When we think of cyber attacks, what springs to mind tends to be external threats: far-off criminals hacking systems and alien malware invading from afar. But often the biggest threats to the security of our businesses and industries come from within.
Whatever the motivation – whether it’s a disgruntled employee out for revenge or an employee who has been coerced by cyber criminals into obtaining data – these individuals pose a significant, and growing, threat to corporate security.
A key question for any business leader is whether insider risk is treated as a business problem or a technology problem. In many companies it is treated as a technology problem and therefore left to the IT teams, whereas, given that it can be a major source of corporate and reputational risk, it should be the business of the C-suite and other senior management. Since the net result of an uncontained breach is not just embarrassment but the potential loss of confidential data and of consumer confidence, it is important that there is visibility at the top. Look at the TalkTalk hack of 2015: the CEO featured heavily in the media because the breach, and the loss of trust that followed, were ultimately her responsibility.
So how does this cascade through a business, and what are CISOs doing to prevent it? At Gartner’s recent Security and Risk Management Summit it was reported that criminals on the dark web are increasingly seeking out corporate employees to help carry out cyber attacks. Such employees can make a lot of money selling information on the dark web, or may even sell the credentials that get them into a company system. There is a kind of dramatic romance about the idea of the external hacker, yet it is far more likely to be someone on the inside with legitimate access. So what can a business do about this?
Businesses spend a great deal of money on becoming compliant and putting monitoring and auditing systems in place. Unfortunately, these implementations are often the result of a box-ticking exercise designed to show what happened after a breach, rather than to prevent one. The organisational mindset needs to shift towards proactively preventing breaches in the first place.
Technology exists to stop breaches, focused on the privileged users most likely to be the source of an insider incident. Most of the controls in place are aimed at the general user community, keeping outsiders out with password management and multi-factor authentication, but few do anything about a privileged user once they are inside the network: a login-time check, however strong, says nothing about what the session does afterwards. We need to reframe how we think about authentication. If anything, users should be re-authenticated as they move from one task to the next, via an automated process rather than repeated prompts. The same session data can then be compared against the user’s typical actions through user behaviour analytics.
Unique user behaviour
Machines are, by and large, homogeneous: if they have the same spec and are programmed the same, they behave the same. The same cannot be said of human beings; each of us is unique. In the context of privileged users going about their daily tasks, what makes them unique is their behaviour. A privileged user has a typical pattern of work, which can be recorded as metadata. Which servers do they typically log on to, and when? Once logged in, what do they typically do? Over time, if we “record” each user’s sessions, we build up a picture of their digital behaviour. If there is then an insider breach, something in that user’s pattern is likely to be abnormal: perhaps the commands used, perhaps a very unusual time for that particular user to be logged in, perhaps a server they have never touched before. The caveat is that a baseline is only as good as the history behind it; a few days of sessions will raise false alarms on any change of routine, and an insider who stays within their normal pattern will not stand out, so behavioural analysis complements access controls rather than replacing them.
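As an added example of the behavioural baseline described above, and of the per-task re-authentication idea earlier in the piece, here is a toy user behaviour analytics routine in Python. It is not Balabit’s product or code; the session-log format (timestamp, user, host, command) and the log lines themselves are assumed and constructed for illustration. It learns which hours, hosts and commands a privileged user normally uses, scores each new session by how many of those features have never been seen for that user, and maps the score to an action (allow, log, or step-up re-authentication and alert).

```python
"""Toy user-behaviour baseline over recorded privileged-session metadata.

Added example for this article; it is not Balabit's product or code.
The log format (timestamp,user,host,command) and the log lines are
assumed and constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed "recorded sessions" for one privileged user: weekday
# mornings, two web hosts, a handful of routine commands.
BASELINE_LOG = """\
2015-11-02T09:12:00,alice,web-01,systemctl restart nginx
2015-11-02T09:40:00,alice,web-02,tail -n 200 /var/log/nginx/error.log
2015-11-03T10:05:00,alice,web-01,systemctl restart nginx
2015-11-04T08:55:00,alice,web-02,df -h
2015-11-05T09:30:00,alice,web-01,journalctl -u nginx
2015-11-06T11:10:00,alice,web-02,systemctl restart nginx
"""

# Constructed new sessions to review: one routine, one that looks like
# a data grab at 02:45 from a host and with a tool this user never uses.
NEW_LOG = """\
2015-11-09T09:20:00,alice,web-01,systemctl restart nginx
2015-11-09T02:45:00,alice,db-01,mysqldump --all-databases
"""


def parse(log):
    """Yield (raw line, timestamp, user, host, command name) per session line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, cmd = line.split(",", 3)
        yield line, datetime.fromisoformat(ts), user, host, cmd.split()[0]


class Baseline:
    """Per-user counts of login hours, target hosts and commands run."""

    def __init__(self):
        self.hours = defaultdict(Counter)
        self.hosts = defaultdict(Counter)
        self.cmds = defaultdict(Counter)
        self.sessions = Counter()

    def learn(self, log):
        for _, ts, user, host, cmd in parse(log):
            self.hours[user][ts.hour] += 1
            self.hosts[user][host] += 1
            self.cmds[user][cmd] += 1
            self.sessions[user] += 1

    def score(self, ts, user, host, cmd):
        """Return (score, reasons): one point per feature never seen for
        this user. The hour is tolerated within +/-1h, wrapping at midnight."""
        if user not in self.sessions:
            return 3, ["no baseline for user"]
        reasons = []
        nearby = [(ts.hour + d) % 24 for d in (-1, 0, 1)]
        if not any(self.hours[user][h] for h in nearby):
            reasons.append(f"unusual hour {ts.hour:02d}:00")
        if not self.hosts[user][host]:
            reasons.append(f"never seen on {host}")
        if not self.cmds[user][cmd]:
            reasons.append(f"never ran {cmd}")
        return len(reasons), reasons


def action_for(score):
    """Map a score to a response: 0 allow, 1 log only, 2+ step-up re-auth and alert."""
    if score == 0:
        return "allow"
    if score == 1:
        return "log"
    return "step-up"


def review(baseline_log, new_log):
    """Score every new session against the baseline.
    Returns a list of (line, score, action, reasons)."""
    baseline = Baseline()
    baseline.learn(baseline_log)
    results = []
    for line, ts, user, host, cmd in parse(new_log):
        score, reasons = baseline.score(ts, user, host, cmd)
        results.append((line, score, action_for(score), reasons))
    return results


if __name__ == "__main__":
    for line, score, action, reasons in review(BASELINE_LOG, NEW_LOG):
        print(f"{action:8} score={score} {line}  {'; '.join(reasons)}")
```

The six-line baseline is deliberately tiny so the arithmetic can be followed by hand; a real deployment would learn over weeks of sessions, weight features rather than counting them equally, and treat the step-up outcome as a prompt for re-authentication or a review of the recorded session rather than an automatic block.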
This may seem intrusive but many would argue it’s good governance. Imagine you were the manager of a nuclear power station making a decision about whether to install CCTV – there is no decision to make because the risk of something going wrong is so great, the argument overrides any concerns about invading privacy. The same is true with privileged users in large businesses; the potential implications are so significant to the company’s reputation, it would be irresponsible not to monitor users.
Tactical accountability for insider risk inevitably falls to the tech workers – the CIOs and CISOs – but understanding why it should fall under the remit of a business issue is of the utmost importance. It’s ultimately the CEO held accountable to shareholders and customers, and it’s the CEO who has to win back the trust of all those affected.
Matthew Ravden is VP at Balabit.