Network complexity, a dissolved perimeter, and the proliferation of alternative communications channels (instant messaging, VoIP, removable media, etc.) all make it more difficult for IT and security managers to detect, control and prevent behaviours that violate policies or create risk.
Ironically, technology — while increasing productivity — has obfuscated insider behaviour. Left unchecked or unmonitored, many of these behaviours — whether unintentional or malicious — have the potential to put the viability of the company or its business continuity at risk.
Most companies would be shocked to discover what percentage of their employees’ daily activity was geared towards non-business related activities such as online shopping, stock trading, and travel planning.
While not the kind of thing that threatens a company’s core viability, the impact on profit margins from lost productivity can be substantial — headcount is nearly always a company’s largest expense.
Even pornography — much of which easily bypasses most URL filtering solution — can become an incredible legal liability if exposed inappropriately or accidentally.
More borderline activities, such as employees making their own judgment calls for behaviour at the margin of acceptability, or even activities which appear threatening but are in fact legitimate, are almost impossible to detect without false positives.
Truly contextual activities such as sexual harassment are nearly impossible to detect, much less prove, with conventional solutions. And the true bad guys — the ones who are clearly out to cause malicious damage and will take great pains to hide or cover their tracks — require not just sophisticated detection but also court-worthy forensic evidence to support a termination or even prosecution. This is a tall order.
Already stretched to the limit, IT and security organisations must respond to the specific problem with tailored remediation to the entire range of behaviours, not generalised reactions to general threats.
In short, enterprises need to attack the root cause of the insider threat itself — activity at the endpoint, as well as monitoring broadly at the network.
Given this new landscape, organisations need to take a number of steps to regain visibility and control of their computing environments.
1) Begin at the source
Edge security such as firewalls enjoy broad acceptance not only because they are easy to deploy but also because they deliver value in a fairly quantifiable and deterministic way.
Not surprisingly, therefore, some IT organisations have reacted to the insider threat by essentially turning the firewall concept inside out. Rather than stopping bad stuff from getting in, these solutions attempt to keep good stuff protected by monitoring it preventing it from leaving the network.
The trouble is, while some of these point solutions are effective, they do little to address the root cause of insider threats — the user’s behavior.
2) Keep things in context
To deal with the risks posed by user behaviour, you need a solution that broadly monitors the type and quantity of data moving across the network in the context of activity on users’ desktops.
Without a way to analyse traffic, content, and behaviour and incidents in context, enterprises lack the means to respond appropriately with policies or practices for near-term remediation or long-term prevention of insider threats.
Truly understanding the risk posed by insider behaviour requires fairly granular situational context, such knowing what the user was doing immediately before and after the actual incident.
Were they using shareware programs to manipulate the data format? Who did they receive an IM from or what website did they visit just before they touched the data? What actually happened when they sent the data?
For example, an incident that might appear to be malicious from a data leakage standpoint—let’s say a person sending an email with sensitive information to an unauthorised recipient—might be completely legitimate or clearly accidental when view in context.
With advanced monitoring capabilities such as DVR-like replay of events on the user’s desktop, this same incident could be revealed as an accident involving type-down addressing, where the person sent an emergency email to the wrong person just one name down the list. It would just as easily show a malicious data theft in complete context.
3) Expose hidden events
With more and more data being encrypted, workforces becoming increasingly mobile and companies expanding the use of outsourcing and contractors, it becomes critical for organisation to broadly monitor user behaviours — at both the network and desktop levels — to expose hidden events.
For example, you may want the capability to view a record of the content of encrypted transmissions — such as if an employee copies the contents of an Excel spreadsheet to the clipboard and then saves it to an encrypted USB drive.
You also may want to the capability to record and track this type of activity and many other behaviors even when the user is offline. Monitoring at the network level will also allow you to keep track of incidents on unmanaged desktops such as at outsourced call centres or contract workers location, and it can spot anomalies such spikes in after-hours FTP traffic so you can implement policies or more closely monitor specific individuals.
4) Deal with complex malicious acts
Unlike accidental acts or cases where workers push the boundaries of acceptable behaviour to get their jobs done, most malicious acts involve multiple behaviors.
This means you need a solution that lets you easily search for all of a user’s other activities and easily analyse them for related behaviours or trends.
Desktop monitoring — even when the user is offline — can also help you detect users "covering their tracks" — such as changing a file name or type, or cutting and pasting data.
For example, you need to know when someone changes a potentially sensitive file such as from a CAD application to a JPEG, PDF or other unusual format, and then emails it with a name like "Wedding Pictures." You also need to monitor and detect other "multi-vector" behaviours, such as screen capturing from a custom application, dropping the result into a word file, and sending over instant messaging.
5) Get management involved
Armed with this type context-driven solution, security professionals can mitigate business risks by making informed decisions and implementing policies and training to achieve desired behaviours.
Visual tools — such as DVR-like incident replay and network content gallery displays — also allow non-technical management and staff to spot and respond to threatening behaviors.
Galleries that give a visual picture of content moving over a network can give non-technical management staff a quick and unambiguous assessment of a wide range of threatening and non-productive behaviours.
With a glance at one of these visual galleries, an HR director could, for example, see that large amounts of offensive material is being viewed inside the organisation. Or, a section manager could see that employees are spending valuable time on auction sites, online gambling or other non-productive activities.
Improve visibility and secure your business from the inside
Only by moving beyond the reverse firewall mentality and into the actual root cause of threatening behaviour, can organisations achieve the nuanced visibility required to mitigate insider threats and truly optimise business processes and procedures; making the organisations security posture fundamentally more secure, profitable, and compliant.
The ability to differentiate users, data, threats, responses and corresponding management requirements for each will enable companies to take appropriate steps to end insider threats where they begin — in the behaviour of privileged users. Anything less leaves the door open to significant risks.
Visualise behaviour to stop insider threats
By Gordon Eubanks, on Jul 30, 2007 9:59AM