With insider threats consistently named a key security risk, organizations realize that managing and monitoring user access is a top priority. Insider threats can come from honest employees who make mistakes, from external contractors working for trusted third parties or from a cybercriminal using an insider's stolen credentials. With so many assets and so much information online and accessible, organizations must take a proactive approach to defending against insider attacks, starting by implementing security tools and practices that support a trusting relationship with their user communities. While no one can prevent every insider attack, a proactive, intelligence-driven approach can reduce risk, improve compliance and enable the IT organization to better support business initiatives.
Trust, but Verify
Every day, your organization is processing business transactions, collecting sensitive data and collaborating with partners. To make all this work, the modern enterprise depends on trust: trusting employees not to divulge company secrets, trusting partners not to leak customer information and trusting suppliers to protect sensitive data. If people need access to sensitive information and critical systems to do their jobs and serve customers, the organization needs to establish and enforce a level of trust associated with that access. Trusting stakeholders to use their access privileges appropriately, and verifying that they do so, can be the most critical and difficult challenge of dealing with insider threats. A second challenge is user authentication: trusting and verifying that individuals really are who they claim to be every time they try to access information.
Best Practices for Mitigating Insider Threats
To operate efficiently and securely, organizations need to back up the trusted relationships they have with security tools and intelligence that support and validate the level of confidence they place in their business constituents. This is made easier through the application of a few strategies that focus on reducing the risk of insider threats.
1. Identity Management
Let's face it: One of the most effective ways to minimize the damage people can do to your organization's security is to limit their access to sensitive information to what their job actually requires (the principle of least privilege). Provisioning users with access beyond what they need is an unnecessary risk and should be avoided, and access privileges should be rescinded promptly when people leave the organization or change roles. Automated deprovisioning, tied to joiner/mover/leaver events from the HR system of record, ensures that orphan accounts aren't left open for later exploitation by external cybercriminals or malicious insiders.
It takes a sensitive touch to manage this control without damaging the trusted relationship with employees, partners and others. If security controls are too strict and block access to previously available resources, some people may be offended, feeling their own company distrusts them. Partners or suppliers may get frustrated if they are blocked from accessing information needed to complete business transactions. Attempts to rein in access are therefore often met with resistance and should be handled carefully. But it's worth doing: blocking user access to assets they don't need reduces the risk of a security breach. Automated, policy-based user provisioning and self-service tools can help enforce the established business policies tied to user entitlements.
2. Identity Governance
As people move about an organization, they can end up with overlapping roles and duplicated or inconsistent entitlements. This "entitlement creep" can lead to improper access to and use of sensitive information, which can create conflicts of interest and separation-of-duties (SoD) violations, such as one person being able to both create a vendor and approve payments to it. Identity governance tools can help verify and clean up existing user entitlements, building accurate role models and enacting policies and processes that ensure users have only the access privileges appropriate to their role.
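The identity management and governance checks described in the two practices above can be run mechanically once the data is in one place. The following is an added example, not code from the original article or from any product, that performs three of them over a constructed HR feed, role model and account inventory: orphan accounts whose owner has left or that have no owner at all (the deprovisioning gap), entitlements beyond what the owner's role justifies (entitlement creep), and separation-of-duties conflicts. Every employee id, role name, entitlement and conflict pair is an assumption made up for illustration.

```python
"""Identity governance checks over a constructed HR feed, role model and account
inventory: orphan accounts, excess entitlements and separation-of-duties (SoD)
conflicts. Added example; every identifier and role here is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    account_id: str
    owner: Optional[str]                       # HR employee id, or None for an unowned account
    entitlements: Set[str] = field(default_factory=set)


# Constructed HR system of record: employee id -> (role, still employed?)
HR = {
    "e100": ("accounts_payable", True),
    "e101": ("procurement", True),
    "e102": ("procurement", False),            # leaver: should have been deprovisioned
    "e103": ("finance_controller", True),
}

# Constructed role model: what each role is supposed to hold and nothing more.
ROLE_MODEL = {
    "accounts_payable": {"ap.create_invoice", "ap.view_invoice"},
    "procurement": {"po.create_vendor", "po.approve_po"},
    "finance_controller": {"ap.view_invoice", "gl.close_period"},
}

# Constructed SoD matrix: entitlement pairs one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"po.create_vendor", "ap.create_invoice"}),   # invent a vendor, then pay it
    frozenset({"ap.create_invoice", "ap.approve_payment"}),
}

ACCOUNTS = [
    Account("a1", "e100", {"ap.create_invoice", "ap.view_invoice"}),
    Account("a2", "e101", {"po.create_vendor", "po.approve_po", "ap.create_invoice"}),  # creep
    Account("a3", "e102", {"po.create_vendor"}),          # orphan: owner has left
    Account("a4", "e103", {"ap.view_invoice", "gl.close_period"}),
    Account("svc-backup", None, {"gl.close_period"}),     # orphan: no owner recorded
]


def orphan_accounts(accounts: List[Account], hr: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Accounts whose owner is unknown to HR or no longer active: deprovisioning candidates."""
    return sorted(a.account_id for a in accounts
                  if a.owner is None or not hr.get(a.owner, ("", False))[1])


def excess_entitlements(accounts, hr, role_model) -> Dict[str, List[str]]:
    """Entitlements held beyond the owner's role: the 'entitlement creep' to clean up."""
    findings = {}
    for a in accounts:
        if a.owner in hr:
            extra = a.entitlements - role_model.get(hr[a.owner][0], set())
            if extra:
                findings[a.account_id] = sorted(extra)
    return findings


def sod_violations(accounts, conflicts) -> Dict[str, List[Tuple[str, str]]]:
    """Accounts holding both halves of a conflicting pair, regardless of role."""
    findings = {}
    for a in accounts:
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= a.entitlements)
        if hits:
            findings[a.account_id] = hits
    return findings


def governance_report(accounts=ACCOUNTS, hr=HR, role_model=ROLE_MODEL, conflicts=SOD_CONFLICTS):
    """Run all three checks; each finding is a concrete revocation or review action."""
    return {
        "orphans": orphan_accounts(accounts, hr),
        "excess": excess_entitlements(accounts, hr, role_model),
        "sod": sod_violations(accounts, conflicts),
    }


if __name__ == "__main__":
    for section, findings in governance_report().items():
        print(f"{section}: {findings}")
```

Note that the SoD check is deliberately independent of the role model: account a2 holds `ap.create_invoice` outside its procurement role, and that single excess entitlement is also what completes the vendor-creation/invoice-creation conflict, which is how entitlement creep turns into an SoD violation in practice. The unowned service account is reported as an orphan even though its entitlement looks legitimate, because nobody is accountable for it.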
3. Access Management and Risk-Based Authentication
Verifying the identities of mobile users is a big challenge and should involve authenticating the device as well as the user. Device scanning, two-factor authentication and context-based access policies, which weigh signals such as an unrecognized device, an unusual location, an off-hours request or the sensitivity of the target application and step up authentication accordingly, can all help protect applications against fraudulent and unauthorized access.
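The following is an added example of such a context-based (risk-based) access decision; it is not code from the original article or any product. It scores a login attempt from the signals the paragraph names, allows low-risk attempts, requires a second factor for medium-risk ones, enrols the device once that factor succeeds so the device itself is authenticated on later sign-ins, and denies attempts whose combined score is too high to be resolved by a second factor alone. The weights, thresholds, user profile and attempts are all constructed for illustration.

```python
"""Risk-based (context-aware) authentication decision for a login attempt.
Added example: the signals, weights and thresholds are constructed for
illustration and are not taken from any product."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    user: str
    known_devices: Set[str]     # device fingerprints enrolled after a successful MFA
    usual_countries: Set[str]   # where this user normally signs in from
    usual_hours: range          # hour-of-day window of normal activity


@dataclass
class Attempt:
    user: str
    device_id: str
    country: str
    hour: int
    sensitivity: str            # classification of the requested app: low / medium / high
    mfa_passed: bool = False    # whether the user has already completed a second factor


# Constructed weights: each risk signal present adds points to the attempt.
WEIGHTS = {"unknown_device": 40, "unusual_country": 30, "off_hours": 15, "high_sensitivity": 20}
STEP_UP_AT = 30   # at or above: require a second factor
DENY_AT = 70      # at or above: refuse even with a second factor and send for review


def risk_score(profile: UserProfile, attempt: Attempt) -> Tuple[int, List[str]]:
    """Sum the weights of the signals present; the signal list goes to the audit log."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        signals.append("off_hours")
    if attempt.sensitivity == "high":
        signals.append("high_sensitivity")
    return sum(WEIGHTS[s] for s in signals), signals


def decide(profile: UserProfile, attempt: Attempt) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny'; enrols the device once MFA has verified it."""
    score, _signals = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT and not attempt.mfa_passed:
        return "step_up_mfa"
    if attempt.mfa_passed:
        profile.known_devices.add(attempt.device_id)   # the device is now authenticated too
    return "allow"


def demo() -> List[str]:
    """Five constructed attempts against one user profile, in order."""
    alice = UserProfile("alice", {"dev-laptop-1"}, {"US"}, range(7, 20))
    return [
        # 1. everything as usual
        decide(alice, Attempt("alice", "dev-laptop-1", "US", 10, "low")),
        # 2. new phone, otherwise normal: ask for a second factor first
        decide(alice, Attempt("alice", "dev-phone-9", "US", 10, "medium")),
        # 3. same phone after MFA: allowed, and the phone is enrolled
        decide(alice, Attempt("alice", "dev-phone-9", "US", 10, "medium", mfa_passed=True)),
        # 4. the phone is now known, so the next sign-in needs no step-up
        decide(alice, Attempt("alice", "dev-phone-9", "US", 11, "medium")),
        # 5. a stolen password used from an unknown device abroad at 03:00 against a high-value app
        decide(alice, Attempt("alice", "dev-unknown", "RO", 3, "high", mfa_passed=True)),
    ]


if __name__ == "__main__":
    print(demo())
```

The fifth attempt is denied even though a second factor was presented: in this constructed policy, an unknown device, unusual country, off-hours access and a high-sensitivity target together exceed the deny threshold, on the assumption that a second factor alone should not unlock that combination and a human should review it.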
4. Security Intelligence
The sheer volume of audit and log data generated by users can impede detection and forensic investigation, burying the few events that reveal an insider attack or inappropriate user activity. Security intelligence practices, such as the use of security information and event management (SIEM) tools, correlate that data into an invaluable resource for validating access and highlighting user anomalies: a login outside a user's normal hours, access to a system the user has never touched before or a sudden spike in activity. This insight improves the security team's ability to distinguish malicious from nonmalicious behavior, so the bad guys can be identified and stopped.
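To show what "highlighting user anomalies" looks like in practice, here is an added example (not code from the original article or from any SIEM product) of the baseline-and-deviation logic a user-behaviour rule applies. It learns each user's normal hours, hosts and daily event volume from a training window of audit lines, then flags events in a later window that fall outside that baseline and rolls the per-event alerts up into the per-user summary an analyst would triage. The log format, user names, hosts and thresholds are all constructed for illustration.

```python
"""SIEM-style user-behaviour analytics over constructed audit log lines:
build a per-user baseline from a training window, then flag events in a
detection window that fall outside it. Added example; the log format, the
users and the thresholds are all constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed line format (not any vendor's): ISO timestamp plus key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

BASELINE_LOG = [  # constructed: two normal working days for bob and carol
    "2024-03-01T09:05:12Z user=bob src=10.0.1.20 host=file-srv action=login",
    "2024-03-01T14:30:44Z user=bob src=10.0.1.20 host=file-srv action=read",
    "2024-03-02T09:02:03Z user=bob src=10.0.1.20 host=file-srv action=login",
    "2024-03-02T15:10:09Z user=bob src=10.0.1.20 host=file-srv action=read",
    "2024-03-01T08:55:00Z user=carol src=10.0.2.7 host=crm action=login",
    "2024-03-02T08:58:31Z user=carol src=10.0.2.7 host=crm action=login",
]

WINDOW_LOG = [  # constructed: the day under investigation
    "2024-03-04T09:07:41Z user=bob src=10.0.1.20 host=file-srv action=login",
    "2024-03-04T02:13:55Z user=bob src=203.0.113.9 host=db-prod action=login",
    "2024-03-04T08:59:10Z user=carol src=10.0.2.7 host=crm action=login",
    "2024-03-04T10:00:00Z user=mallory src=10.0.9.9 host=crm action=login",
] + [  # a burst of reads from the unusual host between 02:14 and 02:19
    f"2024-03-04T02:{14 + i:02d}:{7 * i:02d}Z user=bob src=203.0.113.9 host=db-prod action=read"
    for i in range(6)
]


def parse_lines(lines):
    """Parse matching lines into dicts with a datetime 'ts'; skip malformed ones; sort by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per user: hours of day and hosts seen, and the busiest day's event count."""
    acc = defaultdict(lambda: {"hours": set(), "hosts": set(), "daily": Counter()})
    for e in events:
        b = acc[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["hosts"].add(e["host"])
        b["daily"][e["ts"].date()] += 1
    return {u: {"hours": b["hours"], "hosts": b["hosts"],
                "max_daily": max(b["daily"].values())} for u, b in acc.items()}


def detect(events, baseline, spike_factor=3):
    """Return one alert per event that deviates from the user's baseline."""
    alerts, daily = [], Counter()
    for e in events:
        reasons, b = [], baseline.get(e["user"])
        key = (e["user"], e["ts"].date())
        daily[key] += 1
        if b is None:
            reasons.append("unknown_user")          # no history at all for this identity
        else:
            if e["ts"].hour not in b["hours"]:
                reasons.append("off_hours")
            if e["host"] not in b["hosts"]:
                reasons.append("new_host")
            # fire the volume alert once, at the moment the day's count passes the threshold
            if daily[key] == spike_factor * b["max_daily"] + 1:
                reasons.append("volume_spike")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "reasons": reasons})
    return alerts


def summarize(alerts):
    """Collapse per-event alerts into reason counts per user, the view an analyst triages."""
    out = defaultdict(Counter)
    for a in alerts:
        out[a["user"]].update(a["reasons"])
    return {u: dict(c) for u, c in out.items()}


def run():
    """Baseline from the training window, detection over the investigation window."""
    return detect(parse_lines(WINDOW_LOG), build_baseline(parse_lines(BASELINE_LOG)))


if __name__ == "__main__":
    for user, reasons in summarize(run()).items():
        print(user, reasons)
```

On the constructed data, bob's normal 09:07 login produces nothing, while the 02:13 login to a host he has never used and the burst of reads that follows are flagged as off-hours, new-host and (once the day's count exceeds three times his busiest baseline day) a volume spike; mallory, with no history at all, is flagged as an unknown identity. Real deployments need a longer training window and per-user thresholds, but the shape of the rule is the same.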
Combating insider threats is a continuous process, but it also improves an organization's security posture against external attacks. Attackers routinely use stolen user credentials, including privileged identities, to move through the enterprise once they are inside. Safeguarding users' identities and implementing security intelligence therefore reduces the damage from external attacks as well.