Insider Threats: The Real Problem Is Not Knowing There’s a Problem
August 6, 2015
SANS Report Author Thinks Better Detection Would Prove Almost All Companies Have Been Compromised by Insider Attacks
The SANS Institute recently released its latest report, “Insider Threats and the Need for Fast and Directed Response[1],” based on responses from more than 770 IT/security professionals in a range of industries. The report makes the case that although external attacks have been getting more press, attacks from within often cause the most damage: insiders typically have unfettered access to sensitive data—and with most companies not set up to detect such attacks, they can continue undetected for long periods of time, doing significant damage.
Many organizations think they haven’t suffered an internal attack, but all too often, the truth is that they just don’t know it because their security infrastructure is focused on identifying and preventing external attacks. The internal ones fly under the radar—right to the heart of the business.
First, Admit There’s a Problem
Organizations are starting to recognize the importance of protecting against the insider threat, but still, only three-quarters (74 percent) of survey respondents are concerned about negligent or malicious employees. Every one of them should be concerned. And even those who are aware of insider threats often don’t consider the threat from “accidental insiders,” people who unknowingly enable an attack. This is a growing area of threat: to circumvent externally focused security, attackers now often look to trick a legitimate user into doing something harmful.
Of the survey respondents who are aware of the insider threat, their greatest concerns—the top five of eight—all have to do with data being compromised or stolen, and the damage that results from that. Still, only 20 percent of respondents indicated they will increase their spending on the issue to seven percent or more next year.
[1] Insider Threats and the Need for Fast and Directed Response, A SANS Survey. Dr. Eric Cole, April 2015
This gap between growing awareness and lagging action is dangerous: awareness alone won’t protect a business. If users get emails that look like they legitimately come from their bosses, they will likely open them. Externally focused security aims to minimize damage by keeping the malware vector from making it to the users, but if that fails, it’s vital that the company has a second line of defense: internally focused security that can track anomalies to rapidly detect potential problems.
Detecting and shutting down an insider threat within 30 minutes is infinitely better than detecting it after 30 months—or never knowing about it at all. But in the survey, only 10 percent of respondents said they could detect a problem in less than an hour, and only 13 percent could mitigate it in that time frame. Perhaps even more disturbing, however, is that the most popular answer to “how long did it take to detect/mitigate the attack” is “don’t know.” Especially with insider attacks, what companies don’t know can and will hurt them.
Second, Realize It Might Be Your Problem
While only 34 percent of respondents in the survey said they’d experienced an insider attack, Dr. Eric Cole, author of the SANS report, is adamant that virtually every organization has experienced such an attack, in some form. “I’m certain that the other 66 percent of organizations have indeed experienced an insider attack—they just don’t know it,” he says. To back this claim, he points to the fact that those companies that know they’ve been compromised admit it took them a long time to realize it—typically 15 months. And most didn’t detect it themselves, but found out from a third party, usually a law enforcement agency.
That’s understandable. The nature of accidental insider attacks makes them almost invisible—which is why attackers are increasingly using them. Put on your black hat for a moment, and you’ll see why: an attacker that takes over the profile of a legitimate user can fly under the security radar because most organizations focus on prevention at the perimeter, not detection of anomalous internal and outbound activity.
Test, Don’t Trust
More than 68 percent of respondents consider themselves able to prevent or deter an insider attack, and half (51 percent) believe their prevention methods are “effective” or “very effective.” But it’s clear from this report that this is false confidence. Even if they had been compromised, most organizations wouldn’t know for certain because they lack tools that could detect an insider attack.
Ask yourself some uncomfortable questions. Start with the easy ones, such as: what exactly are your tools designed to detect or prevent? Have you tested how effective they are at that? Then get tough and ask whether you have carefully considered all the things your tools were not designed to do. For example, if an internal system got compromised, how would you know? Can your tools detect the stealthy setup of an outbound command and control channel? Have you run insider threat exercises, actually targeted users to see who clicks on what, or tried to break into a low-level internal system and leverage that to move deeper into the organization? Answer these questions as frankly as you can—and only trust tools that have proven themselves in rigorous testing.
Insider Threats Cost Money—So Invest in Stopping Them
Almost one-fifth (19 percent) of respondents believe that the potential loss from an insider threat is more than $5 million; another 15 percent put it at $1 to $5 million, and no organization can fully measure damage to its brand. The known level of damage is approximately $231 million worth of losses every year, and it’s likely that a much greater amount of damage is occurring without being detected. But still companies remain focused on the external threat, and invest more in preventing that than in detecting internal problems.
Cole gives an example of an analysis he conducted for a pharmaceutical organization, in which he was able to show that 80 percent of the damage from cyberthreats came from those that originated internally—but the company was spending 75 percent of its threat prevention budget on deflecting external threats and only 25 percent on identifying and remediating internal threats.
When you analyze your own organization, can you distinguish between the damage from external and internal attacks? Most companies can’t or don’t, and as a result they focus security spending on blocking external attacks. They don’t monitor outbound activity and user activity and look for anomalies, so they’re lulled into thinking that there’s no internal threat. Meanwhile, their organization is at serious risk.
Take Charge: Detect and Minimize the Consequences of an Insider Attack
But the news is good for organizations that acknowledge their blind spot for insider attacks and are ready to take action. The essential first step is detection. Cole is adamant: “Prevention is ideal, but detection is a must.”
Effective detection requires an integration of tools, processes, and people—and 24×7 vigilance—to seek out and identify the anomalies that point to an insider threat. Organizations need to baseline activity and then look for the anomalies that reveal attacks.
Your organization may already have tools and processes that can help protect from insider threats, such as a tool that blocks executables in web links, or a process of sandboxing and validating content that could be dangerous, or specific use cases in security incident and event management solutions. But the backbone of your defense against insider attacks has to be detection tools focused on users.
You must have the ability to monitor user behavior and system activity, continually measure it against baselines, and analyze any discrepancies carefully. A wide range of tools and techniques is available to help, such as internal auditing tools, internal network monitoring, centralized log management, SIEM tools, external network monitoring, employee monitoring, and so on.
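The baseline-then-anomaly approach described above, as an added example that is not part of the original article or of any SpectorSoft product: historical activity logs are turned into a per-user profile (hours of activity, upload destinations, typical upload volume), and new events are scored against that profile. The log format, the user names, the hostnames and all log lines are constructed for this example; the three rules (off-hours activity, a destination the user has never sent data to, an upload far above the user's norm) are assumptions chosen to illustrate the kind of discrepancies the text says should be measured against a baseline.

```python
"""Baseline user activity from historical logs, then flag discrepancies.

Hypothetical example. The log format "timestamp user action bytes_out dest"
and every line below are constructed; nothing here comes from a real product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical activity used to build each user's baseline.
BASELINE_LOGS = """\
2015-06-01T09:12:00 alice login 0 -
2015-06-01T09:40:00 alice upload 120000 sharepoint.internal
2015-06-01T10:05:00 alice upload 95000 sharepoint.internal
2015-06-02T09:03:00 alice login 0 -
2015-06-02T11:20:00 alice upload 110000 sharepoint.internal
2015-06-03T09:15:00 alice login 0 -
2015-06-03T14:00:00 alice upload 100000 sharepoint.internal
2015-06-01T08:55:00 bob login 0 -
2015-06-01T17:30:00 bob upload 20000 crm.internal
2015-06-02T08:50:00 bob login 0 -
2015-06-02T16:10:00 bob upload 25000 crm.internal
2015-06-03T09:01:00 bob login 0 -
2015-06-03T15:45:00 bob upload 22000 crm.internal
"""

# Constructed new activity to score: alice behaves normally, bob's account
# is active at 2 a.m. and pushes a large volume to a never-seen host.
NEW_LOGS = """\
2015-06-04T09:10:00 alice login 0 -
2015-06-04T10:30:00 alice upload 105000 sharepoint.internal
2015-06-04T02:15:00 bob login 0 -
2015-06-04T02:20:00 bob upload 4800000 files.example.net
2015-06-04T02:21:00 bob upload 15000 files.example.net
"""


def parse(lines):
    """Yield one event dict per non-empty log line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, action, bytes_out, dest = line.split()
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "action": action, "bytes": int(bytes_out), "dest": dest}


def build_baseline(lines):
    """Per-user profile: active hours, upload destinations, upload volume stats."""
    hours, dests, uploads = defaultdict(set), defaultdict(set), defaultdict(list)
    for ev in parse(lines):
        hours[ev["user"]].add(ev["ts"].hour)
        if ev["action"] == "upload":
            dests[ev["user"]].add(ev["dest"])
            uploads[ev["user"]].append(ev["bytes"])
    baseline = {}
    for user in hours:
        vols = uploads[user]
        baseline[user] = {
            "hours": hours[user],
            "dests": dests[user],
            "upload_mean": mean(vols) if vols else 0.0,
            # population stdev needs at least two samples; otherwise treat as 0
            "upload_sd": pstdev(vols) if len(vols) > 1 else 0.0,
        }
    return baseline


def detect(baseline_lines, new_lines):
    """Return one alert per new event that deviates from its user's baseline."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for ev in parse(new_lines):
        prof = baseline.get(ev["user"])
        reasons = []
        if prof is None:
            reasons.append("unknown_user")
        else:
            lo, hi = min(prof["hours"]), max(prof["hours"])
            if not lo <= ev["ts"].hour <= hi:
                reasons.append("off_hours")
            if ev["action"] == "upload":
                if ev["dest"] not in prof["dests"]:
                    reasons.append("new_destination")
                m, sd = prof["upload_mean"], prof["upload_sd"]
                # mean + 3 sigma; with no spread in the history fall back to 2x mean
                threshold = m + 3 * sd if sd > 0 else 2 * m
                if ev["bytes"] > threshold:
                    reasons.append("unusual_volume")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGS, NEW_LOGS):
        print(alert["ts"], alert["user"], ", ".join(alert["reasons"]))
```

Run as a script, it prints three alerts, all for bob, and none for alice. The point is the workflow rather than the specific thresholds: the baseline is built from the organization's own history, every event is compared against that history rather than against a fixed rule, and each alert carries the reasons so an analyst can triage it. A real deployment would baseline over a longer window, refresh it as roles change, and feed the alerts into the SIEM or log management platform the text mentions.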
To protect your organization against insider threats, look for any gaps in your ability to monitor activity and detect anomalies, and then seek out specific third-party solutions that can complement what you currently have in place. That way, the next time some survey asks you whether you’ve ever suffered an insider attack, you’ll be able to say—with a lot of detection and monitoring data to back you up—that you’ve been attacked many times but haven’t suffered any serious consequences. And though it sounds counter-intuitive, that will put you far ahead of the 66 percent who think they’ve never been attacked at all.
Mike Tierney is the Chief Operating Officer at SpectorSoft, a leader in user activity monitoring and an innovator in user behavior analytics. SpectorSoft develops software that helps businesses identify and detect insider threats, conduct efficient and accurate investigations, and enhance productivity. Mike is responsible for the day-to-day operations of the company, and has a strong background in product strategy and product management.