Tackling Insider Threats

White Paper

Insiders are responsible for almost as many losses, breaches, and thefts of sensitive and confidential data as cybercriminals. According to a recent Intel® Security data exfiltration study, more than 40% of data loss is caused by insiders, roughly half intentional and half accidental. The latest insider thefts have even prompted the US Department of Defense to require affiliated companies to have a program that can “Gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.”1 Whether you do business with the defense industry or not, tackling insider threats is not only a critical challenge to address, but it’s also a team effort, necessitating work in data classification, policy development, and incident response, backed by a strong set of data loss prevention tools.

Building a Defensive Formation

Insider activity generates a significant percentage of the incidents that security teams triage and investigate every day. As a result of their job function and responsibilities, insiders have access to the data and processes that the company wants to protect. This access leads to accidental data losses when corporate policies and controls are not adequately defined or enforced. It also provides the opportunity for intentional data theft by insiders. Most intentional data thefts, whether insider or external, tend to be primarily motivated by some type of financial gain. However, insiders often have secondary objectives, ranging from spying for a competitor to revenge. As a result, intentional insider thefts by disgruntled employees present the broadest possible threat, according to the Intel Field Guide to Insider Threat. Their range of access, potential motivations, ability to maneuver, and social engineering opportunities combine to produce every possible type of security event, including espionage, financial fraud, product alteration, and sabotage.
So if you can detect and protect your organization from insiders, you are well positioned to catch externally-driven incidents as well.

Focus on the Data

Security defenses often focus on potential egress points, but with insiders, it is more important to identify and monitor the data that you want to protect. Many of the confidential data types are common across many organizations, such as payment card information or customers’ personal information. Data types unique to your industry or company are at risk of being overlooked if you rely on standard data templates. For example, companies have caught insiders illegally trading coupons, discount codes, and product activation codes. Focusing on the data means identifying where your sensitive and confidential data lives, and monitoring when and where it moves. This requires checkpoints at more than just the potential egress points. Data repositories and network switches that watch for data types and keywords can augment endpoint and gateway monitoring, alert the security team to actions that appear to be in violation of corporate policies, block actions that are definitely prohibited, and inform users that their actions are considered a potential misuse of the data.

Coaching a Security Culture

In many organizations, these actions aimed at stopping unauthorized insider activity can be perceived as a negative. If you just start monitoring and blocking actions, without discussing why and how, you run the risk of alienating the people you are trying to protect. Instead, emphasize that you are watching the data, not the users. Put the appropriate tools in place, such as data encryption, and coach your users how to work with sensitive data. You need to earn trust, and it takes time to change the attitude and culture. Start by discussing who has access to confidential data, and potential threat vectors.
From there, build rules and policies that match the scenarios and support the business. For example, many organizations prevent sensitive employee data from being put on a removable drive. However, Human Resources (HR) works with a benefits partner that analyzes employee data twice a year. Instead of leaving HR to find a workaround, try working together to identify the risk points and improve their business process. It will help the HR department to understand and embrace data loss prevention, and develop a more secure business process.

Zone and Player Coverage

Effective data loss prevention against insider threats requires more than just coaching. The disappearance of the network perimeter means you need to cover critical zones and important players. Expand coverage from endpoints and gateways to include the other places that data is used, including storage, cloud apps, and user devices. Pay special attention to those areas and activities that are difficult to monitor, such as secure shell (SSH), encrypted traffic, and USB drives. Is an SSH session carrying a lot of data? Is this encrypted file or data stream consistent with corporate policies? In addition to these critical zones, you also need to watch the players, analyze their behavior, and build a baseline of normal activity. Which ones have access to confidential data? How do they normally use the data? Is this anomalous action trivial or suspicious? This eventually leads to profiling the people in your organization, building broader and deeper visibility around their activities.

Profiling the Players

Opportunity profiling is primarily about identifying roles that have the opportunity to access confidential or sensitive data. You have more surveillance resources and access controls around the restricted parts of a building. You should also apply additional monitoring and more restrictive policy on those people who have confidential data access.
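The two ideas above, a per-user baseline of normal data movement and extra scrutiny for roles with confidential data access, can be combined into a simple triage rule. The following is an added illustration, not code from the Intel paper or product; the session history, the channel names (ssh, usb) and the CONFIDENTIAL_ACCESS profile are all constructed, and the 5.0 deviation threshold is an arbitrary assumption.

```python
import statistics
from collections import defaultdict

# Constructed session history (user, channel, megabytes moved); not real telemetry.
HISTORY = [
    ("alice", "ssh", 10), ("alice", "ssh", 12), ("alice", "ssh", 11),
    ("alice", "ssh", 9), ("alice", "ssh", 10), ("alice", "ssh", 11),
    ("bob", "ssh", 200), ("bob", "ssh", 210), ("bob", "ssh", 190),
    ("bob", "ssh", 205), ("bob", "ssh", 195), ("bob", "ssh", 200),
    ("dana", "usb", 0), ("dana", "usb", 0), ("dana", "usb", 0),
    ("dana", "usb", 0), ("dana", "usb", 0), ("dana", "usb", 1),
]
# Hypothetical opportunity profile: which users can reach confidential data.
CONFIDENTIAL_ACCESS = {"alice": True, "bob": False, "dana": True}


def build_baseline(history):
    """Per (user, channel) median and median absolute deviation (MAD)."""
    samples = defaultdict(list)
    for user, channel, mb in history:
        samples[(user, channel)].append(mb)
    baseline = {}
    for key, values in samples.items():
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        baseline[key] = (median, mad or 1.0)  # flat history: avoid divide-by-zero
    return baseline


def score_event(baseline, profile, event, threshold=5.0):
    """Return (robust deviation from baseline, verdict) for one new session."""
    user, channel, mb = event
    if (user, channel) not in baseline:
        return (None, "no-baseline")  # not enough history to judge; keep collecting
    median, mad = baseline[(user, channel)]
    deviation = (mb - median) / mad
    if deviation <= threshold:
        return (deviation, "normal")
    # Anomalous volume: escalate only where the opportunity profile says it matters,
    # otherwise queue it for review so the analyst queue stays manageable.
    if profile.get(user, False):
        return (deviation, "suspicious")
    return (deviation, "review")


def triage(history, profile, events):
    """Score a batch of new sessions against the baseline built from history."""
    baseline = build_baseline(history)
    return {event: score_event(baseline, profile, event) for event in events}
```

The median/MAD baseline is deliberately robust to a few past outliers, so one earlier large transfer does not quietly raise a user's "normal" and hide the next one.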
However, if you just enable blanket policies you will end up with too many false positives to effectively investigate. So you need to reduce the set of potential insider threats by also looking at potential motivations. Opportunity profiles based on potential motivation will require collaboration with HR and Legal departments. Carefully working with this sensitive employee information, your team will focus their insider data loss prevention efforts on those with the highest risk. This includes attributes such as income levels, investment activity, negative attitudes, major life events, and other behavioral characteristics associated with potential misuse or abuse of corporate resources. Armed with this information, the security team can correlate the threat potential against security events. For example, developers often want to use actual data for testing applications. This is not in itself suspicious, but does warrant additional monitoring of both groups involved. In another example, you get a new alert that a sales person emails a confidential spreadsheet to her private email address. Leveraging the historical records captured by your security tools, you notice that th