At the risk of potentially alienating a high-demand workforce that potentially can jump to a new company for seemingly minor perks such as company-paid cafeterias or flex time with little oversight, CISOs today find themselves with a challenge. In order to protect their corporations against data breach from internal and external sources, CISOs have a tool that is effective at identifying breaches but some employees might find a bit too intrusive: analytics. The move to analytics-based security — be it behavioral, threat intelligence, big data, or one of a myriad of other analytics technologies — could be interpreted as Big Brother watching over the employees.
The potential damage that an insider attack can inflict on a business is massive, a reality that prompted some enterprises to use analytics, keystroke capture, and digital video to track insiders. But are the risks of a company alienating its employees and contractors worth it? Are analytics even an effective means of neutralizing insider threats?
When exploring insider threats, it is critical to focus on the distinctions between a potential and an actual threat. The potential threat is significant with insider attacks, given that these are people who already have legitimate credentials to a company’s systems and who, one way or another, exceed their authority on the system and do something unauthorized such as sabotage servers or steal company data and sell it to a competitor.
But the true threat from insiders is a matter of debate with some experts saying the actual insider threats seen are small compared with today’s external attacks. Then there is the question of how one defines an insider threat in the first place. Forrester Research, for example, defines an insider threat as any breach that is caused or facilitated by an insider, whether it is an “accidental insider or malicious insider,” says Forrester Principal Analyst Joseph Blankenship. Forrester considers accidental insider attacks as ones where the insider had no malicious intent — perhaps an employee accidentally left a port open and an attacker leveraged that to gain access or saved a file to an insecure thumb drive so they could work at home rather than remain in the office.
Using Forrester’s all-encompassing definition, Blankenship reports that insiders were responsible for 24 percent of all data breaches last year. But when limiting the definition to just malicious insiders — the definition commonly assumed in IT and security circles — that percentage drops to closer to 11 percent, he says. That suggests that 89 percent of all attackers were external.
“Some of the vendor marketing may be overblowing the insider threat,” Blankenship says.
IDC uses a similar insider threat definition as does Forrester, also including unintentional insider acts that facilitate external attacks. “The number goes down pretty dramatically if you start to remove things that are unintentional,” says Sean Pike, program vice president for security products at IDC. “Malicious is always a pretty small number, but they are very impactful because they have so much access.”
Another important component of an insider threat analytics strategy is whether to try and keep it secret or not. The “keep it secret” argument focuses on preventing any employee or contractor backlash from them being monitored so precisely. The “disclose it” argument speaks to deterrence, suggesting that the main reason for launching such analytics is less to catch insider evildoers than to discourage anyone from trying.
Indeed, the deterrence argument is made quite handedly by some companies that say that they are monitoring employees, when they really are not. Danny Rogers, the CEO of a Dark Web intelligence company called Terbium Labs, used to work with a casino that populated its money-counting rooms with fake cameras with little red lights on them. He calls it “security theater.” That way, the casino got almost all of the deterrence of true monitoring without almost any of the cost.
That works until an incident occurs and the company has to fess up publicly that it has no footage. But even then, would employees assume that all cameras are still fake? The cat-and-mouse game of loss prevention psychology will get a full workout.
Setting aside the psychodrama of “Are they or are they not tracking us,” the better question to ask is “Should they or shouldn’t they be tracking us?” Rogers positions himself in the “they shouldn’t” camp and he says it is for several reasons.
“When it comes to limits of mining employee data for signs of insider threats, I worry these efforts have already moved too quickly into the realm of ‘pre-crime,’ in which false positives result in employees’ benign activities being interpreted as threatening with employees being wrongfully terminated as a result,” Rogers says.
“The truth is that it’s very difficult to define ‘normal’ behavior for an employee,” he continues. “Often, one’s most productive and creative employees regularly engage in seemingly abnormal behavior as part of their work. In fact, onerous employee surveillance can have a chilling effect on innovation within a company. Generally, I think too much reliance on limited or biased AI (artificial intelligence), whether in looking for anomalous behavior of employees, software, or networks, is resulting in everything from alert fatigue to the increased risk of wrongful termination litigation. You have to have trust in the people in your organization.”
Rogers’ concerns here break down into two basic points. First, it is a bad idea to surveil because of where it might lead. Secondly, it most likely will not work anyway.
