In our experience threat actors can be placed into 4 categories; hactivist, organized crime, nation state, and insiders. Cybersecurity experts are being challenged daily to mitigate the risk associated with these threat actor categories, and the arms race becomes more daunting everyday. Insiders pose an elevated risk because there are so many variables that are difficult to model against, and in many cases there is a built in trust of the insider. Zero Trust models are now creating a slant industry wide to trust nothing and verify everything, and this is done for good reason because the attack surface continues to expand. The end game that cybersecurity experts are playing for is to protect data, infrastructure assets, IP, and reputation. Doing this is no simple task and the journey is continuous, especially when it comes to insiders.
How do we reduce insider risk? Segmentation, role based access, EDR, AD hygiene, firewalling, IAM, PAM, and DLP are a few of the strategic cybersecurity principles that come to mind….All of these are important and required in any strategy for mitigating risk! Visibility is an area that we think is incredibly important and the earlier that the detection of an incident can accelerate to action, the less damage that can be done by an insider! How do you gain this visibility?
First, let’s discuss some of the variables that amplify the insider risk. Mergers, re-organizations, product launches, leadership changes, contractors, security policy gaps, privileged access gaps, infrastructure changes, security awareness or training gaps, shadow it and more. The reason we highlight this is to show the expansive risk profile that can be impacting any organization at any given time. Ring fencing this risk is daunting, but unfortunately insider threats don’t sleep.
Some of the critical areas of visibility that we are focusing on to identify insider threats quickly is by identifying critical data moving to thumb drives, zip files sent to personal email accounts, exfiltration of critical reports, MIME type changes, files being uploaded via a browser, air dropping, moving files to a personal cloud, and open/public file shares. Of course the blue ocean of risk is more comprehensive than this, but if you want visibility that accelerates your time to detection these insider acts must be considered.
The visibility referenced above can be accomplished with efficiency. It can be done without a comprehensive data classification project. It can be done with limited operational intensity. It can be done with sound integration into the investments that you have made in your security stack. It can be done to drive cybersecurity results and mitigate the risk of insider threats.