If you haven’t dealt with the threat of malicious insiders, you really haven’t figured out how to deal with internal threats to your cybersecurity program.
Here’s what I mean.
There are three faces of cybersecurity threats from within one’s own organization.
Employees, contractors, suppliers and even trusted business partners who have authorized, yet uncontrolled, access to systems and/or sensitive information all have the opportunity to do irrevocable harm to a company. But for all of this diversity, threats typically come from a few types of actors.
First are the negligent. These employees may accidentally delete or modify critical information or unwittingly share sensitive information. Unintended disclosure comes in the form of posting information on public-facing websites or social media sites, sending information to the wrong party or posting proprietary data to unapproved cloud providers and applications.
Then there are employees exploited by an external adversary via phishing, malware or other web-based attacks (for example). This adversary then finds their way into the network with compromised user credentials.
Those two groups of insiders can be detected and remediated through relatively straightforward means. Negligence can be improved through training and information technology monitoring tools. Exploited employees can be detected through User and Entity Behavior Analytics (UEBA) applications using advanced machine learning techniques effective at identifying these cyber IT-centric activities that exhibit behaviors that are out of the norm. (What is that HR employee doing accessing customer or engineering data, anyway?)
The third face of insider threat, however, are malicious insiders – and no training program and few straightforward applications will totally counter this threat. These employees deliberately steal critical company information, whether for profit, sabotage or other idiosyncratic reasons.
These cases are the most challenging to identify and can cause some of the greatest harm to an organization because these individuals are likely to already know their way around the IT infrastructure — and where critical assets are located. In many cases, the insider themselves created the information or can abuse their (valid) authoritative privileges. In most cases their IT user behavior doesn’t indicate anything out of the ordinary. Indeed, an insider with the right technical skills can rather easily thwart IT-centric monitoring applications.
An additional challenge to spotting evil-doing insiders: They typically aren’t bad apples from the start. Instead, due to many different circumstances such as financial hardship or disgruntlement, they will begin to turn their insider powers toward nefarious ends. This is why, in part, that most malicious insiders are identified after the fact by law enforcement outside of an organization’s internal security operations.
Insiders of this nature are having an impact. Overall, malicious insiders accounted for 14 percent of all known data breaches in 2015, according to Gemalto’s Data Breach Index. That included the third most impactful breach of the entire year: more than 40 million records were pilfered from the Korean Pharmaceutical Information Center by a malicious insider. That amounted to medical information on nearly 90% of the South Korean population being sold online.
In 2014, 28 percent of companies identified insiders as a major source of their cybersecurity threats over the past year according to that year’s U.S. State of Cybercrime Survey.
We almost need not remind, but any data breach is costly. Juniper Research predicts that data-breach losses will reach $2.1 trillion globally by 2019, with an average cost per incident to exceed $150 million by 2020.
We are not powerless in the face of even talented, determined foes hiding in our organizations. Companies can take these five prudent steps to be effective in mitigating the threat of a malicious insider.
- Perform a baseline vulnerability assessment across your organization (not only IT-systems) to determine your preparedness to prevent, detect and respond to malicious insider threats.
- Understand what are your critical assets you are trying to protect.
- Perform continuous and long-term monitoring of risk indicators with context across the entire enterprise complemented with IT-centric user behavior monitoring applications.
- Provide training and awareness to employees.
- Have qualified analysts with an investigative background that understand the broader security aspects of the malicious insider.
Want to learn more? Download our whitepaper to learn more about insider threats and the other ingredients that make an insider threat detection program (ITDP) successful.
Ollie Luba is a principal systems engineer at Lockheed Martin with 30 years of experience in analyzing, modeling and designing complex analytic systems for government and commercial clients. Currently, Ollie is the Product Manager and Technical lead for Lockheed Martin’s insider threat identification solution.