Think headlines about data theft and leakage have nothing to do with you? Think again. Many of these incidents have a common theme: Privileged access. It's your job to make sure your organization doesn't fall victim to the same fate by at the very least examining your existing insider threat program, and perhaps doing a major revamp.
Edward Snowden's theft and release of National Security Agency data, Army Private First Class Bradley Manning's disclosure of sensitive military documents to information distributor WikiLeaks and the shooting at the Washington Navy Yard by a credentialed IT subcontractor have given IT executives across industries pause to reconsider their security policies and procedures.
Tips for insider-threat mitigation
- Build a multidisciplinary team consisting of IT, HR, legal and key lines of business
- Target people and areas with privileged access
- Look at data flows -- within the company and anything going out
- Understand the information needs of customers, employees and suppliers
- Balance the needs of employees with the company's security requirements
- Create guidelines, and communicate them in employee handbooks and elsewhere
- Use technology to enforce your guidelines
- Create whistleblowing programs to keep anonymity intact -- of both the accuser and the accused
-- Sandra Gittlen
"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer and director of Global Security Services at The MITRE Corporation, a government contractor that operates federally funded research and development centers.
The Washington Navy Yard incident cost 12 people their lives; the full impact of the WikiLeaks and Snowden data releases cannot yet be quantified.
"These incidents have added another dimension to the threat paradigm -- privileged access," Mahlik says.
Mahlik suggests that existing insider threat programs must increasingly be focused on users with elevated or privileged access to critical information. To that point, he is leading an overhaul of MITRE's own program. His goal is to understand the threats insiders pose and to deter those threats via a program that synchronizes people, policies, processes and technology. "We are in the nascent stage of this effort," he says.
Realizing the new threat
For a new or rehabbed insider threat program to be successful, the CIO, CISO or CSO first has to gain boardroom buy-in and illuminate the value such a program would have to a company in detecting and preventing harm to people, property and company reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the overall company risk appetite, is essential.
For example, if a company manufactures a unique product, then intellectual property would be a key focus area for the insider threat program. But if a company provides medical services, then protecting patient records would be the emphasis.
"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer The MITRE Corporation.
Don't try to create an insider threat program during an attack or suspected attack. "That is the worst time to build any program with efficacy," Mahlik says. "You can't build relationships in a time of crisis."
Instead, companies should tackle planning, design and baselining as a necessary and continuous business process. "Institutionalizing a playbook and conducting [drills] before the crisis is the ideal," Mahlik explains.
In most cases, the first place to look for gaps in security is the flow of data in and out of the company. "People can move lots of data around very quickly today," says Dan Velez, senior program manager for Raytheon Cyber Products' SureView insider threat detection and prevention product line. "While that's good for business, it's bad for risk," he notes.
Traditionally, organizations have been good about protecting the perimeter but not what's inside it. "It's time to pull the covers back and examine more closely what's happening on our networks," he says.
Focus on data flow, Velez advises, because newer technologies such as cloud computing and mobile computing are being introduced to the organization on a daily basis, potentially altering the pool of privileged users. In addition, some companies continue to outsource pieces of the business, giving access rights to humans and machines beyond the company's immediate control.
Defining the threat
"When we talk about the 'insider threat,' we are talking about someone or something with authorized access [who] could use that access to do harm," Velez says. Mahlik agrees, adding insiders could be employees, business leaders or supervisors, contractors, subcontractors or supply chain partners.
Before you can renovate your insider threat program, you have to form a multi-function team that understands the information needs of employees, contractors and service providers. The insider threat program needs to balance the protection of the company with the rights and needs of employees.
A multidisciplinary approach is essential. "The goal is preventing or intervening before the crisis, and this requires a programmatic approach, one that is not exclusive to the security department," Mahlik says.
Already, Mahlik's team is partnering with human resources, legal and business groups along with IT for MITRE's insider threat program. Team members consider the life cycle of an employee, from job candidate to exit, and brainstorm areas of risk to detect and mitigate threats.
IT has to make every effort not to institute policies or procedures that impede productivity and innovation. "The last thing you want to do is deploy a system that degrades overall performance," Mahlik says.
With an insider threat prevention and mitigation team in place, you are able to quickly recognize appropriate and inappropriate behavior for employees, contractors and service providers with privileged access.
Doing so helps establish baselines that can fuel anomaly alerts, according to John Pescatore, director of emerging security trends at The Sans Institute, a security training firm.
"Setting guidelines can help vet third parties such as contractors, temporary workers and service providers, as well" as employees, says John Pescatore, director of emerging security trends at The Sans Institute.
One way to start this process is to narrow down what positions are considered sensitive because of their access and what behavior would be a red flag or intolerable.
Applying these standards to job candidates could help an organization avoid serious issues, Pescatore says. If, say, an applicant for a sensitive position belongs to hacker forums, then HR and the hiring manager immediately can determine he is not a fit. "Setting guidelines can help vet third parties such as contractors, temporary workers and service providers as well," Pescatore says.
After the employee is hired, access rules should be enforced. A customer service representative trying to download a database should cause an alert because that is outside her access rights. Similarly, a database administrator looking through one record at a time should evoke concern. Storage administrators doing backups outside of assigned windows also should be considered an anomaly.
Pescatore calls this basic security hygiene and a key element of an insider threat program.
Where technology comes into play
Once you establish guardrails for user activities, then you can start to use technology to ensure users steer clear of them.
Some companies shy away from implementing an insider threat program because they worry the cost of technology to back it up would be prohibitive or that it would be too cumbersome for employees.
But experts say insider threat programs can be implemented in most part by removing privileged access where it is not needed or too risky, and by using the tools already embedded in the network.
