In the new era of information security, traditional controls designed to deter attackers and protect assets are being augmented by advanced detection methods and new capabilities for response and remediation. The fundamental idea is to monitor the activities and behaviors taking place within your organization's systems, applications, and data, then use this information to distinguish between normal and anomalous activity.
To get started, you simply establish a baseline for what is normal, since this will allow you to easily determine when something might be amiss. However, how are you supposed to know what is normal and what isn't? To demonstrate how you can do this, consider the risk of insider threat.
Establishing Baselines for Normal Insider Behavior
An insider is any current or former end user who has authorized access to the organization's IT systems or data. Insider threat gets a lot of attention, and deservedly so. In its 2015 Data Breach Investigations Report, Verizon found that 92 percent of security incidents over the past 10 years can be described by nine basic patterns, one of which is insider misuse.
Insider threat can be broken down into the following three primary categories:
- Fraud: An insider's deliberate misuse or misapplication of an organization's resources or assets for personal gain. It can also be the theft of information that leads to an identity crime such as identity theft or credit card fraud.
- Theft of Intellectual Property: When an insider uses IT to steal or otherwise expose an organization's valuable information assets.
- Sabotage of IT Infrastructure: An insider's use of IT to cause harm to an organization or one or more specific individuals, such as with a denial-of-service attack.
Understanding Insider Threat in Terms of Opportunity
When you're looking for behaviors that might be indicative of insider threat, they're most likely to be found at the intersection of motivation and opportunity-as anyone who watches crime shows can tell you. The biggest benefit of understanding insider threat in terms of opportunity is that this knowledge informs basic strategies of how to prevent the crime.
The Federal Bureau of Investigation (FBI) has compiled some of the common factors that are involved in cases of insider misuse. For instance, when technology infrastructure is perpetrated by insiders, it is often for one of the following reasons:
- Policies for safeguarding classified, proprietary, or other sensitive information are undefined or poorly communicated.
- Policies are not enforced by technical controls or security is perceived as minimal or nonexistent.
- The consequences for violation of policies are minimal or nonexistent.
- Policies conflict with other priorities or requests from management, such as time pressure or mandates to complete projects.
Common Opportunities That Enable Information Misuse
The following are several other opportunities that allow for insider misuse, many of which are related to lax company policies:
- Access Management: Insider abuse often occurs when access to classified, proprietary, or other sensitive information is available to users who do not need it.
- Data Classification: Problems can occur when classified, proprietary, or other sensitive information is not labeled or is incorrectly labeled.
- Monitoring: Employees should not be able to remove classified, proprietary, or other sensitive information from the organization's IT infrastructure in electronic form or from physical facilities in physical form without detection.
- Awareness: When end users are not trained on proper information protection protocols, they may inadvertently provide opportunities for insider misuse of data.
Spotting Suspicious User Behavior
The FBI also highlights specific behaviors that may indicate an insider is engaged in these types of activities. Many of the factors must be spotted by a manager or other superior, but the following are some of the behaviors that can be directly observed in the IT infrastructure:
- A worker inappropriately seeks or obtains information on topics not related to work duties.
- An employee copies information unnecessarily, especially classified or proprietary data.
- Someone transfers information, whether by physical document, email attachment, digital media, thumb drive, consumer-oriented file sync, file share applications, or other methods.
- An employee disregards company policies on installing hardware or software, accessing restricted websites, conducting unauthorized searches, or downloading information.
- The insider accesses the organization's IT infrastructure at odd hours, while out sick, or while on vacation.
- An individual exhibits unusual concern about being investigated.
With the help of advanced detection methods, security teams can monitor these behavioral patterns within their organizations and reduce security-related risks by distinguishing normal from abnormal activity.
Category: RSA Fundamentals, Blog Post
Keywords: Advanced Detection, Insider Threat