The greatest threat to the security of U.S. companies is no longer the hacker attacking from beyond network walls. Now, it is the insiders already within those walls and equipped with an all-access pass. Last year, 55 percent of cyber-attacks were carried out by insiders, according to IBM. Companies overwhelmingly continue to direct security funding to traditional network defenses that fail to prevent damage from insiders. Unfortunately, the growing impact of insider threats on private sector companies not only poses a risk to the companies’ proprietary information and data, but also has a direct impact on the national and economic security of the United States. Government regulation and White House executive orders continue to positively focus on public-private partnerships and information sharing.
However, there is an overall lack of knowledge of insider threats, and the public and private sector cannot share what they do not know. If companies and the U.S. government wish to protect themselves from insider threats, they should partner on a security strategy and regulation that combines comprehensive data on user and system behavior, advanced analytic tools and automated incident-response. Luckily, there is a rapidly growing, but untapped, market of robust solutions for a variety of architectures, including cloud-based systems. While both private companies and the U.S. government will have to balance privacy and security, the government will have the added responsibility of regulating privacy.
The enemy at hand
An insider threat may be a malicious employee who consciously or unwittingly exfiltrates data, sabotages a company’s IT systems or manipulates its data and systems. Cases of trusted insiders who abused their privileges to remove data include Edward Snowden’s theft and disclosure of classified information in 2013, and Jun Xie’s exfiltration of 2.4 million files from GE Healthcare’s secure network in 2014. “More often, however, the insider is an unwitting accomplice who falls prey to social engineering and clicks malware in a phishing email. Insiders put that value at risk,” explained retired Admiral Mike McConnell, former Director of National Intelligence and former Director of the National Security Agency (NSA).
For example, in the 2015 cyber-attack against Ukrainian power companies, malware implanted through a phishing email targeting IT staff and system administrators allowed malicious outsiders to gain insider access to the system. McConnell continued, “Information of huge value measured in trillions of dollars is stored digitally. Insiders put that value at risk.”
Our current grasp
Despite this known and expanding risk from insiders, there is little attention paid to this issue. For example, the Security and Exchange Commission’s Cybersecurity Examination Initiative has not mentioned insider threats since it started issuing guidance on cybersecurity examinations in 2014. Though the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool does mention insider risk briefly, its vague recommendations for “processes to monitor potential insider activity that could lead to data theft or destruction” are insufficient given the potential, grave impact of the threat.
The most detailed discussion of the insider threat is provided by the obscure National Counterintelligence and Security Center (NCSC) — a center within the Office of the Director of National Intelligence. The NCSC’s National Insider Threat Task Force provides generalized details on how federal departments and agencies can detect an insider threat to classified information. However, this guidance is unhelpful to the corporate Chief Information Security Officer attempting to detect and prevent the theft of data or damage to corporate value by witting or unwitting insiders.
Where our grasp is slipping
The rising insider threat is exacerbated by the ever-increasing concentration of computer power and network access provided to privileged users and the inexorable increase in connectivity between systems containing valuable data and global Internet infrastructure. Malicious insiders have knowledge of and privileged access to proprietary systems, allowing their actions to go undetected by security systems built to defend against breaches from the outside.
Unfortunately, few corporate security strategies focus on this threat. Traditional network defense systems are reactive and intended to detect hacks through a firewall or other perimeter appliance. Some public and private sector security policies tangentially address the insider threat by calling out the need to limit access to information required by a person’s job — known as "role-based access control" — but few networks are adequately instrumented to detect unauthorized access by insiders or lateral movement within network segments.
