5 Technology Components for Building an Insider Threat Program
“Use of user behavior monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.”
2018 Insider Threat Report, Cybersecurity Insiders
In part one of our blog on insider threat programs, we revealed that most companies already have many insider threat program components in place. Rather than tossing aside plans to develop a formal program due to resource constraints, competing external threats, or the perception that it’s too overwhelming to tackle, you can actually use what you already have to get an Insider Threat program up and running. In part one, we outlined five organizational elements to put towards combating insider threats.
Here are five technical elements you can apply to protect your company:
1. Inventory Critical Assets
Opportunity: Before you can protect something, you first need to identify what it is you want to protect. What are your company’s critical assets that need to be protected?
Required Resource(s): Critical assets can be people, facilities, systems, and information.
Assess Gaps: How are these defined assets currently protected? Is there anything you could do better? Do you know the risks against this list? Who within your organization needs to be protected from compromise, e.g. senior leadership? What facilities need more visibility and protection from a cyber defense perspective? Do they have the proper protection? Continuously evaluate and improve measures as needed.
Beyond the Basics: Think about what can be done to reduce risk and what program elements you can implement now.
2. Improve Visibility
Opportunity: If an employee has submitted his or her resignation, it’s beneficial to monitor that employee’s web traffic history in the final weeks before they leave, as well as the past 30-60 days. Checking email activity in the same manner can identify any attempts to exfiltrate data.
Required Resource(s): If your company is already viewing enterprise traffic, such as email and web browsing, you can start monitoring for intentional and unintentional insider threat activities.
Assess Gaps: Companies often focus on encrypting all traffic to keep outsiders from seeing it. However, this can also prevent your information security professionals and detection technologies from doing their job to the fullest extent of their capabilities. If network traffic is not being decrypted for inspection and analysis, your tools and security team cannot detect, prevent, or respond to an insider threat. Complete visibility of the internal network is critical to seeing any data theft that may be occurring.
Beyond the Basics: Perform internal Red Team/Blue Team exercises to test what the team and tools can detect and respond to. Also, perform tabletop exercises and review data from internal and external network traffic to identify visibility gaps.
3. Leverage Endpoint / System-Level Protection
Opportunity: Having your technologies block actions as well as send alerts on suspicious actions can often identify insider risks before they become issues. If an employee tries to install software or programs that are not company-approved, they could be trying to find ways around existing protections. Also, to further protect against data exfiltration, set data restrictions or require an approval process for the use of removable media.
Required Resource(s): Technologies such as anti-virus, anti-malware, mobile device management, and data loss prevention (DLP) protections can be tuned to detect an insider threat and alert your information security team.
Assess Gaps: Companies often allow employees to access company email on phones and tablets without much visibility. You should treat those devices the same way you do company computers and ensure mobile device management is in place to prevent and detect data exfiltration, both unintentional and intentional.
Beyond the Basics: Performing data classification and tagging, as well as data rights management, on endpoints allows you to increase your DLP abilities and ensure company confidential data is not being stored in an unsafe manner.
4. Tighten Access Control
Opportunity: The 2018 Insider Threat Report found 37% of organizations identified too many users with excessive access privileges as an enabling risk factor to insider threat vulnerabilities. Make sure that users only have access to the things they need and nothing more. Use your currently-implemented technology stack, along with updated processes and procedures, to restrict and monitor elevated and administrative privileges.
Required Resource(s): Your existing technology stack, if configured correctly, most likely has what you need to effectively tighten access controls, e.g. integrated user directory, role-based access controls, user privilege assignment methods, single sign-on (SSO), and multi-factor authentication.
Assess Gaps: Update how you enable and prioritize alerts for those with high-level access. Two gaps to address immediately include:
- Turn on alerting for privileged accounts and ensure they can't disable security features such as turning off anti-malware software.
- Ensure event logs are on for all administrative activities and accounts.
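The two gaps above can be checked together: alert on every action taken by a privileged account, escalate any action that weakens a security control, and flag administrative accounts that produce no events at all (a sign that logging may be off for them). The following is an added example, not part of the original article; the audit-log format, field names and account list are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed audit-log lines (one JSON object per line); the field names are assumptions.
AUDIT_LOG = """\
{"ts":"2018-09-03T08:02:11Z","user":"jdoe","privileged":false,"action":"file.read","target":"/share/hr/policy.pdf"}
{"ts":"2018-09-03T08:05:40Z","user":"admin-ops","privileged":true,"action":"security.disable","target":"antimalware"}
{"ts":"2018-09-03T08:06:02Z","user":"admin-ops","privileged":true,"action":"user.add","target":"svc-backup"}
{"ts":"2018-09-03T08:09:15Z","user":"jdoe","privileged":false,"action":"security.disable","target":"antimalware"}
{"ts":"2018-09-03T08:11:30Z","user":"admin-db","privileged":true,"action":"db.export","target":"customers"}
"""

# Actions that weaken a security control; these should never succeed silently.
SECURITY_WEAKENING = {"security.disable", "audit.clear", "service.stop"}
# Accounts known to hold administrative rights (constructed list).
PRIVILEGED_ACCOUNTS = {"admin-ops", "admin-db", "admin-net"}

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def evaluate(events, privileged_accounts=PRIVILEGED_ACCOUNTS):
    """Return (alerts, coverage_gaps). Every privileged action is alerted; control-weakening
    actions are escalated, most of all when a privileged account performs them."""
    alerts, seen = [], defaultdict(int)
    for e in events:
        seen[e["user"]] += 1
        weakening = e["action"] in SECURITY_WEAKENING
        privileged = e["privileged"] or e["user"] in privileged_accounts
        if privileged and weakening:
            severity = "critical"
        elif weakening:
            severity = "high"
        elif privileged:
            severity = "medium"
        else:
            continue
        alerts.append({"severity": severity, "user": e["user"], "action": e["action"],
                       "target": e["target"], "ts": e["ts"]})
    # An administrative account with no events at all in the window is either idle or,
    # more worryingly, not being logged; either way it needs a follow-up check.
    coverage_gaps = sorted(a for a in privileged_accounts if seen[a] == 0)
    return alerts, coverage_gaps

def run(text=AUDIT_LOG):
    return evaluate(parse_events(text))
```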
Beyond the Basics: Review all current administrative accounts and employees with elevated privileges and compare the job duties to the company's updated processes and procedures to ensure only the job functions needed are granted these privileges.
5. Extend Data Loss Prevention
Opportunity: Policies that define how and when removable media can be used are important, but administrative policies alone will not safeguard your data. Technologies that are already implemented within your environment can be used to restrict data and file transfers, as well as alert security teams to all data access, copying/downloading, and cross-boundary transfers.
Required Resource(s): Use established endpoint protections to manage removable media alerts and to set file-size limits on email transfers. Cybersecurity and IT departments can also use DLP software to monitor, manage, and protect sensitive information, such as Personally Identifiable Information (PII) and intellectual property.
Assess Gaps: You can't prioritize tracking if you haven’t identified and classified what you’re protecting. What constitutes intellectual property and/or PII? Customer data? Credit card information? Architectural plans? Proprietary processes or product details? Identify what information you need to protect and assign value to it with classification markings. These markings are best enforced through technical controls, such as automated watermarks and workflow management in applications that process sensitive data (e.g., automatically embedding a watermark or metadata that flags the document as “Confidential and Restricted”).
Beyond the Basics: Change how you think about controlling data and don’t assume users are safeguarding sensitive information. Set thresholds for what needs to be acted upon, such as:
- What is the maximum attachment size to send outside the organization?
- How will the external transmission of encrypted (e.g., password-protected) files be handled?
- What data classifications are leaving the organization?
- What data classifications are being saved locally?
- What data classifications are being transferred beyond approved document repositories?
- Should you have protections to ensure documents can't be transferred beyond the repository you initially uploaded them to?
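The thresholds above can be expressed as a small policy that classifies each outbound transfer as allow, review or block. The following is an added example, not code from the original article; the domain, size limit, classification labels and approved-repository list are constructed assumptions. It detects password-protected ZIP attachments from the encryption bit in the ZIP local file header rather than from the file name.

```python
import struct

# Assumed policy values; replace with the thresholds your organization sets.
INTERNAL_DOMAIN = "example.com"
MAX_EXTERNAL_BYTES = 10 * 1024 * 1024
RESTRICTED = {"Confidential", "Restricted"}
APPROVED_REPOS = {"dms.example.com", "sharepoint.example.com"}

def is_encrypted_zip(head):
    # ZIP local file header: 'PK\x03\x04', a 2-byte version, then the 2-byte little-endian
    # general-purpose flag field at offset 6; bit 0 set means the entry is encrypted.
    if len(head) < 8 or head[:4] != b"PK\x03\x04":
        return False
    return bool(struct.unpack_from("<H", head, 6)[0] & 1)

def evaluate_transfer(t):
    """Return (decision, reason) for one transfer: allow, review or block."""
    label, dest = t["label"], t["dest"]
    if t["kind"] == "email":
        if dest.endswith("@" + INTERNAL_DOMAIN):
            return "allow", "internal recipient"
        if label in RESTRICTED:
            return "block", label + " data to external recipient"
        if t["size"] > MAX_EXTERNAL_BYTES:
            return "block", "attachment exceeds external size limit"
        if is_encrypted_zip(t.get("head", b"")):
            return "review", "password-protected archive to external recipient"
        return "allow", "within policy"
    if t["kind"] == "repository" and dest not in APPROVED_REPOS:
        return ("block" if label in RESTRICTED else "review"), "transfer beyond approved repositories"
    if t["kind"] == "local" and label in RESTRICTED:
        return "review", label + " data saved locally"
    return "allow", "within policy"

# Constructed sample transfers; 'head' holds the first bytes of the attachment.
ENC_ZIP = b"PK\x03\x04\x14\x00\x01\x00\x08\x00"   # flag bit 0 set: encrypted entry
PLAIN_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
SAMPLES = [
    {"kind": "email", "dest": "partner@vendor.net", "label": "Internal", "size": 2_000_000, "head": PLAIN_ZIP},
    {"kind": "email", "dest": "partner@vendor.net", "label": "Internal", "size": 25_000_000, "head": PLAIN_ZIP},
    {"kind": "email", "dest": "partner@vendor.net", "label": "Internal", "size": 400_000, "head": ENC_ZIP},
    {"kind": "email", "dest": "partner@vendor.net", "label": "Confidential", "size": 9_000},
    {"kind": "email", "dest": "colleague@example.com", "label": "Confidential", "size": 9_000},
    {"kind": "repository", "dest": "personal-cloud.example.net", "label": "Restricted", "size": 9_000},
    {"kind": "local", "dest": "C:/Users/jdoe/Desktop", "label": "Confidential", "size": 9_000},
]

def evaluate_all(transfers=SAMPLES):
    return [evaluate_transfer(t)[0] for t in transfers]
```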
Optimize the technology you already have to get started.
Download our Insider Threat Technology Evaluation Workbook