As entire workforces remain in remote working conditions, the danger of insider threats is as unmistakable as ever. It is critical for businesses to recognize that this form of threat from legitimate users has always been more elusive and harder to detect or prevent than traditional external threats. Additionally, while the most common insider threats are not usually motivated by malicious intent, and the damage they cause is unintentional, it is no less ominous to business viability.
This September marks the second annual National Insider Threat Awareness Month. Last year, the U.S. National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) partnered with federal agencies to launch the initiative to bring awareness to this crippling threat type.
In honor of the month, below are some tips from leading cybersecurity and IT resilience experts that cover how an insider threat could manifest itself and what organizations can do to prevent these issues in their companies’ networks and applications.
Know how to spot an insider threat
Irregular behavior detected at the system or network level can be an indicator of an insider threat. There are numerous indicators for insider threats, and knowing how to recognize the signals and keep track of dispersed or remote working employees is a major part of prevention and protection of the enterprise.
A combination of training, organizational alignment, and technology is the right approach. Specifically, behavioral analytics technology that tracks, collects and analyzes user and machine data to detect threats within an organization is essential. This advanced technology determines anomalous vs. normal behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. It can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, it can often spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.
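The baseline-then-flag approach described above, shown as an added example that is not code from the article or from any vendor quoted in it. The session records, the per-user profile fields, the z-score threshold and the user names are all constructed assumptions; a real UEBA product would ingest authentication, VPN and proxy logs rather than a hand-written list.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One session record, the shape a UEBA tool would ingest (constructed)."""
    user: str
    hour: int           # local hour of day, 0-23
    host: str           # system the user reached
    upload_bytes: int   # bytes sent outbound during the session
    auth_failures: int  # failed logins before the session succeeded


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    hours: set
    hosts: set
    upload_mean: float
    upload_std: float
    max_auth_failures: int


# Constructed baseline: two working weeks of benign activity for one user.
BASELINE = [
    Event("alice", 9, "fileshare", 2_000_000, 0),
    Event("alice", 10, "crm", 3_000_000, 1),
    Event("alice", 11, "wiki", 2_500_000, 0),
    Event("alice", 12, "fileshare", 3_500_000, 0),
    Event("alice", 13, "crm", 2_000_000, 0),
    Event("alice", 14, "wiki", 4_000_000, 1),
    Event("alice", 15, "fileshare", 3_000_000, 0),
    Event("alice", 16, "crm", 2_500_000, 0),
    Event("alice", 17, "wiki", 3_500_000, 0),
    Event("alice", 10, "fileshare", 3_000_000, 0),
]

# Constructed new activity: one ordinary session, then one that fits none of the pattern.
NEW_EVENTS = [
    Event("alice", 11, "crm", 3_200_000, 0),
    Event("alice", 2, "hr-db", 50_000_000, 4),
]


def build_profiles(events):
    """Learn a per-user profile from a training window assumed to be benign."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        uploads = [e.upload_bytes for e in evs]
        profiles[user] = Profile(
            hours={e.hour for e in evs},
            hosts={e.host for e in evs},
            upload_mean=mean(uploads),
            upload_std=pstdev(uploads),
            max_auth_failures=max(e.auth_failures for e in evs),
        )
    return profiles


def score_event(event, profiles, z_threshold=3.0):
    """Return the reasons an event deviates from its user's profile.

    An empty list means the event fits the learned pattern. The threshold is an
    assumption; tune it against your own false-positive budget.
    """
    profile = profiles.get(event.user)
    if profile is None:
        return ["no baseline for user"]  # a never-seen account is itself notable
    reasons = []
    if event.hour not in profile.hours:
        reasons.append(f"access at unusual hour {event.hour:02d}:00")
    if event.host not in profile.hosts:
        reasons.append(f"first access to host {event.host}")
    # Floor the spread so a near-constant baseline cannot make tiny changes look extreme.
    spread = max(profile.upload_std, 0.1 * profile.upload_mean, 1.0)
    z = (event.upload_bytes - profile.upload_mean) / spread
    if z > z_threshold:
        reasons.append(f"upload of {event.upload_bytes} bytes is {z:.1f} sd above normal")
    if event.auth_failures > profile.max_auth_failures:
        reasons.append(f"{event.auth_failures} auth failures exceeds baseline max")
    return reasons


def flag_events(events, profiles):
    """Pair each anomalous event with its reasons; events that fit the profile are dropped."""
    return [(e, r) for e in events if (r := score_event(e, profiles))]


if __name__ == "__main__":
    for event, reasons in flag_events(NEW_EVENTS, build_profiles(BASELINE)):
        print(event.user, event.host, "->", "; ".join(reasons))
```

Each reason string is a separate signal, so an analyst sees why a session was flagged rather than a bare score; in practice the profile would be rebuilt on a rolling window so that a legitimate change in role does not stay anomalous forever.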
Adopt a zero-trust policy
“Most people think of malicious employees looking to disrupt the business or even exfiltrate sensitive data for their own personal gain. But insider threats more frequently come from staffers that were unknowingly compromised by bad actors, enabling unfettered network access,” said Bryan Skene, CTO of Tempered. “Zero trust protects against both situations because everything (user, server, or networked thing) is required to establish trust first in order to communicate, even within the network perimeter. We recommend utilizing a software-defined perimeter (SDP) that extends invisibility to cloud, multi-cloud, virtual, physical, and edge environments. This provides global connectivity and mobility for entire workforces using one comprehensible policy, wherever they are, for whatever they need to reach securely. Best of all, this can be deployed without ripping and replacing (or even modifying in most cases) existing infrastructure.”
“State-of-the art solutions are available today that utilize this type of SDP to isolate the network into trusted microsegments and can be deployed as overlays on top of any IP network,” Skene continued. “This creates a modern, zero-trust approach to network security that minimizes the common flaws we see in legacy products.”
Examine access and privilege controls
“Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data. Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach,” said Torsten George, cybersecurity evangelist at Centrify.
“Businesses can take the following steps to address insider threats throughout the month of September and beyond,” George continued.
“Enforce segregation of duties: Separate duties, especially for sensitive or shared processes and tasks. This ensures that no individual can complete a single task alone. In this context, organizations can for example leverage so-called “access zones” to tie the rights a user has to specific resources.
Establish least privilege: Only give privileged users just enough access to resources, just-in-time to do the job required. Leave zero standing privileges to be exploited.
Implement access request and approval workflows: Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.
Leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors: This will help identify abnormal and high-risk activity, and can trigger real-time alerts or removal of privileges to stop threat actors, whether they are internal or external threats.”
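The first three steps in the list above (segregation of duties, least privilege with zero standing access, and request-and-approval workflows) as one added example. This is not code from the article or from Centrify; the broker class, the zone names, the approver lists, the two-approver rule and the time limits are all constructed assumptions, and the audit log is an in-memory list standing in for whatever system of record a real deployment would use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


class AccessError(Exception):
    """Raised when a request or approval violates policy."""


@dataclass
class AccessRequest:
    requester: str
    zone: str              # the "access zone" (resource group) the grant is scoped to
    justification: str
    ttl: timedelta         # how long the elevation lasts once granted
    approvals: list = field(default_factory=list)   # (approver, timestamp) pairs
    granted_at: Optional[datetime] = None


class PrivilegeBroker:
    """Toy just-in-time privilege broker (constructed).

    Nobody holds standing privilege: every elevation is requested with a
    justification, approved by the required number of approvers for that zone
    (never the requester), limited to a TTL, and every decision is logged.
    """

    def __init__(self, approvers_by_zone, required_approvals=2, max_ttl=timedelta(hours=2)):
        self.approvers_by_zone = approvers_by_zone
        self.required = required_approvals
        self.max_ttl = max_ttl
        self.audit = []  # append-only record of who did what, with context

    def _log(self, action, actor, req, now, detail=""):
        self.audit.append({"time": now.isoformat(), "action": action, "actor": actor,
                           "requester": req.requester, "zone": req.zone, "detail": detail})

    def request(self, requester, zone, justification, ttl, now):
        if ttl > self.max_ttl:
            raise AccessError("requested TTL exceeds policy maximum")
        req = AccessRequest(requester, zone, justification, ttl)
        self._log("request", requester, req, now, justification)
        return req

    def approve(self, req, approver, now):
        """Record one approval; return whether the grant is active afterwards."""
        if approver == req.requester:
            self._log("approval_denied", approver, req, now, "requester cannot approve own request")
            raise AccessError("segregation of duties: requester cannot approve own request")
        if approver not in self.approvers_by_zone.get(req.zone, ()):
            self._log("approval_denied", approver, req, now, "not an approver for this zone")
            raise AccessError("approver not authorized for zone")
        if approver in {a for a, _ in req.approvals}:
            self._log("approval_denied", approver, req, now, "duplicate approval")
            raise AccessError("approver already approved this request")
        req.approvals.append((approver, now))
        self._log("approved", approver, req, now, f"{len(req.approvals)}/{self.required}")
        if req.granted_at is None and len(req.approvals) >= self.required:
            req.granted_at = now  # the TTL clock starts at the final approval
        return self.is_active(req, now)

    def is_active(self, req, now):
        return req.granted_at is not None and now < req.granted_at + req.ttl

    def authorizes(self, req, zone, now):
        """Enforcement point: is this request a valid, unexpired grant for this zone?"""
        ok = req.zone == zone and self.is_active(req, now)
        self._log("access_allowed" if ok else "access_denied", req.requester, req, now, zone)
        return ok


def run_scenario():
    """Walk one constructed request through the workflow and return the outcomes."""
    broker = PrivilegeBroker({"prod-db": {"bob", "carol"}}, required_approvals=2)
    t0 = datetime(2020, 9, 1, 9, 0, tzinfo=timezone.utc)
    req = broker.request("alice", "prod-db", "constructed: emergency fix", timedelta(minutes=30), t0)
    out = {"active_before_approval": broker.is_active(req, t0)}
    try:
        broker.approve(req, "alice", t0)
        out["self_approval_blocked"] = False
    except AccessError:
        out["self_approval_blocked"] = True
    out["active_after_one"] = broker.approve(req, "bob", t0)
    out["active_after_two"] = broker.approve(req, "carol", t0 + timedelta(minutes=1))
    out["allowed_in_window"] = broker.authorizes(req, "prod-db", t0 + timedelta(minutes=20))
    out["allowed_other_zone"] = broker.authorizes(req, "hr-db", t0 + timedelta(minutes=20))
    out["allowed_after_expiry"] = broker.authorizes(req, "prod-db", t0 + timedelta(minutes=45))
    out["audit_entries"] = len(broker.audit)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The grant is a property of the request object, not of the account, so there is nothing to revoke when the window closes: `authorizes` simply stops returning true. Denied approvals are logged as well as successful ones, which is what gives a reviewer the context the list item asks for.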
Protect your mission-critical data
“Companies need a strategy in place that gives themselves a fighting chance to quickly get activities up and running following an insider threat-based cyberattack or disruption. As organizations increasingly rely on unstructured data to perform day-to-day business-critical functions, they need to maintain instantaneous and unfettered access to this core data,” said Carl D’Halluin, CTO of Datadobi. “Our recommendation is maintaining a secure golden copy of your mission-critical data in an air-gapped location of your choosing (a physical bunker site, data center, or public cloud) that complements the traditional data protection strategy. Try as we might, we cannot foresee or prevent every insider threat. However, retaining vendor-, hardware-, and software-agnostic access to a golden copy in addition to a traditional backup strategy mitigates risk of exposure from an accidental or malicious insider threat.”
Utilize solutions that provide policy-driven and scheduled data integrity checks
“Organizations should use solutions that can provide policy-driven and scheduled data integrity checks to scrub the data for faults, auto-healing without any user intervention and replication capabilities that allow organizations to keep an additional copy of their backups on a different site. When used together, these measures will increase disaster recovery and high availability to prevent data loss from external and internal threats,” said Surya Varanasi, CTO of StorCentric.
“Cybercriminals love to exploit vulnerabilities and individual employees are proving to be particularly vulnerable,” said Gijsbert Janssen van Doorn, director of technical marketing at Zerto. “These ‘insider threats’ are often unintentional and non-malicious. It’s just employees who unknowingly open phishing emails or click on the wrong ad, etc. When these bad actors get in, they can then wreak havoc on an organization’s critical data and systems, and levy large financial costs and possible damage to your brand.”
“Protecting against the threat of ransomware and other insider threats requires ensuring employees know how to spot ransomware when they see it, but it also requires rethinking legacy data backup strategies to create a resilient IT for when employees do get fooled,” van Doorn continued. “By investing in continuous data protection for continuous availability, organizations can recover data files within seconds.”