September marks National Insider Threat Awareness Month,
a time dedicated to emphasizing the importance of detecting, deterring and
reporting insider threats. It began three years ago as a collaborative effort
among U.S. government agencies and has since spread to both the public and
private sectors.
In honor of the month, industry experts have shared their
thoughts on the different strategies organizations can use to protect themselves
from these threats.
Nabil Hannan, Managing
Director, NetSPI
"To account for internal
threats there must be a mindset shift in what constitutes an organization's
threat landscape. Most companies focus exclusively on external threats and view
their own people as trustworthy. As a result, insider threats are often under-addressed
cybersecurity threats within organizations. We learned with
SolarWinds that detecting such a threat is vastly different from traditional
pen testing, code review or other vulnerability detection techniques. Security
teams need to move from only looking for vulnerabilities to also looking for
suspicious or malicious code. With a vulnerability, the threat actor interacts
with the attack surface in a way that exploits a weakness. With malicious code,
the threat actor is either choosing or creating the attack surface and
functionality because they have control over the system internally. So, instead
of the threat actor exploiting vulnerabilities in the attack surface, now the
threat actor creates the attack surface and exercises the functionality that
they implement. Failing to implement threat modeling that studies potential
threats to both vulnerabilities and malicious code can set your organization up
with a false sense of security."
++
Will LaSala, Field CTO,
Americas, OneSpan
"The rise of digitalization
and Web 3.0 has led to an exponential increase in high-value transactions
occurring online. As more processes become digitized, an array of solutions has
cropped up, most void of security capabilities. These solutions are unable to
verify and authenticate the true identity of the person or business on the
other end of the contract - which creates opportunities for threat actors to
take advantage of unsuspecting employees, gain access to an organization's
network and obtain sensitive data.
Employees have become
accustomed to signing contracts quickly and digitally, and they are failing to
verify whether or not the contract they have received is legitimate. As a
result, employees are signing and unknowingly sharing confidential information
with external threat actors. For example, attackers continue imitating the DocuSign
brand, sending phishing links and
documents that appear to be from DocuSign but in reality, are links and files
that expose login credentials. With insider threats becoming a prominent
security issue, organizations must take a proactive approach to mitigate
exposure opportunities. To ensure that employees do not unknowingly expose data
when signing digital documents, organizations should add enhanced
authentication to secure access to agreements as well as 'flatten' uploaded
documents to avoid shadow attacks. Businesses that provide these solutions also
have a role to play, ensuring the identification and authentication
capabilities are built into the entire digital transaction lifecycle."
++
James Christiansen, CSO VP,
Cloud Security Transformation, Netskope
"The 'Insider threat' has
been one of the greatest threats since the beginning of IT. It's the risk that
never goes away because insider threats involve employees - often the weakest
link in any company's security posture. Employees are not only vulnerable to
common attacks or insecure practices (e.g., email phishing), but they have
bona fide access to workplace systems and an understanding of internal
processes, providing the malicious insider a head start. For example, recent
research found that 22% of users upload, create, share or store data in
personal apps, creating an ever-increasing amount of data sprawl that puts
sensitive company data at risk.
Organizations aren't
required to report internal losses associated with insider incidents, meaning this
issue is more prevalent than we know. While there is rapid change in
technology, there are a few steps to protecting against an insider threat. First,
strong background checks, general awareness, and targeted education for high-value
employees are key to turning an insider from malicious to benign.
Additionally, find ways to leverage analytic systems using strong statistical
analysis to better understand normal and unusual behavior. By doing so, we can
get better visibility, control, and ability to notify the users of their
actions. Lastly, your best security monitor is your fellow staff members.
Create a culture whereby if employees see something, they feel comfortable
enough to say something."
++
Rick McElroy, Principal
Cybersecurity Strategist, VMware
"As the Great Resignation
continues and 'quiet quitting' becomes increasingly popular, organizations find
themselves at a higher risk for insider attacks. Over the past year, 41% of
cybersecurity professionals have encountered attacks involving insiders, according
to VMware's Global IR Threat Report. These findings underscore the increasingly
critical nature of talent management when it comes to cybersecurity controls,
especially as companies are trying to manage employee turnover, onboarding and
the use of non-sanctioned apps and platforms.
It's critical for CISOs to
have visibility into their own network to track insider threat indicators, such
as data transfers and accessing unusual resources. This allows organizations
to better protect their proprietary information and security teams to detect
insider threats more quickly."
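James Christiansen's call for statistical analysis of normal versus unusual behavior and Rick McElroy's indicators (data transfers, access to unusual resources) reduce to a small detection routine. The Python below is an added example for this page, not code from Netskope, VMware or any vendor quoted here; the log format, field names and thresholds are assumptions, and the audit log lines are constructed.

```python
"""Per-user baseline of daily transfer volume, scored for outliers.

Added illustration for this article; not the code of any vendor quoted here.
Log format (assumed): <YYYY-MM-DD> user=<id> action=<verb> resource=<name> bytes=<n>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit log. alice's last day is a large pull plus a resource she
# has never touched before; bob's last day is ordinary.
SAMPLE_LOG = """\
2022-08-29 user=alice action=download resource=crm bytes=180000
2022-08-30 user=alice action=download resource=crm bytes=210000
2022-08-31 user=alice action=download resource=crm bytes=195000
2022-09-01 user=alice action=download resource=crm bytes=205000
2022-09-02 user=alice action=download resource=crm bytes=190000
2022-09-05 user=alice action=download resource=crm bytes=4800000
2022-09-05 user=alice action=download resource=source-repo bytes=900000
2022-08-29 user=bob action=download resource=wiki bytes=50000
2022-08-30 user=bob action=download resource=wiki bytes=52000
2022-08-31 user=bob action=download resource=wiki bytes=48000
2022-09-01 user=bob action=download resource=wiki bytes=51000
2022-09-02 user=bob action=download resource=wiki bytes=49000
2022-09-05 user=bob action=download resource=wiki bytes=53000
"""


def parse_log(text):
    """Yield (day, user, resource, nbytes) tuples from key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        yield day, fields["user"], fields["resource"], int(fields["bytes"])


def detect(events, scoring_day, z_threshold=3.0, sigma_floor_ratio=0.1, min_history=3):
    """Score `scoring_day` against each user's own earlier days.

    Returns a list of (user, finding, detail) tuples. Two indicators:
    - volume_outlier: the day's total bytes exceed mean + z_threshold * sigma
    - new_resource: a resource the user never accessed in the baseline
    sigma is floored at sigma_floor_ratio * mean so a user whose history is
    almost constant is not flagged for trivial jitter.
    """
    history = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    seen_resources = defaultdict(set)                # user -> resources in baseline
    today_bytes = defaultdict(int)                   # user -> bytes on scoring_day
    today_resources = defaultdict(set)
    for day, user, resource, nbytes in events:
        if day < scoring_day:  # ISO dates compare correctly as strings
            history[user][day] += nbytes
            seen_resources[user].add(resource)
        elif day == scoring_day:
            today_bytes[user] += nbytes
            today_resources[user].add(resource)

    findings = []
    for user in sorted(today_bytes):
        daily = list(history[user].values())
        if len(daily) >= min_history:
            mu = mean(daily)
            sigma = max(pstdev(daily), sigma_floor_ratio * mu, 1.0)
            z = (today_bytes[user] - mu) / sigma
            if z > z_threshold:
                findings.append((user, "volume_outlier", round(z, 1)))
        for resource in sorted(today_resources[user] - seen_resources[user]):
            findings.append((user, "new_resource", resource))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG), "2022-09-05"):
        print(*finding)
```

The baseline is per user rather than global: a 5 MB day is routine for some roles and extraordinary for others, and the new-resource check catches the quieter case where volume looks normal but the target does not.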
++
Greg Foss, Principal Cloud
Security Researcher, Lacework
"Think of the last employer
for whom you worked. Did they have individual or shared accounts for corporate
resources? Did access to these services exist outside of the corporate
boundary, with no central means of access control? What about programmatic
access that isn't associated with an individual identity? Or better yet, cloud
management infrastructure or even just one of the many instances hosted within.
You are not alone if you answered 'yes' to any of these questions. Former
employees will likely maintain access to some corporate resources, whether they
know it or not. It's not just the insider threat that we must understand, but
"the former insider." A possible recession brings significant
uncertainty, resulting in many people with varying access to sensitive
resources losing their jobs, some of whom become disgruntled. Organizations
must understand their infrastructure, implement robust access controls, and
monitor for misuse because once an insider, always an insider."
++
Mario Orsini, Associate
Director, Security, Raytheon Intelligence & Space
"Insider threats can take
many forms, but the top categories witnessed are typically: recruited, such as
when a foreign entity uses exploitable weaknesses to convince an individual
with access to provide information to those who do not have a need-to-know;
volunteer, when an individual may choose to sell out their country or
organization because of motivators such as greed, disgruntlement, divided
loyalties, or ideological reasons; and unwitting, which is when an individual
unwittingly gives away information through poor security procedures or clever
elicitation collection techniques.
Regardless of the motive,
it's critical for organizations and their security teams to help prevent the
next insider attack. One of the top ways to bolster protection is by adopting
Zero Trust within an organization. Zero Trust principles such as 'Never trust, always
verify,' network micro-segmentation, and least privilege access can be
extremely effective in ensuring an organization doesn't become the next major
breach victim."
++
Daniel Elkabes,
Vulnerability Research Team Leader, Mend
"In an era widely fueled by
and dependent on data-driven tools, developers are under a lot of pressure to
get software, applications, and products out quickly. Expedited work timelines,
in tandem with increased demands and simple human error can result in
developers unintentionally using open source code that has malicious packages,
consequently opening the doors for threat actors to sneak in. For security
teams who are working diligently to protect their organizations against
external threats - addressing insider threats can be an intimidating topic to
approach, as it shines a light on any oversights or errors that were made by
colleagues. It is this hesitancy, however, that underscores the need to spread
awareness.
"With open source software
providing many benefits to enterprises and development teams, its use and
deployment will not slow down. And neither will developers. However, in order
to elicit a real change in behavior and avoid risky code being used, developers
need to understand the larger implications of their actions and the project.
Hands-on, visual training will help developers see how quickly and easily
something can go wrong from a simple coding mistake. This will help
reiterate the importance of regularly managing open source components and all
their dependencies, and how this helps avoid putting the organization at risk.
In addition to training,
developers should proceed carefully and dedicate more time to ensure they're
implementing the correct packages that are free of any malware or
vulnerabilities. While easier said than done, developers should approach the
process of downloading and installing packages for projects through two
different steps to eliminate cases of vulnerabilities. First, developers should
view the package to ensure that it is safe. Once the package is determined safe
and free of any malicious software, developers can then move forward with
installation. By taking off the blinders and helping developers see through an
alternative lens that examines the repercussions of insider threats and steps
that may not always be taken, security teams can provide a clearer image and
equally shed light on the larger context of how insider threats impact
businesses and customers."
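Daniel Elkabes's two-step process (inspect the package, then install it) and Nabil Hannan's distinction between hunting vulnerabilities and hunting malicious code point at the same check: read what a package will execute at install time before letting pip run it. The Python below is an added example, not Mend's or NetSPI's tooling. It builds two constructed sdist archives in memory (one carrying an install hook that decodes and executes a payload plus a .pth file, one clean) and scans them. The indicator patterns and the short list of well-known package names used for the typosquat check are assumptions.

```python
"""Inspect a Python sdist for install-time code before installing it.

Added example for this article; not Mend's or NetSPI's code.
Step 1 (inspect_sdist) runs offline on the archive; step 2 (installing) only
happens if step 1 returns no findings.
"""
import base64
import difflib
import io
import re
import tarfile

# Indicators that deserve a human look when they appear in build/install scripts.
SUSPICIOUS = {
    "exec_or_eval": re.compile(r"\b(exec|eval)\s*\("),
    "base64_decode": re.compile(r"b64decode\s*\("),
    "network_at_install": re.compile(r"urllib\.request|requests\.(get|post)|socket\.socket"),
    "shell_at_install": re.compile(r"os\.system|subprocess\.(run|Popen|call|check_output)"),
    "custom_install_hook": re.compile(r"cmdclass\s*=|class\s+\w+\((install|develop|egg_info)\)"),
}
BUILD_FILES = {"setup.py", "setup.cfg", "pyproject.toml"}
# Assumed allow-list, used only for the typosquat check.
WELL_KNOWN = ["requests", "urllib3", "numpy", "cryptography", "pyyaml"]


def build_sdist(name, version, files):
    """Create an in-memory .tar.gz laid out like a real sdist (<name>-<version>/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{name}-{version}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_sdist(name, sdist_bytes):
    """Return (indicator, location) findings; an empty list means nothing stood out."""
    findings = []
    near = difflib.get_close_matches(name, WELL_KNOWN, n=1, cutoff=0.8)
    if near and near[0] != name:
        findings.append(("possible_typosquat", f"{name} resembles {near[0]}"))
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[-1]
            if rel.endswith(".pth"):  # executed on every interpreter start-up
                findings.append(("pth_file", rel))
            if rel in BUILD_FILES:
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for label, pattern in SUSPICIOUS.items():
                    if pattern.search(text):
                        findings.append((label, rel))
    return findings


# Constructed samples. The "payload" is a harmless print, encoded only so the
# archive has the same shape as a real install-time dropper.
PAYLOAD = base64.b64encode(b"print('stand-in for a malicious payload')").decode()
MALICIOUS = build_sdist("requets", "1.0", {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import base64\n\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        f"        exec(base64.b64decode('{PAYLOAD}'))\n\n"
        "setup(name='requets', version='1.0', cmdclass={'install': PostInstall})\n"
    ),
    "requets.pth": "import os; os.system('id')\n",
})
CLEAN = build_sdist("leftpadlib", "0.1", {
    "setup.py": "from setuptools import setup\nsetup(name='leftpadlib', version='0.1', py_modules=['leftpadlib'])\n",
    "leftpadlib.py": "def left_pad(s, n, ch=' '):\n    return s.rjust(n, ch)\n",
})


def safe_to_install(name, sdist_bytes):
    """Step 2 gate: only an empty inspection report lets installation proceed."""
    return not inspect_sdist(name, sdist_bytes)
```

The scan is deliberately limited to files that run at install or import time; a vulnerability scanner reads the library's code for weaknesses, whereas this reads the packaging for functionality the author chose to hide, which is the shift Hannan describes.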
++
Joe Payne, CEO and
President, Code42
"Insider threats are not a
new problem, but the problem has grown substantially because almost all
corporate data has been digitized and, with a mouse click, can be moved to a
personal email, Dropbox or GitHub account. Almost all malicious data theft from
insiders occurs when people change organizations, which is on the rise because
of the Great Resignation and recent layoffs. A new approach to stop theft and
reduce risk is required.
For years, security teams
have approached insiders the same way they do malicious external threats -
blocking data movement (and therefore internal collaboration) isn't as simple
when it's a colleague. Security teams that are used to dealing with external
threats will find their tactics aren't effective for handling internal threats.
They need a new playbook and a new generation of technology.
Addressing insiders requires
collaboration between security, HR and legal teams, leading with an empathetic
approach. Often, employees are just trying to do their jobs when they create
data risk. Investigative teams must shift their mindset before contacting the
employee, get context to understand the situation and educate the employee to
avoid future incidents.
For example, it's completely
possible (and even likely) that your on-the-road sales member didn't realize
downloading her customer list from Salesforce to a personal device created risk
for the team - she just thought it would be easier to manage. Often, when a
software developer puts his source code in his personal GitHub account, he thinks
that this is okay and not against company policy. An empathetic approach is
required in both examples to keep the employees engaged and productive. These
simple steps can de-escalate stress for your users and help to build a culture
of trust, open communication and respect, while also perpetuating a positive
security culture."
++
Mike Scott, CISO, Immuta
"An uptick in insider threat-related
incidents has ushered in greater awareness around the need to not only
protect the sizeable volume of data collected and stored by organizations but
also who has access to it. While it's hard for some to believe that
someone within an organization will proceed with malicious intent, many
businesses are guilty of giving employees more access to data and privileges
than they need. As people come and go and data further cements itself as an
essential resource for modern businesses, more steps must be taken to guarantee
its security.
This Insider Threat
Awareness Month presents an opportunity for organizations to assess these
security risks, assimilate how to detect, and protect their assets before an
incident occurs, and manage the misuse of sensitive information in the event of
a breach. Insider threats are not always intentional. One way organizations can
ensure the proper protections are in place is to define what data needs to be
protected, when the data should be protected - always or time-based - and who
has access to the data. This way, businesses ensure that only the right people
can view the right data at the right times."
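Mike Scott's three questions (what data needs protecting, whether it is protected always or only for a period, and who may access it) map directly onto a policy evaluator. The Python below is an added example, not Immuta's product or code; the datasets, roles and timestamps are constructed and the policy fields are assumptions.

```python
"""Deny-by-default data access decisions with always-on and time-based protection.

Added example for this article; not Immuta's code. Policies, roles and
timestamps below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    dataset: str
    roles: frozenset                       # who may access while protection applies
    access_hours: tuple | None = None      # (start_hour, end_hour): allow only inside this window
    embargo_until: datetime | None = None  # time-based: after this, wider_roles also qualify
    wider_roles: frozenset = frozenset()


POLICIES = {p.dataset: p for p in [
    # Always protected: support staff only, and only during business hours.
    Policy("customer_pii", frozenset({"support"}), access_hours=(8, 18)),
    # Time-based: finance only until results are public, then analysts and sales too.
    Policy("q3_earnings", frozenset({"finance"}),
           embargo_until=datetime(2022, 10, 27, 9, 0),
           wider_roles=frozenset({"analyst", "sales"})),
    # Not sensitive: anyone authenticated.
    Policy("public_pricing", frozenset({"*"})),
]}


def decide(policies, dataset, user_roles, now):
    """Return (allowed, reason). A dataset with no policy is denied."""
    policy = policies.get(dataset)
    if policy is None:
        return False, "no policy for dataset: deny by default"
    effective = set(policy.roles)
    if policy.embargo_until is not None and now >= policy.embargo_until:
        effective |= set(policy.wider_roles)
    if "*" not in effective and not effective.intersection(user_roles):
        return False, "role not permitted for this dataset at this time"
    if policy.access_hours is not None:
        start, end = policy.access_hours
        if not start <= now.hour < end:
            return False, f"outside access window {start:02d}:00-{end:02d}:00"
    return True, "allowed"


def access_log_entry(policies, dataset, user, user_roles, now):
    """Every decision, allowed or denied, is recorded for later review."""
    allowed, reason = decide(policies, dataset, user_roles, now)
    return {"ts": now.isoformat(), "user": user, "dataset": dataset,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    print(access_log_entry(POLICIES, "q3_earnings", "ana", {"analyst"}, datetime(2022, 10, 20, 10, 0)))
    print(access_log_entry(POLICIES, "q3_earnings", "ana", {"analyst"}, datetime(2022, 10, 27, 9, 30)))
```

The two time dimensions are kept separate on purpose: an access window limits when a permitted role may read, while an embargo widens who is permitted once a date passes. Denying anything that has no policy forces data owners to classify before the first read, which is the inventory step Scott is asking for.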
++
Don
Boxley, CEO and Co-Founder, DH2i
"Over
the past couple of years, work from home (WFH) has morphed into work from
anywhere (WFA). While few would deny the horrors of the pandemic, WFA could be
viewed as one small positive. Organizations and their employees have learned
that we can work from virtually anywhere given the right circumstances. And by
circumstances, I mean, support from leadership and the right technology.
Unfortunately,
the WFA paradigm has also led to an exponential increase in cybersecurity
attacks - not just from external cyber criminals but from malicious internal
bad actors as well. And what makes the internal threat even more dangerous is
that many of these bad actors are armed with knowledge of confidential internal
security procedures, which adds to their ability to cause serious harm to your
organization.
We
saw quite a bit of this at the start of the pandemic when people were first
sent home virtually overnight to work. Many organizations were forced to depend
upon their virtual private networks (VPNs) for network access and security and
then learned the hard way that VPNs were not up to the task. It became clear
that VPNs simply were not designed or intended for the way we work today. Both
external and internal bad actors could, were and are still exploiting inherent
vulnerabilities in VPNs. Instead, forward-looking IT organizations have
discovered the answer to the VPN dilemma. It is an innovative and highly
reliable approach to networking connectivity - the Software Defined Perimeter
(SDP). This approach enables organizations to build a secure software-defined
perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly
connect all applications, servers, IoT devices, and users behind any symmetric network
address translation (NAT) to any full cone NAT: without having to reconfigure
networks or set up complicated and problematic VPNs. With SDP, organizations
can ensure safe, fast and easy network and data access; while slamming the door
on potential cybercriminals."
++
Surya
Varanasi, CTO, StorCentric
"This
September 2022 marks the fourth annual National Insider Threat Awareness month.
It aims to shine a spotlight on the critical importance of defending against,
detecting and mitigating damages from insider threats. Indeed, ransomware and
other types of malware attacks are not only perpetrated by external
cybercriminals, but internal bad actors as well. And, the expense is not only
measured in ransomware payments, but also the almost incalculable cost of
operations downtime, lost revenue, legal fees, regulatory compliance
penalties, a rise in insurance premiums, and/or a loss of customer trust.
The
need to back up data has become ubiquitous. But now, as ransomware and other
malware attacks continue to increase in severity and sophistication, we
understand the need to protect backed up data by making it immutable and by
eliminating any way that data can be deleted or corrupted.
What
is required is an Unbreakable Backup solution that is able to create an
immutable, object-locked format, and then takes it a step further by storing
the admin keys in another location entirely for added protection. Additionally,
the Unbreakable Backup solution should include policy-driven data integrity
checks that can scrub the data for faults and auto-heal without any user
intervention. Ideally, it should also deliver high availability with dual
controllers and RAID-based protection that can provide data access in the event
of component failure. With such a solution deployed, recovery of data will
also be faster because RAID-protected disk arrays are able to read faster than
they can write. With an Unbreakable Backup solution that encompasses these
capabilities, users can ease their worry about their ability to recover - and
redirect their time and attention to activities that more directly impact the
organization's bottom-line objectives."
++
Brian
Dunagan, Vice President of Engineering, Retrospect, a StorCentric Company
"During
National Insider Threat Awareness month we are reminded of the multitude of
reasons a sound data backup strategy and proven solutions are critical. Given
today's economic and geopolitical climate it is a given that at some point
virtually all organizations will suffer a successful cyber-attack be it from
internal or external forces. Given this inevitability, it makes sense that the
end customers I speak with, whether they are from private, public, or
government organizations, are putting an increasing focus on their ability to
detect and recover as quickly, cost-effectively and painlessly as
possible.
A
backup solution that includes anomaly detection to identify changes in an
environment that warrant the attention of IT is a must. Administrators must be
able to tailor anomaly detection to their business's specific systems and
workflows, with capabilities such as customizable filtering and thresholds for
each of their backup policies. And, those anomalies must be immediately
reported to management, as well as aggregated for future ML/analysis purposes.
Certainly,
the next step after detecting the anomaly is providing the ability to recover
in the event of a successful ransomware attack. This is best accomplished with
an immutable backup copy of data (a.k.a., object locking) which makes certain
that the data backup cannot be altered or changed in any way."
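Surya Varanasi's description of immutable, object-locked copies with integrity scrubbing that auto-heals, and Brian Dunagan's point that the recovery copy must be impossible to alter, can be shown together in one small model. The Python below is an added example, not StorCentric's or Retrospect's code. It stands in for two object-locked stores with an in-memory class (an assumed API, not a real storage product), keeps a SHA-256 manifest, and runs a scrub that detects a corrupted copy and repairs it from a good one. The repair path accepts only bytes whose digest matches the manifest, so healing cannot be turned into a way to rewrite a locked object.

```python
"""Verify-and-heal scrub over object-locked backup copies.

Added example for this article; not StorCentric's or Retrospect's code.
LockedStore is an assumed in-memory stand-in for a WORM bucket.
"""
import hashlib
from datetime import datetime, timedelta


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class LockedStore:
    """Object store that refuses overwrites and refuses deletes under retention."""

    def __init__(self, name):
        self.name = name
        self._objects = {}  # key -> [data, retain_until]

    def put(self, key, data, retain_until):
        if key in self._objects:
            raise PermissionError(f"{self.name}: {key} is immutable and cannot be overwritten")
        self._objects[key] = [bytes(data), retain_until]

    def get(self, key):
        return self._objects[key][0]

    def delete(self, key, now):
        retain_until = self._objects[key][1]
        if now < retain_until:
            raise PermissionError(f"{self.name}: {key} under retention until {retain_until.isoformat()}")
        del self._objects[key]

    def repair(self, key, data, expected_digest):
        """Replace a damaged copy, but only with bytes matching the recorded digest."""
        if sha256(data) != expected_digest:
            raise ValueError("refusing repair: replacement does not match manifest digest")
        self._objects[key][0] = bytes(data)

    def simulate_media_fault(self, key, damaged):
        """Test hook standing in for bit rot; a real store exposes nothing like this."""
        self._objects[key][0] = bytes(damaged)


def write_backup(stores, manifest, key, data, now, retention_days):
    """Write the same object to every store and record its digest separately."""
    for store in stores:
        store.put(key, data, now + timedelta(days=retention_days))
    manifest[key] = sha256(data)


def scrub(stores, manifest):
    """Check every copy of every object against the manifest; return {key: status}."""
    report = {}
    for key, digest in manifest.items():
        good = [s for s in stores if sha256(s.get(key)) == digest]
        bad = [s for s in stores if s not in good]
        if not good:
            report[key] = "unrecoverable"
            continue
        for store in bad:
            store.repair(key, good[0].get(key), digest)
        report[key] = "ok" if not bad else f"healed:{len(bad)}"
    return report


def demo():
    """Exercise corruption, healing and the immutability rules; returns the outcomes."""
    now = datetime(2022, 9, 5, 2, 0)
    stores = [LockedStore("primary"), LockedStore("offsite")]
    manifest = {}  # kept apart from the stores, like the admin keys Varanasi describes
    key = "db-2022-09-05.dump"
    payload = b"constructed backup payload, not real data"
    write_backup(stores, manifest, key, payload, now, retention_days=30)

    results = {}
    stores[1].simulate_media_fault(key, payload[:-5] + b"XXXXX")
    results["first_scrub"] = scrub(stores, manifest)[key]
    results["second_scrub"] = scrub(stores, manifest)[key]
    results["copies_match"] = stores[0].get(key) == stores[1].get(key)
    try:
        stores[0].put(key, b"attacker data", now)
        results["overwrite_blocked"] = False
    except PermissionError:
        results["overwrite_blocked"] = True
    try:
        stores[0].delete(key, now + timedelta(days=10))
        results["early_delete_blocked"] = False
    except PermissionError:
        results["early_delete_blocked"] = True
    try:
        stores[0].repair(key, b"attacker data", manifest[key])
        results["tamper_via_repair_blocked"] = False
    except ValueError:
        results["tamper_via_repair_blocked"] = True
    try:
        stores[0].delete(key, now + timedelta(days=31))
        results["delete_after_retention"] = True
    except PermissionError:
        results["delete_after_retention"] = False
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Keeping the manifest outside the stores matters: if an insider with storage admin rights can rewrite both the object and its recorded digest, the scrub will happily report "ok" on tampered data. Real object-lock implementations enforce the same rules at the storage layer; the model only makes the rules visible.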
++
Bob Erdman, Director of Development, Threat
Intelligence, HelpSystems
"Insider threats are not only malicious,
but many times they are accidental.
A purposeful
user may be upset and want to cause damage to the organization, or they may be
motivated by monetary gains (bribes) and disclose information to third parties.
They may even be placed there by outside actors looking to gain knowledge of
practices, procedures and intellectual property. More and more there are
instances of nation states engaging in this industrial espionage.
On the other
hand, accidental compromise is also very common. Users fall victim to malicious
phishing or BEC scams and expose their credentials or other damaging
information about the organization that is then used by malicious actors to
gather intelligence and potentially cause damage to the user's company. This is
not only a problem for the employees of the organization but also can be caused
by any third-party partner, contractor or member of the supply chain that can
be used as an initial entry point into the final target's enterprise."
++
John Grancarich, EVP, Strategy, HelpSystems
"One click - that's all it takes for an
unsuspecting user to be lured down the path of credential theft. And once the
first set of credentials has been compromised, the front door of your
organization is wide open, and it won't stop there. So, take the time to invest
in awareness and in training. It turns out that our parents' advice to us as we
were growing up is relevant to security as well: an ounce of prevention is
worth a pound of cure."
++
Tom Huntington, EVP of Technical Solutions, HelpSystems
"When is the greatest threat to an
organization's intellectual property? It is when that insider decides to
move on to their next career advancement and they decide to take along a little
intelligence that they deem not harmful but certainly puts the incumbent
company's property at risk of being shared with a competitor or outside threat.
Endpoint security should be able to monitor this activity and provide
comprehensive reporting of all the ins and outs of the data. Did they
print, use a USB or email something to their external provider? What
really happened during their exit from the company? Proper data loss
prevention technology should provide the tracking of your data and the
prevention of this activity."
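Tom Huntington's questions about what happened during an employee's exit (print, USB, email) and Joe Payne's observation that most malicious insider theft coincides with a job change come down to one join: HR's departure notice against endpoint DLP events. The Python below is an added example, not HelpSystems' or Code42's code; the HR record, the DLP log lines and their format are constructed, and the spike threshold is an assumption.

```python
"""Exit-window report: DLP channel activity during a notice period versus before it.

Added example for this article; not the code of any vendor quoted here.
DLP log format (assumed): <YYYY-MM-DD> user=<id> channel=<name> bytes=<n>
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR feed: dave gave notice on 1 September and leaves on 14 September.
HR_DEPARTURES = [{"user": "dave", "notice_given": "2022-09-01", "last_day": "2022-09-14"}]

# Constructed endpoint DLP events. erin is not departing and is ignored.
DLP_LOG = """\
2022-08-20 user=dave channel=email_external bytes=40000
2022-08-25 user=dave channel=email_external bytes=35000
2022-08-29 user=dave channel=print bytes=2000
2022-09-02 user=dave channel=email_external bytes=38000
2022-09-06 user=dave channel=usb bytes=2500000
2022-09-09 user=dave channel=usb bytes=1800000
2022-09-12 user=dave channel=cloud_upload bytes=900000
2022-09-13 user=dave channel=email_external bytes=410000
2022-08-22 user=erin channel=usb bytes=100000
2022-09-07 user=erin channel=usb bytes=120000
"""


def parse_dlp(text):
    """Yield (day, user, channel, nbytes) from key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        yield date.fromisoformat(day), fields["user"], fields["channel"], int(fields["bytes"])


def exit_report(departures, events, spike_ratio=3.0):
    """Per departing user, compare per-channel bytes in the notice window with an
    equally long window immediately before notice was given.

    flag is "new_channel" (unused before, used during), "spike" (during exceeds
    spike_ratio times before) or None.
    """
    events = list(events)
    report = {}
    for dep in departures:
        notice = date.fromisoformat(dep["notice_given"])
        last = date.fromisoformat(dep["last_day"])
        span = (last - notice).days + 1               # notice period, inclusive
        before_start = notice - timedelta(days=span)  # same-length lookback
        totals = defaultdict(lambda: {"before": 0, "during": 0})
        for day, user, channel, nbytes in events:
            if user != dep["user"]:
                continue
            if before_start <= day < notice:
                totals[channel]["before"] += nbytes
            elif notice <= day <= last:
                totals[channel]["during"] += nbytes
        for channel, t in totals.items():
            if t["before"] == 0 and t["during"] > 0:
                t["flag"] = "new_channel"
            elif t["during"] > spike_ratio * t["before"]:
                t["flag"] = "spike"
            else:
                t["flag"] = None
        report[dep["user"]] = dict(totals)
    return report


if __name__ == "__main__":
    for user, channels in exit_report(HR_DEPARTURES, parse_dlp(DLP_LOG)).items():
        for channel, t in channels.items():
            print(user, channel, t)
```

The report answers Huntington's questions per channel rather than as one number, which is what the conversation with HR and legal needs: a USB channel that appears for the first time after notice is a different conversation from a modest rise in external email. Following Payne's advice, the output is context for an empathetic interview, not an accusation.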