As the saying goes, men may come and men may go, and an organization might go on forever, if it were not for the malicious insider who eventually walks out the door with years of work, research and intellectual property.
Let's face it. Your enterprise data is at the mercy of the insiders you have conferred with your trust and, of course, with the most powerful data access rights: your privileged users, and the partners and contractors with internal access. At some point you will likely be held responsible for activities you had no idea were happening behind closed doors.
The chances of an employee slipping up, or giving in to temptation, are not small. Phishing attacks keep evolving, and unsuspecting employees continue to be outfoxed by them.
There have been multiple instances of frustrated employees misusing their privileges to willfully pass on or destroy sensitive information. Experts have claimed that over 800 black marketplaces trade in stolen data; Darkode, taken down by law enforcement in 2015, was one of them.
Organizations need to harden their defenses against this vicious cycle of malware creation, computer infection, botnet management, harvesting of personal data and the eventual 'sale' of that data.
The makings of a practicable insider threat detection system
The real challenge facing us today is finding a solution that gives complete threat visibility in a non-intrusive and uncomplicated way. Here are some effective behind-the-scenes measures that can discreetly shine a light on suspicious entities and blind spots in your enterprise:
Strengthening security basics
In an enterprise of unaware employees, poor information classification and weak policy enforcement aggravate the 'unintentional insider threat' that leads to accidental data loss and infection. Mismanaged user privilege policies and departmental 'silos' are the best hotbeds for internal threat actors.
Mitigating this risk calls for an all-hands-on-deck approach. Enforce strong authentication policies and set up audit trails. Most importantly, make sure your employees know, "this is how we do it here".
Detect abnormal behavior by keeping real-time track of suspicious activities and their trails. Behavior monitoring should include NetFlow analysis and packet capture, so that an alert from the intrusion detection component can be dug into and confirmed against the traffic that produced it.
Analyzing raw logs of user logins, server connections (to detect remote access) and web content filtering systems increases the accuracy of event analysis.
Detecting Privilege Escalation
The motive behind this attack vector is simple: steal or damage data that is out of bounds by acquiring the rights of someone who is authorized to access it. A threat detection system that shows when and where a privilege escalation occurred also provides timely insight for assigning roles and entitlements more carefully.
Among other benefits, a SIEM can help you build a baseline of normal behavior against which to assess conformity with your organization's data access policy. Threat actors who prefer to keep a low profile, removing sensitive data slowly and stealthily, often go undetected by conventional security controls. In such cases, analysis of event logs can pick out malicious activity that at first seemed harmless or disparate, and correlate those events with each other and with known threat signatures.
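As an added example (not code from the original article), the following Python script does what the two preceding sections describe: it learns a per-user baseline from raw login and file-access logs, then flags logins from unseen sources or at unusual hours, membership added to a privileged group (noting when it is self-granted), and daily read volumes far above the user's baseline, and it correlates a privilege grant followed shortly by a bulk read into a single higher-severity alert. The log format, field names, the privileged group names and the sample log lines are all constructed for this example.

```python
"""Added example (not from the original article): correlate raw login,
privilege-change and file-access events against a per-user baseline to
surface privilege escalation and out-of-pattern data removal.
Log format, field names and the sample lines are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines: three normal days for alice (one for bob),
# then on 2024-03-04 alice logs in at night from a new address, adds herself
# to an admin group and reads far more than usual. bob stays normal.
SAMPLE_LOGS = """\
2024-03-01T08:02:11 auth user=alice action=login src=10.0.1.15 result=success
2024-03-01T08:10:40 file user=alice action=read path=/share/reports/q1.xlsx bytes=120000
2024-03-01T09:00:05 auth user=bob action=login src=10.0.1.22 result=success
2024-03-01T09:30:00 file user=bob action=read path=/share/eng/design.pdf bytes=50000
2024-03-02T08:05:02 auth user=alice action=login src=10.0.1.15 result=success
2024-03-02T09:10:40 file user=alice action=read path=/share/reports/q2.xlsx bytes=110000
2024-03-03T08:01:02 auth user=alice action=login src=10.0.1.15 result=success
2024-03-03T08:14:00 file user=alice action=read path=/share/reports/q3.xlsx bytes=130000
2024-03-04T02:41:55 auth user=alice action=login src=198.51.100.7 result=success
2024-03-04T02:43:10 priv user=alice action=group_add group=domain-admins actor=alice
2024-03-04T02:45:30 file user=alice action=read path=/share/hr/salaries.csv bytes=900000
2024-03-04T02:50:00 file user=alice action=read path=/share/legal/contracts.zip bytes=4000000
2024-03-04T09:02:30 auth user=bob action=login src=10.0.1.22 result=success
2024-03-04T09:20:00 file user=bob action=read path=/share/eng/notes.txt bytes=60000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>\S+) (?P<kv>.*)$")
ADMIN_GROUPS = {"wheel", "domain-admins"}   # assumption: groups treated as privileged


def parse(text):
    """Parse 'timestamp facility key=value ...' lines into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # malformed line: skip it, do not abort the batch
        ev = {"ts": datetime.fromisoformat(m["ts"]), "facility": m["facility"]}
        ev.update(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until):
    """Learn each user's normal login sources, login hours and mean daily bytes
    read from events strictly before `until` (the training window)."""
    base = defaultdict(lambda: {"ips": set(), "hours": set(), "daily": defaultdict(int)})
    for ev in events:
        if ev["ts"] >= until:
            continue
        b = base[ev["user"]]
        if ev.get("action") == "login":
            b["ips"].add(ev["src"])
            b["hours"].add(ev["ts"].hour)
        elif ev.get("action") == "read":
            b["daily"][ev["ts"].date()] += int(ev["bytes"])
    for b in base.values():
        days = b["daily"]
        b["mean_bytes"] = sum(days.values()) / len(days) if days else 0.0
    return dict(base)


def detect(events, baseline, since, volume_factor=3.0, window=timedelta(hours=1)):
    """Return (timestamp, user, message) alerts for events at or after `since`."""
    alerts, daily, flagged, priv_times = [], defaultdict(int), set(), defaultdict(list)
    for ev in events:
        if ev["ts"] < since:
            continue
        user, act = ev["user"], ev.get("action")
        b = baseline.get(user)          # None for a user with no history yet
        if act == "login" and b:
            if ev["src"] not in b["ips"]:
                alerts.append((ev["ts"], user, f"login from unseen source {ev['src']}"))
            if ev["ts"].hour not in b["hours"]:
                alerts.append((ev["ts"], user, f"login at unusual hour {ev['ts'].hour:02d}"))
        elif act == "group_add" and ev.get("group") in ADMIN_GROUPS:
            priv_times[user].append(ev["ts"])
            who = "self-granted" if ev.get("actor") == user else f"granted by {ev.get('actor')}"
            alerts.append((ev["ts"], user, f"added to privileged group {ev['group']} ({who})"))
        elif act == "read" and b and b["mean_bytes"]:
            key = (user, ev["ts"].date())
            daily[key] += int(ev["bytes"])
            if daily[key] > volume_factor * b["mean_bytes"] and key not in flagged:
                flagged.add(key)        # one volume alert per user per day
                msg = f"daily read volume {daily[key]} exceeds {volume_factor:g}x baseline"
                # Correlation: a privilege grant shortly before the spike is a
                # much stronger signal than either event on its own.
                if any(timedelta(0) <= ev["ts"] - t <= window for t in priv_times[user]):
                    msg = "ESCALATION FOLLOWED BY BULK READ: " + msg
                alerts.append((ev["ts"], user, msg))
    return alerts


def run(log_text, cutoff="2024-03-04T00:00:00"):
    """Baseline on everything before `cutoff`, then detect from `cutoff` on."""
    events = parse(log_text)
    cutoff_ts = datetime.fromisoformat(cutoff)
    return detect(events, build_baseline(events, cutoff_ts), cutoff_ts)


if __name__ == "__main__":
    for ts, user, msg in run(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {msg}")
```

Run as-is, it prints four alerts for alice (unseen source, unusual hour, self-granted admin group, and the correlated escalation-then-bulk-read) and none for bob. The daily-volume threshold catches the bulk read; for the sedate actor described above, the same per-user baseline can be compared over a weekly or monthly window instead. The correlation step is the part a SIEM adds over isolated alerts: each of alice's events has an innocent explanation on its own, and only their sequence and timing make the chain obvious.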
Incorporating these practices can help you progress from reactive responses to adaptive resolution of threats.