Insider Threat Management

A CISSP’s Take on Combating Insider Threats


Data breaches affect organisations of every sort, type and size, and they continue to increase in frequency. The problem has reached epidemic proportions, threatening both businesses and individuals' personal data.

The common assumption is that these data breaches are caused by an outside attack, launched from beyond the environment where the data is collected, stored and processed, but that is only part of the picture. Yes, an external attacker does need some initial foothold, typically a socially engineered attack such as phishing, to compromise a machine from the outside. More often than not, however, the actual threat originates with an insider.

What are Insider Threats?

An insider threat incident typically involves someone with legitimate, and often privileged, access to your systems, files and data, such as employees, contractors or vendors. According to a 2017 report from Netwrix, almost 58% of all security incidents were caused by insiders. If insider threat incidents are a growing problem, why are so few companies doing something to stop them?

The biggest reason why more companies haven’t addressed insider threats up until this point is a lack of knowledge on the subject. (But this is changing.)

As more and more news stories covering expensive insider-caused data breaches come out, companies are moving to address this big cybersecurity gap by shifting company culture and implementing new insider threat management processes and tools.

Organisations are often too trusting of employees, assuming that they understand they work for the benefit of the company and will do it no harm. Most employees do follow the rules, but there are deviations, whether accidental or malicious. In the malicious case, an insider may try to harm the company by stealing or leaking sensitive information. At that point an employee has become an insider threat.

Of course, when this happens, companies will want to know: who, did what, when, and how?

Data Theft and Exfiltration

If almost 58% of all security incidents are caused by insiders, then the most significant type of incident that follows is unauthorised information disclosure, that is, a data breach, usually accomplished by exfiltrating the data out of the organisation. According to a report from InfoSecurity Magazine, over 3.4 billion records were stolen in 2017.

Data exfiltration has the potential to affect all organisations, but each business will have different sets of data they would consider sensitive.

For example, healthcare organisations hold protected health information (PHI) that they must safeguard under HIPAA. Financial companies hold personally identifiable information (PII) and sensitive proprietary information. Pharmaceutical, manufacturing and software companies have patents, industrial schematics and source code to protect. Entertainment companies consider their media files their sensitive information assets. Retailers and e-commerce companies must protect cardholder data under PCI DSS because they handle customer data and credit card transactions. The list goes on.

Every one of these data elements is an intellectual asset worth something to the company it belongs to, and unauthorised exposure, exfiltration or leakage of such sensitive data can cause massive financial harm to the business.

Defending Against Insider Threat Incidents

Defense in depth is required to address insider threats once we consider the different attack vectors involved.

Conversations about security controls against insider threats usually include data loss prevention (DLP), security monitoring (typically a SIEM), user and entity behaviour analytics (UEBA), and user access management. But in most cases acquiring all of these solutions separately is costly, in both money and time, especially when none of them addresses every aspect of insider threat on its own.
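To make the UEBA and monitoring side of this concrete, here is an added example of the kind of detection logic such tools run, written for this article and not taken from Proofpoint's product or from the author. It answers the "who, did what, when, and how" question over a constructed file-access audit log: each user's daily count of sensitive-file accesses is baselined from an earlier window, and later days are flagged when the volume is far above that user's own baseline, when access happens outside business hours, or when a high-risk action such as a copy occurs. The sensitive path prefixes, business hours, high-risk actions, z-score threshold and baseline cutoff date are all assumptions for the example, as is the log itself.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from statistics import mean, pstdev

# Assumptions for this example (not from the article): which paths the organisation
# treats as sensitive, its business hours, which actions are high-risk, the z-score
# at which a day is anomalous, and the date before which events train the baseline.
SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/src/")
BUSINESS_HOURS = (time(8, 0), time(19, 0))
HIGH_RISK_ACTIONS = {"COPY", "UPLOAD"}
Z_THRESHOLD = 3.0
BASELINE_CUTOFF = date(2017, 11, 11)

# Constructed audit records (user,timestamp,action,path,bytes); not real data.
AUDIT_LOG = """\
alice,2017-11-06T09:12:00,READ,/finance/q3-forecast.xlsx,120000
alice,2017-11-06T14:40:00,READ,/finance/budget-2018.xlsx,98000
alice,2017-11-07T10:03:00,READ,/finance/q3-forecast.xlsx,120000
alice,2017-11-08T11:30:00,READ,/finance/vendor-list.csv,45000
alice,2017-11-08T16:05:00,READ,/finance/budget-2018.xlsx,98000
alice,2017-11-09T09:50:00,READ,/finance/payroll-summary.xlsx,150000
alice,2017-11-10T13:20:00,READ,/finance/q3-forecast.xlsx,120000
alice,2017-11-10T15:00:00,READ,/public/holiday-calendar.pdf,30000
bob,2017-11-06T09:00:00,READ,/src/app/main.py,4000
bob,2017-11-07T09:05:00,READ,/src/app/main.py,4100
bob,2017-11-08T09:10:00,READ,/src/app/util.py,2000
alice,2017-11-13T22:41:00,READ,/finance/payroll-summary.xlsx,150000
alice,2017-11-13T22:43:00,READ,/finance/vendor-list.csv,45000
alice,2017-11-13T22:45:00,READ,/finance/budget-2018.xlsx,98000
alice,2017-11-13T22:47:00,READ,/finance/q3-forecast.xlsx,120000
alice,2017-11-13T22:50:00,READ,/finance/m-and-a-targets.docx,80000
alice,2017-11-13T22:55:00,COPY,/finance/m-and-a-targets.docx,80000
bob,2017-11-13T09:12:00,READ,/src/app/main.py,4100
"""


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    action: str
    path: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    who: str
    what: str
    when: str
    how: str
    reason: str


def parse_log(text):
    """Parse the CSV-style audit records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, action, path, nbytes = line.split(",")
        events.append(Event(user, datetime.fromisoformat(ts), action, path, int(nbytes)))
    return events


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def daily_counts(events):
    """Number of sensitive-file events per (user, day)."""
    counts = defaultdict(int)
    for ev in events:
        if is_sensitive(ev.path):
            counts[(ev.user, ev.ts.date())] += 1
    return counts


def build_baseline(events, cutoff):
    """Mean and population stdev of each user's daily sensitive-access count before cutoff."""
    per_user = defaultdict(list)
    for (user, _day), n in daily_counts([e for e in events if e.ts.date() < cutoff]).items():
        per_user[user].append(n)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def detect(events, cutoff=BASELINE_CUTOFF):
    """Flag post-cutoff activity that deviates from each user's own baseline."""
    baseline = build_baseline(events, cutoff)
    recent = [e for e in events if e.ts.date() >= cutoff and is_sensitive(e.path)]
    alerts = []
    # Volume rule: a user's day far above that user's baseline. The stdev is floored
    # at 1.0 so a perfectly flat baseline does not turn every extra access into an alert.
    for (user, day), n in sorted(daily_counts(recent).items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))
        z = (n - mu) / max(sigma, 1.0)
        if z >= Z_THRESHOLD:
            alerts.append(Alert(user, f"{n} sensitive-file accesses (baseline {mu:.1f}/day, z={z:.1f})",
                                day.isoformat(), "bulk access", "volume"))
    # Per-event rules: one off-hours alert per user per day, one alert per high-risk action.
    seen_off_hours = set()
    for ev in recent:
        in_hours = BUSINESS_HOURS[0] <= ev.ts.time() < BUSINESS_HOURS[1]
        if not in_hours and (ev.user, ev.ts.date()) not in seen_off_hours:
            seen_off_hours.add((ev.user, ev.ts.date()))
            alerts.append(Alert(ev.user, ev.path, ev.ts.isoformat(),
                                f"{ev.action} outside business hours", "off_hours"))
        if ev.action in HIGH_RISK_ACTIONS:
            alerts.append(Alert(ev.user, ev.path, ev.ts.isoformat(),
                                f"{ev.action} of {ev.nbytes} bytes", "high_risk_action"))
    return alerts


def run():
    return detect(parse_log(AUDIT_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"[{a.reason}] who={a.who} what={a.what} when={a.when} how={a.how}")
```

On the sample log, alice's baseline is 1.4 sensitive accesses per day, so her six late-night reads plus a copy on 2017-11-13 produce three alerts (volume, off-hours, high-risk action), while bob's single in-hours read matches his baseline and produces none. Real deployments baseline per user over weeks, not days, and add peer-group comparison so a user who has always behaved badly does not simply become their own normal; the floor on the standard deviation is the kind of tuning decision that separates a useful UEBA rule from an alert generator.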

Proofpoint specialises in detecting insider threat from multiple threat vectors by combining elements of DLP, SIEM, UEBA, and UAM tools into a single, cost-effective solution. With it, you'll get the ability to detect risky user activity, and investigate incidents and potential threats with comprehensive forensic evidence.

If the potential for insider threat incidents concerns you and your organisation, then I encourage you to give Proofpoint a try.

Joseph Tso is a Cybersecurity Professional with over 20 years of Information Technology field experience with a focus on creating and managing cybersecurity programs. His expertise includes Cyber/IT Risk Management, Data Governance, Security Governance, Incident Response, and Privacy Management. Joseph has worked in a broad range of industries such as E-commerce, Entertainment, Fashion, Aerospace, and Finance/Insurance. Joseph has extensive knowledge of cyber law and regulations, including but not limited to NYS DFS Cybersecurity Regulations, EU GDPR, HIPAA, DFARS, and SEC. Joseph has experience with cybersecurity frameworks such as NIST, COBIT, and ISO 27001. Joseph has participated in speaking panels discussing Cyber Regulations. Joseph holds professional certifications in CISSP, ITIL Foundation, Six Sigma Green Belt, and ACE: AccessData Certified Examiner for Forensics. Joseph Tso is a Summa Cum Laude graduate of Pace University with a B.S. in Computer Forensics and expects to receive his Master of Science in Information Security and Assurance, a program sponsored by NSA/DHS, from Embry-Riddle Aeronautical University in 2018.