As for why it likely would not work, Rogers’ argument is that deviation analytics, which is typically what machine learning does, needs to know what to look for. “You can’t really define abnormal until you define normal. Can you actually define a narrow ring of normal for any given user?” Rogers asks. “It may sound nice in a marketing sense, but I don’t think you can define a narrow enough definition of normal for this to work.”
Rogers’s argument is that for the analytics to work well, it needs to be given a large number of samples of what network activity looks like when there are no insider attacks and it ideally also needs to be shown what it looks like when there are such insider attacks. But that is a challenge in logic, as a company would presumably never have complete confidence that there were no insider attacks happening during any sample period.
David Pearson, principal threat researcher at Awake Security, a former adjunct professor at the Rochester Institute of Technology and a member of the technical staff at Sandia National Laboratories, agrees with Rogers’ concern about the quality of the initial dataset. “How great would it be to be the attacker who got in before your fancy baseline was established as the norm?” Pearson asks rhetorically.
IDC’s Pike vehemently disagrees with both Pearson and Rogers. “It’s a little silly as an argument” that a company would never have a perfect snapshot in time of noncriminal activity, Pike says.
“You’ve got to start somewhere and you may very well need to start at a place where there is rampant fraud happening. As the system goes on, those behavioral patterns will change,” Pike says. “You might spot a pattern (of fraud) and go back and say ‘Now I see it.’”
Pike’s position is that companies must start by looking for the easy things, “the low-hanging fruit” such as employees logging in at odd times, starting to come in early or leaving late when that was never their pattern, their browsing activity, where they are logging in from, and which files are they trying to access. “It’s not so incredibly intrusive,” Pike says. “It’s sort of nonthreatening to employees.”
But is aggressive tracking an overall effective tactic to thwart insider attacks? Pike maintains that it generally is. First, there is a lot of monitoring that is required. “There are regulatory obligations to do some sorts of surveillance,” such as recording phone calls with customers, Pike says. Indeed, some surveillance “has been lifesaving,” such as when the system detects that an employee is acting suicidal.
As for employee pushback and potential resentment to extensive surveillance, Pike does not think that should be a significant concern. First, he does not believe that the surveillance should be announced. “I like my surveillance with a side of secrecy,” Pike says. “It really all depends on what you do with that information. The bad actors will probe ‘What can I get away with here?’ It’s only when you act on anything, that’s where you start alienating folk.”
For example, Pike says, if a manager cracked down on an employee for coming in late based on network analytics and cited the network analytics as the reason that could cause problems. It is better, Pike says, to file away such information and wait to observe corroborating evidence personally. “Even though you have the information, you don’t have to act on every single piece,” Pike says.
Forrester’s Blankenship agrees. “How much are you advertising that you’re doing this monitoring? For example, has anyone been fired as a result? The employees may not even know that they are being monitored.”
Blankenship also points to the level of monitoring and how far it goes beyond what employees expect and assume companies are doing. And that perception changes sharply from one another with defense contractors and banking employees assuming far more surveillance than might be the case with agriculture and hotel industry employees.
“In the U.S., most employees would say that if they are working on a company device, that they would expect (monitoring) to happen,” Blankenship says.
Anton Chuvakin, a Gartner research vice president and distinguished analyst for security and risk management, says the attitudes about surveillance and analytics, especially as it comes to insider attack threats, sharply changes as the geographies and verticals change. “The European Union and Europe in general tend to be on the ‘do not do it’ side,” Chuvakin says. “The U.S. government does it a lot. And U.S. corporate is somewhere in the middle.”
Although Chuvakin offers questions about keystroke logging — “Is it creepy?” he quips — he stresses that the question is truly perceptional. “It is very heavily in the eye of the beholder.”
There is also a strategic question of how much time and effort should be focused on security dealing with the insider threat. For many in security, it is just not much of a priority. “People are too busy fighting malware to even think about insiders,” Chuvakin says.
When it comes to security and privacy, Europeans often look at the topic differently than their counterparts in North America. Catherine Flick is a member of the Association for Computing Machinery’s Committee on Professional Ethics as well as being a reader (the British rough equivalent of a tenured professor) in Computing and Social Responsibility in the Centre for Computing and Social Responsibility at De Montfort University, a public university in Leicester, England. She has strong feelings about privacy.
