Detect and Deter: Playing Defense Against Insider Threat

Principal, Cyber Security
September 2015

Executive Summary

In cyber security, threats abound, system vulnerabilities are numerous and news of data breaches is as common as thunderstorms in summer. Yet even in this environment, where organizations struggle to balance risk and privacy, the insider threat is particularly pernicious.

Insiders are individuals trusted to protect organizational secrets and intellectual property. To carry out their responsibilities they are typically granted privileged access and elevated account rights. Because they have the greatest access, they also pose the greatest risk. Abuse of that privilege, most often for financial gain, can be as damaging to an organization as it is difficult to uncover.

What cuts to the bone in these situations is the violation of trust. These individuals have typically passed a background check or, over time, have proven themselves worthy of special trust; then that trust is thrown away.

As a general rule, people, not the underlying technology, are the biggest security problem organizations face. Individuals are human and therefore make errors with corporate data, forget security rules, overlook organizational policies and expose protected data. These actions can be accidental or intentional. Both result in data exposure, but malicious activity usually carries the greater negative impact.

Two incidents highlight the extreme amount of damage that can be caused when insiders go rogue. In 2010, Pvt. Chelsea Manning leaked 251,000 classified and sensitive-but-unclassified diplomatic cables. These cables described in detail events that took place in 274 embassies over a 44-year period. Many unguarded conversations on nuclear disarmament, the war on terror and sensitive interactions with foreign countries were disclosed, causing harm and embarrassment.

The disclosure also included documents such as military logs and video recorded by military hardware. In total, the material passed to WikiLeaks exceeded 720,000 documents. Manning received a sentence of 35 years in prison for her actions.

In 2013, NSA contractor Edward Snowden stole an unknown quantity of documents; more than 100,000 were leaked to journalists. The true volume could be substantially larger, since Snowden had access to over one million documents in the course of his duties. Whatever the actual number, it is dwarfed by the sensitivity of the information he conveyed to foreign sources. This is the very definition of abuse of privilege by a trusted insider.

Gen. Keith Alexander, former director of the National Security Agency and former commander of US Cyber Command, identified successfully mitigating the insider threat as the No. 1 lesson to be taken from the Snowden incident.

So can insiders like these be stopped? Determined adversaries who hold privileged access and understand the internal security controls in place will always be the most difficult cyber security challenge.

One approach is to redefine success and reframe the expected outcome. After all, a security incident is not a data breach until data actually leaves the organization. Decision makers often miss this point. Discovering malware of some sort inside the protected network boundary does not by itself mean organizational assets have been compromised. An investigation may be warranted, and a subsequent forensic analysis may be conducted, but not every security incident leads to a data breach.

A successful mitigation approach requires attention to all three aspects: people, process and technology. Consider:

  • Having a security policy – but not following it – may lead to data breaches

  • Having great people – but not monitoring their actions – may lead to data breaches

  • Having the latest vendor security tools in place – but not regularly analyzing the resulting alerts – may lead to data breaches

Organizational focus is often centered on line items in a budget such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). Budget items are simple to identify and quantify, but perimeter defense hardware and software such as these typically offer little protection against an adversary who is already inside the network border.