Responding to insider threats

Written by

The harm caused by data breaches, like theft of intellectual property, loss of financial and other critical-value information is epidemic. Resulting damage to governments, corporations and individuals can be vast, from marred reputations, disaster recovery costs, loss of intellectual property and competitive position.

Further still, the Council of the European Union has agreed that new fines for breaches of EU privacy and data protection law could be up to €1 million or 2% of the company’s global annual turnover[1].

More than one-third of all cybercrime incidents and security breaches are caused by insiders[2]. Each insider has his or her own motivations – it could be financial, political, accidental or even emotional – but the common factor among these people is that they all inappropriately access an organization’s critical-value data. Edward Snowden and Chelsea Manning are some of the most public examples of insiders who have exploited their access to highly sensitive information to leak it to third parties. A user becomes an insider threat once they are inside the system, and it doesn’t matter whether he or she is a current or former employee or an external contractor.

It is easy to understand why some organizations have avoided the issue. Fear of cost, legal issues around monitoring and surveillance, not understanding your threat landscape and where your sensitive information is the challenge of detecting and deterring insider threats appears massive and it is hard to know where to start. The answer lies in focusing efforts on very speci?c and de?nable targets: Your critical-value data and the very limited ways in which an insider threat actor could access, gather, and ex?ltrate that data from your network.  

Focus on the Insider Threat Actor

Detecting and investigating insider leaks is a complex task. You need to focus on what the insider threat actor wants to achieve and the ways in which they can do it, and have an understanding what data is valuable to your company, and what data could be valuable to others. It is important to understand that while information technology is virtually boundless, human interaction with technology is limited. In other words, there are only so many ways to access, gather, and exfiltrate critical-value data from a system or network.

Focusing your efforts on the limited use of technology and the relatively small number of ways in which people can move data yields results much faster than a broader approach. To achieve this focus, you must bring together many disciplines from across the organization.

For example, limiting the ways people can interact with systems and networks will make it easier to identify an insider exfiltrating data. One way to achieve this is with IT usage policies and technical measures that prevent your employees from connecting USB storage devices to their workstations. Apart from that, your need to focus on protecting important information, not all data, as it is necessary to identify and locate its critical-value data - the crown jewels. This requires cooperation and often negotiation between data owners across your firm.

Developing an Insider Threat Program

You also need to create an environment hostile to an insider threat actor through an effective policy framework and by focusing energy and scarce resources on the most important data. I recommend the following phases for developing a best practice program:

Understand and Focus:  A process used to identify authorized users who have access to critical-value data. We must determine the crown jewels of the organization, where the critical-value data is located, who has access to it, and how they have access. It includes understanding who might be a threat, what options and methods insider threat actors use, and the observable indicators such threat activity creates

Protect and Disrupt: Using intelligence and analysis to clarify and focus investigations and activities in identifying insider threat actors within your systems and networks. This means attempting to identify who an insider threat actor is, how the actor is operating within a network, who the insider threat actor’s associates may be, and does the actor have past techniques that can be captured and understood.

Deter and Detect, or cyber-defense information, includes having accurate and up-to-date cybersecurity and IT policies, training, good forensic tools, and proper user banners.

The knowledge gained by combining these three elements helps bring into focus who is attempting to discover and steal your crown jewels; what method are they attempting to use and where they are attempting to take them.

The key is that this is a program; not just a piece of software. A successful program requires executive leadership and advocacy, clear policy and guidance, and workforce education and training. It must bring together stakeholders from across your organization including human resources, administration, legal, physical security, information security, and information technology. With these elements in place, your business can address insider threats before they become messy and costly public problems.


[1] http://www.theguardian.com/technology/2015/jun/15/eu-privacy-laws-data-regulations

[2] CERT Program at Carnegie Mellon University, 2014 US State of Cybercrime Survey, April 2014

What’s hot on Infosecurity Magazine?