One of the never-ending problems associated with the European Union’s General Data Protection Regulation (GDPR) and copycat laws cropping up in North America, such as the California Consumer Privacy Act of 2018 on the ballot in November 2018, is that these regulations impose restrictions on what data can be retained and how it can be used. With analytics and employee monitoring, that simply increases how much sensitive data needs to be processed.
“There’s more than just the legal aspects of data analytics. Much of the law is still catching up. GDPR only just came into effect, and we’re still waiting to see what the real-world impact of much of that will be beyond annoying consent agreements on websites,” Flick says. “The [ACM’s] code [of ethics] has always had things to say about data privacy, security, and other ethical issues to do with analytics. Merging of datasets needs to be done with care to ensure privacy is protected; de-anonymization is bad [while] informed consent and user control over personal data is good.”
Flick says she is inclined to think that aggressive employee monitoring for the purpose of thwarting insider security threats is “not an appropriate use of that technology” in general, although she adds that for some high-security businesses such as banks, “it might be appropriate.” She argues it is better to focus on all security matters and “to trust (employees) and assume that they’ll be professional. It’s taking a sledgehammer to an ant situation.”
Flick notes that in the U.K., email and messaging communications cannot be examined by a company if it is explicitly labeled “union business.” She adds: “It can have an overall negative impact (on business operations) if employees feel that they’re not being trusted to do their job.”
Pearson says the kind of analysis and monitoring that is typically dealing with insider threats can deliver far more headaches than it is worth.
“Decrypting and analyzing traffic makes it much easier to spot mal intent, but is also a great way to sow distrust with employees. When traffic is decrypted, it’s an area that’s ripe for abuse,” Pearson says. “Obviously, knowing that somebody is searching Google is one thing, but knowing that and why they’re searching for specific medical problems is something much different. Additionally, decryption offers another employee-focused crown jewel to any organization that does it. What if an attacker can access it?” he notes.
Pearson also argues that those kinds of employee-tracking techniques could undermine security if it drives employees to avoid such systems deliberately. “If knowing that the people controlling the analytics are seeing your private information causes you to actually engage in more risky practices, such as aiming to bypass a system by installing less trustworthy apps or using out-of-band devices, then the value of those analytics are significantly degraded,” he says. “Instead, efforts should be made to find a more amenable approach, which may be analytics of intent associated with encrypted traffic without having to peek into the payload.”
Doug Barbin, principal and cybersecurity practice leader at Schellman & Company, Inc., an independent security and privacy compliance assessor, talks about monitoring software that his company uses and how it works well, but mostly because his managers put limitations on it.
“Web monitoring software has been dancing this line for some time. Our firm, with almost entirely field-based professionals, uses a security proxy that protects our professionals from harmful networks and themselves. By default, it can see everything, even perform TLS (transport layer security) inspection of encrypted traffic,” Barbin says. “Could we see employee connections to banking institutions or healthcare? Absolutely. Correspondence with potential employers? Certainly. But we don’t and that is because we made a decision not to.”
Barbin points out that some verticals have non-security reasons for monitoring and it generates quite a few inappropriate incentives.
“In professional services, excess monitoring in such can cause you to miss context and flaws in the workflow. A manager could be penalized for projects going over budget, only to find out there was a project coding problem or the associate was incorrectly billing. Worse, firms have plenty of history of gaming chargeability and other metrics and/or asking associates not to bill all of their time to make project margins look better.
“Move out of consulting and look no further than healthcare where one treatment decision is made over another for the purpose of a better performance metric which drives funding and resources,” Barbin continues. “There is no easy answer other than good managers overseeing the analysts and asking why. Ethics professionals can also play a role going beyond their current mandate of privacy and protecting personal data to use of that data.”
Barbin also argues that metrics that some believe raise questions of improper conduct might signal nothing at all. “From an insider threat perspective policy scenarios, what are you monitoring for?” he asks. Do you disable USB thumb drives or transfers to certain web sites? For example, if an employee was sending files to Dropbox, would that not be a more worrisome situation? Perhaps or perhaps not, Barbin says. He notes that some of his clients post sensitive files on Dropbox if the file exceeds the size limitation of email, which makes lots of large files transfers to and from Dropbox non-suspicious.
Vast amounts of data moving today is not necessarily a bad sign at all. What if employees are just downloading a movie to watch at home that night? “I struggle where all of this wouldn’t be yet another instance of chasing your tail,” Barbin says.