Detecting insider threats is easier than you think

When it came to the physical plant, it used to be easy, with surveillance cameras and access badges, to tell whether an insider was up to no good. Now, with a largely virtual network, you can’t always know whether the person sitting in the next cubicle is gaining access to confidential documents.

While the insider threat still connotes an employee of the company, the intruder is no longer someone located within the confines of the building. Accessing the network can happen from such public places as the local coffee shop.

“For companies today, where old corporate lines are disappearing more frequently, the challenges only increase. Enterprises need to adapt their policies and procedures to prevent threats by securing corporate end-point equipment and the right tools that protect and allow users to do their work,” said Matias Brutti, a hacker at Okta. “Work environments are constantly changing, so monitoring is difficult on a corporate level.”

Much of the technology has changed, but the constraints are the same, and companies have to continue to be proactive about stopping malicious attacks, he said. “They must understand their threats and adapt their technologies to serve them. More than ever, hiring the right team and building the right technologies is key to success.”

Steve Mancini, senior director of information security at Cylance, said not all insider threats are the same. “How we deter those that emanate from the careless or negligent will perhaps differ from those that emanate from the intentionally malicious. The proverbial ‘carrot and the stick’ are principles that apply as much in this area of human behavior as they do in others.”

He added that deterrence of insider threats would need to map to the type of risk you are seeking to mitigate. The question is answered based upon environmental factors about company culture, the status of the organization (healthy, failing, layoffs, etc.), and how you treat/monitor/legally manage contractors.

Security vendors chimed in on how to combat what can be an invisible threat, one that can go virtually anywhere within the network.

Nir Polak, Exabeam CEO and co-founder, put it succinctly: “Mini-Max” – minimize access where possible, maximize monitoring of that same access for unusual patterns.


That was the common theme among security vendors. Don’t provide employees with an open door to the entire network. Make access a privilege and not a right.

Hamesh Chawla, vice president of engineering at Zephyr, said companies should provide a “need to know” access and audit all actions taken. Audits should be implemented by those with enough power to do so, such as root and administrator roles.
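As an added example, not from the article or from any of the vendors quoted, the Python below applies the “Mini-Max” and need-to-know ideas above to a constructed audit log: each record is checked against the group’s entitlements, against the corporate address range, and against a per-user read baseline, and anything unusual is surfaced for review. The groups, document classes, network range, baseline and log lines are all assumptions made for the example.

```python
# Added example (not from the article): a small "Mini-Max" review over
# constructed access-audit records. It enforces need-to-know (a user may
# only read document classes their group is entitled to) and flags unusual
# patterns: access from outside the corporate network and a burst of reads
# above a user's normal baseline.
from collections import Counter
import ipaddress

# Constructed entitlements: document classes each group may read.
NEED_TO_KNOW = {
    "finance": {"invoices", "payroll"},
    "engineering": {"designs", "source"},
}
# Constructed corporate address space; anything else is "the coffee shop".
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed audit log: (user, group, document_class, source_ip)
AUDIT_LOG = [
    ("alice", "finance", "invoices", "10.1.2.3"),
    ("alice", "finance", "payroll", "10.1.2.3"),
    ("bob", "engineering", "designs", "10.7.7.7"),
    ("bob", "engineering", "payroll", "10.7.7.7"),      # outside need-to-know
    ("carol", "engineering", "source", "203.0.113.9"),  # public network
] + [("dave", "finance", "invoices", "10.3.3.3")] * 12  # burst of reads

def is_corporate(ip):
    """True if the source address falls inside the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def minimax_review(log, baseline_reads=5):
    """Return (user, reason) findings for an analyst to review."""
    findings = []
    reads = Counter()
    for user, group, doc_class, src in log:
        reads[user] += 1
        if doc_class not in NEED_TO_KNOW.get(group, set()):
            findings.append((user, f"accessed {doc_class} outside need-to-know for {group}"))
        if not is_corporate(src):
            findings.append((user, f"access from non-corporate address {src}"))
    for user, n in reads.items():
        if n > baseline_reads:
            findings.append((user, f"{n} reads exceeds baseline of {baseline_reads}"))
    return findings

if __name__ == "__main__":
    for user, reason in minimax_review(AUDIT_LOG):
        print(f"{user}: {reason}")
```

Alice’s reads raise nothing, while Bob, Carol and Dave each produce one finding; in practice the baseline would be learned per user rather than fixed.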