Rethinking Insider Threats in the New Normal

My Conversation with Ed Amoroso from TAG Cyber

Insider Threat Management is a rapidly growing focus of the modern digital organization. The term "insider threat" may have traditionally connoted a malicious employee set on stealing resources or causing damage for purposes of revenge or profit, or as a nation state actor. This notion is limiting as to the true extent of this unique and complicated threat vector. I recently had the chance to discuss the topic with Ed Amoroso, former Chief Security Officer of AT&T, now CEO of TAG Cyber. Ed’s perspective on the topic is highly informed and thought provoking.  As every organization plots its course through the new normal of remote and highly distributed workplaces, this is an important topic. 

Here are four highlights from our conversation, about insider threats in the new normal, that I found particularly interesting. Take 25 minutes and listen to our full discussion on Proofpoint LiveTalks here.

1. Understanding the Ragged Information Edge of the New People Perimeter

The forces of digital transformation have been transforming the security perimeter for years. And the rapid shift to remote work in th new normal has accelerated this transformation to a matter of months. Insider threat management for remote workers has become a top concern for cybersecurity professionals. 

Traditionally, the idea of an “insider” was based on someone’s physical proximity to data. If they had a badge to access a work building, they could pose a security threat. However, even in the ‘90s, this definition didn’t account for access to the broader network.

“The insider problem in security has become this ragged edge where there’s all these different pockets where you’ve put something sensitive,” Amoroso says. “Now, if the data inside is compromised, then you’ve got a problem.”

The notion of this “ragged” information edge that forms around the modern people perimeter is a powerful concept to motivate the need to rethink traditional approaches to protecting sensitive data in the modern enterprise. Traditional approaches of locking down data are naïve when considering how authorized users are routinely accessing, manipulating, and sharing this data as part of their daily activities. Users are multi-channel by nature, accessing and moving information between SaaS applications, email, cloud file sharing and their endpoint. And now, by necessity, users are accomplishing their jobs outside of the traditional security perimeter.

2. Disaggregating Value Chains and Insider Risk

While the rapid shift to remote work is a highly visible transformation that everyone can appreciate, another business trend has been reshaping the modern people perimeter for years.  We see disaggregation of value chains in nearly every industry, driven by natural forces of specialization and enabled by digital transformation that make it easy to share data and resources. 

It is easy to appreciate this trend in physical supply chains, where suppliers share data and infrastructure access with their trading partners. It is more complicated when considering how knowledge-based services are being delivered. It is routine for sensitive services such as legal counsel or human resources to be outsourced. These third parties require access to information to collaborate virtually. It gets particularly interesting and complicated to consider industry specific examples.  Pharmaceutical companies leverage outside experts on FDA validation.  Software companies outsource pen testing services where consultants scan code for security vulnerabilities. Semiconductor companies bring in process automation experts to optimize fabrication processes. These examples speak to the need to rethink who has authorized access to sensitive information and how to manage the insider risk associated with this access.

3. Compromised Actors are Insider Threats

In the recent high profile incident at Twitter, a 17 year old hacker conviced a “Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.” This illustrates the potential for outside actors to compromise authorized insiders to provide information directly or provide their credentials to access sensitive infrastructure or data. 

Proofpoint has actively monitored COVID-19 themed phishing schemes that target both personal financial information as well as capturing user credentials that could be used to access corporate resources. Even one employee who responds to a phishing email with valuable information, can pose a threat to the entire organization.  

When security teams expand their view of insider threats to include compromised users, it helps broaden the strategies for managing this complex problem.  Protecting the integrity of email communication, actively monitoring for phishing schemes, promoting security awareness within the userbase, and actively monitoring for data exfiltration all complement the behavior monitoring approaches typically associated with Insider Threat Management.

4. Behavioral Analytics and Insider Threat Management

Visibility into user activity and behavioral analytics are fundamental to early detection and efficient response to insider threats in the new normal – whether compromised, malicious, or negligent. The subject of user privacy is top of mind for modern security professionals. As they work to implement policies and tools to protect their evolving people perimeter, they must address concerns surrounding user privacy.

“[User controls] have to be set up in a way that help people understand that they’re being protected, not snooped, because the instant you start suspecting that the motivation for the tools being used is something beyond just protecting, then [employees] are going to go scamper off to shadow IT,” Amoroso says. “And with work from home, it makes it spectacularly easy.”

The ability to actively detect anomalous behavior or out-of-policy activity is critical to maintaining security. Even with strict policies around the use of cloud file sharing, personal email, and basic data management with tools like USB sticks, the modern digital worker is constantly balancing compliance with productivity. Modern organizations need to maintain visibility to activity and data movement in order to make informed policy decisions and certainly to manage incident response.

Prepare your team to tackle insider threats head-on

Thanks to Ed for the engaging discussion about insider threat management in the new normal. Listen to our full conversation here.