During the Seventh Annual Billington CyberSecurity Summit in September 2016 in Washington DC, I participated in a panel alongside distinguished cyber experts. The discussion points ranged from the effectiveness of security awareness training to the problems associated with outdated cybersecurity policies to stopping insider threats. The insider threat discussion evolved into an interesting debate. Some panelists viewed an insider threat as purely a situation in which an employee or contractor intentionally does something to hurt the organization, such as Edward Snowden, the former defense contractor behind a massive leak of classified documents in 2013. However, other panelists, including myself, disagreed with that definition.
Identifying insider threats is not only about finding the next Edward Snowden. While malicious insiders are certainly a significant concern among organizations, outsiders who compromise employee or contractor accounts and then access the network as legitimate users also fall into the insider threat category. Once a bad actor is inside the organization’s network using legitimate credentials, whether obtained through malware or by “shoulder surfing” someone in a coffee shop, there is little difference from a malicious insider. For example, when bad actors breached the Office of Personnel Management, stealing millions of personal records, they initially gained access by stealing a third-party contractor’s login credentials.
In addition to malicious actors, non-malicious insiders who unintentionally put the organization at risk as they perform their business-as-usual activities should also be of concern. Based on Bay Dynamics’ data from real business environments, in the vast majority of data exfiltration incidents – meaning incidents in which employees leak sensitive data outside an organization – the employees are legitimate users who are carelessly sending out data for business purposes. Their behavior looks normal to their peers and department, who are unaware or unconcerned that the employee’s actions may be in violation of the established business policy.
Similarly, when this careless but non-malicious behavior is common across peers within the same department, reviewing and updating outdated business processes is critical to promoting the right culture, one in which users do the right thing.
Detecting insider threats is not an exact science because the bad actors are not blatantly tripping alarms. However, from a detection point of view, all three types mentioned above require analysis of behavior combined with the business and risk context of their activities.
Exposure from non-malicious repeat offenders can be minimized using a combination of risk-based behavioral analytics (for example, paying specific attention to third parties with network access), targeted security awareness training, and enforcement of cyber security best practices. Based on Bay Dynamics’ research and experience working with large organizations, security awareness training is effective if it is targeted to individuals who have recently exhibited the behavior, and is specific to the policy and behavior in question.
When they are called out by their employer, close to 80 percent of users who are exhibiting risky behavior (e.g. visiting high-risk websites, emailing sensitive data, uploading data to unapproved cloud providers, etc.) make changes so that they are more security-conscious. A focused approach renders better results than a periodic, mandatory, multi-hour general security awareness training that covers 100 topics. A significant benefit of reducing careless behavior is that it enables responders to prioritize and focus on the most severe, malicious threats.
One element of identifying insider threats that is often overlooked is the need to include human knowledge of the business context of user behavior. Machine learning can process volumes of data and identify unusual behavior, but there are instances where neither a machine nor a responder has the business knowledge to make the final determination. Just as credit card holders occasionally get a text message asking whether a transaction is valid, and their card is frozen or left active depending on how they respond, looping in those with the business knowledge can greatly reduce the time and effort required to stop insider threats.
In order to stop insider threats before it is too late, organizations must understand the various flavors in which they come. Malicious insiders, such as Edward Snowden, can be detected by monitoring and flagging unusual behavior, and then pulling in employees in the business, such as application owners who govern the crown jewels, to confirm whether the behavior was indeed suspicious. Once confirmed, responders can investigate. Non-malicious insiders can also be detected by monitoring and flagging risky behavior, and then sending them to security awareness training that is tailored to the specific individual and focused on the policy he or she violated.
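The detection-and-routing loop described in the last two paragraphs, as an added illustration that is not code from the author or from Bay Dynamics: each user is compared against his or her own baseline, and every finding is sent to the party who can act on it. A first-ever touch of a "crown jewel" application goes to that application's business owner for confirmation, a download-volume spike goes to responders, and an upload to an unapproved cloud service goes to targeted training rather than an investigation. The application owners, the unapproved-cloud list, the user names and the access events are all constructed sample data; the thresholds (three standard deviations with a floor of five downloads) are assumptions, not figures from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample mapping of "crown jewel" applications to the business
# owners who can say whether an access was legitimate (hypothetical names).
APP_OWNERS = {"payroll-db": "payroll-app-owner", "hr-records": "hr-app-owner"}
# Constructed set of cloud destinations the (hypothetical) policy does not approve.
UNAPPROVED_CLOUD = {"dropbox.example", "personal-drive.example"}


@dataclass
class Event:
    user: str
    day: int
    action: str        # "read", "download" or "upload"
    resource: str
    dest: str = ""     # external destination, only meaningful for uploads


@dataclass
class Finding:
    user: str
    day: int
    reason: str
    route: str         # who receives it: business owner, responders or training
    detail: str = ""


def build_baseline(history):
    """Per-user baseline from past activity: daily download count statistics
    and the set of resources the user has touched before."""
    per_day = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for e in history:
        seen[e.user].add(e.resource)
        if e.action == "download":
            per_day[e.user][e.day] += 1
    baseline = {}
    for user, resources in seen.items():
        counts = list(per_day[user].values()) or [0]
        baseline[user] = (mean(counts), pstdev(counts), resources)
    return baseline


def analyze(events, baseline, k=3.0, min_count=5):
    """Flag deviations from each user's own baseline and route each finding
    to the party that can act on it (assumed thresholds k and min_count)."""
    findings = []
    downloads = defaultdict(lambda: defaultdict(int))
    for e in events:
        _mu, _sigma, seen = baseline.get(e.user, (0.0, 0.0, set()))
        if e.action == "download":
            downloads[e.user][e.day] += 1
        if e.action == "upload" and e.dest in UNAPPROVED_CLOUD:
            # Careless-but-common behaviour: targeted training, not an investigation.
            findings.append(Finding(e.user, e.day, "upload_to_unapproved_cloud",
                                    "targeted_training", e.dest))
        elif e.resource in APP_OWNERS and e.resource not in seen:
            # First-ever touch of a crown jewel: only the application owner can
            # say whether this was legitimate, so loop them in before responders.
            findings.append(Finding(e.user, e.day, "new_crown_jewel_access",
                                    "business_review:" + APP_OWNERS[e.resource],
                                    e.resource))
    for user, days in downloads.items():
        mu, sigma, _ = baseline.get(user, (0.0, 0.0, set()))
        threshold = max(min_count, mu + k * sigma)   # floor avoids noise on tiny baselines
        for day, n in sorted(days.items()):
            if n > threshold:
                findings.append(Finding(user, day, "download_volume_spike",
                                        "responder_investigation",
                                        f"{n} downloads vs baseline {mu:.1f}+/-{sigma:.1f}"))
    return findings


def review_queue(findings):
    """Group findings by recipient so each party sees only its own queue."""
    queue = defaultdict(list)
    for f in findings:
        queue[f.route].append(f)
    return dict(queue)


def sample_history():
    # Constructed: five normal days for alice (2-3 downloads/day) and bob (reads only).
    hist = []
    for day, n in enumerate([2, 3, 2, 3, 2], start=1):
        hist += [Event("alice", day, "download", "sales-report")] * n
        hist.append(Event("bob", day, "read", "sales-report"))
    return hist


def sample_events():
    # Constructed day 6: alice downloads far more than usual and opens payroll-db
    # for the first time; bob uploads a file to an unapproved cloud service.
    ev = [Event("alice", 6, "download", "sales-report")] * 8
    ev.append(Event("alice", 6, "read", "payroll-db"))
    ev.append(Event("bob", 6, "upload", "sales-report", dest="dropbox.example"))
    return ev


def run_demo():
    findings = analyze(sample_events(), build_baseline(sample_history()))
    return findings, review_queue(findings)


if __name__ == "__main__":
    for route, items in run_demo()[1].items():
        print(route)
        for f in items:
            print(f"  {f.user} day {f.day}: {f.reason} ({f.detail})")
```

The point of `review_queue` is the one the article makes about business context: the payroll owner, not the security team, is the person who can say whether alice had a reason to open payroll-db, so that finding waits in the owner's queue while the volume spike goes straight to responders and bob's upload becomes a training nudge.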
Updating outdated business processes and policies is also key to promoting good cyber security hygiene. Bad actors who compromise insider accounts and then pose as legitimate insiders are difficult to identify, but they also leave the most tracks, whether that is evidence of a malware infection or behavior significantly different from the legitimate account owner’s. No outsider can perfectly replicate someone else’s behavior. They will misstep, behaving in a way that is unusual for the insiders they compromised, and organizations must be ready to detect, investigate and stop the criminals in their tracks.
Steven Grossman is Vice President of Strategy and Enablement at Bay Dynamics. He has more than 20 years of management consulting and industry experience working with technology, security and business executives. At Bay Dynamics, Steven is responsible for ensuring businesses are successful in achieving their security and risk management goals. Prior to Bay Dynamics, Steven held senior positions at top tier consultancies such as PwC and EMC, where he architected and managed programs focused on security, risk, business intelligence/big data analytics, enterprise Program Management Offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a BA in Economics and Computer Science from Queens College and has achieved his CISSP certification.