Management & Strategy

Defending Against the Insider – Strategies From the Field

The Higher the Value of the Intellectual Property of Your Enterprise, the Higher the Likelihood You will Experience an Insider Incident

Threats to enterprise security are everywhere. I don’t think I have to list out the specifics; we all read the news. Outside attackers infiltrating organizations and stealing everything they can find has become the morning headline, as sure as the sun will rise. What you don’t hear about, except in international headlines, is the insiders who do the same. Oftentimes it’s the insiders who enable the external attacker, whether willingly or otherwise, and the result can be even more devastating than that of an external attacker acting alone.

The threat from insiders is very real, and in many cases an insider has significantly greater potential to harm an organization than an external attacker does. It’s painfully apparent that in addition to the hackers that come at your enterprise from the outside looking to test your defenses for ways to steal, damage and disrupt, insiders need your attention as well.

But how does an organization function when there is suspicion in every seat? How do you keep secrets, intellectual property and assets safe when you shouldn’t trust the administrator resetting your password? As my team learns from the leading practices of enterprises across market verticals and maturity levels, we gather some things that we want to share. Here are a few of the strategies that have worked elsewhere and may work for you.

Role-Based Access – It may sound like advice from 1997, but role-based access is one of the most overlooked and under-developed pieces of many enterprise IT strategies. As companies grow, expand and add employees, roles and responsibilities tend to shift. Coupled with the cumbersome processes of provisioning and de-provisioning access, which take time and resources, many companies simply opt for an “all-access” strategy. This generally means that the administrator who is watching the front desk has access to the same human resources files containing salary information as the vice president of the human resources department. Or, someone who has changed job roles and responsibilities several times typically retains access to many of the systems and applications they no longer need. Clearly defining roles and responsibilities, even at the group level, allows for more ready provisioning, de-provisioning and auditing of anyone who has access to corporate electronic resources. This won’t catch all insider threats, but it will keep them from maximizing damage across systems and applications to which they should not have access.

Privileged Access Management (PAM) – Every enterprise needs administrators and those with ‘root’ access to critical resources. These people are the watchers, and a higher level of trust is placed in them to do what is right and be good corporate stewards. But whether unintentionally or otherwise, those with privileged access can make mistakes. To combat this, organizations should have sound privileged access policies and tools in place. They should not use built-in ‘administrator’ or ‘root’ accounts in lieu of personal accounts tied to a specific person. In the event something goes wrong, the organization has a way of determining who is doing something questionable, rather than trying to understand who was using the root account. Additionally, companies should audit all built-in accounts and have alerts fired when someone logs into those accounts. A local administrator or a root account should never be used to access or administer a system.

Privileged-Role Separation – One organization not only has user and privileged accounts for each of its system administrators, but also has separate physical computers (now moving to virtual machines) for administrative and non-administrative activity. In their system “Raf” and “Raf-ADMIN” are completely separate roles: the regular one has base-level, role-based user access, while the -ADMIN account has privileged administrative access on systems and applications. With more than ten thousand users on the network, not every action can be monitored in real time, so auditing is turned on high for the -ADMIN roles but not the regular roles. Rolling random audits of user accounts aim to discourage or catch any user-level improprieties, while administrative access is scrutinized by both human analysts and behavioral analysis tools.

Honeypots – Where allowed by local and corporate laws, honeypots can be a valuable indicator of malicious activity. A spreadsheet sitting on a financial non-public share which looks enticing and is labeled “salaries_Q4_final.xlsx” but only contains fake information can attract a malicious insider. Organizations should audit a file like that for access. Anyone who touches the file should receive a prompt phone call from HR and have their system access shut down until a personal discussion has taken place to determine malice. If this was simple curiosity, it can be used as a teachable moment. However, if there was malice in the incident, the organization can determine next steps. This approach costs nearly nothing (except time and effort) and can be incredibly effective if properly executed.
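As an added illustration (not code from the article or its author) of two of the controls above, the following sketch turns the PAM guidance (alert whenever someone logs directly into a built-in ‘root’ or ‘administrator’ account) and the honeypot guidance (alert on any access to the decoy file) into detection logic run over log lines. The log format, account and file names, and sample lines are all constructed for this example.

```python
import re

# Built-in accounts that should never be used for a direct login (see the PAM section).
BUILTIN_ACCOUNTS = {"root", "administrator"}
# Interactive login methods; sudo by a named person is the attributable path and is not flagged.
INTERACTIVE = {"ssh", "console", "rdp"}
# Decoy files: any access at all is an alert (see the Honeypots section).
HONEYPOT_FILES = {"salaries_Q4_final.xlsx"}

# Hypothetical, simplified log formats constructed for this example (not a real product format):
#   AUTH <timestamp> user=<name> src=<host> method=<ssh|console|rdp|sudo> [target=<name>]
#   FILE <timestamp> user=<name> action=<read|write|delete> path=<path>
AUTH_RE = re.compile(r"^AUTH (\S+) user=(\S+) src=(\S+) method=(\S+)(?: target=(\S+))?$")
FILE_RE = re.compile(r"^FILE (\S+) user=(\S+) action=(\S+) path=(\S+)$")


def check_line(line):
    """Return an alert tuple (kind, when, who, detail) or None for a benign line."""
    m = AUTH_RE.match(line)
    if m:
        when, user, src, method, _target = m.groups()
        # A direct interactive login as root/Administrator leaves nobody accountable.
        if user.lower() in BUILTIN_ACCOUNTS and method in INTERACTIVE:
            return ("builtin-login", when, user, f"{method} from {src}")
        return None
    m = FILE_RE.match(line)
    if m:
        when, user, action, path = m.groups()
        # Match on the file name only, so the decoy triggers wherever it is placed.
        if path.rsplit("/", 1)[-1] in HONEYPOT_FILES:
            return ("honeypot-access", when, user, f"{action} {path}")
        return None
    return None  # unknown line format: ignored by this sketch


def scan(lines):
    """Run check_line over every line and collect the alerts in order."""
    return [alert for alert in (check_line(line) for line in lines) if alert]


# Constructed sample log: one attributable sudo, two direct built-in logins, one decoy hit.
SAMPLE_LOG = [
    "AUTH 2024-01-15T08:02:11Z user=raf src=10.0.0.5 method=ssh",
    "AUTH 2024-01-15T08:02:40Z user=raf src=10.0.0.5 method=sudo target=root",
    "AUTH 2024-01-15T08:10:03Z user=root src=10.0.0.9 method=ssh",
    "AUTH 2024-01-15T08:11:22Z user=Administrator src=ws-17 method=console",
    "FILE 2024-01-15T09:30:00Z user=raf action=read path=/shares/finance/budget_2024.xlsx",
    "FILE 2024-01-15T09:31:15Z user=jdoe action=read path=/shares/finance/salaries_Q4_final.xlsx",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each alert names the person (or the unattributable built-in account) so the follow-up the article describes, a call from HR or a review by an analyst, has a starting point.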

As the lines between external attacker and insider continue to blur, it makes sense to develop a solid insider threat strategy that is both cost-effective and operationally effective. The higher the value of the intellectual property of your organization, the higher the likelihood you will experience an insider incident. Even if your enterprise is lucky enough never to experience a truly malicious insider attack, these sound strategies will keep good and honest employees from making mistakes that could otherwise cause significant harm to the organization. Adopting insider threat strategies is not only smart, it’s necessary.

I look forward to sharing more insights into this topic in the future. As always I value your opinions, experiences and feedback, so please share by leaving a comment or connecting with me directly.
