Download the Aruba Security whitepaper to learn more about what you need to know to ensure you're secure and find out how Aruba ClearPass can enforce security throughout your enterprise.
An insider threat is a type of cyberattack that originates within your organisation. Whether it is perpetrated by a current or former employee, or a trusted business partner or contractor, insider threats are launched by people with some level of access to your IT systems and data.
Insider threats can be intentional or unintentional. Because the people behind them operate from inside your organisation, they usually hold legitimate access, so firewalls and other perimeter controls offer little protection. To secure your business against insider threats effectively, your security measures and policies must reflect what insider threats look like, so that they can be detected and prevented proactively.
Common insider threats include:
DDoS attacks, malware, ransomware and other common external threats attack a business from outside of its firewall. An insider threat comes from within the digital walls of the business.
Though external threats are often more widely publicised and discussed, insider threats can be far more damaging. An external attacker usually has to discover where your most valuable data lives before they can reach it. Insiders, on the other hand, already have the access and the knowledge they need to cause significant damage to your data, systems and business.
With traditional attack vectors rapidly disappearing, are you confident you are spending your information security budget in the right places?
‘Almost 60% of the incidents are motivated by financial gain or espionage purposes,’ Aruba research finds, ‘but there are also healthy occurrences of employees negligently mishandling data or misusing email, web and USB devices to place an organisation’s data and sensitive assets at risk.’
In these instances, accidental insider threats are typically caused by well-meaning employees unintentionally exposing data and systems to risk:
Any break from IT policy could put sensitive data at risk. But there is, of course, the need to balance strict policies with IT agility and business enablement. Stringent policies may help secure data, but if they compromise BYOD policies and other flexible working arrangements, they could cause more problems than they solve.
External threats can result in large-scale financial and reputation loss, but insider threats—particularly those conducted with malicious intent—can be far more damaging.
Because the actors carrying them out have such intimate knowledge of your systems and data, they know exactly where to strike to maximise the impact of their attack. And unlike external attacks, which tend to leave recognisable traces such as exploit attempts, unknown devices or unfamiliar source addresses, insider activity uses valid credentials over normal access paths and can be hard to distinguish from legitimate use, meaning the damage is often done long before you realise an attack is under way.
Worse still, the data leaks that often follow a successful insider attack can result in non-compliance, hefty fines and significant customer churn, particularly in heavily regulated industries such as healthcare and financial services.
Insider threats are most likely to come from three distinct groups.
1. Privileged users
Any user with access to confidential, private or privileged information can present a significant risk. According to Aruba, 28% of insider attacks in 2017 were carried out by privileged users with elevated access. The risk is not limited to deliberate misuse: if privileged users are careless with their account or device security, others can use their credentials to reach your systems and compromise your IP.
2. Former employees
Current employees pose a serious insider threat to your business, as they often have deep access to your systems and know where to cause the greatest damage. Former employees can pose an even greater threat: some have a motive to harm your business or to take IP to a new employer, and if their accounts, keys and remote-access rights are not revoked promptly when they leave, they keep the means to do so.
3. Third-party organisations
Third parties that work with your business may not have the same access to your systems or the same inside knowledge that employees do. But they also lack the loyalty, and the familiarity with your policies, that your staff have, which makes them a potential source of both accidental and malicious insider threats that every business should consider.
‘Organisations need to worry less about job titles and more about the level of access that each user has as well as the ability to monitor them’, Aruba stated in their UEBA use case.
Case in point, consider the following: Joe, an engineer, logged into the source code repository at 10pm last night and downloaded 500MB of data. Meanwhile, the new head of the legal team, Sally, has been logging into the network from West London and Dublin—at the same time. Pete, an analyst, is accessing a critical finance application that he has never used before, and Claire, one of your sysadmins, has been accessing the customer database after normal work hours every evening for the last two weeks.
Are you confident that all of these are legitimate scenarios, or are they anomalous behaviours that threaten the brand, reputation and finances of your organisation? Could your current security tools detect these types of insider threats, and how would your staff respond?
User and entity behaviour analytics would let you discern that in this insider threat example, Joe was just going above and beyond his contracted hours in order to finish a project, while Sally, who was travelling, had shared her password with her assistant in order to stay on top of her workload. Pete clicked on a link in a malicious email and had his credentials harvested, but Claire handed in her notice two weeks ago and has gone rogue, downloading the entire customer database piece-by-piece.
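The four scenarios above come down to comparing each user's current activity with a baseline of their own past behaviour. The following is an added example, not Aruba's or Introspect's code, that does exactly that over a constructed event set: ten weekdays of ordinary office-hours activity per user form the baseline, and a handful of constructed recent events reproduce Joe's late-night 500MB download, Sally's overlapping logins from West London and Dublin, Pete's first-ever use of a finance application, and Claire's nightly visits to the customer database. The user names, applications, locations and byte counts are all assumptions made for the example; the checks (off-hours access, a new application, a transfer volume far above the user's mean, two locations inside one session window, and off-hours access sustained over many days) are generic UEBA-style heuristics, not a description of any product's algorithm.

```python
"""Behavioural baselining over constructed access events (added example,
not Aruba's or Introspect's code). Each user's 'normal' is learned from a
two-week history; recent events are then scored against it."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed users: name -> the one application each used during the baseline.
USERS = {"joe": "source_repo", "sally": "email", "pete": "ticketing",
         "claire": "customer_db", "omar": "wiki"}


def constructed_baseline(start=datetime(2018, 2, 19)):
    """Ten weekdays of ordinary activity: three sessions a day spread over
    08:00-17:00, all from the London office, 5.0-5.9 MB moved per session."""
    workdays, day = [], start
    while len(workdays) < 10:
        if day.weekday() < 5:
            workdays.append(day)
        day += timedelta(days=1)
    events = []
    for w, day in enumerate(workdays):
        for k in range(3):
            slot = (3 * w + k) % 10          # cycles through hours 08..17
            for user, app in USERS.items():
                events.append(dict(user=user, ts=day.replace(hour=8 + slot),
                                   app=app, loc="London",
                                   bytes=5_000_000 + 100_000 * slot))
    return events


# Constructed recent events mirroring the four scenarios in the text.
RECENT = [
    ("joe",   "2018-03-15T22:00", "source_repo", "London",      500_000_000),
    ("sally", "2018-03-16T10:00", "email",       "West London", 5_500_000),
    ("sally", "2018-03-16T10:12", "email",       "Dublin",      5_500_000),
    ("pete",  "2018-03-16T14:00", "finance_app", "London",      5_500_000),
    ("omar",  "2018-03-16T11:00", "wiki",        "London",      5_500_000),
] + [  # claire: the customer database every weekday evening, in small pieces
    ("claire", f"2018-03-{d:02d}T20:00", "customer_db", "London", 5_800_000)
    for d in (5, 6, 7, 8, 9, 12, 13, 14, 15, 16)
]


def parse(rows):
    return [dict(user=u, ts=datetime.fromisoformat(t), app=a, loc=l, bytes=b)
            for u, t, a, l, b in rows]


def build_profiles(history):
    """Per-user profile: hours of day seen, applications seen, bytes per session."""
    prof = defaultdict(lambda: {"hours": set(), "apps": set(), "bytes": []})
    for e in history:
        p = prof[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["apps"].add(e["app"])
        p["bytes"].append(e["bytes"])
    return prof


def is_volume_outlier(e, p, z=3.0):
    """Bytes moved more than z standard deviations above the user's own mean."""
    if len(p["bytes"]) < 2:                  # no usable history: do not guess
        return False
    sd = pstdev(p["bytes"]) or 1.0
    return (e["bytes"] - mean(p["bytes"])) / sd > z


def concurrent_locations(events, session=timedelta(minutes=30)):
    """Users with two logins from different locations inside one session window."""
    by_user, flagged = defaultdict(list), set()
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["loc"] != b["loc"] and b["ts"] - a["ts"] < session:
                flagged.add(user)
    return flagged


def analyse(history, recent, min_days=5):
    """Return {user: set of anomaly labels} for recent events scored against history."""
    prof, findings, off_days = build_profiles(history), defaultdict(set), defaultdict(set)
    for e in recent:
        p, u = prof[e["user"]], e["user"]
        if e["ts"].hour not in p["hours"]:
            findings[u].add("off_hours")
            off_days[u].add(e["ts"].date())
        if e["app"] not in p["apps"]:
            findings[u].add("new_app")
        if is_volume_outlier(e, p):
            findings[u].add("volume")
    for u in concurrent_locations(recent):
        findings[u].add("concurrent_locations")
    for u, days in off_days.items():         # a sustained pattern, not a one-off
        if len(days) >= min_days:
            findings[u].add("sustained_off_hours")
    return dict(findings)


def run_example():
    return analyse(constructed_baseline(), parse(RECENT))


if __name__ == "__main__":
    for user, labels in sorted(run_example().items()):
        print(f"{user:7s} {sorted(labels)}")
```

Note what each check does and does not catch: Joe trips both the off-hours and the volume check, but so would a genuine late push before a deadline, so the finding is a prompt for a conversation, not a verdict. Claire's nightly 5.8 MB pulls sit comfortably inside her normal per-session range and never trip the volume check; it is the repetition of off-hours access across ten distinct days that surfaces her, which is why a sustained-pattern check matters alongside per-event thresholds. Omar, whose recent activity matches his baseline, is not flagged at all.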
Unlike external attacks, insider threats don’t often leave an obvious digital fingerprint, and can be hard to identify amongst legitimate user behaviour and activity.
There are two types of insider threat detection tools that can help organisations detect and protect themselves against threats from within:
Security Information and Event Management (SIEM)
For most IT teams, the data centre is full of networking and security tools and there are only a handful of engineers to manage them. SIEM tools help IT personnel cope with alert fatigue by establishing alerting rules and collecting all security data and notifications under a single pane of glass.
As a rules-based system, though, a SIEM can be manipulated or evaded by insiders who know the rules. For example, if the SIEM alerts IT after seven failed login attempts in a fifteen-minute window, an insider can make six attempts, wait sixteen minutes for the window to reset, and carry on guessing another user's password without ever tripping the rule. A low-and-slow pattern like that still shows up as an unusually high total of failures over a day or a week, which is why short-window threshold rules need to be paired with longer-horizon counts rather than relied on alone.
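To make the evasion concrete, here is an added example (not Aruba's code; all timestamps are constructed) that implements the seven-failures-in-fifteen-minutes rule as stated, generates the spaced-out attacker pattern, and shows that a sliding window with the same parameters is no better, while a longer-horizon count (twenty failures in twenty-four hours, a threshold chosen for the example) still fires. The `evasive_attempts`, `fat_fingered` and `demo` helpers and their timings are assumptions made for the illustration.

```python
"""Added example (not Aruba's code): the fixed-window failed-login rule from
the text, the low-and-slow pattern that slips under it, and a longer-horizon
sliding-window count that still catches it. All timestamps are constructed."""
from collections import deque
from datetime import datetime, timedelta


def first_alert_fixed(failures, threshold=7, window=timedelta(minutes=15)):
    """The rule as stated: alert on the N-th failure inside a window that opens
    at the first failure and resets once it has expired. Returns the alert time."""
    start, count = None, 0
    for t in sorted(failures):
        if start is None or t - start >= window:
            start, count = t, 0
        count += 1
        if count >= threshold:
            return t
    return None


def first_alert_sliding(failures, threshold, window):
    """Alert when any span of length `window` ending at a failure holds at least
    `threshold` failures. Returns the time of the first alert, or None."""
    buf = deque()
    for t in sorted(failures):
        buf.append(t)
        while t - buf[0] >= window:
            buf.popleft()
        if len(buf) >= threshold:
            return t
    return None


def evasive_attempts(start=datetime(2018, 3, 16, 1, 0), bursts=8, per_burst=6,
                     pause=timedelta(minutes=16)):
    """Constructed attacker: six guesses one minute apart, then a pause long
    enough for the fifteen-minute window to reset, repeated `bursts` times."""
    out, t = [], start
    for _ in range(bursts):
        for i in range(per_burst):
            out.append(t + timedelta(minutes=i))
        t = t + timedelta(minutes=per_burst - 1) + pause
    return out


def fat_fingered(start=datetime(2018, 3, 16, 9, 0), n=3):
    """Constructed legitimate user mistyping a password n times, one per minute."""
    return [start + timedelta(minutes=i) for i in range(n)]


def demo():
    """Run the three detections over the constructed attacker; times as ISO strings."""
    atk = evasive_attempts()
    fmt = lambda t: t.isoformat(timespec="minutes") if t else None
    return {
        "attempts": len(atk),
        "fixed_7_per_15m": fmt(first_alert_fixed(atk)),
        "sliding_7_per_15m": fmt(first_alert_sliding(atk, 7, timedelta(minutes=15))),
        "sliding_20_per_24h": fmt(first_alert_sliding(atk, 20, timedelta(hours=24))),
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(f"{rule:20s} {result}")
    print("fat-fingered user   ", first_alert_fixed(fat_fingered()))
```

Forty-eight guesses against one account go completely unreported by the fifteen-minute rule, in either its reset-on-expiry or sliding form, because no fifteen-minute span ever holds more than six failures. The twenty-per-day count fires on the twentieth guess, just over an hour in, while three mistyped passwords from a legitimate user trip none of the rules. In a real SIEM the longer-horizon count would be one correlation rule among several; the point is that a threshold an insider can read is a threshold an insider can stay under.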
User and Entity Behaviour Analytics (UEBA)
Unlike the rules-based approach of SIEM solutions, UEBA tools such as Aruba Introspect learn a baseline of normal behaviour for each user and device (working hours, locations, applications used, volumes of data moved) and flag activity that deviates from it. Because the baseline is derived from observed behaviour rather than written down as a fixed rule, it is much harder to evade scrutiny and detection, even for insiders with privileged access and knowledge of your systems. The baseline is only as good as the history behind it, though: a new joiner has little history to compare against, and an insider who increases their activity gradually can shift their own baseline, so UEBA findings still need analyst review.
While UEBA systems can offer powerful, dynamic insider threat detection, they work best in tandem with a SIEM: the SIEM supplies the consolidated event data and the alerting and case-management workflow, and the UEBA supplies the behavioural scoring that a static rule cannot.
Even if you can detect insider threats, working out how to mitigate their impact still presents a significant challenge.
There are three common ways you can work to overcome this hurdle and reduce the damage caused:
Robust IT policies can keep involuntary insider threats to a minimum. Blocking unauthorised portable storage from being connected to devices, preventing users from installing unvetted applications, and other sensible policy decisions close the most common security gaps.
However, these policies can only fulfil their potential if you combine them with extensive user education. By educating users on the importance of your security policies and how to best follow them you can further cut down on involuntary insider threats.
Security tools and solutions can further reduce the impact of insider attacks, even after they have begun. However, many products will only tell you that an attack has started; far fewer also help you act on those alerts, for example by quarantining the device or revoking the session involved.
By combining the right policies, education and security tools, your IT team can significantly reduce the risks of an insider threat compromising your systems and data.
Defining the best policies and education for your organisation is a complex affair that will depend on your current culture, processes, and ways of working.
Thankfully, finding the right security tool is a little simpler. You need a toolset that will enable broad, unified network access control and user behaviour analytics—preferably within a single pane of glass. Aruba ClearPass offers this, and much more. Using this insider threat detection tool, you can:
By combining Aruba ClearPass with data loss prevention (DLP) software, you can also detect when sensitive data is being used or moved and block the operation before your IP is stolen, leaked or cloned, quickly quarantining the devices involved.
By combining Aruba ClearPass, DLP software and well-defined IT policies, you will put your organisation in the best position to predict, detect, manage and protect against insider threats.