Handling Insider Threat
Insiders are everywhere, and so are insider threats. You need to trust the people in your organization, but you can't be naive about it. Here is how to balance that trust with verification.
Threats to your data and security don’t always start on the outside, orchestrated by a shadowy group of foreign hackers. Many times, it’s actors within an organization who carry out sophisticated and malicious attacks designed to steal money or IP — or both. While visions of Edward Snowden and Chelsea Manning come to mind when people think of a typical internal threat, it’s actually the low-profile, everyday internal attackers that companies should be most worried about.
Is Your Business at Risk of Insider Attacks?
Many companies are at least partly in denial about insider threats, suffering from the “it won’t happen to us” syndrome. Unfortunately, this has led to some misguided assumptions or myths, including the following:
- The biggest threats originate outside the company.
- Insider threats are only a problem for government agencies and other highly sensitive organizations, not “regular” companies.
- Company assets that could be exposed are limited, or of little value, so a large-scale breach is less likely to happen. And even if it does, it probably won’t have a big impact.
- Employees are inherently trustworthy, and with basic security measures in place, the risk is next to none.
While only 3 percent of companies experience a catastrophic loss worth more than $1 million, insider threats are a bigger problem than most companies realize. The Ponemon Institute recently reported that insider activity is the most expensive ongoing threat, costing companies an average of $144,542 each year.
Without the right monitoring in place, ill-intentioned employees pose significant threats to your data, systems, and brand. Of equal concern are disgruntled ex-employees who still have access to systems and who might be motivated to steal confidential information or cause other malicious damage. Because they know the company from the inside, current and former insiders alike are able to launch complex attacks that take, on average, 54.4 days to resolve, according to the same Ponemon Institute report.
With access to any number of systems, these internal actors may be able to:
- Escalate privileges of an unauthorized user
- Install unapproved software
- Add and remove users
- Run suspicious commands
- Initiate changes to security groups
- And much more
With attacks like these carried out under the radar every day, no business is immune to costly insider incidents unless it has the right defenses in place.
Identify the Gray Areas
Before we go further, keep in mind that not all issues, at first appearance, are clearly black or white, and you might be tempted to let some pass by as insignificant and therefore not worth dealing with. But take a second look at incidents such as the following, and make a conscious decision about how to deal with them:
- Unintentional (yet damaging) behaviors, such as re-using source code from previous employers
- Violation of policies such as BYOD usage
Even seemingly innocuous lapses can cause damage when you consider:
- Today’s advanced threat landscape
- The explosion of BYOD and IoT
- Frequent employee turnover
While each of these gray areas by itself may not be significant enough to require an overhaul of your security strategy, they can be costly in aggregate. Take, for example, the practice many companies have of allowing developers to reuse source code from previous employers. Seemingly harmless (and cost-effective) at first glance, it can introduce significant vulnerabilities into your codebase that nobody on your team is tracking, as well as legal exposure over who owns the code.
As more and more small cases like this begin to pop up within an organization, it’s easy to see that it’s not just the highly publicized internal attacks that can damage your business: the “gray area” incidents can be just as dangerous if you don’t identify and deal with them.
Develop an Inside-Out Approach to Security
Regardless of whether an attack is black, white, or gray, companies need a strong cloud security strategy, one designed to catch every bad actor and dangerous activity, no matter when, where, or how it surfaces. While most companies take an outward-facing approach to cloud security to stop the bad guys from coming in, they often don’t take into account what to do if the bad guys are already in, as in the case of internal threats.
This is why cloud security monitoring must happen not only around the perimeter of your environment, but deep within it too. Specifically, monitoring should occur at the workload layer, or the “source of truth,” as we like to call it: the hosts and containers where commands are actually run, packages installed, and users and privileges changed. Activity observed there can be correlated across your environment to identify and stop inappropriate internal behavior before it causes damage.
A good example of an inside-out security strategy is vulnerability management. Vulnerability management means scanning web applications, operating systems, and the everyday packages installed on your hosts, three key areas prone to attack, for known vulnerabilities and for software that should not be there at all. With access to production, for example, a misguided or malicious developer can easily install an unauthorized package in the base AMI, or worse yet, install a package directly on a production host, bypassing the image pipeline entirely. With vulnerability management implemented as an inside-out strategy, you inventory every installed package, compare it with the approved base image, and check it for known vulnerabilities before it goes live and wreaks havoc.
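As an added example (not code from the original article or from any product it describes), the script below performs the comparison that paragraph calls for: it parses a package manifest recorded when the base image was built and one recorded later on a running instance, then reports anything that was installed, removed, or changed since. The dpkg-query output format and both manifests are constructed assumptions for illustration.

```python
"""Package drift check: compare a host's installed packages with the
approved base-image manifest.

Added example, not code from the original article or from any product it
describes. Assumed input format: the output of
    dpkg-query -W -f='${Package}\\t${Version}\\n'
captured once when the base AMI was built and again on the running
instance. Both manifests below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed: manifest recorded at AMI build time (the approved baseline).
BASELINE_MANIFEST = """\
libc6\t2.31-0ubuntu9.9
nginx\t1.18.0-0ubuntu1.4
openssl\t1.1.1f-1ubuntu2.16
python3\t3.8.2-0ubuntu2
"""

# Constructed: manifest recorded on a production instance some weeks later.
# nginx has been downgraded and two network tools have appeared.
RUNNING_MANIFEST = """\
libc6\t2.31-0ubuntu9.9
netcat-openbsd\t1.206-1ubuntu1
nginx\t1.18.0-0ubuntu1.2
nmap\t7.80+dfsg1-2build1
openssl\t1.1.1f-1ubuntu2.16
python3\t3.8.2-0ubuntu2
"""


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'name<TAB>version' lines into {name: version}.

    A malformed line is an error rather than something to skip: an
    inventory you cannot parse is not an inventory you can trust.
    """
    packages: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        name, version = parts
        packages[name] = version
    return packages


@dataclass
class Drift:
    added: dict[str, str] = field(default_factory=dict)    # on host, not in baseline
    removed: dict[str, str] = field(default_factory=dict)  # in baseline, not on host
    changed: dict[str, tuple[str, str]] = field(default_factory=dict)  # (baseline, host)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def compute_drift(baseline: dict[str, str], running: dict[str, str]) -> Drift:
    """Return every difference between the approved manifest and the host."""
    drift = Drift()
    for name, version in running.items():
        if name not in baseline:
            drift.added[name] = version
        elif baseline[name] != version:
            drift.changed[name] = (baseline[name], version)
    for name, version in baseline.items():
        if name not in running:
            drift.removed[name] = version
    return drift


def report(drift: Drift) -> list[str]:
    """Render findings one per line: unknown software first, then version changes, then removals."""
    lines = []
    for name, version in sorted(drift.added.items()):
        lines.append(f"ADDED    {name} {version} (not in base image: who installed it, and why?)")
    for name, (old, new) in sorted(drift.changed.items()):
        lines.append(f"CHANGED  {name} {old} -> {new} (version differs from base image)")
    for name, version in sorted(drift.removed.items()):
        lines.append(f"REMOVED  {name} {version} (present in base image, missing on host)")
    return lines


if __name__ == "__main__":
    drift = compute_drift(parse_manifest(BASELINE_MANIFEST), parse_manifest(RUNNING_MANIFEST))
    print("\n".join(report(drift)) if not drift.is_clean() else "host matches base image")
```

Run against the constructed manifests, the report lists netcat-openbsd and nmap as added and nginx as changed; the same check run against two identical manifests reports a clean host. In practice the baseline manifest is produced by the image build and stored alongside the AMI ID, and the running manifest is collected by the same agent that feeds your vulnerability scanner, so that "not in the base image" becomes a finding in its own right rather than something discovered only when a CVE is later matched to it.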
Trust, But Verify
Security-aware companies understand that, when trust is involved, you also need to verify that security practices are being followed. This becomes especially important considering the growing number of internal threats facing companies today. By adopting a continuous approach to cloud security monitoring, one that baselines normal system behavior in order to flag new and suspicious activity, companies can catch internal incidents before they spiral out of control.
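The baselining approach described here, as an added example that is not code from the original article or from any vendor tool: it learns which programs each user ran during a quiet period, then flags later executions that are new for that user or that match the actions listed earlier on this page (adding users, installing software, changing security groups). The event format, user names, commands and the high-risk program list are all constructed assumptions.

```python
"""Behavioral baseline for insider activity: learn which programs each user
normally runs, then flag executions that are new for that user or that touch
accounts, packages, or cloud security groups.

Added example, not code from the original article or from any product it
describes. Assumed event format: one process execution per line,
tab-separated as <ISO-8601 timestamp>\\t<user>\\t<command line>, as might be
derived from auditd execve records. All events below are constructed.
"""
from __future__ import annotations

import os
import shlex
from collections import defaultdict

# Constructed: a "normal" week of activity used to learn the baseline.
BASELINE_EVENTS = """\
2019-03-04T09:01:10Z\talice\tgit pull origin master
2019-03-04T09:02:44Z\talice\tdocker build -t api:1.2 .
2019-03-04T09:40:03Z\tbob\tkubectl get pods
2019-03-04T10:15:21Z\tbob\tkubectl logs api-7d9f
2019-03-05T09:03:37Z\talice\tgit pull origin master
2019-03-05T11:20:05Z\tbob\tkubectl get pods
"""

# Constructed: the following night. bob creates an account, installs a
# network tool and opens SSH to the world; alice carries on as usual.
NEW_EVENTS = """\
2019-03-06T02:13:07Z\tbob\tsudo useradd -m -G sudo svc-backup
2019-03-06T02:14:30Z\tbob\tsudo apt-get install -y netcat-openbsd
2019-03-06T02:16:02Z\tbob\taws ec2 authorize-security-group-ingress --group-id sg-0123 --protocol tcp --port 22 --cidr 0.0.0.0/0
2019-03-06T09:01:12Z\talice\tgit pull origin master
2019-03-06T09:05:49Z\tbob\tkubectl get pods
2019-03-06T14:22:45Z\talice\tdocker build -t api:1.3 .
"""

# Programs corresponding to the actions the article lists (adding or removing
# users, installing software). Always reported, even for a user who has run
# them before. Constructed list; extend it for your environment.
HIGH_RISK = {
    "useradd": "user account added",
    "userdel": "user account removed",
    "usermod": "user account modified",
    "apt-get": "software installed",
    "apt": "software installed",
    "yum": "software installed",
    "pip": "software installed",
    "chmod": "permissions changed",
}
# aws CLI subcommands that alter network exposure (security group changes).
HIGH_RISK_AWS = {
    "authorize-security-group-ingress", "authorize-security-group-egress",
    "revoke-security-group-ingress", "revoke-security-group-egress",
}


def parse_event(line: str) -> tuple[str, str, list[str]]:
    ts, user, cmd = line.split("\t", 2)
    return ts, user, shlex.split(cmd)


def program_of(argv: list[str]) -> str:
    """Name of the program actually run: strip any path and a leading sudo.

    Limitation: sudo options such as 'sudo -u root cmd' are not unwrapped.
    """
    i = 0
    while i < len(argv) and os.path.basename(argv[i]) == "sudo":
        i += 1
    return os.path.basename(argv[i]) if i < len(argv) else ""


def build_baseline(text: str) -> dict[str, set[str]]:
    """user -> set of programs observed during the learning period."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _, user, argv = parse_event(line)
            seen[user].add(program_of(argv))
    return dict(seen)


def detect(text: str, baseline: dict[str, set[str]]) -> list[dict]:
    """Return one finding per event that is new for the user or high-risk.

    A user absent from the baseline has every execution flagged, which is
    the desired behaviour for an account that did not exist last week.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, argv = parse_event(line)
        program = program_of(argv)
        reasons = []
        if program not in baseline.get(user, set()):
            reasons.append("never seen for this user")
        if program in HIGH_RISK:
            reasons.append(HIGH_RISK[program])
        if program == "aws" and HIGH_RISK_AWS.intersection(argv):
            reasons.append("security group changed")
        if reasons:
            findings.append({"ts": ts, "user": user, "program": program,
                             "reasons": reasons, "command": " ".join(argv)})
    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{f['ts']} {f['user']:<6} {f['program']:<8} {'; '.join(f['reasons'])}")
```

On the constructed data, alice's routine git and docker runs produce no findings, while bob's three night-time executions are each reported, both as programs he had never run before and as account, package and security-group changes. The two rules complement each other: the baseline catches anything unusual without needing a signature, and the high-risk list guarantees that the actions from the list earlier on this page are reported even for an administrator who runs them routinely.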
Published at DZone with permission of Palen Schwab , DZone MVB. See the original article here.