Insider threat is a risk as common as it is potentially catastrophic. High profile breaches as a result of insiders are a regular occurrence. Coupled with the ease with which large amounts of data can be removed in the digital age, insiders represent a unique place in the threat matrix, both high in likelihood and high in potential impact.

So how do you combat at threat that knows so much about your organization? We sat down with NJVC Cyber Security Principal Robert J. Michalsky, who recently released a white paper on insider threat, to discuss how to defend against the enemy within.

Q: How big a threat is the insider relative to all other threats organizations must defend against?

A: In terms of the difficulty of containing the threat, insiders determined to commit some type of malicious act are actually much more difficult to thwart than traditional "hackers."

Insiders by definition have trusted and often privileged access which grants permissions for actions an external user would not have.  (Add or delete accounts for instance). All organizations have insiders and should include explicit security controls to mitigate potential damage.

 

Q: Is insider threat something every business or agency should develop a plan to defend against? 

A: The insider threat is in some ways analogous to spies in the intelligence community or military traitors. Their knowledge and access to protected sources is very highly prized by an adversary. As such, they are often actively recruited and yes every organization should assess their risk and exposure.

Any insider in any size company with privileges can be highly damaging to an organization. The damage may be limited to embarrassment or bad publicity but could extend to financial damages or loss of trade secrets. Impacts vary greatly but every organization should take the threat seriously.

 

Q: What’s the most surprising statistic from your research?

A: The disparity between various industry surveys can be striking. Verizon and their data breach report has garnered wide praise because it is not survey based and instead dives into tens of thousands of reported data breaches to get more measure of ‘ground truth’.

Many question based surveys report findings so far apart from this real world data that it seems a very deep current of naivety or ignorance populates IT workers and leaders.  IT leaders need to consider if they are being truly realistic about their security posture and not being unrealistically optimistic because no security incidents may have yet occurred that lead to a data breach.

 

Q: Detect and Deter. How do these work together to create a continuously improving defense against insider threat?

A: Having strong cyber security in an organization is attributable to a range of factors – many of which interact with each other and reinforce each other.

If senior leadership is supportive of a strong cyber security culture, then training is typically offered. Awareness breeds better internal business workflows and process which serves to identify potential gaps and vulnerabilities which in turn enhances the implementation of security controls. Good metrics and feedback loops in operations serves to show that the engineering efforts are working, leading to a culture willing to integrate in new controls and over time an organization is ratcheting up their security profile without having to throw copious amounts of budget at the latest cyber vendor tools.

 

Q: Insider threat is an enterprise risk, but defending it is often parceled out between departments. IT may control some aspects, human resources some and physical security others. What's the best way to manage the risk of responsibilities getting lost?

A: Have a single point of responsibility.  Not every organization needs a full time cybersecurity group, but someone has to be in charge of IT security. Technical and control issues have to be addressed. Many security vulnerabilities in IT environments can be mitigated by the implementation of a solitary vendor product. Spam can be addressed through email filters and rules on an email server. That is one potential attack vector, but a modern IT environment with public internet access via numerous user gateways offers attackers literally thousands of attack points.

Defense in depth looks to have multiple security controls come into play should one vulnerability be able to circumvent the first control encountered.

 

Q: Who should be the single point of responsibility to defend against insider threat in a company? 

A: If an organization is large enough or mature enough to have a CIO, then it should have a CISO (Chief Information Security Officer). This may be a part time role for an individual, but a Point of Contact where the ‘Buck Stops Here’ is needed. That individual can then elicit help and support from the various business components to create a comprehensive policy that spans an organization. A mix of technical and business process controls are needed.

 

Q: If an agency/organization hasn’t yet developed a formal approach to insider threat, what’s the first thing they should do?

A: Write an explicit policy to address the threat.The policy should include what assets are to be protected, the methods being put in place to address the most likely threats and the security metrics used to quantify and manage the evolving threat.

Create unique triggers that cyber analysts can use to investigate security incidents. Having server log data and other security metrics available demonstrates the seriousness of the threat and provides insights for an organization to respond to it.

 

Q: What are emerging trends in insider threat?

A: Over time, given the relentless pace of public data breaches, it has become obvious that a constantly maturing set of business and IT controls needs to be put in place to protect an organization and their data assets. Having a formal policy in place on how to handle insiders does not mean an organization has lost faith with their employees and contractors and suppliers instead it is simply an extension of the very logical desire to prevent issues with external ‘hackers’ who do represent a more visible and accepted threat.

 

Q: Is the rate of insider threat increasing, or is it just that insider threat can now more easily lead to bigger breaches given the amount of data that can be exfiltrated in a digital world?

A: The impact of the damage an insider can do is leading to a much stronger focus on identifying and mitigating this explicit type of threat. Indeed, in pre digital days, paper was a limiting factor in moving secrets and conveying information to others. Digital media can have a tiny physical footprint and be incredibly information dense leading to incidents having metrics inconceivable even just a few years ago. Organizations need to take this threat seriously. 

About the Author

Robert J. Michalsky has served government and commercial customers for more than 30 years. As NJVC Principal, Cyber Security, he quantifies and pursues new business opportunities in cyber security. Mr. Michalsky spent more than 15 years providing cyber security-related IT engineering services for classified Intelligence Community and Department of Defense customers. Read More | Contact Us