Story image

Verizon report spotlights mitigating insider threats

06 Mar 2019

The Verizon Data Breach Investigations Report (DBIR) series has been refocused on the role of the insider - forming the Verizon Insider Threat Report.

Twenty percent of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organisation, with financial gain (47.8%) and pure fun (23.4%) being the top motivators.

These attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

However, many organisations often treat insider threats as a taboo subject.

Companies are too often hesitant to recognise, report or take action against employees who have become a threat to their organisation.

It’s as though the insider threat is a black mark on their management processes, and their name.

The Verizon Insider Threat Report now aims to change this perception by offering organisations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.

Verizon security professional services executive director Bryan Sartin says, “For far too long data breaches and cybersecurity incidents caused by insiders have been pushed aside and not taken seriously. Often they are treated as an embarrassment or just an issue for Human Resource departments.”

“This has to change. Cyber threats do not just originate from external sources, and to fight cybercrime in its entirety we also need to focus on the threats that lie within an organisation’s walls.”

Defining the characteristics of the threat from within

Particular attention has been paid to the types of Insider Threats that organisations can face.

Profiled within specific case scenarios from Verizon’s own investigative caseload - from incident detection (and validation) to response and investigation, and then to lessons-learned (countermeasures) – five insider personalities have been identified:

  1. The Careless Worker – These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of Shadow IT (i.e., outside of IT knowledge and management).

  2. The Inside Agent – Insiders recruited, solicited or bribed by external parties to exfiltrate data.

  3. The Disgruntled Employee – Insiders who seek to harm their organisation via the destruction of data or disruption of business activity.

  4. The Malicious Insider – These are employees or partners with access to corporate assets who use existing privileges to access information for personal gain.

  5. The Feckless Third-Party – Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

Eleven building blocks for an effective Insider Threat Program

The report provides practical advice and countermeasures to help organisations deploy a comprehensive Insider Threat Program, which should involve close coordination across all departments from IT Security, legal, HR, to incident response and digital forensics investigators.

Two factors hold the key to this success – knowing what your assets are and ultimately who has access to them.

“Detecting and mitigating insider threats requires a different approach compared to hunting for external threats,” says Sartin.

“Our aim is to provide a framework that enables companies to be more proactive in this process and to slice through the fear, uncertainty and embarrassment that surrounds this form of insider cybercrime.

“Verizon sits between the sources and victims of cybercrime on a daily basis, and by sharing real scenarios from our caseload we hope that organisations can learn and adopt the countermeasures we recommend to implement their own programs.”

These 11 countermeasures can help reduce risks and enhance incident response efforts:

  1. Integrate security strategies and policies – By integrating the other 10 countermeasures (listed below), or better yet a comprehensive Insider Threat Program with other existing strategies such as a Risk Management Framework, Human Resources Management and Intellectual Property Management can help strengthen efficiency, cohesion and timeliness in addressing insider threats.

  2. Conduct threat hunting activities – Refine threat hunting capabilities such as threat intelligence, dark web monitoring, behavioural analysis and Endpoint Detection and Response (EDR) solutions to search, monitor, detect and investigate suspicious user and user account activities, both inside and outside the enterprise.

  3. Perform vulnerability scanning and penetration testing – Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to manoeuvre within the enterprise environment.

  4. Implement personnel security measures – The implementation of Human Resource Controls (such as employee exit processes), Security Access Principles and Security Awareness Training can mitigate the number of cybersecurity incidents associated with unauthorised access to enterprise systems.

  5. Employ physical security measures – Employ physical methods for access such as identity badges, security doors and guards to limit physical access as well as digital access methods including card swipes, motion detectors and cameras in order to monitor, alert and record access patterns and activities.

  6. Implement network security solutions – Implement network perimeter and segment security solutions, such as firewalls, intrusions detection/prevention systems, gateway devices and Data Loss Prevention (DLP) solutions in order to detect, collect and analyse suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity as well as the use of remote connections.

  7. Employ endpoint security solutions – Employ established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and File Integrity Monitoring (FIM) tools in order to deter, monitor, track, collect and analyse user-related activity.

  8. Apply data security measures – Apply data ownership, classification and protection, as well as data disposal measures in order to manage the data lifecycle and maintain confidentiality, integrity and availability with insider threats in mind.

  9. Employ identity and access management measures – Employ identity, access and authentication management measures to manage limit and protect access into the enterprise environment. This can be taken to the next level by employing a Privileged Access Management (PAM) solution for privileged access.

  10. Establish incident management capabilities – Establishing an incident management process to include an Insider Threat Playbook with trained and capable incident handlers, will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.

  11. Retain digital forensics services – have an investigative response retained resource available which is capable of conducting a full-spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint and network traffic, in often delicate and human-related (or user account-related) cybersecurity incidents.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nozomi and RIoT to deliver advanced ICS security solutions to Australia
''As a specialised integrator of robust and resilient ICT and IoT solutions within Australia, we are delighted to be partnering with Nozomi Networks."
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.