Conventional strategies overemphasize protection of endpoint and mobile devices, since insider threats pose the greatest risk to corporate servers and databases. Chris Inglis, retired U.S. Air Force Brigadier General and former Deputy Director of NSA, noted that most companies undertake point-defense to protect perimeters, data links or operating systems, rather than protect their data, which is most vulnerable to insiders. A 2015 survey by Vormetric Data Security indicates that companies’ leading technical security increases in 2016 would be network defenses (52 percent), endpoint and mobile device protection (50 percent), data defenses (47 percent) and analysis and correlation tools (46 percent). Inglis contextualized this gap between threats and strategies: “We need to recognize that the thing to defend is the data. Network defenders should take heed that if they were defending their kids; they wouldn’t be in the woods trying to scout out rogue criminals.”
A preventive approach
If the U.S. government and private companies hope to stay ahead of insider threats, they will have to start with a public recognition of the significance of the risk presented by undisciplined provision of network access to individuals with no need to know. Through sharing of information and best practices, the public and private sector can collectively employ a preventive approach, establish baselines of normal system behaviors to detect relevant anomalies from this baseline, and assess user actions in real-time. As the primary victim of the illegal disclosures of classified material by Snowden, the NSA has undoubtedly made both technical and policy adjustments to better detect malicious insiders. To hedge against the potential impact of private sector insider threats on U.S. economic and national security, the NSA could share lessons learned from Snowden’s unfortunate actions and any subsequent best practices.
Time to preempt insider threats is most vital to mitigate potential corporate harm. Given the diversity of behavior for every single user, it can take months to collect data comprehensive enough to identify a baseline of normal activity, to recognize which data are most vulnerable, important, or sensitive — and therefore might need added protection or restrictions on access — and to detect anomalous behavior or determine what additional indicators could strengthen the system. Additionally, educating employees on how to spot social engineering attacks can take significant time and can require a significant culture shift. To help companies prepare for, prevent, detect, respond to and recover from insider threats, security companies are developing solutions that combine comprehensive visibility of corporate data, advanced analytic tools and automated incident-response.
Comprehensive data collection and analysis can help establish the behavior baselines necessary to detect and mitigate the insider threat. Companies have traditionally relied heavily upon single-transaction log data, such as monitoring outgoing email rates, website visits or changes in network permissions. Alone, these are weak signals. In the case of Edward Snowden, such analysis failed to raise suspicion because he took small amounts of data over a long period of time, and his various transactions were considered benign in a system designed to capture only individual events rather than alert potentially connected malicious actions over time. While these weak signals alone are generally insufficient to detect an insider threat, collecting large quantities of data from a wide variety of sources over time can be useful to help companies identify correlations and detect anomalies confidently. This means amplifying weak signals with data loss prevention that detects users sending sensitive information outside of the company network; endpoint data collected from remote devices connected to the company network, such as laptops, cellphones or remote desktops; address resolution protocol monitoring to track the physical origin of network traffic; or data on application usage, logins and logouts, or permission changes.
Applying behavioral analytics to indicators of malicious insider actions enables companies to more accurately identify risks. Patrick Gorman, former CISO at Bank of America and former Associate Director of National Intelligence, explained, “By correlating multiple sources of data, you’re more likely to reduce false positives and increase the positive hit rates.” For example, an employee’s biometric data that pinpoints where they are physically located in the building, correlated with log data that shows whether they are logged in and active on a network could reveal that someone’s credentials have been stolen.
How companies do this
Perhaps Snowden’s and other insiders’ actions would have been challenged by the presence of more focused and comprehensive data policies and the application of advanced analytic techniques. Nanda Santhana, Vice President of Securonix and head of the company’s field operations, explained his company’s process. His team first applies a basic set of behavioral and log data indicators, regardless of the client’s industry. This allows them to identify patterns and incorporate other attributes, and to subsequently determine whether a change in behavior is actually threatening. Securonix then uses specialized indicators tailored to industry-specific concerns, such as data exfiltration, IT sabotage or fraud. Santhana explained, “What we have done is create a credit score-like capability. When multiple things go wrong, you keep them on a watch list but cannot act on it. However, when a person on that list makes a request to gain access to a new system, you can have multiple levels of approval. Rather than just protective, this is proactive and predictive.” The private and public sector can both benefit from such an approach.
