Friday, September 6, 2019

How to Detect and Prevent Insider Threat

Most people believe that the threat to an organization comes from outside, but insider threats are the ones that are hardest to detect, stop, and prevent. The perception that outsiders are the main threat is largely a product of media coverage: a story about a disgruntled employee rarely makes the front page, so such incidents get little attention.

What is insider threat?
An insider threat is any threat from an actor who has some level of legitimate access to a target system and some knowledge of it. Insiders routinely have access to sensitive information and know how that information is protected, so it is far easier for an insider to steal or leak data than for an outsider.

The motive behind a breach varies, and insiders do not always threaten the organization's data security intentionally.

Unintentional breach
  • A poorly designed system change that accidentally opens the system to attack
  • Placing data in a public location by mistake
  • Attaching the wrong file to an outgoing email
  • Oversharing on social media
  • Losing a laptop or USB drive
Intentional breach
  • A disgruntled employee damaging their employer through a data breach
  • A salesperson leaving the organization and taking the customer database to a new employer
How to Detect Insider Threat?

Such threats are much harder to detect and prevent because there is no one-size-fits-all security measure: detection capabilities are limited while the potential impact is far-reaching. Insider threat detection is therefore based mostly on abnormal user behavior. Build a baseline of each user's normal behavior and alert the administrator when activity deviates from it. Alert rules can cover scenarios such as:
  • An excessive number of failed login attempts
  • An excessive number of failed login attempts followed by access to sensitive files or folders
  • Excessive downloads of customer data within a short period of time
  • Unauthorized access to important files or folders
  • Unusual activity across several systems and databases within a short period of time
  • File transfers to and from USB drives, cloud services (Dropbox, OneDrive, Google Drive, etc.), and email
What counts as "excessive" cannot be dictated in general; it depends on the baseline. The rules above are examples, not a complete set: different scenarios must be thought through and baselined. Because rules cannot be written for every case, SIEM vendors also apply machine learning to intrusion and outlier detection.
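The baseline-and-deviation approach above, as an added example (not code from the original post): it builds a per-user download baseline from constructed prior-day events and then runs four of the listed rules (failed-login burst, burst followed by sensitive access, downloads exceeding the baseline within a short window, transfers to USB/cloud/email destinations) over a constructed day of audit lines. The log format, thresholds, sensitive paths and destination prefixes are assumptions made for illustration; "excessive" downloads here means more in ten minutes than the user's normal full day plus three standard deviations.

```python
"""Baseline-and-deviation alerting over constructed audit events.

Added example; not code from the original post. Thresholds, log format,
sensitive paths and destinations below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

SENSITIVE_PREFIXES = ("/finance/", "/hr/")                                  # assumed
EXFIL_DESTINATIONS = ("usb:", "dropbox:", "onedrive:", "gdrive:", "mail:")  # assumed
FAILED_LOGIN_LIMIT = 5           # assumed definition of "excessive" failed logins
MIN_DOWNLOAD_LIMIT = 5           # floor so a user with no baseline is not flagged on one download
WINDOW = timedelta(minutes=10)   # assumed "short period of time"


def parse_event(line):
    """Parse one constructed audit line: 'ISO-timestamp user action target'."""
    ts, user, action, target = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "target": target}


def build_baseline(history):
    """Per-user (mean, population stdev) of daily download counts from prior days."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in history:
        if ev["action"] == "download":
            per_day[ev["user"]][ev["ts"].date()] += 1
    return {u: (mean(d.values()), pstdev(d.values())) for u, d in per_day.items()}


def detect(events, baseline, sigma=3.0):
    """Run the alert rules over time-ordered events; return (rule, user, detail) tuples."""
    alerts = []
    fails = defaultdict(deque)       # user -> timestamps of failed logins inside WINDOW
    downloads = defaultdict(deque)   # user -> timestamps of downloads inside WINDOW
    burst_at = {}                    # user -> time of the latest failed-login burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        u, ts, target = ev["user"], ev["ts"], ev["target"]
        if ev["action"] == "login_fail":
            q = fails[u]
            q.append(ts)
            while ts - q[0] > WINDOW:            # drop failures older than the window
                q.popleft()
            if len(q) == FAILED_LOGIN_LIMIT:     # Rule 1, fires once per burst
                alerts.append(("excessive_failed_logins", u, f"{len(q)} failures within {WINDOW}"))
                burst_at[u] = ts
        elif ev["action"] in ("file_read", "download"):
            # Rule 2: sensitive access shortly after a failed-login burst
            if target.startswith(SENSITIVE_PREFIXES) and u in burst_at and ts - burst_at[u] <= WINDOW:
                alerts.append(("failed_logins_then_sensitive_access", u, target))
                del burst_at[u]
            if ev["action"] == "download":
                q = downloads[u]
                q.append(ts)
                while ts - q[0] > WINDOW:
                    q.popleft()
                # Rule 3: more downloads inside WINDOW than a normal day plus sigma deviations
                m, sd = baseline.get(u, (0.0, 0.0))
                limit = max(int(m + sigma * sd), MIN_DOWNLOAD_LIMIT)
                if len(q) == limit + 1:          # fires once when the limit is crossed
                    alerts.append(("excessive_downloads", u,
                                   f"{len(q)} downloads within {WINDOW} (limit {limit})"))
        elif ev["action"] == "transfer" and target.startswith(EXFIL_DESTINATIONS):
            alerts.append(("exfil_transfer", u, target))   # Rule 4: USB / cloud / email transfer
    return alerts


def constructed_history():
    """Constructed prior-day downloads: alice does 2-3 a day, bob 10-12 (not real data)."""
    daily = {"alice": [2, 3, 2], "bob": [10, 12, 11]}
    return [{"ts": datetime(2019, 9, 3 + d, 10, i), "user": u, "action": "download",
             "target": f"/crm/customers/{i}.csv"}
            for u, counts in daily.items() for d, n in enumerate(counts) for i in range(n)]


TODAY_LINES = [  # constructed events for the day under review
    *(f"2019-09-06T09:0{i}:00 alice login_fail -" for i in range(5)),
    "2019-09-06T09:05:00 alice login_ok -",
    "2019-09-06T09:06:00 alice file_read /finance/payroll.xlsx",
    *(f"2019-09-06T09:{10 + i}:00 alice download /crm/customers/{i}.csv" for i in range(1, 8)),
    "2019-09-06T09:18:00 bob download /crm/customers/q3.csv",
    "2019-09-06T09:20:00 bob transfer usb:/media/usb0/customers.csv",
    "2019-09-06T09:21:00 carol login_fail -",
    "2019-09-06T09:22:00 carol login_fail -",
]


def run_demo():
    baseline = build_baseline(constructed_history())
    return detect([parse_event(line) for line in TODAY_LINES], baseline)


if __name__ == "__main__":
    for rule, user, detail in run_demo():
        print(f"ALERT {rule:38} {user:6} {detail}")
```

Note that bob's single download and carol's two failed logins produce nothing, while the same seven downloads that are normal for bob trip the rule for alice: the threshold comes from each user's own baseline, which is the point the post makes about not defining "excessive" globally.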

How to Prevent Insider Threat?

Policies and technology can help address this risk, but human nature is unpredictable, so prevention is not always easy. Some suggested measures:
  • Review accounts and permissions regularly
  • Train staff to prevent human errors
  • Apply the principles of separation of duties and least privilege
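The three measures above combined into one periodic access review, as an added example (not code from the original post): it flags dormant accounts, role combinations that violate separation of duties, and granted permissions that were never exercised (least-privilege candidates). The role-to-permission mapping, the conflicting pairs and the account records are assumptions constructed for illustration.

```python
"""Account and permission review: dormant accounts, separation-of-duties
conflicts and unused privileges. Added example, not from the original post;
the roles, permissions and conflict pairs are assumptions for illustration."""
from datetime import date

ROLE_PERMS = {  # assumed role -> permission mapping
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "developer": {"write_code", "read_logs"},
    "release_manager": {"deploy_prod"},
}
# Assumed toxic combinations: holding both lets one person complete a sensitive process alone
SOD_CONFLICTS = [{"create_vendor", "approve_payment"}, {"write_code", "deploy_prod"}]


def review(accounts, today, dormant_days=90):
    """Return (user, finding, detail) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        perms = set().union(*(ROLE_PERMS[r] for r in acct["roles"]))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant_account", f"last login {acct['last_login']}"))
        for pair in SOD_CONFLICTS:
            if pair <= perms:                       # both halves of a conflicting pair held
                findings.append((acct["user"], "sod_conflict", " + ".join(sorted(pair))))
        unused = perms - acct["used_perms_90d"]    # granted but never exercised: candidates for removal
        if unused:
            findings.append((acct["user"], "unused_privilege", ", ".join(sorted(unused))))
    return findings


ACCOUNTS = [  # constructed review input: roles, last login, permissions actually used in 90 days
    {"user": "alice", "roles": {"ap_clerk", "ap_approver"}, "last_login": date(2019, 9, 4),
     "used_perms_90d": {"create_vendor", "enter_invoice"}},
    {"user": "bob", "roles": {"developer", "release_manager"}, "last_login": date(2019, 5, 1),
     "used_perms_90d": set()},
    {"user": "carol", "roles": {"developer"}, "last_login": date(2019, 9, 5),
     "used_perms_90d": {"write_code", "read_logs"}},
]


def run_review():
    return review(ACCOUNTS, today=date(2019, 9, 6))


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user:6} {finding:18} {detail}")
```

The "used in the last 90 days" set is the piece that makes least privilege actionable: a permission that was granted but never exercised can usually be removed without anyone noticing, which is exactly what a periodic review should drive.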

