The Insider Threat Landscape: Abuse or Legitimate Use?
The Insider Threat Landscape
No one sees it coming. While all eyes and resources look outward to thwart a data breach by unknown hackers on the other side of the world, sometimes the culprit is only feet away and is, in fact, known.
Indeed, a trusted colleague or vetted third-party who has access to important documents and files shouldn’t be overlooked in your organization’s data security plans. Not that every employee harbors ill intentions, but all it takes is for one of them to accidentally release data to unauthorized users or mistakenly share a file that should be private.
Yet, monitoring the threat from within isn’t as easy as the vigilance that’s undertaken to prevent outside attacks. Three out of four information security professionals believe it’s hard to distinguish legitimate computer use from abuse because abnormal, harmful activity is usually hidden in the large volume of ordinary, harmless activity. It’s difficult to detect when an employee is performing a regular task with legitimate access or is acting out of turn, either negligently or maliciously.
AT&T learned that lesson recently when it paid a $25 million civil penalty – the largest related to data theft in FCC history – after employees at overseas call centers sold hundreds of thousands of customer records. Morgan Stanley won’t face an FCC penalty for a breach of wealth management data of 350,000 clients but it nonetheless faced unwanted publicity after a broker transferred the sensitive data from a company network to personal devices and the information landed online for all to see.
These and many other high-profile data breaches by insiders only buttress a Verizon study that found 69 percent of information security incidents are attributed to insider threats. Whether it’s through malicious behavior or carelessness, the threat is real – but somehow companies still don’t seem to understand they’re at risk. Seventy percent of audits and investments show businesses have deficiencies in monitoring insider threats, and 75 percent of all insider threats go unnoticed, according to a 2015 SANS survey.
Abuse or Legitimate Use?
It’s important to closely consider the thinking of malicious insiders and accidental insiders. Malicious insiders make a conscious decision to steal information, a knowing effort to harm their employers. Accidental insiders have no idea that their security practices cause damage, and their decisions could be innocent or simply negligent. They can also be targeted by malicious hackers and tricked into sharing a file or system access.
Even though malicious insiders are always a threat, negligent ones are the larger concern. A SANS survey of nearly 800 organizations across a wide scope of industries revealed that the majority of respondents worry far more about negligent insiders.
There Are Culprits Aplenty
Insiders can be separated into three categories. Distinguishing the computer activities typical of each category helps determine how best to monitor them.
Business Users: First, there are employees. They are the largest group, and have access to many, but not all, applications, files and programs. They can view information they’re not supposed to, make errors that open the door to data thieves, or use unauthorized cloud applications that are vulnerable to hackers.
You have to worry about employees mistakenly extracting data and having it fall into the hands of those who would profit. You also have to be on alert for employees who commit inside fraud, purposely manipulating data for their own gain or stealing customers’ personal and financial information for profit. Low-level employees who work in customer support or call centers are usually the ones who perpetrate inside fraud.
Third-Party Vendors: Remote vendors, contractors and outsourced IT workers are also a cause for concern. They can quite easily inflict harm late at night or on weekends, when a privileged administrator wouldn’t notice. They can also make unauthorized changes to files and programs. And third-party users are just as likely as in-house employees to make mistakes and be careless handling data or using unapproved applications.
Privileged Users: Lastly, don’t forget to be mindful of privileged users. They maintain user accounts, perform updates and maintenance and make sure all digital trains run on time, but they also have the highest level of access and can thus cause significant damage with malicious or negligent actions.
Privileged users have access to your network, file systems and source code. They have the keys to your financial records, confidential information and intellectual property and can easily abuse their privileges. More importantly, they can make unauthorized changes to monitoring programs and cover the tracks of their misdeeds.
Not that privileged users should be overlooked in any kind of internal monitoring, but employees and third-party users outnumber them by 20 to 1. You need to have unique insight into everyone’s computer work habits – no matter how many haystacks you have to monitor – while also balancing priorities. Employees and third-party users will have the most activity to monitor but privileged users have greater access and greater ability to cause harm.
The ObserveIT Insider Threat Platform detects and mitigates the risk of insider threats across all users in an organization - privileged users, third-party vendors and business users.
ObserveIT records and monitors all user activity across the enterprise and clearly displays which users are putting the business at risk.
- User risk scoring prioritizes the highest-risk users and creates a profile of their recent behavior, application usage and risk indicators
- Field-level application monitoring tracks the viewing or editing of sensitive data within applications to distinguish legitimate user behavior from abuse
- Real-time and historic visual session recordings and user activity logs make it easy to investigate users and determine intent
- Live session response and shutdown prevent insider threats from exposing sensitive data, stealing IP or impacting system availability
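A constructed illustration of the user risk scoring idea, written for this page and not ObserveIT's own code: it scores sample activity records per user, weighting the three categories from the previous section (business, third-party, privileged) and flagging sensitive-field access, unapproved cloud apps, off-hours changes and edits to monitoring configuration, then ranks the highest-risk users first. All users, events, field names, paths and weights are assumed.

```python
# Constructed example (not ObserveIT code): per-user risk scoring over sample
# activity records. Users, fields, paths and weights are all made up.
from collections import defaultdict
from datetime import datetime
# Constructed activity records: (timestamp, user, category, action, detail)
EVENTS = [
    ("2015-06-01 10:12", "alice", "business", "view_record", "customer_ssn"),
    ("2015-06-01 10:15", "alice", "business", "upload", "unapproved_cloud_app"),
    ("2015-06-06 23:40", "vendor1", "third_party", "modify_file", "billing.cfg"),
    ("2015-06-02 09:00", "root_ops", "privileged", "edit", "/etc/audit/auditd.conf"),
    ("2015-06-02 09:05", "root_ops", "privileged", "view_record", "customer_ssn"),
]
SENSITIVE_FIELDS = {"customer_ssn"}                # assumed sensitive field
MONITORING_PATHS = {"/etc/audit/auditd.conf"}      # assumed monitoring config
CHANGE_ACTIONS = {"modify_file", "edit"}
# Privileged users can do the most damage; third parties are harder to watch
CATEGORY_WEIGHT = {"business": 1.0, "third_party": 1.5, "privileged": 2.0}

def is_off_hours(ts):
    """Weekend or outside 07:00-19:00, when a change is less likely to be seen."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return t.weekday() >= 5 or not 7 <= t.hour < 19

def score_event(ts, category, action, detail):
    """Return (weighted points, indicators) for one record; weights are illustrative."""
    hits = []
    if action == "view_record" and detail in SENSITIVE_FIELDS:
        hits.append(("sensitive_data_access", 3))
    if detail == "unapproved_cloud_app":
        hits.append(("unapproved_app", 4))
    if action in CHANGE_ACTIONS and is_off_hours(ts):
        hits.append(("off_hours_change", 3))
    if action in CHANGE_ACTIONS and detail in MONITORING_PATHS:
        hits.append(("monitoring_tampering", 6))
    points = sum(p for _, p in hits) * CATEGORY_WEIGHT[category]
    return points, [name for name, _ in hits]

def score_users(events):
    """Aggregate each user's score and the indicators behind it."""
    profiles = defaultdict(lambda: {"score": 0.0, "indicators": []})
    for ts, user, category, action, detail in events:
        points, indicators = score_event(ts, category, action, detail)
        profiles[user]["score"] += points
        profiles[user]["indicators"] += indicators
    return dict(profiles)

def rank_users(events):
    """Highest-risk users first, so an analyst knows where to look."""
    return sorted(score_users(events).items(), key=lambda kv: -kv[1]["score"])
```

The privileged user ends up on top even though the third-party vendor's weekend change is the only off-hours event, which is the prioritization the article argues for.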