In this third part of the Insider threat / Insider risk / People risk series we move on to how we can manage this risk and prevent it from being realised.
Despite my concerns around the ‘insider threat’ terminology, I have kept it for the title as this is currently the most common term.
As I started writing this series my initial thoughts were that some of the ‘people / process’ areas would be the most important. However, as I have researched this area I’ve come to realise that some of the ‘people’ things may be of less value than I expected. Some people areas like JML and IDAM (acronyms will be covered later) are indeed key, but only in conjunction with equally key technology capabilities.
While all related, for ease of reference I’ll split the ways we can work to prevent / mitigate the insider threat into ‘People Stuff’, ‘Process Stuff’ and ‘Tech Stuff’. While there will be some overlap, I think these categories cover the main areas. This aligns with the standard security ethos of covering People, Process and Technology in order to secure an organisation.
The below is hardly an exhaustive list, but will hopefully get you thinking about the areas you need to focus on to secure your organisation’s systems and data.
Develop a ‘secure culture’ with strong security awareness. In line with wider security training, ensure everyone knows security is their responsibility. This training should include helping people to recognise the signs that may indicate someone is at risk of becoming an insider threat, and how to report them. An important point to remember here is that it is just as likely the person concerned needs support and assistance as that they are being malicious.
Promote an open culture throughout the organisation. It is OK to discuss concerns about yourself or others, and the organisation will always look to take positive, not negative, steps to resolve potential issues. It is expected that anyone without a valid pass on display will be challenged, no matter who they are, even the CEO.
The most important process area in order to mitigate the insider threat is JML (Joiners, Movers, Leavers), ensuring all users have only the permissions required to perform their current role. Organisations often have reasonable ‘joiners’ and ‘leavers’ parts of the process, but many struggle with ‘movers’. This is often highlighted when you look at the permissions of staff who have been with the organisation for some time and through several roles. It is not uncommon to find they have accumulated the permissions of all the roles they have performed, rather than just those required for their current position.
As a recommendation, RBAC (Role Based Access Control), where each identified role in the organisation has an approved permissions template, is a better method than trying to copy another user’s permissions in the hope they are correct.
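One way to make the ‘movers’ problem visible is to compare each user’s effective permissions against the approved template for their current role. The following is an added example, not code from the original post; the roles, permission names and directory snapshot are constructed sample data.

```python
"""Added example: detect 'mover' permission accumulation by comparing each
user's effective permissions with the approved RBAC template for their
current role. All roles, permissions and users are constructed sample data."""
from typing import Dict, List, Set, Tuple

# Approved permission template per business role (constructed).
ROLE_TEMPLATES: Dict[str, Set[str]] = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.create", "erp.suppliers.read"},
    "treasury": {"erp.payments.read", "erp.payments.release", "bank.portal.login"},
    "hr_admin": {"hr.records.read", "hr.records.write"},
}

# Directory snapshot: user -> (current role, effective permissions).
# 'bob' moved from treasury to HR and kept his old payment rights.
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("accounts_payable", {"erp.invoices.read", "erp.invoices.create", "erp.suppliers.read"}),
    "bob": ("hr_admin", {"hr.records.read", "hr.records.write", "erp.payments.release", "bank.portal.login"}),
    "carol": ("treasury", {"erp.payments.read", "bank.portal.login"}),
    "dave": ("contractor", {"erp.invoices.read"}),  # role with no approved template
}

def permission_drift(role: str, perms: Set[str], templates: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Compare one user's permissions with their role template.
    Returns (excess, missing); 'excess' is what a mover review should remove."""
    template = templates[role]
    return sorted(perms - template), sorted(template - perms)

def review_directory(directory: Dict[str, Tuple[str, Set[str]]], templates: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per user that needs attention, ordered by user name.
    Users whose permissions exactly match their template produce no finding."""
    findings = []
    for user, (role, perms) in sorted(directory.items()):
        if role not in templates:
            # No template means nothing to certify against: everything is 'excess' until a template exists.
            findings.append({"user": user, "role": role, "issue": "no approved template",
                             "excess": sorted(perms), "missing": []})
            continue
        excess, missing = permission_drift(role, perms, templates)
        if excess or missing:
            findings.append({"user": user, "role": role,
                             "issue": "excess permissions" if excess else "below template",
                             "excess": excess, "missing": missing})
    return findings

if __name__ == "__main__":
    for f in review_directory(DIRECTORY, ROLE_TEMPLATES):
        print(f"{f['user']:6} {f['role']:17} {f['issue']:22} excess={f['excess']} missing={f['missing']}")
```

In practice the directory snapshot would come from an IDAM export or a group-membership report, and ‘excess’ entries are the ones to raise with the current line manager for removal.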
There may be an argument for having periodic background checks on key staff in addition to the checks performed at the start of employment. This is another area where many companies perform reasonable due diligence on employees prior to the start of employment, but then the checks are never performed again. Personally I am not 100% convinced on this one, as most checks are in reality not that in depth and would at best only flag a concern – do we actually know how many insider threats are realised by someone who has more debt than before, for example? By all means do these, but ensure it is realised they are at best an indicator that risk may be increased, and will likely miss many of the people more likely to realise the risk.
Ensure key processes, especially those with material impact like moving money around, are ‘4 eyes’ or even ‘6 eyes’ processes. This means that no one person can authorise certain transactions or processes: someone would initiate it and at least one other person would review and confirm. These different people should not be in the same team, to reduce the chances of collusion.
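The ‘4 eyes’ / ‘6 eyes’ rule above is easy to state and easy to get subtly wrong (the initiator approving their own request, the same approver counted twice, or all approvers sitting in the initiator’s team). The following is an added example, not code from the original post, of a check that enforces all three conditions; the team directory, the amount threshold for requiring two approvers, and the transactions are constructed assumptions.

```python
"""Added example: segregation-of-duties check for a payment release.
Teams, the six-eyes threshold and the transactions are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List

# Staff directory: user -> team (constructed).
TEAMS: Dict[str, str] = {"alice": "accounts_payable", "bob": "accounts_payable",
                         "carol": "treasury", "dave": "finance_control"}

# Assumption for this example: amounts at or above this need two approvers ('6 eyes').
SIX_EYES_THRESHOLD = 100_000

@dataclass
class Transaction:
    amount: float
    initiator: str
    approvers: List[str] = field(default_factory=list)

def required_approvers(amount: float) -> int:
    """'4 eyes' needs one approver besides the initiator; '6 eyes' needs two."""
    return 2 if amount >= SIX_EYES_THRESHOLD else 1

def check_segregation(txn: Transaction, teams: Dict[str, str]) -> List[str]:
    """Return the list of rule violations; an empty list means the release may proceed."""
    problems = []
    needed = required_approvers(txn.amount)
    distinct = list(dict.fromkeys(txn.approvers))  # the same person approving twice counts once
    if len(distinct) < needed:
        problems.append(f"needs {needed} approver(s), has {len(distinct)}")
    if txn.initiator in distinct:
        problems.append("initiator cannot approve their own transaction")
    initiator_team = teams.get(txn.initiator)
    for approver in distinct:
        if approver not in teams:
            problems.append(f"unknown approver {approver}")
        elif approver != txn.initiator and teams[approver] == initiator_team:
            problems.append(f"approver {approver} is in the initiator's team")
    return problems

if __name__ == "__main__":
    for txn in (Transaction(5_000, "alice", ["bob"]),
                Transaction(5_000, "alice", ["carol"]),
                Transaction(250_000, "alice", ["carol", "carol"]),
                Transaction(250_000, "alice", ["carol", "dave"])):
        print(txn, "->", check_segregation(txn, TEAMS) or "OK")
```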
Implement job rotation where it makes sense / is feasible, as this reduces the chance of someone planning and committing fraudulent activity over a long period. Some organisations also implement enforced periods of holiday, e.g. at least one 2 week block must be taken each year during which there is no contact with business systems. While not infallible, this does ensure a period where someone else performs the role, making it more likely discrepancies would be spotted.
A first area to think about here would be how you can implement technology to support the above mentioned process improvements. Examples would be Identity and Access Management (IDAM) solutions to support the creation and use of business roles, and a solution to interrogate systems and report on existing permissions, group membership etc.
The next thing to realise is that ‘standard’ monitoring and controls likely do not cut it when you are trying to protect your systems and data from users and accounts that are legitimately permitted access. It may be possible to pick up on some simple behaviours like an account attempting to access a lot of directories it is not permitted to, or port scans, or data exfiltration so large it impacts services. However, these would not be the most likely behaviours unless the insider / compromised account really was not trying to hide their tracks at all; in fact they would almost be trying to get spotted with actions like these!
In order to detect more subtle malicious behaviour, some form of UBA (User Behaviour Analytics) capability must be employed. It should be noted that this is a relatively new area in the security space that is currently fairly high in the ‘hype cycle’. As such, considerable due diligence is recommended in terms of both clearly defining your requirements and understanding the detailed capabilities of the solutions you assess. Many companies are badging existing and new solutions as having UBA capabilities in order to capitalise on the current hype in this space.
To understand if an account is behaving in a potentially malicious manner, it is critical to not only understand its actions in detail, but also to have some understanding of what is normal. The best way to do this is to ensure there is an understanding of roles and teams within the organisation, so that the solution can compare behaviours across groups that you would expect to perform similar actions. Another key point here is that a lot of behaviour that could be malicious, from viewing extra records to changing data, may all happen within an application, so consider solutions that are able to integrate with your applications, or at least have a detailed understanding of your applications’ logging.
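The peer-group comparison described above can be illustrated with a small detection over application audit data: each account’s daily count of an in-application action is scored against the median and median absolute deviation of their own team, so an account viewing far more records than its peers stands out even though every access was permitted. This is an added example, not code from the original post; the team directory, the daily-summary log format and the threshold are constructed assumptions.

```python
"""Added example: flag accounts whose daily in-application activity is far
outside their own team's baseline. Log lines, teams and threshold are
constructed sample data; the log format is assumed, not a real product's."""
import re
import statistics
from collections import defaultdict
from typing import Dict, Tuple

# Staff directory: user -> team (constructed).
TEAMS: Dict[str, str] = {"alice": "claims", "bob": "claims", "carol": "claims", "dan": "claims",
                         "erin": "payroll", "frank": "payroll", "gina": "payroll"}

# Constructed daily summary lines from an application audit log.
LOG = """\
2024-05-01 user=alice action=VIEW_RECORD count=41
2024-05-01 user=bob action=VIEW_RECORD count=38
2024-05-01 user=carol action=VIEW_RECORD count=45
2024-05-01 user=dan action=VIEW_RECORD count=410
2024-05-01 user=erin action=VIEW_RECORD count=12
2024-05-01 user=frank action=VIEW_RECORD count=15
2024-05-01 user=gina action=VIEW_RECORD count=9
"""
LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) count=(\d+)$")

def parse_counts(log_text: str, action: str = "VIEW_RECORD") -> Dict[str, int]:
    """Return {user: total count} for one action type over the lines present."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(3) == action:
            counts[m.group(2)] += int(m.group(4))
    return dict(counts)

def peer_outliers(counts: Dict[str, int], teams: Dict[str, str],
                  threshold: float = 3.5, min_peers: int = 3) -> Dict[str, Tuple[str, int, float]]:
    """Modified z-score (0.6745 * (x - median) / MAD) of each user against their own team.
    Returns {user: (team, count, score)} for users scoring above the threshold (high side only)."""
    by_team: Dict[str, Dict[str, int]] = defaultdict(dict)
    for user, n in counts.items():
        if user in teams:
            by_team[teams[user]][user] = n
    flagged = {}
    for team, members in by_team.items():
        if len(members) < min_peers:
            continue  # too few peers to form a meaningful baseline
        values = list(members.values())
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        scale = mad if mad > 0 else 1.0  # assumption: floor of 1 when all peers are identical
        for user, n in members.items():
            score = 0.6745 * (n - med) / scale
            if score > threshold:
                flagged[user] = (team, n, score)
    return flagged
```

A real deployment would build the baseline over many days and actions and would treat the flagged account as a lead for review, not as proof of wrongdoing.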
Other more ‘standard’ capabilities such as DLP, web proxies and email gateways can also play a role, both in reducing the risk of insider threat and in detecting it, by ensuring their log files detailing user and system behaviour, web sites visited and emails sent are incorporated into the broader behaviour analysis capability.
On a final tech point, consider some sort of secure browsing capability. If you can prevent any malware from the web from even getting to your endpoints, and simultaneously prevent uploads to the web, you will have dramatically reduced the risk from malicious users, phishing and account compromise.
I hope the above is useful guidance and thought provoking. It would be great to hear your ideas and things you think are critical in minimising the risk from insiders and compromised accounts.