Rooting out malicious insiders

The danger of suffering a security breach has never been more of a reality for businesses across the board. Employees today access, process, and manage privileged data more than ever as part of their daily jobs, putting companies at risk of malicious activity, including data theft, property damage, and manipulation.

 

“This isn’t just a guess. In fact, according to Verizon’s Data Breach Investigations Report 2017, one quarter of breaches involved internal actors,” explains Simon Campbell-Young, CEO of Intact Software Distribution.

 

He says there are several reasons a seemingly loyal staff member might decide to steal from the business. “In many cases, the motive is purely financial. There are plenty of buyers of credit card data, personal information and healthcare data on the black market. Moreover, businesses with valuable intellectual property are at risk of cyber espionage, as threat actors will pay extremely well for trade secrets.”

 

There is also the conundrum of whether an insider is malicious or careless, because employees are merely accessing data and systems as part of their job. Often it’s a case of misuse rather than malfeasance, when data falls into the wrong hands, he says. “Any employee who normally accesses documents containing privileged information can merely send those documents out of the company as attachments in an email on any web-based email platform.”

 

The only reliable way to tell the difference between a staff member doing his or her job, and a malicious insider threat, is to monitor their behaviour, says Campbell-Young. “No one is advocating Big Brother here, rather risk-based monitoring of specific user activity to lower the chances of insider threats.”

 

Because the monitoring is risk-based, the company needs to start by defining where the risk is and assigning risk levels to all employees. Each assigned level should be aligned to a specific level of monitoring, which will help to decide who should be monitored, how to monitor them, and how closely. “Obviously any employee who has access to proprietary or sensitive data would have a higher risk level than someone with no access to that type of data at all.”

 

According to him, the fact that a particular staff member’s role brings risk to the business doesn’t mean that they are up to no good. And because insider actions can be mistaken for normal job-related tasks, companies should also rely on inappropriate or anomalous behaviour as an indication of an increasing risk level. It is crucial to have the means to pinpoint anomalous behaviours among staff, and this is where user behaviour analytics (UBA) comes in, Campbell-Young says.

 

These solutions work by baselining an individual’s behaviour, and then highlighting anomalies or unusual patterns when compared to the baseline. Should this behaviour be picked up, appropriate staff within the business will be notified.

 

He says UBA solutions look for several indicators. “Firstly, changes in communications. For example, a staff member who has always been positive about the company, suddenly changing sentiment, and becoming negative. This can be as subtle as moving from using ‘us’ and ‘we’ when referring to the company, to ‘I’ and ‘me’. The solution watches for sentiment and choice of words to determine if there are indicators of risk.”

 

Next, he says UBA looks for shifts in behaviour. “It will watch what resources the employee is accessing, the data they consume, how and when they move data. Any staff member who is simply doing their job will have a pattern in their behaviour, and deviations from that pattern might indicate that something funny is going on.”
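The baselining approach described above can be sketched in a few lines. This is an added example, not code from the article or from any UBA product: it builds a per-user baseline from past activity and flags deviations, with the alert threshold tightened for higher risk levels. The field names, threshold values and sample records are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed mapping: a higher risk level gets a lower alert threshold (closer monitoring).
Z_THRESHOLD = {"low": 6.0, "medium": 4.0, "high": 2.5}

def build_baseline(days):
    """Summarise a user's normal activity from historical daily records."""
    return {
        "mb_moved": [d["mb_moved"] for d in days],
        "resources": set().union(*(d["resources"] for d in days)),
        "hours": set().union(*(d["hours"] for d in days)),
    }

def robust_z(value, history):
    """Deviation from the median in MAD units; resists skew from past outliers."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else max(1.0, 0.1 * abs(med))  # floor for flat history
    return (value - med) / scale

def assess(baseline, day, risk_level):
    """Return the deviations from baseline that warrant notifying staff."""
    findings = []
    z = robust_z(day["mb_moved"], baseline["mb_moved"])
    if z > Z_THRESHOLD[risk_level]:
        findings.append(f"data volume {day['mb_moved']} MB (z={z:.1f})")
    new = set(day["resources"]) - baseline["resources"]
    if new:
        findings.append("first-time resources: " + ", ".join(sorted(new)))
    odd = set(day["hours"]) - baseline["hours"]
    if odd:
        findings.append("unusual hours: " + ", ".join(map(str, sorted(odd))))
    return findings

# Constructed sample data: ten ordinary working days for one user.
HISTORY = [{"mb_moved": mb, "resources": {"crm", "wiki"}, "hours": set(range(8, 18))}
           for mb in (40, 55, 48, 60, 52, 45, 58, 50, 47, 53)]
BASELINE = build_baseline(HISTORY)
NORMAL_DAY = {"mb_moved": 62, "resources": {"crm"}, "hours": {9, 10, 14}}
BORDERLINE_DAY = {"mb_moved": 70, "resources": {"wiki"}, "hours": {11}}
ODD_DAY = {"mb_moved": 900, "resources": {"crm", "finance-share"}, "hours": {10, 23}}

if __name__ == "__main__":
    for label, day in (("normal", NORMAL_DAY), ("borderline", BORDERLINE_DAY),
                       ("odd", ODD_DAY)):
        for level in ("low", "high"):
            print(label, level, assess(BASELINE, day, level) or "no deviation")
```

The borderline day is only reported for a user assigned the "high" risk level, which is the effect of tying monitoring sensitivity to risk level.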

 

 

There is always scope for malicious insiders within a business, and it boils down to which staff members present the highest risk, Campbell-Young adds. “By properly assigning an appropriate level of monitoring based on an individual’s risk level, a business can significantly lower the chances of falling victim to this type of crime, and is able to detect and respond to any risky behaviour.”