Recent news events such as the WikiLeaks and Edward Snowden disclosures have brought the insider threat into clear focus. It is important to understand that there are various types of insider threats and that each one requires a different approach from an information security standpoint.
Negligent insiders are those who accidentally expose data, such as an employee who forgets their laptop on an airplane. A large number of security incidents and “data breaches” fit this description. Various measures can be used to deter negligent activity. For example, access controls can prevent people from obtaining sensitive data that they do not need in order to do their jobs, and encryption of data at rest can help prevent data loss by negligent insiders in the event that they lose their laptops or other equipment. User education also matters here. Anything you can do to get employees to be more conscientious with company data can have a positive impact – for example, providing dummy datasets to developers so that they don't work with real personally identifiable information (PII) on development systems.
Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems, such as a disgruntled employee who deletes some records on his last day of work. Good access controls can help prevent damage done by malicious insiders. Checks and balances are also extremely important in this arena. It is critical to have multiple people keeping an eye on sensitive transactions so that no one person can single-handedly circumvent company policy.
Furthermore, cases of insider malice are often identified and investigated through the use of logs. It is important to collect logs from endpoint systems and network devices to obtain valuable insight into who is doing what on your network. Proactively monitoring network and system transactions can also serve as a deterrent for discouraging malicious insiders from sabotaging or stealing data, since they know that their activities might be discovered.
Compromised insiders are individuals whose access credentials or computers have been compromised by an outside attacker. This is a much more challenging type of insider threat to combat since the real attacker is on the outside, with a much lower risk of being identified. Typically, no amount of deterrence will discourage them from carrying out their attack. Additionally, traditional security solutions that focus on catching malware and exploits cannot identify the unauthorized use of legitimate accounts. In this case, closely monitoring network activity is really the only way to uncover and shut down this type of threat.
Leveraging network and security monitoring
Monitoring activity through various logs is really the key to successfully identifying and shutting down all of these classes of insider threat. By leveraging network activity logs from various technologies such as firewalls, IPS systems, SIEMs, packet capture and NetFlow, organizations can more easily become aware of and thwart insider attack attempts. Each of these technologies has its strengths and weaknesses in terms of expense, level of network visibility provided, and privacy concerns, but they should all be evaluated as part of an effective insider security strategy.
By collecting and analyzing metadata from throughout the entire network, NetFlow in particular provides a wide breadth of visibility at a reasonable cost and without the privacy concerns associated with full packet capture. NetFlow can be leveraged for both real-time threat detection, as well as to create a network audit trail of previous transactions for use in forensic investigations. Some NetFlow-based monitoring solutions also enable the integration of identity data so that organizations can see exactly who is responsible for causing specific issues.
It takes more than technology
It is also important to recognize that technology alone cannot prevent insider threats. Prevention takes a cross-organizational effort that also involves HR, management and legal. For example, if HR alerts IT about a disgruntled employee, the worker's network activity can be monitored so that anomalous behaviors such as logging on at unusual hours of the day can be swiftly investigated. And without the involvement of other groups within the company, malicious behaviors discovered by IT cannot be properly addressed. In order to be truly effective, insider threat management programs need to involve a broad understanding of the various types of attackers and motivations attached to insider threats, as well as include the right mix of tools and individuals necessary to effectively detect and thwart attack attempts.
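The NetFlow-based monitoring described above, with identity data joined to flow metadata, can be reduced to a small detection pass. The following is an added example and not part of the original article or of any vendor's product: it runs over constructed flow records, maps internal addresses to (hypothetical) user names, and flags the two behaviors the text calls out, activity at unusual hours and large volumes sent to external hosts. The network prefix, working hours and byte threshold are assumptions a real deployment would tune.

```python
from datetime import datetime
from collections import defaultdict

# Constructed NetFlow-style records (not from the article), one flow per line.
# Fields: flow start time, source IP, destination IP, bytes sent by the source.
FLOWS = """\
2014-03-10T09:15:00 10.1.1.20 203.0.113.5 120000
2014-03-10T10:02:00 10.1.1.21 10.1.2.30 8000
2014-03-10T23:40:00 10.1.1.20 198.51.100.9 950000000
2014-03-11T02:10:00 10.1.1.22 10.1.2.30 4000
2014-03-11T11:30:00 10.1.1.21 203.0.113.5 30000
"""

# Assumed identity data (e.g. from an authentication or DHCP source) mapping
# internal addresses to the user logged on at the time. Names are hypothetical.
IDENTITY = {"10.1.1.20": "alice", "10.1.1.21": "bob", "10.1.1.22": "carol"}

INTERNAL_PREFIX = "10."               # assumption: 10/8 is the corporate network
WORK_HOURS = range(7, 20)             # assumption: 07:00-19:59 is normal activity
EGRESS_BYTES_THRESHOLD = 500_000_000  # assumption: >500 MB/day to outside is unusual

def parse_flows(text):
    """Parse the whitespace-separated flow lines into typed tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records

def find_anomalies(records):
    """Return a list of (user, src_ip, reason) findings for an analyst to review."""
    findings = []
    egress = defaultdict(int)  # (date, src_ip) -> bytes sent to external hosts
    for ts, src, dst, nbytes in records:
        user = IDENTITY.get(src, "unknown")  # identity join on the source address
        if ts.hour not in WORK_HOURS:
            findings.append((user, src, f"off-hours activity at {ts.isoformat()}"))
        if not dst.startswith(INTERNAL_PREFIX):
            egress[(ts.date(), src)] += nbytes
    for (day, src), total in egress.items():
        if total > EGRESS_BYTES_THRESHOLD:
            findings.append((IDENTITY.get(src, "unknown"), src,
                             f"{total} bytes to external hosts on {day}"))
    return findings

if __name__ == "__main__":
    for user, src, reason in find_anomalies(parse_flows(FLOWS)):
        print(f"{user:8} {src:12} {reason}")
```

On the constructed input this reports two off-hours flows (alice, carol) and one large external transfer attributed to alice; in practice the same per-user aggregation is what lets an HR-initiated watch on a specific employee be turned into a concrete query.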