Dave Henderson of BlueFort Security describes how organisations can monitor for insider threats.
The arrival of the annual Verizon Data Breach Investigations Report (DBIR) is eagerly awaited every year by security professionals the world over. It is a weighty tome that digs deep into the state of cyber security, providing detailed statistics on the leading attack patterns, the industries most at risk and the threats they face, and the tell-tale signs of an attack.
In the most recent report, researchers found that approximately 30% of breaches involved a firm’s own employees. Even more worrying, this percentage has been on the rise since 2015 – and shows no sign of slowing down.
Not all these incidents are malicious. Some are simply a case of user error such as succumbing to a phishing scam or leaving sensitive information unencrypted and, therefore, open for all to see.
However, as furlough schemes around the world end and the economic downturn begins to bite, many organisations planning to resize will reduce their workforce. Unfortunately, departing employees pose one of the biggest risks to an organisation, and this is especially true of employees who do not leave on good terms.
With many of us now working remotely and cloud-based applications the norm, employers need to be confident their most sensitive, and most valuable, data is protected. After all, it is no longer only intellectual property and sensitive company information that is at risk: organisations also have to comply with a whole host of data protection regulations, or face potential fines from regulators.
Although earlier this year Marriott and British Airways were given a temporary reprieve over payment of their data breach fines, the sums the regulator announced it intended to levy – £99m and £183m, respectively – are among the biggest to date.
With large flash drives and cloud services readily accessible, sending or carrying data beyond the confines of the company is quick and easy. Added to that, employees know exactly where the sensitive data resides, so they have both the access and, whether their intentions are good or bad, the motive. These two factors make insider threats very difficult for organisations to defend against.
How to spot a potential insider threat
There are a number of classic giveaways that point to an employee behaving in a way that could indicate an insider threat. Typically this would be accessing, or attempting to access, files that are not relevant to their role, files they have never needed in the past, or simply traversing areas of the IT infrastructure that are outside their usual patterns of behaviour. There could also be a significant increase in the volume of data an employee is accessing and subsequently moving to a flash drive, to an external cloud application such as Dropbox, or to a personal email address.
Fortunately, for cyber security teams already drowning in alert fatigue and data overload, there are some relatively simple processes that organisations can implement to increase their chances of detecting both malicious and accidental insider activity. These processes focus on the data itself, enabling security teams to monitor for high-risk behaviour within the company and investigate before it is too late. They include:
- Know where the data resides, who has access to it, from where and when, and then track when the data leaves. A key element of this is data classification: tag files by level of sensitivity so that it is easy to identify how confidential the data being taken is. Not only does this help maintain regulatory compliance, it also allows the security response to be proportionate to the type of data being retrieved, transmitted or copied.
- Ensure that data protection mechanisms are in place and will alert on unauthorised data transfers (sensitive data sent via email, data copied to removable drives and so on). At a minimum, businesses should be able to track all types of file movement and data egress, and at least provide an audit trail of what each employee did prior to departure.
- Establish a baseline of each employee's normal data access activity, so that unusual insider behaviour stands out and is identified quickly.
- Monitor for unusual outbound traffic patterns, including odd connections to unknown IP addresses, unusually long-lived outbound connections, and large amounts of data being transferred out of the environment.
- Invest in tools to help. For example, data loss prevention (DLP) software can automatically classify data and apply rules that govern who has access to it and what can be done with it, while user and entity behaviour analytics (UEBA) tools baseline "normal" user behaviour and then alert IT security teams to anything outside that baseline.
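To make the steps above concrete, here is an added example (not BlueFort's tooling, and not part of the original article) that runs the baseline-and-deviation logic over a few constructed file-access log lines. It assumes a simple line format of day, user, action, path, bytes and destination, a path-prefix classification map, and a list of destinations that count as leaving the company; all of these are assumptions for illustration. It flags three of the behaviours described above: access to an area outside the user's baseline, copying or sending classified data to removable media, consumer cloud or webmail, and a daily volume well above the user's historical peak.

```python
from collections import defaultdict

# Constructed sample log, not real data. Line format (assumed):
# "<day> <user> <action> <path> <bytes> <destination>", destination "-" for a plain read.
SAMPLE_LOG = """\
2020-09-01 alice read /finance/q3/forecast.xlsx 2000000 -
2020-09-02 alice read /finance/q3/budget.xlsx 3000000 -
2020-09-03 alice read /finance/q3/ledger.csv 4000000 -
2020-09-01 bob read /eng/src/build.py 100000 -
2020-09-02 bob read /eng/src/main.py 150000 -
2020-09-03 bob read /eng/docs/design.md 50000 -
2020-09-01 carol read /public/press/release.pdf 500000 -
2020-09-02 carol read /public/press/faq.pdf 400000 -
2020-09-04 alice read /finance/q3/ledger.csv 4000000 -
2020-09-04 alice copy /finance/q3/full_export.zip 800000000 usb:E
2020-09-04 bob read /hr/salaries/2020.xlsx 2500000 -
2020-09-04 bob send /hr/salaries/2020.xlsx 2500000 gmail.com
2020-09-04 carol read /public/press/release.pdf 500000 -
"""

# Data classification step: share prefix -> sensitivity label (assumed values).
CLASSIFICATION = {"/finance/": "confidential", "/hr/": "confidential",
                  "/eng/": "internal", "/public/": "public"}
LEVEL = {"public": 0, "internal": 1, "confidential": 2}
# Destinations treated as data leaving the company: removable media, consumer cloud, webmail.
EGRESS_DESTS = ("usb:", "dropbox.com", "gmail.com")


def parse_log(text):
    """Split each constructed log line into a dict; bytes become an int."""
    events = []
    for line in text.splitlines():
        day, user, action, path, size, dest = line.split()
        events.append({"day": day, "user": user, "action": action,
                       "path": path, "bytes": int(size), "dest": dest})
    return events


def classify(path):
    """Longest-prefix lookup is not needed here: prefixes do not overlap."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "internal"  # assumption: unmapped locations are treated as internal


def area(path):
    """Top-level share a path belongs to, e.g. '/finance/'."""
    return "/" + path.split("/")[1] + "/"


def build_baseline(events, before_day):
    """Per user: areas touched, highest classification seen, peak daily bytes (days before before_day)."""
    base = defaultdict(lambda: {"areas": set(), "max_level": 0, "daily": defaultdict(int)})
    for e in events:
        if e["day"] >= before_day:  # ISO dates compare correctly as strings
            continue
        b = base[e["user"]]
        b["areas"].add(area(e["path"]))
        b["max_level"] = max(b["max_level"], LEVEL[classify(e["path"])])
        b["daily"][e["day"]] += e["bytes"]
    return {u: {"areas": b["areas"], "max_level": b["max_level"],
                "peak_daily": max(b["daily"].values())} for u, b in base.items()}


def detect(events, baseline, day, spike_factor=3):
    """Return (user, rule, detail) alerts for one day against the baseline."""
    alerts, daily, seen_areas = [], defaultdict(int), set()
    for e in events:
        if e["day"] != day:
            continue
        user, path, label = e["user"], e["path"], classify(e["path"])
        b = baseline.get(user, {"areas": set(), "max_level": 0, "peak_daily": 0})
        daily[user] += e["bytes"]
        # Rule 1: touching a share the user has never used before (reported once per share).
        if area(path) not in b["areas"] and (user, area(path)) not in seen_areas:
            seen_areas.add((user, area(path)))
            alerts.append((user, "new_area", f"{area(path)} ({label})"))
        # Rule 2: classified data copied or sent to a destination outside the company.
        if e["action"] in ("copy", "send") and e["dest"].startswith(EGRESS_DESTS) and LEVEL[label] >= 1:
            alerts.append((user, "egress", f"{label} {path} -> {e['dest']}"))
    # Rule 3: daily volume far above the user's historical peak.
    for user, total in daily.items():
        peak = baseline.get(user, {}).get("peak_daily", 0)
        if total > spike_factor * peak:
            alerts.append((user, "volume_spike", f"{total} bytes vs baseline peak {peak}"))
    return alerts


def run(log=SAMPLE_LOG, day="2020-09-04"):
    """Build the baseline from the days before `day` and score `day` against it."""
    events = parse_log(log)
    return detect(events, build_baseline(events, day), day)


if __name__ == "__main__":
    for user, rule, detail in run():
        print(user, rule, detail)
```

On the constructed data, alice trips the egress and volume-spike rules (800 MB of confidential finance data copied to a USB drive), bob trips all three (first-ever access to the HR share, then sending it to webmail), and carol, who only ever reads public press material, produces no alerts. A real deployment would take the classification map from the DLP tool and the baseline from weeks of history rather than three days, but the shape of the logic is the same.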
Benjamin Franklin will forever be associated with the phrase "Nothing is certain but death and taxes". I would like to bring it into the 21st century and add the words "and insider threats". It is inevitable that one of your employees will be responsible for some kind of data loss, malicious or not. The key is the steps you take to prepare for that eventuality and minimise the risk.
When all’s said and done in today’s topsy-turvy world, IT security teams should continue to think the best of their employees, but definitely plan for the worst types of behaviour.
Dave Henderson is co-founder of BlueFort Security.