Best practices for preventing insider threats in a down economy

Hugh Njemanze, CISSP, founder, CTO and executive vice president of research and development, ArcSight
IT administrators, network managers and just about everyone else in the nation know that the economy’s condition can lead people to take actions they would not take in more affluent times. In fact, in stressful situations, people are more likely to partake in risky activity, whether it is malicious, criminal, negligent or otherwise. Organizations must be aware that in these tough times, the likelihood of suffering damage from insider activity is on the rise.
This should be of special concern to those tasked with safeguarding valuable data on the network, since a company’s data and intellectual property can help it swim in tough times — or sink it if the data and intellectual property are stolen or otherwise compromised. Luckily, technology can serve as a crucial weapon in the security administrator’s fight against intellectual property breaches.
Given these tough times and their potential consequences, early detection of and response to the insider threat are important when protecting valuable corporate assets. Technology solutions are available that focus on the needed detection and response. One worthwhile approach is through security information and event management (SIEM), which is designed to, among other things, monitor the activity of an organization’s IT environment and detect early-warning signs of malicious insider activity.
A SIEM approach to protecting information ensures that multiple avenues of risk for various types of intellectual property are assessed and continuously monitored:
- Sensitive data – databases and file servers
- Applications – custom, commercial, web and non-web-based applications
- Identity management – LDAP, Active Directory and IDM solutions developed by companies like Sun and Oracle
- IT infrastructure – firewalls, intrusion prevention, network gear, VPNs and physical security controls like badge readers, video analytics and RFID
Such a far-reaching and deep perspective of an enterprise’s environment helps address many essential questions: who is doing what, whether they should be taking those actions, how they are doing it, who and what is impacted by the activity, who else is involved, and how long the activity has been going on.
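As an added illustration of the cross-source correlation described above (example code written for this page, not ArcSight's product or the author's own), the snippet below joins constructed badge-reader, VPN and database-audit events for the same user and raises two kinds of insider-risk alerts: a VPN login while the user is still badged in on site, and a bulk read of a sensitive table outside business hours. The event format, user names, thresholds and table names are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events, one line per record, as a SIEM might normalize them
# from three sources: physical badge readers, a VPN concentrator, a database audit log.
EVENTS = [
    "2009-03-02T08:55:00 badge user=alice action=entry door=hq-lobby",
    "2009-03-02T09:10:00 db    user=alice action=select table=customers rows=120",
    "2009-03-02T17:30:00 badge user=alice action=exit door=hq-lobby",
    "2009-03-02T23:40:00 vpn   user=alice action=login src=203.0.113.5",
    "2009-03-02T23:45:00 db    user=alice action=select table=customers rows=250000",
    "2009-03-02T09:05:00 badge user=bob action=entry door=hq-lobby",
    "2009-03-02T10:00:00 vpn   user=bob action=login src=198.51.100.9",
]

SENSITIVE_TABLES = {"customers"}   # assumed list of tables holding intellectual property
BULK_ROWS = 10_000                 # assumed threshold for a "bulk" read
BUSINESS_HOURS = range(8, 19)      # assumed 08:00-18:59 local working day


def parse_event(line):
    """Turn 'timestamp source key=value ...' into a dict."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def correlate(lines):
    """Replay events in time order and return (user, rule, timestamp) alerts."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    badged_in = set()   # users whose last badge event was an entry
    alerts = []
    for e in events:
        user = e["user"]
        if e["source"] == "badge":
            (badged_in.add if e["action"] == "entry" else badged_in.discard)(user)
        elif e["source"] == "vpn" and e["action"] == "login" and user in badged_in:
            # Remote login while physically on site: shared credentials or misuse
            alerts.append((user, "vpn_login_while_badged_in", e["ts"]))
        elif e["source"] == "db":
            bulk = int(e.get("rows", 0)) >= BULK_ROWS
            after_hours = e["ts"].hour not in BUSINESS_HOURS
            if e.get("table") in SENSITIVE_TABLES and bulk and after_hours:
                alerts.append((user, "bulk_sensitive_read_after_hours", e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in correlate(EVENTS):
        print(f"{ts.isoformat()} {user}: {rule}")
```

Each alert still needs an analyst to decide whether it is an incident, which is the human interpretation step the article calls out.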
Organizations must search out many different factors when monitoring for insider activities. Furthermore, every company has a different approach based on corporate culture, sensitivity of data and so forth. Also, while technology helps reduce the false positives and bring forward the most compelling events, human interpretation is always needed. Technology assists in rooting out the insider threat, but nothing beats human insight and experience.
In my conversations with CSOs and CIOs, it quickly becomes clear that they still see large gaps in the security postures of many businesses (including their own) when it comes to insiders. To remain competitive and keep their valuable information from appearing in competitors’ databases, organizations must take steps to address these gaps. By deferring action their risk increases, and by the time a publicly visible breach occurs, a company could find itself trying to mend a loss of customer and investor confidence, which in itself is likely to be a much more expensive proposition than an early and proactive investment in monitoring, detection, response and prevention would have been. It is essential that organizations assess their current security practices regarding insider activity and take proactive, preventive measures to detect and protect against undesired behavior.