
Getting Proactive Against Insider Threats

In light of the seemingly endless parade of high-profile breaches, it’s easy to focus on external threats, while losing sight of insider threats.

In light of the seemingly endless parade of high-profile breaches, it’s easy to focus on external threats, while losing sight of insider threats.

This could be a strategic security mistake, because insider threats are on the rise and have quite a bit in common with the advanced external attacks that are making headlines. Forward-leaning security teams find they can address external and insider threats in a unified way, and significantly reduce the overall risk to an organization.

The Information Security Community on LinkedIn recently completed a far-reaching survey of its members on the topic of insider threats, and the results are illuminating.

The survey (PDF) shows a clear disconnect between the rise of insider threats and the resources allocated to address them: 62% reported that insider threats were increasing, but only 34% expected more budget to address the problem. Security professionals also felt that insider threats were even more difficult to detect than external attacks.

It makes perfect sense. Insiders have privileged access to the network and resources. Unlike an external attacker, a malicious insider doesn’t have to find vulnerabilities, develop exploits and malware, or create covert communication channels to manage the attack. There’s no need to break in when you are already trusted with the keys.

This is where defending against malicious insiders begins to overlap with defending against highly advanced external attackers. In both cases, these threats bypass preventive controls.

As an example, a nation-state attacker may target zero-day vulnerabilities and use sandbox-aware malware to infiltrate a network, while a malicious insider will simply log on with valid credentials.

Regardless of how attackers gain their position of privilege, internal and external threats alike must still seek out and obtain valuable data. These actions are readily observable and can be distinguished from normal behavior, regardless of whether they are due to an infection or a betrayal.

As a result, security models must be hyper-vigilant about both how a threat gets inside a network and what it does once it’s there. By monitoring the behavior of hosts inside the network, security teams can quickly identify the ones that are gathering data or accessing resources at an unusual rate.

For instance, is a host visiting areas of the network that it normally doesn’t go to? Are there signs that data is being moved to other locations? Maybe data is being staged internally or replicated to an external location such as Dropbox.

The savviest security teams today ensure that threat events are always in the context of key assets in the network. In addition to understanding a threat, teams need to know the impact of that threat to the organization. When threats are detected, what assets does the compromised device put at risk? Does the suspected device have direct access to vital assets?

Focusing on the critical assets within a network makes it easier for security teams to quickly see when unusual behaviors occur near the ones they care most about.
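As an added example of the kind of monitoring the preceding paragraphs describe (this is not code from the article; the host names, IP addresses, flow records and asset names are all constructed, and the scoring weights are arbitrary assumptions), the following Python builds a per-host baseline from a learning window and then scores a later window for three of the signals named above: visits to areas of the network the host never used before, an unusual jump in data volume, and contact with tagged key assets. Contact with a critical asset only counts when it comes from a subnet the host did not use during the baseline, so a finance workstation talking to its usual finance file server is not reported, while an engineering workstation that suddenly pulls from that same server and a backup host is.

```python
"""
Added example (not from the original article): a minimal behavioural baseline
for internal hosts.  Learns, per host, which destination /24s and what daily
byte volume are "normal", then scores a later window for new subnets, a volume
spike, and contact with critical assets reached via those new subnets.
All flow records and asset names below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

# Constructed sample flows: (day, source host, destination IP, bytes sent).
# Days 1-3 are the learning window; day 4 is the window being scored.
BASELINE_FLOWS = [
    (1, "ws-finance-01", "10.20.5.10", 30_000), (1, "ws-finance-01", "10.20.5.11", 20_000),
    (2, "ws-finance-01", "10.20.5.10", 28_000), (2, "ws-finance-01", "10.20.5.11", 20_000),
    (3, "ws-finance-01", "10.20.5.10", 32_000), (3, "ws-finance-01", "10.20.5.11", 20_000),
    (1, "ws-eng-07", "10.30.1.5", 200_000),
    (2, "ws-eng-07", "10.30.1.6", 210_000),
    (3, "ws-eng-07", "10.30.1.5", 190_000),
]
WINDOW_FLOWS = [
    (4, "ws-finance-01", "10.20.5.10", 50_000),     # normal destination, normal volume
    (4, "ws-eng-07", "10.30.1.5", 200_000),         # normal destination
    (4, "ws-eng-07", "10.20.5.10", 1_500_000),      # finance file server: never visited before
    (4, "ws-eng-07", "10.40.9.3", 800_000),         # backup server: never visited before
]

# Hypothetical asset inventory that puts detections "in the context of key assets".
CRITICAL_ASSETS = {"10.20.5.10": "finance-file-server", "10.40.9.3": "backup-primary"}

VOLUME_RATIO_THRESHOLD = 3.0   # assumed: flag a host sending >= 3x its usual daily volume


def subnet_of(ip: str) -> str:
    """Collapse a destination IP to its /24 so 'areas of the network' compare cleanly."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(flows):
    """Per host: the set of /24s it normally talks to and its mean daily byte volume."""
    subnets = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        subnets[host].add(subnet_of(dst))
        daily[host][day] += nbytes
    return {host: {"subnets": subnets[host],
                   "mean_daily_bytes": statistics.mean(daily[host].values())}
            for host in subnets}


@dataclass
class Finding:
    host: str
    new_subnets: list        # /24s the host never used during the baseline
    volume_ratio: float      # window bytes per day / baseline mean bytes per day
    critical_assets: list    # critical assets reached via a new subnet
    risk: int                # simple additive score (weights are assumptions)


def score_window(baseline, flows, critical_assets=CRITICAL_ASSETS):
    """Return one Finding per host whose window behaviour departs from its baseline."""
    per_host = defaultdict(lambda: {"subnets": set(), "bytes": 0, "days": set(), "dsts": set()})
    for day, host, dst, nbytes in flows:
        h = per_host[host]
        h["subnets"].add(subnet_of(dst))
        h["bytes"] += nbytes
        h["days"].add(day)
        h["dsts"].add(dst)
    findings = []
    for host, h in per_host.items():
        # A host with no baseline gets an empty profile: every subnet is new, ratio is infinite.
        base = baseline.get(host, {"subnets": set(), "mean_daily_bytes": 0})
        new_subnets = sorted(h["subnets"] - base["subnets"])
        per_day = h["bytes"] / len(h["days"])
        ratio = per_day / base["mean_daily_bytes"] if base["mean_daily_bytes"] else float("inf")
        touched = sorted(name for ip, name in critical_assets.items()
                         if ip in h["dsts"] and subnet_of(ip) in new_subnets)
        risk = len(new_subnets) + (2 if ratio >= VOLUME_RATIO_THRESHOLD else 0) + 3 * len(touched)
        if risk:
            findings.append(Finding(host, new_subnets, round(ratio, 2), touched, risk))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


if __name__ == "__main__":
    for finding in score_window(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS):
        print(finding)
```

Run stand-alone, the script reports only ws-eng-07: two new subnets, a 12.5x volume ratio, and two critical assets reached from those new subnets. Real deployments would replace the tuple list with flow or proxy logs, use a longer learning window, and tune the weights, but the structure (baseline, compare, weight by asset criticality) is the same.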

These techniques are equally adept at detecting external and internal threats. More importantly, by being aware of key internal assets, you can do far more than just chase threats – you can actually reduce risk.

The true damage to an organization occurs when assets are stolen or damaged. This is ultimately where all security teams must keep score, and as threats of all types converge on your most prized internal assets, it makes sense that your security models do as well.
