By Armaan Mahbod, manager, insider threat analyst team, Dtex Systems
You’ve spent millions on security. You have the latest and smartest firewalls installed. You have deployed cutting-edge AI-powered antivirus solutions. Phishing emails are stopped cold by your expensive anti-spam and email security gateway solutions, some of the time at least. You are using a CASB to secure your cloud. Your web gateway solutions stop anyone in your organization from visiting high-risk URLs. Everything seems to be in order. Then, it happens. Your public relations team gets a call from a news reporter who wants to ask you about a data set being offered for sale on the dark web, which looks like it belongs to your company. Visions of Equifax, Sony, Target and many, many more stomp their way through your head …
The reality today is that even the most advanced security infrastructures are vulnerable. Cybercriminals are always getting better at exploiting vulnerable code, developing new malware strains, and taking advantage of misconfigurations. Threats from the outside are only part of the problem. As leader of the insider threat analyst team at Dtex Systems, I help to run assessments inside of organizations that are interested in addressing the insider threat. We frequently find instances where users are able to engage in high-risk behaviors without detection by simply turning off security controls.
In a recent assessment we ran, an international financial services institution (with thousands of employees spread across the globe) could not understand why its users were repeatedly able to visit high-risk websites that were supposedly being blocked by several security layers. Not only were the solutions not blocking users from accessing risky URLs, they were also not able to provide any data on how users were able to bypass them. As we progressed through the trail of bits, we discovered that the users were simply turning off the controls designed to stop them from engaging in dangerous activities. The tools these users were hitting the kill switch on didn’t have safeguards built in to deter such actions, nor did any provide alerts when they were turned off.
Killing controls is not the only way insiders are driving risk. In many cases, they are sidestepping them.
Our most recent insider threat intelligence report gathered examples of insider risk taking place across a dozen industries and different regions. Sixty percent of the assessments we ran detected instances where employees were using anonymous and private browsing to circumvent security controls. In 72 percent of the assessments, we detected situations where insiders were using high-risk, unsanctioned applications to get around security controls. We also uncovered scenarios where users would log off corporate networks and WiFi and then engage in high-risk activities, which we believe they did in order to avoid detection. Some of the actors in the situations we identified had malicious intent. Others were simply looking for ways to work in a manner they believed to be more efficient. Several wanted to conduct personal business without being monitored. Regardless of the intent involved, all of them were increasing risk to unacceptable levels.
Keeping the Security “Lights” On
Fortunately, there are frameworks available to follow that will allow you to strengthen your infrastructure and reduce and even eliminate opportunities for trusted and questionable insiders to shut down or dodge security controls. There are also ways to properly safeguard your security technologies and to make certain that they are working effectively and remain in place. To start with, follow at least this basic four-step framework:
1. Have capabilities in place that can identify and alert when users are attempting to turn off security products installed on endpoints in use. This capability can be delivered via an added layer that can detect when users are interfering with solutions deployed on their machines or via features that are built directly into technologies. Although, not all of them provide this function as an option.
2. Gain visibility into what your users are doing while off the network. Today’s employees are highly mobile and have the freedom and flexibility to conduct work from anywhere. Employees who leave the office to work from Starbucks for a few hours may or may not have malicious activities in mind. They may have the ability to engage in risky behaviors without detection if their organization loses sight of their activities while they are disconnected. Today, there are non-intrusive technologies available that can provide intelligence about any threatening moves employees make while they are unplugged.
3. Know when users are opening browsers in private and incognito modes, when they are using TOR browsers, or non-approved VPNs. Many users believe that such techniques can shield risky behaviors. There are many cases when they can. This is especially true in environments where monitoring capabilities can’t see when these types of technologies are being used. Your organization may not need to know the details of activities its employees are engaged in while browsing privately or anonymously, but such usage can be an indication that an insider threat is active. The only way to address this vector is to know when it is in use.
4. Understand how well your controls are performing. To get maximum protection, you need to understand efficacy levels, be able to identify whether or not solutions are working as intended, and determine if systems are being tampered with or operating within or outside of normal parameters.
To effectively reduce cyberthreats and insider threats, you have to take a multi-layered approach to protecting your security infrastructure. This basic framework won’t address all of your challenges, but it will provide your organization with an effective way to address a major driver of both risk categories — humans.
