Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.
2019-08-29 at 16:20 #60303 mabilkasimov (Participant)
Hi, what kind of preventive and detective controls are the most efficient for insider threats?
2019-08-30 at 15:55 #60318 Ziya (Participant)
Insider threats usually come from people within the organization, acting consciously or unconsciously, and unfortunately it's a serious problem for organizations today.
The Ponemon Institute report "2018 Cost of Insider Threats" shows that the average cost of an insider-related incident is around $513,000. Insider-related incidents can cost a company up to $8.76 million a year.
There are many different solutions for this problem. First of all, companies should give the right permissions to the right users to protect their data. On the other hand, they should prepare a password policy to enhance security through strong passwords. It is also possible to use two-factor authentication solutions to improve security in terms of authentication. On the other hand, it is possible to use user behaviour solutions to analyse users' activities and for risk scoring to prevent any anomalous situation. DLP (data loss prevention) is also another solution for insider threat problems; companies could control user & data activities to avoid potential data leakage. It's possible to record sessions and create alarms in the case of a threat to critical systems on behalf of proactive security. USB port usage on users' PCs should be under the management of the company as a security policy.
Of course the network, and correspondingly network security, is also very important; the network is like the heart of a company. Users shouldn't be connected to the network without any control. All applications and systems run on the network, and the network could be under attack (insider threat or external threat). Therefore, network access control and management should be implemented by companies for data security and business & operational continuity.
2019-08-30 at 19:07 #60323 healthdatacybersecurity (Participant)
Similar to Ziya's response, to address potential insider malicious cyber criminality you may want to consider implementing a zero-trust cybersecurity architecture (monitors all users' access and data traffic) and ensure all users of the IT network are provided access based on a least-privilege principle.
Another preventive measure that is essential for all data maintained by the entity, and that aims to mitigate cybercriminal activity, is to encrypt and back up all data.
Appreciative of the question.
Carlos Alberto Hernandez
2019-08-31 at 08:11 #60331 yzaw (Participant)
- Preventive Controls
  - 2FA, strong password policy
  - HR screening of potential insider threats
  - Role-based user access
  - Device control, USB policy
  - Identify the critical systems and IT assets and segregate them
- Detective Controls
  - Monitoring and logging of critical assets
  - User behavior analysis
  - Network admission control / identity awareness solution
2019-08-31 at 14:54 #60340 shlairshe (Participant)
The insider threat is real, and unless your organization has a holistic risk management plan in place that accommodates preventative and detective controls, exposure to a potential threat to your system will always be possible.
There are a few insider threats I would like to mention, but personally, the majority of them normally fall under the same umbrella. Within an organization there is always the probability of having bad apples; sometimes these bad apples are initially not bad, but in the event that, let's say, a person is let go, and for unsuspecting reasons the person who got fired somehow does not think they deserved the outcome. This is the sort of thing that can lead to one kind of insider threat. There are a few categories of insider threats that I personally think exist, to mention a few:
a. A malicious employee or person who executes damaging things to the core business, such as deleting important and classified data, launching a DDoS-type attack, or deliberately stealing an important hardware component or offloading classified data from specific hardware.
b. You also have those that pretend to be someone else: such a person impersonates and uses the credentials of another unsuspecting user or employee and uses them to cause harm to the critical parts of the business operations.
Preventing the insider threat is a task that involves a consistent approach to things such as regularly training employees, taking note of odd employee behavior, and monitoring all data and access to data that is associated with the critical business operations. Alternatively, access controls need to be revised for existing employees, and access should be given to a very limited number of persons who require access to classified data or data that is considered critical to the operations of the business.
2019-08-31 at 22:46 #60349 cyberfit (Participant)
I would like to provide two more controls to the very comprehensive list highlighted above: "TIMELY" termination of user accounts and monitoring of user "PRIVILEGE ESCALATION". Even when RBAC may be tight, when employees leave the company or change roles you need to ensure you remove those accounts or any unnecessary access to systems. This control tends to be weak in the majority of organizations, mainly when employees change roles within the organization. As for monitoring privilege escalation, this is a key indicator that something might be happening and you want to look at this activity a little bit deeper; set proper thresholds and alerts. This works for insider and outsider actors.
2019-08-31 at 23:47 #60350 fsp666 (Participant)
I would summarize it into three approaches:
1) Visibility of the behavior of the employee (monitoring) (PREVENTIVE & DETECTIVE)
2) Exit protocol when a user leaves the company (PREVENTIVE)
3) Permits and segregation of duties to minimize security risks. (PREVENTIVE)
2019-09-03 at 15:31 #60468 jmkern26 (Participant)
I agree with @fsp666 that thinking about how you are managing these three processes is a good start to protect yourself from the insider threat. @mabilkasimov – The insider threat is underrated, so it’s important not to overlook this when designing your cybersecurity program. But it sounds like it’s a priority for you already.
2019-09-01 at 09:22 #60352 pnyambi (Participant)
Hi all, with most companies moving to remote setups, more employees are working outside of company premises, meaning a higher level of monitoring is needed on those remote workstations.
I think access to the company network should be restricted during the hours when IT or monitoring is not available, i.e. non-office hours.
2019-09-02 at 15:46 #60366 gd2009 (Participant)
Since cybersecurity is context driven, you have to understand the environment to figure out the best controls to put in place, for one when dealing with insider threats. You have to consider the CIA triad and determine how much security is enough. How much will it cost? What is the trade-off?
Defense in depth; avoid single points of failure (key man risk); separation of duties; implement least privilege; and always measure your controls' effectiveness.
2019-09-02 at 17:18 #60371 sidhu007 (Participant)
As a manager who doesn’t do any daily IT activities, how do I make sure that my employees are not insider threats? I try to make sure my team is happy and offer flexible work schedules, but sometimes you never really know if an employee is truly happy. I was thinking of working with my IT staff to send a test email to make sure that they listen to me when I say “don’t click on the links in emails etc.” Is there something else I can do?
2019-09-02 at 18:08 #60375 jrobertson68 (Participant)
There are a couple of different things that companies/organizations could do to mitigate the risk of insider threats. One thing that could be done to reduce the risk of insider threats would be to conduct regular audits on employee accounts in order to determine whether there are any anomalies in the number of logins, what information has been accessed, and the frequency with which that information has been accessed. Additionally, once an employee is terminated, it is imperative that they be removed from the office immediately and not be allowed to return to their work space, as they may retaliate against their employer by intentionally downloading malware onto the network. Lastly, limiting the number of employees that have access to sensitive information is important as well. This ensures that the information is only in the hands of the employees that need access to it in order to do their jobs and reduces the chances of the information getting into the wrong hands.
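One way to turn the detective controls raised in this thread (account audits for anomalous login counts, pnyambi's non-office-hours access, and cyberfit's privilege-escalation alerting) into concrete detection logic, as an added example that is not from any participant here; the log format, group names, office hours and per-user baselines are all constructed for the illustration.

```python
"""Insider-threat detective checks over constructed authentication log lines."""
from collections import Counter
from datetime import datetime

OFFICE_HOURS = range(8, 19)                    # 08:00-18:59 counts as staffed hours (assumption)
ADMIN_GROUPS = {"domain-admins", "db-admins"}  # hypothetical privileged groups to watch
LOGIN_SPIKE_FACTOR = 3                         # alert when a day's logins exceed 3x the baseline

# Constructed sample log, one event per line: "<timestamp> <user> <event> [<detail>]"
SAMPLE_LOG = """\
2019-09-02T09:12:00 alice LOGIN fileserver
2019-09-02T10:03:00 alice LOGIN fileserver
2019-09-02T11:40:00 bob LOGIN hr-db
2019-09-02T23:15:00 bob LOGIN hr-db
2019-09-02T23:16:00 bob GROUP_ADD db-admins
2019-09-02T23:17:00 bob LOGIN hr-db
2019-09-02T23:18:00 bob LOGIN hr-db
2019-09-02T23:19:00 bob LOGIN hr-db
2019-09-02T23:20:00 bob LOGIN hr-db
"""
# Constructed per-user average logins per day, as an audit would derive from history
BASELINE_LOGINS = {"alice": 2.0, "bob": 1.5}


def parse_line(line):
    """Split one log line into its fields; detail is optional."""
    ts, user, event, *detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "detail": detail[0] if detail else ""}


def detect(log_text, baseline=BASELINE_LOGINS):
    """Return (kind, user, evidence) alerts for off-hours logins, login spikes
    and membership added to a privileged group."""
    alerts, logins = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "LOGIN":
            logins[ev["user"]] += 1
            if ev["ts"].hour not in OFFICE_HOURS:
                alerts.append(("OFF_HOURS_LOGIN", ev["user"], ev["ts"].isoformat()))
        elif ev["event"] == "GROUP_ADD" and ev["detail"] in ADMIN_GROUPS:
            alerts.append(("PRIV_ESCALATION", ev["user"], ev["detail"]))
    for user, count in logins.items():
        if count > LOGIN_SPIKE_FACTOR * baseline.get(user, 1.0):  # unknown users get a 1/day baseline
            alerts.append(("LOGIN_SPIKE", user, count))
    return alerts
```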
2019-09-02 at 19:59 #60377 baghchel6391 (Participant)
Insider threats are difficult to spot. A foundational strategy is based around culture and is driven from the top down. Leadership is best positioned to prevent insider threats. They set the tone for how security is perceived. Leaders are also closest to the employees and in the best position to see any behavior changes before they manifest online.
Security teams should arm leaders with the security privileges of their staff and educate them on the signs of insider threat. They should give them tools to proactively reduce privileges or increase monitoring of employees exhibiting these signs.
Cyber security is more psychological warfare than technical warfare when it comes to insider threats.
2019-09-02 at 23:36 #60383 skumbhat (Participant)
@mabilkasimov – Food for thought for preventative insider threat protection:
Dynamic Access – Need to know and have Privileged Access. Static privileged keys are like waiting for a disaster. The distribution of static privileged credentials is very hard to control and thus dynamic credentials need to be deployed.
Tightly Scoped Authorization – Privileged Authorization and Entitlements should be on a request/approval basis. That request/response could be either automated based on the context from the user/device/application and/or depending on a case by case basis. The aim here is to limit static authorization allowances.
Privileged System Protection – Systems holding the key assets, such as databases, should have fine-grained security access controls deployed to prevent mass data leaks. The ability to create anonymous users and/or duplications should be strictly restricted.
2019-09-03 at 11:10 #60424 profsol (Participant)
@jrobertson68 I completely agree with you! I believe it's absolutely important to apply all the defenses proposed by @ziya, @healthdatacybersecurity and @yzaw, but we always need to consider the human factor, particularly in moments of contrast or when "leaving" the company. I will consider a strong policy to notify the person of the end of a contract and not to let the person access any company system any more. All access codes or permissions linked to a personal badge, to the extranet etc. must be blocked and put under strict security control. It's difficult to imagine all possible scenarios when talking about insider threats, and I personally feel that this is a very huge problem for companies of all sizes. No matter how many employees, just one of them may be capable of harm with a high level of knowledge of internal procedures. As a consultant and a trainer in security matters, I challenge the people involved, at all levels, to explain how they might attack their own company, and most of the time there is bad news for the management!!!
2019-09-03 at 14:57 #60466 omarahomsi (Participant)
Can you please share your thoughts on the following:
– The best way to utilize DLP in a corporation?
– Considering DLP is implemented, how would you distinguish legitimate users accessing and sharing critical data from attack actors?
– Does DLP help with the encryption applied on its side? Are there tools out there offering this combination?
2019-09-03 at 18:06 #60470 basxmaty (Participant)
Insider threat is hard to control since there is a level of trust. However, creating users and restricting them access-wise is one of the key methods. Users must not have access to more than they are supposed to.