Malicious Insider Threat Detection – a Persistent Problem in Data Security

You’ve most likely heard of a contractor turned whistleblower at one of our government agencies. Regardless of whether you hail him as a hero or a villain, his case highlights a persistent problem in enterprise data security – the difficulty of insider threat detection.

Insider threats come in several flavors: user error, well-intentioned employees who violate policy to “get the job done,” and malicious insiders who purposefully set out to do damage.

For the purpose of this blog, we will focus on addressing malicious insiders.

Malicious Insiders – a Threat in Your Organization

A malicious insider is probably one of the highest risks a modern organization can face. These are users who have been authorized and granted access to sensitive information and who plan to use that access in a malevolent manner. Proactive threat detection and protection are the key to preventing malicious insiders from abusing their privileges.

Analyzing Computer Security Threats

Enter CINDER. Wikipedia defines CINDER as

“…a philosophy of analyzing computer security threats that assumes the threats are from ‘insiders’ who already have access to a system, rather than attackers outside the system.”

Governments around the world are scrambling to develop programs that can be used to identify these malicious insiders and their behavior before they can cause the type of damage we’ve previously seen in the news.


Identifying Malicious Users

There are a number of programs built to scan instant messages, texts and e-mails. The collected data is then compiled and searched for anomalies. With advances in Big Data, where petabytes of data can be stored and processed, these programs can be valuable for identifying potentially malicious activity.

Monitoring user behavior isn’t strictly a government function for identifying potential leakers, terrorists and criminals; accountants and financial auditors have been using behavioral analysis techniques to combat financial fraud and theft as well. Accounting departments use a technique called dual control that prohibits the accounts receivable and accounts payable functions from residing with the same person.

In higher-security environments, sensitive positions can require mandatory vacation time, so that someone else temporarily fills the sensitive role. The reasoning behind both examples is that it is harder to get two people to collude to commit theft or fraud than it is for a single person to act alone.

The same idea applies to an administrator/root account whose password is split between two people, each holding only a portion of it.

Enhanced Security with Data Classification

The key to knowing when to apply enhanced levels of security controls is data classification. If you don’t know what data you have, where it resides, who has access to it and what can be done with it, it’s difficult to identify appropriate security controls.

Data classification falls within the authority of the system owner. System ownership is also an important aspect of assuring appropriate privilege management.

System owners are responsible for having a deep, clear understanding of the business and security requirements, and for ensuring that only individuals who require access to the system are granted access to it and its data.

Takeaways for Insider Threat Detection

The key takeaway for insider threats is: classify your data and apply appropriate access controls, monitor the activity associated with that data, and secure that data with intrusion detection systems, in both the public and private sectors.
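The takeaway above, and the earlier passage on compiling activity data and searching it for anomalies, can be tied together in a small monitoring routine. The following added example (not from the post) runs over constructed access-log lines that already carry a classification label per resource and raises two kinds of alert: a clearance violation (a user reading data classified above their clearance, which is the access-control half) and a volume anomaly (a user pulling far more sensitive records in one day than their own history suggests, which is the monitoring half). The log format, the clearance table, the classification levels and the z-score threshold are all assumptions chosen for the example.

```python
"""Insider-threat monitoring over classified-data access logs (added example).

Log format assumed here: "YYYY-MM-DD user resource CLASSIFICATION".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Classification ordering; higher number means more sensitive.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Hypothetical clearance table: the most sensitive level each user may read.
CLEARANCE = {"alice": "CONFIDENTIAL", "bob": "INTERNAL", "carol": "SECRET"}

# Constructed sample log: alice has a quiet baseline and then a bulk pull on
# 2023-05-04; bob reads a CONFIDENTIAL file with only INTERNAL clearance.
SAMPLE_LOG = """\
2023-05-01 alice /finance/q1.xlsx CONFIDENTIAL
2023-05-01 alice /hr/handbook.pdf INTERNAL
2023-05-01 bob /hr/handbook.pdf INTERNAL
2023-05-01 carol /exec/plan.docx SECRET
2023-05-02 alice /finance/q2.xlsx CONFIDENTIAL
2023-05-02 alice /finance/q3.xlsx CONFIDENTIAL
2023-05-02 bob /finance/q3.xlsx CONFIDENTIAL
2023-05-03 alice /finance/q4.xlsx CONFIDENTIAL
2023-05-03 alice /wiki/lunch.md PUBLIC
2023-05-04 alice /finance/ledger_01.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_02.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_03.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_04.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_05.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_06.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_07.xlsx CONFIDENTIAL
2023-05-04 alice /finance/ledger_08.xlsx CONFIDENTIAL
"""


def parse_log(text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource, cls = line.split()
        events.append({"day": day, "user": user, "resource": resource, "cls": cls})
    return events


def clearance_violations(events, clearance=CLEARANCE):
    """Accesses where the resource is classified above the user's clearance."""
    out = []
    for e in events:
        allowed = LEVELS[clearance.get(e["user"], "PUBLIC")]  # unknown users: PUBLIC only
        if LEVELS[e["cls"]] > allowed:
            out.append((e["user"], e["day"], e["resource"], e["cls"]))
    return out


def daily_sensitive_counts(events, min_level="CONFIDENTIAL"):
    """user -> day -> number of accesses at or above min_level.

    A day on which the user was active but touched nothing sensitive is
    recorded as 0 so that it contributes to the baseline.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["day"]] += 0
        if LEVELS[e["cls"]] >= LEVELS[min_level]:
            counts[e["user"]][e["day"]] += 1
    return counts


def volume_anomalies(events, min_history=3, z=3.0):
    """Flag days whose sensitive-access count exceeds the user's own baseline.

    Baseline is leave-one-out: every other active day of the same user.
    The spread is floored at 1.0 so a perfectly flat history does not make
    a one-record increase look anomalous.
    """
    flagged = []
    for user, per_day in daily_sensitive_counts(events).items():
        days = sorted(per_day)
        if len(days) <= min_history:  # not enough history to judge
            continue
        for day in days:
            others = [per_day[d] for d in days if d != day]
            baseline = mean(others)
            spread = max(pstdev(others), 1.0)
            if per_day[day] > baseline + z * spread:
                flagged.append((user, day, per_day[day], round(baseline, 2)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for v in clearance_violations(evs):
        print("CLEARANCE VIOLATION", v)
    for a in volume_anomalies(evs):
        print("VOLUME ANOMALY (user, day, count, baseline)", a)
```

The clearance check only works because the log lines carry a classification label, which is the point of the classification step: without that label the same access to `/finance/q3.xlsx` is just another file read. The volume check is per-user rather than global so that a finance analyst's normal workload does not mask, or get masked by, everyone else's.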