Virtualization Technology News and Information
September is National Insider Threat Awareness Month - Experts Weigh In


September marks National Insider Threat Awareness Month, a time dedicated to emphasizing the importance of detecting, deterring and reporting insider threats. It began three years ago as a collaborative effort among U.S. government agencies and has since expanded to both the public and private sectors.

In honor of the month, industry experts have shared their thoughts on different strategies organizations can use to protect themselves from these threats.


Nabil Hannan, Managing Director, NetSPI 

"To account for internal threats there must be a mindset shift in what constitutes an organization's threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under-addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security."


Will LaSala, Field CTO, Americas, OneSpan

"The rise of digitalization and Web 3.0 has led to an exponential increase of high-value transactions occurring online. As more processes become digitized, an array of solutions have cropped up, most void of security capabilities. These solutions are unable to verify and authenticate the true identity of the person or business on the other end of the contract - which creates opportunities for threat actors to take advantage of unsuspecting employees, gain access to an organization's network and obtain sensitive data.

Employees have become accustomed to signing contracts quickly and digitally, and they are failing to verify whether or not the contract they have received is legitimate. As a result, employees are signing and unknowingly sharing confidential information with external threat actors. For example, attackers continue imitating the DocuSign brand, sending phishing links and documents that appear to be from DocuSign but in reality, are links and files that expose login credentials. With insider threats becoming a prominent security issue, organizations must take a proactive approach to mitigate exposure opportunities. To ensure that employees do not unknowingly expose data when signing digital documents, organizations should add enhanced authentication to secure access to agreements as well as 'flatten' uploaded documents to avoid shadow attacks. Businesses that provide these solutions also have a role to play, ensuring the identification and authentication capabilities are built into the entire digital transaction lifecycle."


James Christiansen, CSO VP, Cloud Security Transformation, Netskope 

"The 'Insider threat' has been one of the greatest threats since the beginning of IT. It's the risk that never goes away because insider threats involve employees - often the weakest link in any company's security posture. Employees are not only vulnerable to common attacks or insecure practices (e.g., email phishing), but they have bona fide access to workplace systems and an understanding of internal processes, providing the malicious insider a head start. For example, recent research found that 22% of users upload, create, share or store data in personal apps, creating an ever-increasing amount of data sprawl that puts sensitive company data at risk.

Organizations aren't required to report internal losses associated with insider losses, meaning this issue is more prevalent than we know. While there is rapid change in technology, there are a few steps to protecting against an insider threat. First, strong background checks, general awareness, and targeted education for high-value employees are key to turning an insider from malicious to benign. Additionally, find ways to leverage analytic systems using strong statistical analysis to better understand normal and unusual behavior. By doing so, we can get better visibility, control, and ability to notify the users of their actions. Lastly, your best security monitor is your fellow staff members. Create a culture whereby if employees see something, they feel comfortable enough to say something."


Rick McElroy, Principal Cybersecurity Strategist, VMware

"As the Great Resignation continues and 'quiet quitting' becomes increasingly popular, organizations find themselves at a higher risk for insider attacks. Over the past year, 41% of cybersecurity professionals have encountered attacks involving insiders, according to VMware's Global IR Threat Report. These findings underscore the increasingly critical nature of talent management when it comes to cybersecurity controls, especially as companies are trying to manage employee turnover, onboarding and the use of non-sanctioned apps and platforms.

It's critical for CISOs to have visibility into their own network to track insider threat indicators, such as data transfers and accessing unusual resources. This allows organizations to better protect their proprietary information, and security teams to more quickly detect insider threats."
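The two indicators named above (data transfers and access to unusual resources), scored against a per-user statistical baseline of the kind Christiansen recommends, as an added illustration that is not code from VMware, Netskope or the article; the users, resources, byte counts and thresholds are constructed assumptions.

```python
"""Per-user baseline for two insider-threat indicators: daily outbound
data volume and first-time access to a resource. Sample data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, day, resource, bytes_out). Not real data.
EVENTS = [
    ("alice", 1, "crm", 2000), ("alice", 2, "crm", 2500), ("alice", 3, "crm", 1800),
    ("alice", 4, "crm", 2200), ("alice", 5, "crm", 2100), ("alice", 6, "crm", 2400),
    ("alice", 7, "crm", 1900),
    # Day 8: a large export plus a resource alice has never touched before.
    ("alice", 8, "crm", 180000), ("alice", 8, "source-repo", 5000),
    # bob is new: too little history to judge, so he must not be flagged yet.
    ("bob", 1, "source-repo", 50000), ("bob", 2, "source-repo", 900000),
]


def daily_profile(events, user, first_day, last_day):
    """Bytes out per day and the set of resources a user touched in a day range."""
    per_day = defaultdict(int)
    resources = set()
    for u, day, res, nbytes in events:
        if u == user and first_day <= day <= last_day:
            per_day[day] += nbytes
            resources.add(res)
    return per_day, resources


def score_day(events, user, day, z_threshold=3.0, min_history_days=5,
              floor_bytes=1000):
    """Compare one day with the user's own prior days.

    z_threshold, min_history_days and floor_bytes are the tunable per-policy
    knobs (assumed values). A flat baseline would make any deviation look
    extreme, so the standard deviation is floored at floor_bytes.
    """
    history, known = daily_profile(events, user, 1, day - 1)
    today, today_res = daily_profile(events, user, day, day)
    result = {"user": user, "day": day, "insufficient_history": False,
              "findings": []}
    if len(history) < min_history_days:
        result["insufficient_history"] = True   # do not alert on new users
        return result
    volumes = list(history.values())
    mu = mean(volumes)
    sigma = max(pstdev(volumes), floor_bytes)
    today_bytes = today.get(day, 0)
    z = (today_bytes - mu) / sigma
    result["z"] = z
    if z > z_threshold:
        result["findings"].append(
            f"outbound {today_bytes} bytes, z={z:.1f} vs baseline mean {mu:.0f}")
    new_resources = sorted(today_res - known)   # resources never seen before
    if new_resources:
        result["findings"].append("first access to " + ", ".join(new_resources))
    return result


if __name__ == "__main__":
    for user, day in (("alice", 7), ("alice", 8), ("bob", 2)):
        print(score_day(EVENTS, user, day))
```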


Greg Foss, Principal Cloud Security Researcher, Lacework

"Think of the last employer for whom you worked. Did they have individual or shared accounts for corporate resources? Did access to these services exist outside of the corporate boundary, with no central means of access control? What about programmatic access that isn't associated with an individual identity? Or better yet, cloud management infrastructure or even just one of the many instances hosted within. You are not alone if you answered 'yes' to any of these questions. Former employees will likely maintain access to some corporate resources, whether they know it or not. It's not just the insider threat that we must understand, but "the former insider." A possible recession brings significant uncertainty, resulting in many people with varying access to sensitive resources losing their jobs, some of whom become disgruntled. Organizations must understand their infrastructure, implement robust access controls, and monitor for misuse because once an insider, always an insider."


Mario Orsini, Associate Director, Security, Raytheon Intelligence & Space

"Insider threats can take many forms, but the top categories witnessed are typically: recruited, such as when a foreign entity uses exploitable weaknesses to convince an individual with access to provide information to those who do not have a need-to-know; volunteer, when an individual may choose to sell out their country or organization because of motivators such as greed, disgruntlement, divided loyalties, or ideological reasons; and unwitting, which is when an individual unwittingly gives away information through poor security procedures or clever elicitation collection techniques.

Regardless of the motive, it's critical for organizations and their security teams to help prevent the next insider attack. One of the top ways to bolster protection is by adopting Zero Trust within an organization. Zero Trust principles such as 'Never trust, always verify,' network micro-segmentation, and least privilege access can be extremely effective in ensuring an organization doesn't become the next major breach victim."


Daniel Elkabes, Vulnerability Research Team Leader, Mend

"In an era widely fueled by and dependent on data-driven tools, developers are under a lot of pressure to get software, applications, and products out quickly. Expedited work timelines, in tandem with increased demands and simple human error, can result in developers unintentionally using open source code that has malicious packages, consequently opening the doors for threat actors to sneak in. For security teams who are working diligently to protect their organizations against external threats - addressing insider threats can be an intimidating topic to approach, as it shines a light on any oversights or errors that were made by colleagues. It is this hesitancy, however, that underscores the need to spread awareness.

With open source software providing many benefits to enterprises and development teams, its use and deployment will not slow down. And neither will developers. However, in order to elicit a real change in behavior and avoid risky code being used, developers need to understand the larger implications of their actions and the project. Hands-on, visual training will help developers see how quick and easy it is for something to go wrong from a simple coding mistake. This will help reiterate the importance of regularly managing open source components and all their dependencies, and how this helps avoid putting the organization at risk.

In addition to training, developers should proceed carefully and dedicate more time to ensure they're implementing the correct packages that are free of any malware or vulnerabilities. While easier said than done, developers should approach the process of downloading and installing packages for projects through two different steps to eliminate cases of vulnerabilities. First, developers should view the package to ensure that it is safe. Once the package is determined safe and free of any malicious software, developers can then move forward with installation. By taking off the blinders and helping developers see through an alternative lens that examines the repercussions of insider threats and steps that may not always be taken, security teams can provide a clearer image and equally shed light on the larger context of how insider threats impact businesses and customers."


Joe Payne, CEO and President, Code42

"Insider threats are not a new problem, but the problem has grown substantially because almost all corporate data has been digitized and, with a mouse click, can be moved to a personal email, Dropbox or GitHub account. Almost all malicious data theft from insiders occurs when people change organizations, which is on the rise because of the Great Resignation and recent layoffs. A new approach to stop theft and reduce risk is required.

For years, security teams have approached insiders the same way they do malicious external threats - blocking data movement (and therefore internal collaboration) isn't as simple when it's a colleague. Security teams that are used to dealing with external threats will find their tactics aren't effective for handling internal threats. They need a new playbook and a new generation of technology.

Addressing insiders requires collaboration between security, HR and legal teams, leading with an empathetic approach. Often, employees are just trying to do their jobs when they create data risk. Investigative teams must shift their mindset before contacting the employee, get context to understand the situation and educate the employee to avoid future incidents. 

For example, it's completely possible (and even likely) that your on-the-road sales member didn't realize downloading her customer list from Salesforce to a personal device created risk for the team - she just thought it would be easier to manage. Often, when a software developer puts his source code in his personal GitHub account, he thinks that this is okay and not against company policy. An empathetic approach is required in both examples to keep the employees engaged and productive. These simple steps can de-escalate stress for your users and help to build a culture of trust, open communication and respect, while also perpetuating a positive security culture."


Mike Scott, CISO, Immuta

"An uptick in insider threat related incidents has ushered greater awareness around the need to not only protect the sizeable volume of data collected and stored by organizations but also who has access to it. While it's hard for some to believe that someone within an organization will proceed with malicious intent, many businesses are guilty of giving employees more access to data and privileges than they need. As people come and go and data further cements itself as an essential resource for modern businesses, more steps must be taken to guarantee its security.

This Insider Threat Awareness Month presents an opportunity for organizations to assess these security risks, assimilate how to detect, and protect their assets before an incident occurs, and manage the misuse of sensitive information in the event of a breach. Insider threats are not always intentional. One way organizations can ensure the proper protections are in place is to define what data needs to be protected, when the data should be protected - always or time-based - and who has access to the data. This way, businesses ensure that only the right people can view the right data at the right times."


Don Boxley, CEO and Co-Founder, DH2i

"Over the past couple of years, work from home (WFH) has morphed into work from anywhere (WFA). While few would argue the horrors of the pandemic, WFA could be viewed as one small positive. Organizations and their employees have learned that we can work from virtually anywhere given the right circumstances. And by circumstances, I mean, support from leadership and the right technology.

Unfortunately, the WFA paradigm has also led to an exponential increase in cybersecurity attacks - not just from external cyber criminals but from malicious internal bad actors as well. And what makes the internal threat even more dangerous is that many of these bad actors are armed with knowledge of confidential internal security procedures, which adds to their ability to cause serious harm to your organization.

We saw quite a bit of this at the start of the pandemic when people were first sent home virtually overnight to work. Many organizations were forced to depend upon their virtual private networks (VPNs) for network access and security and then learned the hard way that VPNs were not up to the task. It became clear that VPNs simply were not designed or intended for the way we work today. Both external and internal bad actors could, were and are still exploiting inherent vulnerabilities in VPNs. Instead, forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity - the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while slamming the door on potential cybercriminals."


Surya Varanasi, CTO, StorCentric

"This September 2022 marks the fourth annual National Insider Threat Awareness Month. It aims to shine a spotlight on the critical importance of defending against, detecting and mitigating damages from insider threats. Indeed, ransomware and other types of malicious malware attacks are not only perpetrated by external cybercriminals, but internal bad actors as well. And, the expense is not only measured in ransomware payments, but also the almost incalculable cost of operations downtime, lost revenue, legal fees, regulations compliance penalties, a rise in insurance premiums, and/or a loss of customer trust.

The need to back up data has become ubiquitous. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand the need to protect backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.

What is required is an Unbreakable Backup solution that is able to create an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Additionally, the Unbreakable Backup solution should include policy-driven data integrity checks that can scrub the data for faults and auto-heal without any user intervention. Ideally, it should also deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. In deployment of such a solution, recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover - and redirect their time and attention to activities that more directly impact the organization's bottom-line objectives."


Brian Dunagan, Vice President of Engineering, Retrospect, a StorCentric Company

"During National Insider Threat Awareness Month we are reminded of the multitude of reasons a sound data backup strategy and proven solutions are critical. Given today's economic and geopolitical climate, it is a given that at some point virtually all organizations will suffer a successful cyber-attack, be it from internal or external forces. Given this inevitability, it makes sense that the end customers I speak with, whether they are from private, public, or government organizations, are putting an increasing focus on their ability to detect and recover as quickly, cost-effectively and painlessly as possible.

A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business's specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.

Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way."


Bob Erdman, Director of Development, Threat Intelligence, HelpSystems

"Insider threats are not only malicious, but many times they are accidental.

A purposeful user may be upset and want to cause damage to the organization, or they may be motivated by monetary gains (bribes) and disclose information to third parties. They may even be placed there by outside actors looking to gain knowledge of practices, procedures and intellectual property. More and more there are instances of nation states engaging in this industrial espionage.

On the other hand, accidental compromise is also very common. Users fall victim to malicious phishing or BEC scams and expose their credentials or other damaging information about the organization that is then used by malicious actors to gather intelligence and potentially cause damage to the user's company. This is not only a problem for the employees of the organization but also can be caused by any third-party partner, contractor or member of the supply chain that can be used as an initial entry point into the final target's enterprise."

John Grancarich, EVP, Strategy, HelpSystems

"One click - that's all it takes for an unsuspecting user to be lured down the path of credential theft. And once the first set of credentials has been compromised, the front door of your organization is wide open, and it won't stop there. So, take the time to invest in awareness and in training. It turns out that our parents' advice to us as we were growing up is relevant to security as well: an ounce of prevention is worth a pound of cure."

Tom Huntington, EVP of Technical Solutions, HelpSystems

"When is the greatest threat to an organization's intellectual property? It is when that insider decides to move on to their next career advancement and they decide to take along a little intelligence that they deem not harmful but certainly puts the incumbent company's property at risk to be shared to a competitor or outside threat. Endpoint security should be able to monitor this activity and provide comprehensive reporting of all the ins and outs of the data. Did they print, use a USB or email something to their external provider? What really happened during their exit from the company? Proper data loss prevention technology should provide the tracking of your data and the prevention of this activity."


Published Tuesday, September 06, 2022 7:30 AM by David Marshall