Collecting and analyzing behavioral analytic data, even anonymously, often requires cross-departmental collaboration within companies. Legal and human resources departments are critical to investigations of potential insider threats. Legal advisors can ensure that the privacy of employees is not inappropriately infringed upon and corporate policies are enforced and updated as necessary, particularly in the case of automated responses. Human resources departments are the keepers of certain behavioral indicator data — such as performance reviews, background investigations, credit scores or salary and bonus history — that is necessary for detecting anomalous behavior and responding to insider threats.
Insider threats can also be mitigated by semi-automated incident alerts and response. Automated incident-response rules and workflow management systems can help streamline and accelerate detection and response. For example, Securonix’s High-Risk Entity Dashboard provides a unified and prioritized view of all the high-risk insider and cyber threats across all users, accounts, hosts and endpoints in the enterprise. Such tools can significantly reduce response time, which is critical to reducing the damage caused by an insider.
Developing digital playbooks of the most common insider threats and fully-automated responses can help companies respond to threats at a rate closer to net speed. These playbooks identify the criteria for determining how an event qualifies as an insider threat, provide a checklist for actions to take, and lists the key company actors that must be involved, whether IT or security staff, leadership or third party providers. Automatic responses vary by company and threat, but may include denying network access to individuals below a certain credential level, denying access to the company’s most vital data, or simply referring the issue to relevant personnel. Fully automating, or at least semi-automating, these playbooks enables companies to have a quicker response time and improve response effectiveness. Resources and attention can then be reallocated to analyzing and containing less common insider threats.
Balancing privacy concerns
Collecting data on trusted employees, unsurprisingly, has caused concern about individual privacy. These concerns must be proactively and transparently addressed to sustain employee trust and to enlist employee support in the defending of corporate data and infrastructure. Achieving transparency is the easy part. Companies are increasingly requiring employees to sign a statement acknowledging that they should have no expectation of privacy when using company devices or connected to company networks. Federal and state laws specifically address an employer’s right and ability to monitor, save, record, access or otherwise conduct surveillance of employees’ use of company electronic communication resources and systems. However, most security companies, including Securonix, anonymize data until anomalous behavior is detected. Even then, only restricted individuals have access to the insider’s identity.
Balancing collective security interests with individual privacy concerns will require that leaders and employees be aware of how analytic systems work, what data are being collected, what is being done with the data, and to what extent employees may be held accountable. In addition to a company having an obligation to be transparent with employees and protect their privacy, this can also serve as a potential deterrent.
The U.S. government in particular will also be expected to set standards for balancing privacy and security, but also for regulating and helping set private industry standards. The encryption dispute between the Federal Bureau of Investigation and Apple in March 2016, and subsequent public disagreement between national policymakers, is just the first of many policy struggles. In the future, public-private partnerships on insider threats, not just cyber defense, will be vital to protecting the both companies and the U.S. government from insiders. Similar to Secretary of Defense Ashton Carter’s effort to partner will Silicon Valley companies to foster technological innovation, representatives from cyber agencies and departments — such as the NSA and U.S. Cyber Command — could hold regular meetings with private sector companies to share information on insider threats and best practices for preventing them.
Though insider threats already pose the greatest security risk to companies and the U.S. government, whether they will harness the available tools and technologies in time has yet to be determined. Inglis is hopeful that advanced analytics can help narrow potential avenues of intrusion: “For the first time in our history, the power of analytics have caught up to the complexity of the security problems and available processing power.”To effectively address the insider threat, the public sector and all business sectors must foster collaboration and information sharing, establish better insider threat policies, develop proactive and preventative strategies, and combine technical and automated incident-response.
To effectively address the insider threat, the public sector and all business sectors must foster collaboration and information sharing, establish better insider threat policies, develop proactive and preventative strategies, and combine technical and automated incident-response.