Organizations have historically implemented external-facing technologies such as firewalls and proxies to deal with external threats, but with the emerging prominence of insider threats, technologies are being developed to deal with these new problems. Imagine the threat posed by disgruntled IT personnel with full understanding of the organization’s network structure, systems, vulnerabilities, policies and procedures. It is thus important that organizations put in place measures to mitigate insider threats. The following are the most commonly-used technologies.
Database Activity Monitoring
Monitoring logs within your databases allows you to keep track of every database transaction made and block unauthorized ones from being performed. Security departments monitor these logs for events that could signal an attack and fix it before any real damage is done.
For example, constant database queries being performed at odd hours of the night or off working days might be an indication that suspicious activity is taking place. Errors and invalid database requests should also be monitored. Even though having database-monitoring solutions installed is mostly achieved through compliance mandates, most organizations are deploying database-monitoring solutions to prevent insider threats.
Organizations are embracing whitelisting technologies more to handle the insider threat problem. Whitelisting allows authorized software binaries to be executed within nodes on the network. This simply means that any unauthorized program on any platform on or being introduced onto the network is blocked. For instance, organizations may only allow core applications necessary for daily work to be installed, and any other to be revoked.
The biggest challenge with this technology is managing all the executable software at the organization, deciding how risk profiles can be defined and specifying how applications can be white- or blacklisted according to the organization’s preferences.
Network Flow Analysis
Solutions that monitor data packets for malicious activity allow security teams to determine whether communication from the network is, for example, taking place between malware and a command-and-control server, and thus determine the kind of information leaving the network. This is important since insiders might set up rogue servers that communicate with the outside network, collaborating with malicious agents to siphon information away. RSA’s NetWitness platform collects traffic from the network, applying threat feeds to it and allowing security teams to perform analytics and determine the intent and context of traffic within the organization.
Security Information Management, Log Analysis
Organizations can employ SIEMs as a line of defense and also for monitoring activities within the network. This allows security departments to effectively determine where to focus while responding to insider threats. Some SIEMs employ data-analytics capabilities and threat intelligence, allowing security departments to determine points within the network that have configuration or security weaknesses and suggest methods to correct these. The ability to consume logs from multiple devices on the network means that security departments are capable of handling insider threats before they can cause damage within the organization.
Data Loss Prevention
DLP solutions are perhaps the most sought-after for managing insider threats, as they allow organizations to ensure that data is handled securely across endpoints. These solutions can determine confidential data and note the data owners, effectively preventing data leaks.
Security teams can also define policies that, for instance, prevent emails containing certain information from leaving or getting through into the organization. Flash drives can also be restricted across the organization, using DLP software. This prevents intellectual property from leaving the organization. In case there is a heavy reliance on the internet, cloud-based DLPS may be deployed to ensure that traffic leaving the network is encrypted.
What Are Some Best Practices to Prevent Insider Threats?
There are a few best practices that you can follow to ensure that your organization remains ready to fight insider threats. In order to remain ahead, you need to:
Perform a Risk Assessment
The best way to understand your security posture is to perform regular risk assessments. These allow you to determine the weak spots within the organization and determine the “crown jewels” (such as intellectual property) that attackers may be aiming for. Determining this allows you to restrict this information to only trusted individuals.
Establish an Effective Security Policy
Having outlined security rules at the organization ensures that all employees conform to the accepted regulations, from top to bottom. The policies can, for instance, prohibit employees from bringing their own devices to work, sharing credentials or using unencrypted removable media such as flash disks and external hard drives. This will prevent the sharing of confidential information.
Create Proper Termination Procedures
Most insider threats take place through privileged accounts that have not had their access to critical systems revoked. It is important that departing accounts are effectively withdrawn from systems they no longer require access to.
Conduct Background Checks
Background checks allow you to determine the character of employees before they can be onboarded into the organization. Background checks can also be used to determine moles acting from the organization. For instance, sudden changes in employee lifestyles, such as a surge in the standards of living, extravagant expenditures and trips might be a cause for concern.
Monitor Employee Activity
Monitoring employee activity allows you to determine the actions performed by privileged-access employees. This presents every employee’s actions as fully visible and transparent to you, so that you can determine whether their actions are warranted or if you need to take certain measures to contain leaks.
In this article we have explored the very real possibility of insider threats. Organizations must always consider the possibility that sensitive information (such as the crown jewels) will be attractive to competitors and insiders, and thus, that organizations need to ensure they are vigilant and adhere to the best practices that prevent insider threats. Solutions that mitigate insider threats are also being improved, and it would prove beneficial to keep ahead of the problem with the newest software and innovations that curb the insider threat.