Insider cyber threat: Time is of the essence
Since insiders have fewer barriers to overcome, the time-to-compromise and time-to-exfiltrate metrics for insider threat actions is grim.
The breach timeline metrics in the Verizon Data Breach Investigation Report paints a dismal picture. External attackers can compromise systems in hours or even minutes, while it can take months or more for organisations to detect intrusions. Since insiders have fewer barriers to overcome and compromises don't require circumventing controls, the time-to-compromise and time-to-exfiltrate metrics for insider threat actions is grim.
The time from an unsanctioned action to discovery represents a vast area for improvement. Most breaches that begin with an abuse of access are only found months or sometimes even years later.
When we focus on data varieties that aren't as monetisable as payment card or banking information, industries such as manufacturing, mining and professional services become more prominent.
Industries have varied threat landscapes, with some more susceptible to insider threats than others. Much of this is driven by actor motives and data types insiders can access. Threat modelling should reflect where data resides or is processed within an organisation, and how its employees and partners could potentially misuse it.
Industries have varied threat landscapes, with some more susceptible to insider threats than others.
The Verizon report goes on to detail 11 building blocks − as follows − for an effective insider breach detection programme:
Integrate security strategies and policies: Integrating the other 10 counter-measures (listed below), or better yet, a comprehensive insider threat programme with other existing strategies, such as a risk management framework, human resources management and intellectual property management, can help strengthen efficiency, cohesion and timeliness, in addressing insider threats.
Conduct threat hunting activities: Refine threat hunting capabilities such as threat intelligence, dark Web monitoring, behavioural analysis and endpoint detection and response solutions to monitor, detect and investigate suspicious operator and user account activities, both inside and outside the enterprise.
Perform vulnerability scanning and penetration testing: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to manoeuvre within the enterprise environment.
Implement personnel security measures: The application of human resource controls (such as employee exit processes), security access principles and security awareness training, can mitigate the number of cyber security incidents associated with unauthorised access to enterprise systems.
Deploy physical security measures: Implement physical methods for access such as identity badges, security doors and guards to limit physical access, as well as digital access methods including card swipes, motion detectors and cameras in order to monitor, alert and record access patterns and activities.
Apply network security solutions: Put network perimeter and segment security solutions in place. These include firewalls, intrusion detection/prevention systems, gateway devices and data loss prevention solutions to detect, collect and analyse suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity as well as the use of remote connections.
Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect and analyse user-related activity.
Apply data security measures: Employ data ownership, classification and protection, as well as data disposal measures to manage the data lifecycle and maintain confidentiality, integrity and availability with insider threats in mind.
Implement identity and access management measures: Employ identity, access and authentication management measures to manage, limit and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged access.
Establish incident management capabilities: These are incident management processes that include an insider threat playbook with trained and capable incident handlers. This will make cyber security response activities more efficient and more effective in addressing insider threat activities.
Retain digital forensics services: Have an investigative response retained resource available. Ensure they can conduct the full-spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint and network traffic, in often delicate and human-related − or user account-related – cyber security incidents.
This is great advice for companies with unlimited resources and budget, but where does the organisation with more constrained budgets and skills begin to address the challenge?
To answer this, I have tried to highlight the fact that every industry or vertical can be affected in slightly different ways by an insider threat. Take healthcare, for instance; it is the most highly targeted industry, but not the most expensive to recover from a breach. Financial and insurance services hold that crown.
So, let's break a few things down:
Whatever industry you are in, know what data is critical to your company, customers and partners, and be aware of who has access to it. An effective insider breach detection programme, just like any other security programme, incorporates people, processes and technology.
Engage with a reputable security consultancy to ensure you embark on this journey in a logical and effective manner. There are specific quick wins that you can achieve no matter what your level of security maturity.
CTO of DRS, a Cyber1 company.
Andrew Sjoberg is CTO of DRS, a Cyber1 company. He is a graduate of the University of Witwatersrand. Post-graduation, his early experience included the implementation and management of technologies in the banking and finance arenas. Sjoberg then moved into the cyber security technology space, where over the past 19 years he has worked at the cutting-edge of the industry, staying abreast of trends, and delivering best of breed services.
Andrew Sjoberg is CTO of DRS, a Cyber1 company. He is a graduate of the University of Witwatersrand. Post-graduation, his early experience included the implementation and management of technologies in the banking and finance arenas.
Sjoberg then moved into the cyber security technology space, where over the past 19 years he has worked at the cutting-edge of the industry, staying abreast of trends, and delivering best of breed services.His responsibilities at DRS include integration, innovation and specialisation services, as well as driving the guiding principles of the company's service excellence in delivering and supporting cyber resilience strategies to clients.