In light of the seemingly endless parade of high-profile breaches, it’s easy to focus on external threats, while losing sight of insider threats.
This could be a strategic security mistake, because insider threats are on the rise and have quite a bit in common with the advanced external attacks that make headlines. Forward-leaning security teams find they can address external and insider threats in a unified way and significantly reduce an organization's overall risk.
The Information Security Community on LinkedIn recently completed a far-reaching survey of its members on the topic of insider threats, and the results are illuminating.
The survey (PDF) shows a clear disconnect between the rise of insider threats and the resources allocated to address it: 62% of respondents reported that insider threats were increasing, but only 34% expected more budget to address the problem. Security professionals also felt that insider threats were even more difficult to detect than external attacks.
It makes perfect sense. Insiders have privileged access to the network and resources. Unlike an external attacker, a malicious insider doesn’t have to find vulnerabilities, develop exploits and malware, or create covert communication channels to manage the attack. There’s no need to break in when you are already trusted with the keys.
This is where defending against malicious insiders begins to overlap with defending against highly advanced external attackers. In both cases, the threat bypasses preventive controls.
As an example, a nation-state attacker may target zero-day vulnerabilities and use sandbox-aware malware to infiltrate a network, while a malicious insider will simply log on with valid credentials.
Regardless of how attackers gain their position of privilege, internal and external threats must still seek out and obtain valuable data. These actions are readily observable and can be distinguished from normal behavior, regardless of whether they stem from an infection or a betrayal.
As a result, security models must be vigilant not only about how a threat gets inside a network but also about what it does once it is there. By monitoring the behavior of hosts inside the network, security teams can quickly identify the ones that are gathering data or accessing resources at an unusual rate.
For instance, is a host visiting areas of the network that it normally doesn’t go to? Are there signs that data is being moved to other locations? Maybe data is being staged internally or replicated to an external location such as Dropbox.
The savviest security teams today ensure that threat events are always viewed in the context of key assets in the network. In addition to understanding a threat, teams need to know the impact of that threat on the organization. When a threat is detected, what assets does the compromised device put at risk? Does the suspected device have direct access to vital assets?
Focusing on the critical assets within a network makes it easier for security teams to quickly see when unusual behaviors occur near the ones they care most about.
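The two ideas above (baselining each host's normal destinations and volume, then ranking what you find by whether the host touched a critical asset) can be sketched in a few dozen lines. The following Python is an added illustration written for this article, not code from the original post or from any product; the flow log lines, host and asset names, the external-storage list and the 3x volume threshold are all constructed for the example.

```python
"""Behavioral baseline over constructed flow logs, ranked by critical-asset context.

Added illustration; not code from the original post. Log lines, host names,
asset names and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed flow log: "YYYY-MM-DD src_host dst_host bytes", one line per flow.
# Days 1-4 are ordinary activity; on day 5 ws-bob pulls a large volume from the
# finance database and pushes a similar volume to an external storage service.
FLOW_LOG = """\
2015-03-01 ws-alice fileshare-eng 120000
2015-03-01 ws-alice mail 30000
2015-03-02 ws-alice fileshare-eng 110000
2015-03-02 ws-alice mail 25000
2015-03-03 ws-alice fileshare-eng 130000
2015-03-03 ws-alice mail 28000
2015-03-04 ws-alice fileshare-eng 125000
2015-03-04 ws-alice mail 31000
2015-03-01 ws-bob fileshare-eng 90000
2015-03-02 ws-bob fileshare-eng 95000
2015-03-03 ws-bob fileshare-eng 88000
2015-03-04 ws-bob fileshare-eng 91000
2015-03-05 ws-alice fileshare-eng 118000
2015-03-05 ws-alice mail 29000
2015-03-05 ws-bob finance-db 4200000
2015-03-05 ws-bob fileshare-eng 90000
2015-03-05 ws-bob dropbox.com 3900000
"""

# Assets the team cares most about (constructed); alerts on hosts that reach them rank first.
CRITICAL_ASSETS = {"finance-db": "finance database", "hr-db": "HR database"}
# External staging destinations to watch (constructed list).
EXTERNAL_STAGING = {"dropbox.com", "drive.google.com"}

BASELINE_END = date(2015, 3, 4)   # flows up to this date train the per-host baseline
VOLUME_FACTOR = 3.0               # flag a day that moves more than 3x the host's baseline mean


def parse_flows(text):
    """Yield (day, src, dst, nbytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        yield date.fromisoformat(day), src, dst, int(nbytes)


def build_baseline(flows):
    """Per host: the set of destinations it normally talks to and its mean bytes per day."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if day <= BASELINE_END:
            dests[src].add(dst)
            daily[src][day] += nbytes
    return {host: {"dests": dests[host],
                   "mean_bytes": statistics.mean(daily[host].values())}
            for host in dests}


def detect(flows, baseline):
    """Compare post-baseline flows with each host's baseline and return alerts,
    ordered so that hosts which reached a critical asset come first."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    touched = defaultdict(set)      # host -> critical assets it reached in the window
    alerts = []
    for day, src, dst, nbytes in flows:
        if day <= BASELINE_END:
            continue
        per_host_day[src][day] += nbytes
        if dst in CRITICAL_ASSETS:
            touched[src].add(dst)
        known = baseline.get(src, {"dests": set()})["dests"]
        if dst not in known:                       # visiting a part of the network it never used
            alerts.append((src, day, f"new destination {dst}"))
        if dst in EXTERNAL_STAGING:                # data leaving toward external storage
            alerts.append((src, day, f"{nbytes} bytes to external storage {dst}"))
    for host, days in per_host_day.items():       # unusual rate of data movement
        mean = baseline.get(host, {}).get("mean_bytes")
        if mean is None:
            continue
        for day, total in days.items():
            if total > VOLUME_FACTOR * mean:
                alerts.append((host, day, f"{total} bytes moved vs baseline mean {mean:.0f}"))
    ranked = [{"host": h, "day": d.isoformat(), "reason": r,
               "critical_assets": sorted(touched[h])} for h, d, r in alerts]
    ranked.sort(key=lambda a: (not a["critical_assets"], a["host"], a["day"]))
    return ranked


def run(log_text=FLOW_LOG):
    flows = list(parse_flows(log_text))
    return detect(flows, build_baseline(flows))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log, ws-alice produces nothing, while ws-bob produces four alerts (two new destinations, an external-storage transfer and a volume spike), each tagged with the finance database it reached; that tag is what lets an analyst pick this host out of a queue before checking the rest. A real deployment would replace the fixed 3x factor with a per-host distribution and feed the asset map from an inventory, but the structure stays the same.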
These techniques are equally adept at detecting external and internal threats. More importantly, by being aware of key internal assets, you can do far more than just chase threats – you can actually reduce risk.
The true damage to an organization occurs when assets are stolen or damaged. This is ultimately where all security teams must keep score, and as threats of all types converge on your most prized internal assets, it makes sense that your security models do as well.
Related Resource: Using Active Breach Detection Against Advanced Attackers