Integrated Steps to Stay Ahead of Malicious Insiders

May 17, 2016
| |
4 min read

Employees, contractors and partners may use some of your critical information in their daily work. Unfortunately, access to that data can pose a significant risk to your business, so it is essential to allow only the minimum necessary access while also quickly detecting and stopping threatening activity before it causes damage.

Malicious Insiders

IBM X-Force researchers estimate 60 percent of security incidents have been caused by insiders. These incidents exist in three different forms — theft, sabotage and fraud — and all have potentially long-lasting implications. In 2015, FierceCIO reported that organizations experienced an average of 3.8 insider security incidents each year.

While countless cases happen every day without detection or reporting, here are two examples in which insiders threatened global financial services institutions.

Stealing Trade Secrets

In 2013, a global bank sued a former insider and his wife to try to stop the pair from exposing trade secrets after the employee left the company for a competitor. Knowing that the company had data leakage prevention controls, the insider tried to circumvent the process by exfiltrating sensitive data to a home computer with the help of his wife. The pair was ultimately able to steal very sensitive information days before the husband submitted his resignation, and he joined a competitor shortly thereafter.

Rogue Trading Incident

In another case, a rogue trader exploited access to multiple systems at a French financial institution. He was caught creating fictitious trades; whenever they were questioned, he would simply claim that a mistake had been made and cancel the trade. However, he then replaced it with another transaction in a different program to prevent detection. This resulted in a large drop in equity indices in the markets and nearly $7 billion in estimated losses.

In both cases, the insiders were skilled, disgruntled and intent on evading detection. Their jobs required access to key systems and sensitive information, and there were no predefined signatures that could detect their malicious activities. Existing technologies, organizational policies and monitoring solutions were simply unable to uncover their schemes until it was too late.

Fortunately, this is changing. A combination of crown jewel data protection, privileged identity governance and user behavior analysis can help identify and stop malicious insiders before they cause harm.

Methods of Addressing Malicious Insiders

Although financial services companies have invested millions of dollars to protect data, control access and monitor user activity, these investments are generally driven by specific regulations and requirements. The end result is often a fragmented security infrastructure that skilled and knowledgeable insiders can exploit.

The answer to this problem is not a new tool, but rather a more integrated approach to addressing insider threats across these capability silos.

Identify and Protect Crown Jewel Data

First, companies need to know what assets are considered their most sensitive crown jewels. This means defining information classification and then labeling operational data, transactions, assets and other sensitive information accordingly.

Once completed, this will help determine the value of sensitive information (the crown jewels), where those crown jewels are located and what job functions should have access to that data.

Govern Privileged User Access

Second, companies need to know which users should have access to crown jewels — essentially the keys to the kingdom — and which users actually have access. Understanding the gap between permitted and actual access to systems across the organization is essential, and improper access must be removed.

Once user access to sensitive data has been validated, authorized access can be controlled for privileged users with strong authentication on an as-needed basis.

Analyzing User Behavior

Gaining insight into the actions of these privileged users is the third and most difficult part of addressing the insider threat. Understanding the context for changing user behavior can be essential in distinguishing between standard activity and something suspicious, and analyzing certain internal corporate data may provide clues. For example, an employee or contractor who is abruptly fired or laid off may be disgruntled and have the potential to be an insider threat.

Such insights should be gathered lawfully, pursuant to standards that may vary by jurisdiction. This concern is especially critical in global organizations that operate in multiple legal jurisdictions. Organizations must carefully consider strategies and options. The lawful and ethical use of technological solutions that analyze user behaviors should be employed.

For example, a set of logs from user activities in IT systems might be gathered and analyzed to determine baseline behaviors and detect any anomalies based on various pattern detection algorithms and analysis (e.g., statistical analysis, resource usage analysis, top-down/bottom-up comparative analysis).

Once you understand the baseline of user activity and behavior, it is possible to detect suspicious changes in behavior that might then trigger further analysis and investigation. Events such as the increase in volume of personal email sent externally from a corporate system may be considered suspicious when correlated with news about an employee’s resignation.

How to Get Started

As with any project, the key to success with an insider threat program is to start small. Many companies even start with one or two critical business applications. Using these systems as a starting point, they follow the key steps outlined above: identify and protect crown jewels, govern privileged user access and analyze user behavior. Most importantly, successful insider threat prevention programs work across these steps with an integrated approach rather than disconnected initiatives.

On one hand, malicious, skilled and motivated attackers are very difficult to detect when they have unfettered access to your crown jewels. On the other hand, some insiders legitimately need access to sensitive data to run your business. Balancing function and risk is difficult for even the most sophisticated organizations, but a structured approach can put you ahead of the game.

Learn More

Interested in learning more about how to protect against malicious insiders? Start by watching the on-demand webinar “Tech Talk: Dynamic Data Privacy Using Fine-Grained Access Control.” There’s also plenty of information in the IBM report “Battling Security Threats From Within Your Organization” and in the 2016 X-Force Cyber Security Intelligence Index.

Johnny K. Shin
Executive Consultant, IBM

Johnny Shin is a seasoned information security consultant with two decades of experience in Identity and Access Management (IAM) and Insider Threat Protectio...
read more