Insider Threats: A CISO’s Guide

pencils in a line and a red pencil higher

Insider threats are a real and growing problem. According to the recent Verizon DBIR, insiders are complicit in 28% of data breaches in 2017. Broken down by vertical, insiders are responsible for 54% of data breaches in the Healthcare industry and 34% in the Public Administration. Hacking (48%) and malware (30%) were the top 2 tactics used to steal data, while human error (17%) and privilege misuse (12%) made the cut as well.

insider threat statistic

What does it all mean? Insiders have capabilities and privileges that can be abused by either themselves or bad actors to steal important data – making a CISO’s job to identify and build a defense against all of those attack vectors even more complicated.

What is an Insider Threat?

An insider threat is a security incident that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner or board member.

Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources should be considered a potential insider threat.

Types of Insider Threats

So who are the possible actors in an insider threat?

First, we have the Turncloak: This is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials, but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents over to a competitor upon resignation.

Next, we have the Pawn: This is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad guy: whether it’s a lost laptop or mistakenly emailing a sensitive document to the wrong person.

Finally, we have the Impostor: Whereas the Turncloak is a legitimate insider gone rogue, the Imposter is really an outsider who has acquired an insider’s credentials. They’re on your network posing as a legitimate employee. Their goal is to find the biggest treasure trove of information to which their “host” has access and exfiltrate it without being noticed.

Common Behavioral Indicators of an Insider Threat

How do you identify an insider threat? There are common behaviors that suggest an insider threat – whether digitally or in person. These indicators are important for CISO’s, security officers, and their teams to monitor, track, and analyze in order to identify potential insider threats.

behavioral indicators of an insider threat

Digital Warning Signs 

  • Downloading or accessing substantial amounts of data
  • Accessing sensitive data not associated with their job function
  • Accessing data that is outside of their behavioral profile
  • Multiple requests for access to resources not associated with their job function
  • Using unauthorized storage devices (e.g., USB drives or floppy disks)
  • Network crawling and searches for sensitive data
  • Data hoarding, copying files from sensitive folders
  • Emailing sensitive data outside the organization

Human Warning Signs 

  • Attempts to bypass security
  • Frequently in the office during off hours
  • Displays disgruntled behavior toward co-workers
  • Violation of corporate policies
  • Discussions of resigning or new opportunities

While the human behavioral warnings can be an indication of potential issues, having digital forensics and analytics is one of the most powerful ways to protect against insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.

Fighting Insider Threats

A data breach of 10 million records costs an organization around $3 million – and as the old adage says, “an ounce of prevention is worth a pound of cure”.

Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all 3 and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.

The key to account for and remediate insider threats is to have the right approach – and the right solutions in place to detect and protect against insider threats.

Steps for an Insider Threat Defense Plan:

  1. Monitor files, emails, and activity on your core data sources
  2. Identify and discover where your sensitive files live
  3. Determine who has access to that data and who should have access to that data
  4. Implement and maintain a least privilege model through your infrastructure
    1. Eliminate Global Access Group
    2. Put data owners in charge of managing permissions for their data and expire temporary access quickly
  5. Apply security analytics to alert on abnormal behaviors including:
    1. Attempts to access sensitive data that isn’t part of normal job function
    2. Attempts to gain access permissions to sensitive data outside of normal processes
    3. Increased file activity in sensitive folders
    4. Attempts to change system logs or delete large volumes of data
    5. Large amounts of data emailed out of the company, outside of normal job function
  6. Socialize and train your employees to adapt a data security mindset

It’s equally important to have a response plan in place in order to respond to a potential data breach:

  1. Identify threat and take action
    1. Disable and/or logout the user when suspicious activity or behavior is detected
    2. Determine what users and files have been affected
  2. Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
  3. Remediate
    1. Restore deleted data if necessary
    2. Remove any additional access rights used by the insider
    3. Scan and remove any malware used during the attack
    4. Re-enable any circumvented security measures
  4. Investigate and perform forensics on the security incident
  5. Alert Compliance and Regulatory Agencies as needed

The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior.

The Varonis Data Security Platform identifies who has access to your data, classifies your sensitive data, alerts your teams to potential threats, and helps maintain a least privilege model. With the proper resources, CISO/CIO can gain visibility of highest risk users and gather the intelligence needed to avoid insider threats.

Get the latest security news in your inbox.