
Can Your Security Stack Handle Insider Threats?


Insider threats are one of the trickiest aspects of security. Are you sure your system is ready to handle a determined bad actor on the inside?


No one likes pop quizzes, so I was a little hesitant going into my presentation during (ISC)² Security Congress recently. Not only did I begin with a pop quiz, I also assigned homework for audience members to complete after they left the conference.

My first slides asked the question, “Does this security stack address the insider threat?” (Hint: the answer is “no”):

You may be asking yourself, “But I see DLP, UEBA, SIEM, and EDR solutions — how can the answer be ‘no’?”

Some of these technologies can indeed help you identify anomalous behavior within your network, and DLP even attempts to block the exfiltration of pre-defined sensitive information from the organization. However, these tools are either blind to what is happening on the endpoint itself, or they are rule-based and do not facilitate the identification and investigation of data exfiltration resulting from the actions of malicious or careless internal actors.

To know how to deal with this type of threat, you first need to understand the typical behavior of insiders, especially the most dangerous type: malicious insiders. So I moved next to an examination of the Insider Threat Kill Chain, a six-step process that most insiders follow. After these bad actors identify and isolate the specific sensitive data they want to steal, they attempt to hide that data from security’s eyes by converting it into formats that are less obvious and harder to inspect (e.g., renaming files, ZIPping them, or encrypting them). Next, they exfiltrate the data by moving it to a USB thumb drive or other removable media, email, cloud storage, or an FTP server. Finally, they try to cover their tracks by taking steps such as deleting the cache of sensitive information they have accumulated.

There are five essential components to breaking this Kill Chain:

  1. Endpoint visibility: The endpoint is the primary point of interaction between people and data, and it’s also where a lot of IP is created and stored. Hence, complete visibility into those interactions at the endpoint is critical. This matters all the more because most corporate security tools have neither control over nor visibility into employees’ personal communication channels or personal cloud services (e.g., Google Drive, Gmail).
  2. Deep context visibility: You must gain data-element-level visibility into the information stored on those endpoints. It isn’t just files (aka unstructured data); it is your company’s intellectual property, your source code, your PII or PHI.
  3. Continuous visibility: You cannot rely on one-off or scheduled “scans” or snapshots of user-data interactions. You need to continuously track all interactions with data so you can maintain a precise historical audit log. Moreover, your visibility needs to span months, if not years.
  4. Insider behavior detection: Monitor for suspicious activities along every step of the Kill Chain. This allows you to be proactive in predicting exfiltration instead of just reacting to a breach after it has occurred.
  5. Provide business impact: It’s not a question of “if” your organization will suffer a breach, but “when.” Establishing full visibility over your data will enable you to quickly provide an accurate assessment of the breach in business terms (i.e., $$$), rather than merely in the number of records lost.
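The following is an added example, not code from the original post or from ThinAir, that shows what "insider behavior detection along every step of the Kill Chain" looks like as logic run over an endpoint audit log. It uses a constructed, hypothetical event schema (fields `ts`, `user`, `action`, `path`, `dest`, `device`, `label`) and constructed sample events. The key idea it demonstrates is lineage: a file derived by rename, archive or encrypt inherits the sensitivity label of its source, so the later copy of an innocuously named ZIP to a USB stick is still recognized as exfiltration of PII, and the stage a user has reached is reported together with the labels involved, which is the input a business-impact estimate needs.

```python
"""Kill-chain stage tracking over a constructed endpoint audit log.

Stages follow the article's description: acquire (read sensitive data),
conceal (rename / archive / encrypt), exfiltrate (copy to an external
channel), cover (delete the staged copy). A stage only counts once the
previous stage has been seen for that user, so isolated deletes or
unrelated archives do not advance the chain.
"""
from collections import defaultdict

# Constructed sample events with a hypothetical schema; 'label' is the
# classification a deep-context scan would attach to the file content.
EVENTS = [
    {"ts": 1, "user": "alice", "action": "read", "path": "/data/customers.csv", "label": "PII"},
    {"ts": 2, "user": "alice", "action": "rename", "path": "/data/customers.csv", "dest": "/tmp/notes.txt"},
    {"ts": 3, "user": "alice", "action": "archive", "path": "/tmp/notes.txt", "dest": "/tmp/pics.zip"},
    {"ts": 4, "user": "alice", "action": "copy", "path": "/tmp/pics.zip", "dest": "E:/pics.zip", "device": "usb"},
    {"ts": 5, "user": "alice", "action": "delete", "path": "/tmp/pics.zip"},
    {"ts": 6, "user": "bob", "action": "read", "path": "/data/roadmap.docx", "label": "IP"},
    {"ts": 7, "user": "bob", "action": "copy", "path": "/data/roadmap.docx", "dest": "/share/roadmap.docx", "device": "corp_share"},
    {"ts": 8, "user": "carol", "action": "archive", "path": "/home/carol/photos", "dest": "/tmp/photos.zip"},
    {"ts": 9, "user": "carol", "action": "copy", "path": "/tmp/photos.zip", "dest": "E:/photos.zip", "device": "usb"},
]

CONCEAL_ACTIONS = {"rename", "archive", "encrypt"}
EXFIL_CHANNELS = {"usb", "personal_cloud", "email", "ftp"}   # assumed channel names
STAGES = ("acquire", "conceal", "exfiltrate", "cover")


def analyze(events):
    """Return (stages reached per user, labels exfiltrated per user)."""
    lineage = {}                      # path -> set of sensitivity labels
    progress = defaultdict(dict)      # user -> stage -> ts first reached
    exfiltrated = defaultdict(set)    # user -> labels moved off-channel
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, action, path = e["user"], e["action"], e["path"]
        if "label" in e:
            lineage.setdefault(path, set()).add(e["label"])
        labels = lineage.get(path, set())
        if not labels:
            continue                  # no sensitive lineage: ordinary activity
        stage = None
        if action == "read":
            stage = "acquire"
        elif action in CONCEAL_ACTIONS:
            lineage.setdefault(e["dest"], set()).update(labels)   # derived file inherits labels
            stage = "conceal"
        elif action == "copy":
            lineage.setdefault(e["dest"], set()).update(labels)
            if e.get("device") in EXFIL_CHANNELS:
                stage = "exfiltrate"
                exfiltrated[user].update(labels)
        elif action == "delete":
            stage = "cover"
        if stage is None:
            continue
        idx = STAGES.index(stage)
        # Advance only in kill-chain order (acquire has no prerequisite).
        if idx == 0 or STAGES[idx - 1] in progress[user]:
            progress[user].setdefault(stage, e["ts"])
    reached = {u: [s for s in STAGES if s in p] for u, p in progress.items()}
    return reached, dict(exfiltrated)


def kill_chain_progress(events):
    return analyze(events)[0]


def alerts(events):
    """One alert per user with sensitive activity, highest severity first."""
    reached, exfiltrated = analyze(events)
    out = []
    for user, stages in reached.items():
        if "exfiltrate" in stages:
            severity = "high"
        elif "conceal" in stages:
            severity = "medium"
        else:
            severity = "low"
        out.append({"user": user, "severity": severity,
                    "stages": stages, "labels": exfiltrated.get(user, set())})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda a: order[a["severity"]])


def naive_dlp_hits(events):
    """A rule that only looks at the copied event itself (no lineage):
    it misses data that was renamed or zipped before the copy."""
    return [e["user"] for e in events
            if e["action"] == "copy" and e.get("device") in EXFIL_CHANNELS and "label" in e]


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a)
    print("naive rule hits:", naive_dlp_hits(EVENTS))
```

Running it reports alice at `high` with all four stages and the `PII` label, bob at `low` (he read IP but only copied it to a corporate share), and carol not at all (her ZIP has no sensitive lineage). The naive rule returns nothing, because by the time alice's data reaches the USB copy it is called `pics.zip`; the continuous, lineage-aware audit log is what makes the chain visible, and retaining it for months is what lets you reconstruct the stages after the fact.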

I wrapped up by assigning the audience members some homework: to ask themselves which tools (if any) in their security stacks address the insider threat problem, and to determine what percentage of their security budget is dedicated to this issue. Chances are the answers to both questions are inadequate.

Now, if I may be so bold, I assign the same homework to you. I understand the insider threat is the unglamorous side of security — and one that most vendors and industry professionals tend to ignore. But you do so at your organization’s financial and legal peril.

Click here to view my presentation on SlideShare, and please connect with me on LinkedIn if you have any questions about the slides, or more broadly on how to identify and mitigate the insider threat.

You can also connect with me and my colleagues at ThinAir on LinkedIn and Twitter.


Published at DZone with permission of
