat program (ITP)—otherwise known as the means through which anomalous activity can be detected and investigated most efficiently and effectively.
Developing an ITP is not just a matter of throwing another tool at the problem and seeing what sticks. It does, however, require a strong foundation that integrates various resources and stakeholders throughout the organization, identifies an organization’s critical assets and vulnerabilities, and drives policy and governance to protect the organization and its stakeholders from this threat.
There are no shortcuts for developing and implementing an effective ITP. As the old saying goes, it takes a robust combination of people, process AND technology. However, if companies are unsure where to begin, there are still basic steps that can help mitigate the risk, even before beginning a technology evaluation process.
For instance, by adjusting the employee offboarding process, companies can become substantially less susceptible to insider threats. This only requires simple yet effective actions such as ensuring exiting employee accounts are closed, access privileges revoked and login credentials invalidated in a timely manner. After all, if a former employee maintains valid access to company assets, any misuse would not trigger alerts. Given that many insider threat incidents have been linked to former employees, proper offboarding can lower these risks significantly.
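The offboarding gap described above can be checked with a simple reconciliation of HR termination times against directory account state and authentication logs, measuring the lag because that delay is the exposure. This is an added example, not code from the article; the data formats, field names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): HR termination timestamps,
# a snapshot of directory account state, and authentication log lines.
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0),    # left Friday evening, never disabled
    "asmith": datetime(2024, 3, 4, 12, 0),  # left Monday noon, disabled promptly
}
ACCOUNT_ENABLED = {"jdoe": True, "asmith": False, "bwong": True}
AUTH_LOG = """\
2024-03-01T16:45:00 jdoe LOGIN_SUCCESS vpn
2024-03-03T09:12:00 jdoe LOGIN_SUCCESS fileshare
2024-03-05T08:00:00 asmith LOGIN_FAILURE vpn
2024-03-05T08:30:00 bwong LOGIN_SUCCESS vpn
"""

def parse_auth_log(text):
    """Parse 'timestamp user outcome system' lines; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return events

def offboarding_findings(terminations, enabled, events, now, grace=timedelta(hours=1)):
    """Flag terminated accounts still enabled beyond a grace window, and any
    successful login by a terminated user after termination. Each finding
    carries the lag since termination: the longer it is, the larger the exposure."""
    findings = []
    for user, term_at in terminations.items():
        if enabled.get(user) and now > term_at + grace:
            findings.append({"type": "STILL_ENABLED", "user": user,
                             "lag": now - term_at})
    for ts, user, outcome, system in events:
        term_at = terminations.get(user)
        if term_at and outcome == "LOGIN_SUCCESS" and ts > term_at:
            findings.append({"type": "POST_TERMINATION_LOGIN", "user": user,
                             "system": system, "lag": ts - term_at})
    return findings

def run_check(now=datetime(2024, 3, 6, 9, 0)):
    """Run the reconciliation over the constructed data at a fixed 'now'."""
    return offboarding_findings(TERMINATIONS, ACCOUNT_ENABLED,
                                parse_auth_log(AUTH_LOG), now)

if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

In practice the three inputs come from the HR system, the identity directory and the SIEM; the logic is the same.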
Insider threats are a complex problem that requires not only a different focus and approach, but also a different mindset. It’s an issue far too big to be ignored. Insiders—be they malicious or unwitting accomplices—have direct, accelerated access to the most coveted of internal secrets and assets. And in most cases, the longer such activity goes unnoticed, the greater the damage. When it comes to combating insider threats, time really is of the essence.