Robert Bigman, CEO of consultancy 2BSecure and a former CISO at the Central Intelligence Agency, points to aged applications that require privileged permissions as a good place to start shoring up your network, as they are prime targets for overseas hackers.
U.S. soldier Bradley Manning ultimately received a sentence of 35 years in prison for leaking classified documents to Wikileaks. REUTERS/Kevin Lamarque
Some legacy programs written in early versions of C, such as those used in the oil and gas industry to do calculations for market pricing, require users to be logged into Windows environments with administrative privileges. "If they need to run those applications on the internal network, then don't allow them to connect to the Internet," Bigman says.
IT also can isolate these vulnerable applications by putting them in a virtual environment with a sandbox, in effect isolating them but still providing access to the Internet while protecting them from exploits.
Bigman adds that contractors, such as Target's HVAC company, should never be allowed to operate on the same logical network layer as sensitive customer data. "IT should be checking the Service Level Agreement to make sure it accounts for connectivity separate from corporate data," he says.
Something as simple as workstation audit logs can turn up critical information about an insider threat. "Audit logs show when processes start and stop, or when files are moved or changed and, therefore, can reveal a user that is manipulating security controls on a workstation," says Raytheon's Velez.
Also, the typical network data flow monitors can show anomalies in traffic type or volume. If a user suddenly starts transferring piles of documents, data flow monitors would pick it up.
However, Velez warns that traditional tools only go so far and that organizations need a process in place to respond to alerts. "While you can get indications and warnings that data transfer volumes have gone up, you also need the ability to peer inside and check that those activities are appropriate and authorized," he says.
Where the human meets the machine
Few people join a company with the intention of becoming an insider threat, says MITRE's Mahlik. "The majority of those who become insider threats have had some sort of life-altering incident or a developing circumstance that would push them to the brink."
It's imperative, he says, to have an employee population that is sensitive to normal behaviors and that's encouraged to speak up when they see anomalies.
The federal security community has been very focused on helping businesses mitigate their insider threats and has put together several guidelines:
- An analysis of the types of insider threats collected by CERT, most of which fall into three categories: sabotage (24%), fraud (44%) and theft of intellectual property (16%)
- A list of insider-threat resources compiled by CERT
- A primer by the FBI; a downloadable (PDF) version is available
- A list of insider threat resources curated by Gideon T. Rasmussen, a security consultant
-- Sandra Gittlen
However, companies also have to ward off false positives by applying analytics to observed behavior. Executives must view the program as part of the company's risk management framework and employees must see the program as part of the company's responsibility to ensure a safe and secure work environment.
He adds: "There are effective IT tools available in the market that are passive, not intrusive, and that don't degrade productivity or network performance."
Larry Knutsen, president of the Laconia Group consultancy and a retired senior intelligence officer, likens the steps in a proactive insider threat detection program escalation process to rumble strips that alert drivers when they are straying from the road.
For instance, if someone starts to visit a hacker site on his work computer -- and is ultimately blocked from doing so -- but the insider threat detection program receives an alert from its endpoint monitoring system, is this grounds for immediate dismissal? Most likely not, says Knutsen. Instead, a representative of the insider threat team could approach the individual and explain why the behavior is unacceptable. The team could then keep an eye out for continued anomalous behavior. (Knutsen says the views he expresses are his own.)
Knutsen also believes that most employees are not out to do harm and can be deterred with education, training and well-thought-out policies. "The rumble strips/secret sauce should not be disclosed, as the goal of insider threat detection programs should be to save valued employees and quickly remove nefarious ones," Knutsen says. "This is paramount as companies expend valuable resources identifying candidates, then hire them, integrate them into the workforce, train them and promote them," he says.
"A well-defined process is critical to protect the privacy and reputation of individuals involved and intellectual property." says Larry Knutsen, president of the Laconia Group consultancy.
Also, you must have a separate process for identifying and reporting questionable behavior that is outlined along with other policies in a user handbook -- thus ensuring disclosure and consent. For instance, if an employee observes another employee doing something wrong, then he or she should be able to contact the insider threat management team via phone, email or online form or in person. And then that complaint should be worked through a well-defined process to exonerate the employee, escalate monitoring or invoke termination while protecting the privacy of both the accuser and the accused. You also want to hide the existence of the incident.
Having a proactive insider threat detection program and safe reporting structure can mitigate situations such as a hostile employee, significant data loss or even liability from false accusations.
All complaint resolution processes that require monitoring, logging or other technological activities should be carried out on a segregated network, Knutsen advises. Investigators should be audited on this segregated network to ensure they abide by corporate guidelines.
"False positives can cripple an insider threat detection program when companies don't do enough planning regarding the rumble strips and the procedures for follow-up," Knutsen says. "A well-defined process is critical to protect the privacy and reputation of individuals involved and intellectual property."
If you protect everything, you protect nothing
As Mahlik digs deeper into revamping MITRE's insider threat program, he is well aware that it is impossible to protect everything. He is prioritizing threats by helping the internal threat team pinpoint areas where problems would most likely brew.
He's optimistic that with proper planning and closely coordinated policy, human and technological systems, MITRE will have its insider threat framework in place by year-end. "The magnitude of the issue is clear, and the employee population is sensitive to the need for these programs," he says.
Along these lines, Mahlik says, it's key to understand who and what cyber thieves might be targeting within the company, "which almost always includes those in the company who have privileged access to information of value." As he says, "we all understand a threat to one is a threat to all."
Sandra Gittlen is a freelance technology writer in the Boston area. Contact her at firstname.lastname@example.org.
Read more about security in Computerworld's Security Topic Center.