Part 1 of this blog post series explained the various types of insider threats lurking on enterprise networks. Due to their variant characteristics, each type requires a separate set of security controls. In this post we outline the different defensive measures that can be put into place to address each one.
Various measures can be used to deter negligent activity and “keep honest people honest.” Access controls can prevent people from obtaining sensitive data that they do not need in order to do their jobs. Encryption of data at rest can also help prevent data loss by negligent insiders in the event that they lose their laptops or other equipment. User education also matters here. Anything you can do to get employees to be more conscientious with company data can have a positive impact – for example, providing dummy datasets to developers so that they don’t work with real PII information on development systems. You want the path of least resistance for people to get their jobs done to also be a path that protects sensitive data.
Good access controls can also help prevent damage done by malicious insiders. Checks and balances are also extremely important in this arena, especially as it pertains to financial data. It is critical to have multiple people keeping an eye on sensitive transactions so that no one person can single-handedly circumvent company policy.
Cases of insider malice are often identified and investigated through the use of logs. It is important to collect logs from endpoint systems and network devices. Different kinds of logs might be relevant to different kinds of incidents. For example, a case of financial fraud might be detected by examining database logs from a credit card processing system, whereas a case of data theft might be noticed through monitoring of network traffic. Proactively monitoring network and system transactions can serve as a deterrent in discouraging malicious insiders from sabotaging or stealing data, since they know that their activities might be discovered.
Since they are being controlled by outsiders, typically no amount of deterrence will discourage compromised insiders from carrying out their attack. Furthermore, traditional security solutions that focus on catching malware and exploits cannot identify the unauthorized use of legitimate accounts. In this case, closely monitoring network activity is really the only way to uncover and shut down this type of threat.
As you may have noticed from the descriptions above, the use of logs for tracking network activity is a key piece of the puzzle when it comes to thwarting insider threats. In Part 3 of this series, we will go into more depth on that topic.
Previously in the series:
Insider Threats Part 1 - Who Is Attacking Your Network?