Insider Threats: Tackling the Threat Within
By Carolyn Crandall, CMO
When it comes to security threats, focus is often put on external hackers deploying a host of attacks including Trojans, phishing attacks and APTs, among others. However, it may be time for organizations to stop only looking externally and think about the internal threats that may be lurking within their networks coming from employees. According to the 2016 Insider Threat Spotlight Report, 74% of organizations feel vulnerable to insider threats, and 56% of security professionals say insider threats have become more frequent in the prior 12 months. It has also been reported that 43% of all data loss is attributed to internal threat actors.
A recent example of this is AT&T, where the company sustained a devastating breach involving workers in Mexico, Colombia, and the Philippines – resulting in the accessing and distribution of 280,000 AT&T customer names, full or partial Social Security numbers and wireless account information. This attack (and others similar to it) is becoming increasingly more common. According to IBM’s 2015 Cyber Security Intelligence Index, 55% of cyber attacks were due to insiders – demonstrating the need for organizations to take a closer look at internal security protocols.
Insider Threats – An Increasing Problem for Organizations
When it comes to insider threats, they usually fall into three camps:
- Malicious:Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated or for financial or other personal gain.
- Negligent:Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
- Accidental:Accidental behavior can occur as a result of individual’s careless actions that inadvertently cause security breaches. This can commonly occur when employees don’t actively patch their systems, use BYOD devices or accidently get hit with attacks like man-in-the-middle while connected to free Wi-Fi.
Typically, when thinking about insider threats, malicious insiders out for their own gain come to mind, but actually, the greatest volume of security breaches (36%) come from careless user actions that inadvertently cause security breaches, according to Forrester Research. When it comes to exposing critical data, those guilty often include employees, contractors, and third-party suppliers – with the data being stolen typically being office documents via physical media including USB drives and laptops.
What is Fueling the Boom in Insider Threats?
According to the U.S. Department of Health and Human Services Office for Civil Rights, in the first few months of 2016, theft, loss, improper disposal and unauthorized email access or disclosure were behind the largest incidents in 2016.
While this could be attributed to a variety of reasons, the mass adoption of cloud computing technology and bring-your-own-device (BYOD) have also increased the likelihood of insider threats. Now, more than ever, employees are being provided with increased network access – allowing malicious insiders to go undetected by security systems built to defend against outside threats. Despite an increase in the frequency of these types of breaches, many organizations are overlooking the severity of this issue, resorting to traditional defense systems that are solely designed to prevent attacks hacks through a firewall, anti-virus or other perimeter solutions. According to a 2015 survey by Vormetric Data Security, technical security spending continues to be focused on end-point and mobile device protection – regardless of the fact that corporate servers and databases pose the highest risk. This lack of focus on the importance of securing critical data demonstrates the need for a new approach to dealing with insider threats. One that provides detection for inappropriate reconnaissance for detecting unauthorized access to assets and accidental risks associated to misconfigurations and credentials mishandling.
Mitigating Insider Threats – A Preventative Approach
When it comes to mitigating insider threats, acknowledgment of the risk these attacks pose for organizations will help with ensuring steps are taken to prevent these attacks. To adequately address these threats, organizations need to employ preventative strategies and solutions that can stave off devastating insider attacks, but they also need to be able to detect the threats that evade prevention systems quickly and accurately. The Attivo approach assumes that attackers will get inside the network and focusses on providing early visibility and accelerated response to detected incidents. Attivo has created advanced in-network detection security solutions that use deception techniques to help organizations dramatically increase the speed at which threats inside the network are uncovered, raise high fidelity alerts, simplify the correlation of data, and accelerate incident response actions to automate the blocking and quarantine of attacks . The Attivo ThreatMatrix Deception and Response platform makes the entire network a trap of decoys and deceptions designed to lure an attacker into interacting with its BOTsink engagement server and away from production assets. Camouflage dynamic deception is designed for the highest authenticity and will self-learn the environment, automatically update deceptions, and respin to avoid attacker fingerprinting after an attack. This paired with highly interactive decoys that are 100% customizable to a company’s production environment will make the environment indistinguishable to both external and internal threat actors. Adding deception for internal threat actors does not add burden to security teams since the design is not reliant on having to “learn to get good”, signatures, pattern matching or big data analytics. Since alerts are engagement-based and include substantiated attack activities, there are no false positives and the infected systems are easily identified for prompt quarantine and remediation. Because of its high efficacy, deception technology is growing in popularity for detecting internal and supplier threats targeted at exfiltrating company’s IP, personnel records financial, and other sensitive information stored in data centers or shared between third parties
While external attacks will continue to plague organizations, it would be a mistake to overlook the threats that your employees and suppliers represent. Early threat visibility and detection solutions such as deception technology combined with employee-training programs will defend against these insider threats and strengthen the protection of critical assets.