Security Experts:

Defending Against the Insider - Strategies From the Field

The Higher the Value of the Intellectual Property of Your Enterprise, the Higher the Likelihood You will Experience an Insider Incident

Threats to enterprise security are everywhere. I don’t think I have to list out the specifics, we all read the news. Outside attackers infiltrating organizations and stealing everything they can find has become the morning headline sure as the sun will rise. What you don’t hear about, except in international headlines, is the insiders that do the same. Often times it’s the insiders that enable the external attacker – either willingly or otherwise, and the result can be even more devastating than that of an external attacker.

The threat from insiders is very real, and in many cases an insider has significantly greater potential to harm an organization than an external attacker does. It’s painfully apparent that in addition to the hackers that come at your enterprise from the outside looking to test your defenses for ways to steal, damage and disrupt, insiders need your attention as well.

Insider ThreatsBut how does an organization function when there is suspicion in every seat? How do you keep secrets, intellectual property and assets safe when you shouldn’t trust the administrator resetting your password? As my team learns from the leading practices of enterprises in various market verticals and maturity levels, we gather some things that we want to share. Here are a few of the strategies that have worked elsewhere and may work for you.

Role-Based Access – It may sound like advice from 1997, but role-based access is one of the most overlooked and under-developed pieces of many enterprise IT strategies. As companies grow, expand and add employees, roles and responsibilities tend to shift. Coupled with the cumbersome processes of provisioning and de-provisioning access which takes time and resources, many companies simply opt for an “all-access” strategy. This generally means that the administrator who is watching the front desk has access to the same human resources files containing salary information as the vice president of the human resources department. Or, someone who has changed job roles and responsibilities several times typically retains access to many of those systems and applications to which they don’t need access anymore. Clearly defining roles and responsibilities, even at the group level, allows for more ready provisioning, de-provisioning and auditing of anyone who has access to corporate electronic resources. This won’t catch all the insider threats, but it will keep them from maximizing damage across systems and applications to which they should not have access.

Privileged Access Management (PAM) – Every enterprise needs administrators and those with ‘root’ access to critical resources. These people are the watchers, and a higher level of trust is placed in them to do what is right and be good corporate stewards. But whether unintentionally or otherwise, those with privileged access can make mistakes. To combat this, organizations should have sound privileged access policies and tools in place. They should not use built-in ‘administrator’ or ‘root’ accounts in lieu of personal accounts tied to a specific person. In the event something goes wrong, the organization has a way of determining who is doing something questionable, rather than trying to understand who was using the root account. Additionally, companies should audit all built-in accounts and have alerts fired when someone logs into those accounts. A local administrator or a root account should never be used to access or administer a system.

Privileged-Role Separation – One organization not only has user and privileged accounts for each of their system administrator users, but they also have separate physical computers (now moving to virtual machines) for administrative and non-administrative activity. In their system “Raf” and “Raf—ADMIN” are completely separate roles with the regular one having base-level, role-based user access while the –ADMIN account having privileged administrative access on systems and applications. With more than ten thousand users on the network, not every action can be monitored in real-time so auditing is turned on high for the –ADMIN roles, but not the regular roles. Rolling random audits of user accounts aims to discourage or catch any user-level improprieties while administrative access is scrutinized by both human analysts and behavioral analysis tools.

Honeypots – Where allowed by local and corporate laws, honeypots can be a valuable indicator of malicious activity. A spreadsheet sitting on a financial non-public share which looks enticing and is labeled “salaries_Q4_final.xlsx” but only contains fake information can attract a malicious insider. Organizations should audit a file like that for access. Anyone who touches the file should receive a prompt phone call from HR and have their system access shut down until a personal discussion has taken place to determine malice. If this was simple curiosity, it can be used as a teachable moment. However, if there was malice in the incident, the organization can determine next steps. This approach costs nearly nothing (except time and effort) and can be incredibly effective if properly executed.

As the lines between external attacker and insider continue to blur, it makes sense to develop a solid insider threat strategy which is both cost-effective and operationally effective. The higher the value of the intellectual property of your organization, the higher the likelihood you will experience an insider incident. Even if your enterprise is lucky enough never to experience a truly malicious insider attack, these sound strategies will keep good and honest employees from making mistakes that could potentially otherwise cause significant harm to the organization. Adopting insider threat strategies is not only smart, it’s necessary.

I look forward to sharing more insights into this topic in the future. As always I value your opinions, experiences and feedback, so please share by leaving a comment or connecting with me directly.

Related Resource: Using Active Breach Detection Against Advanced Attackers

view counter
Rafal Los serves as the VP of Solution Strategy at Armor. He's responsible for leading the various technical functions associated with designing, developing and delivering next-generation cloud security-as-a-service solutions to our clients. Rafal is also the Founder & Producer of the Down the Security Rabbithole Podcast. He previously worked as the Managing Director, Solution & Program Insight at Optiv Inc.; Principal, Strategy Security Services at HP Enterprise Security Services; and Senior Security Strategist at HP Software. As an IT security professional, Rafal gained experience in some of the world's most challenging business environments. His responsibilities included budgets, risk analysis, process creating and adoption, internal audit and compliance strategies. He has been the catalyst for change in many organizations, building bridges across enterprises and developing permanent successful strategies for growth and prosperity. Follow Rafal on Twitter: @Wh1t3rabbit.