Evolving Insider Threats and Why Security Culture Needs to Change
Written by Deborah Watson
Deborah Watson is the Resident CISO at Proofpoint with over 20 years of security experience.
Federal agencies continue to evolve their IT infrastructure to include more cloud capacity, mobile devices and remote connections. But in the push to improve the hybrid IT environment, organizations may fall behind in their ability to mitigate security risks inside their networks, especially in understanding how employees and contractors access the data.
What agencies need is a way to see their security blind spots and see specific indicators of compromise that would help them distinguish between malicious and non-malicious insider threats.
This is why we are seeing more and more organizations adopting a people-centered approach to security that provides risk-based insights into the activity that takes place in the IT environment.
Changing the mindset around security
At Proofpoint, we are witnessing a change in the way actions classified as “insider threats” evolve. In the government sector in particular, executives tend to pay more attention to insider threats that can come from an attempted espionage or a disgruntled employee. Today, however, insider threats are increasingly coming from non-malicious sources as well.
What is commonly referred to as a “careless user” – that is, an employee who has taken an action that goes against the policy on the use of data, resulting in the accidental disclosure of the data. sensitive information – can occur more frequently because employees exfiltrate data to third parties. party apps and web services as a workaround to use tools they are familiar with that will help them do their jobs better.
PDF converters are a ubiquitous example of how free web-based services are widely used as a workaround for working in an increasingly digital world. For example, if an agency doesn’t give a department access to their own SharePoint, maybe a user will be using their own storage, like Dropbox or OneDrive. Or maybe an employee wants to create a compelling presentation and uses free online graphic design tools, such as the increasingly popular Canva platform.
Unfortunately, employees don’t think about the risks of data exfiltration when using these services, which is why ignorance – not carelessness – is more often a factor in non-malicious data exfiltration.
Make data and people-centric security decisions
A modern insider threat management solution must look at analyzing user behavior and detecting anomalies to go beyond basic triggers. Using more advanced detection capabilities such as bandwidth usage and connection attempts can indicate when a security threat needs to be investigated.
Typically, when the leaders of an organization decide to implement an insider threat detection solution, they think of specific use cases. Individually, security officials may have had the idea that some things were wrong. Taking a data-driven approach to security decisions can help executives refine security policies based on the number of breaches that occur.
For example, an organization might want to prevent its employees from using USB devices. But instead of blocking all USB devices in the company, which increases the risk for employees of finding workarounds, they use a security tool to see how often USB devices are being used.
Data can show that three-quarters of employees never use a USB device, making it easy for the security team to block these users, and then focus on the remaining employees using USB devices. One solution we’ve seen in action is to implement a contextual survey tool for USB users to ask them to state why they are using the device and to collect more relevant data on user behavior.
In conjunction with a broader security platform, insider threat management tools can help an organization correlate data and activity moving across cloud environments for contextual visibility and to establish risk-based controls.
Building a better safety culture
A misconception that organizational leaders tend to believe is that security tools alone will mitigate threat risk. This is simply not the case. To effectively tackle insider threats, like any other security issue, organizations must address governance, processes, people, and culture.
Taking a risk-based approach to security requires collecting as much data as the security team needs to understand the context of a potential threat. But taken out of context, this approach to cybersecurity could be seen as an employee monitoring tool, rather than a safety monitoring tool. It is therefore increasingly important for leaders to communicate and socialize the need for a culture of safety within the organization.
Employees should also understand that the data required for a risk-based strategy is already collected in most cases for normal IT operations. The goal is to correlate this information into a single security platform, so security managers can better distinguish between malicious and non-malicious threats.
The organization identifies the criteria to be monitored by an insider threat management tool. For example, Active Directory logs, types of applications used, or other data points around a user’s activity related to data and context. The security tool then captures only the necessary metadata until an indicator shows a red flag.
So, for example, if someone logs into a financial app that’s listed as sensitive and the employee downloads data as part of their job, there’s no reason to worry. But then if the employee renames the file to something generic and sends it to their personal email address, that will throw the red flag for further investigation. If the tool’s configuration criteria would alert whenever sensitive data was uploaded, it would simply create a lot of noise, causing alert fatigue. Instead, the criteria should specify which actions are a risk – in this example, sending data using personal email.
Agency security teams need a tool to create a more informed picture of their security risks and implement adaptive security controls based on current situational intelligence. Modern security platforms, like Proofpoint’s, give security managers the information they need to make strategic policy and security decisions that best protect their data while allowing access to that information. to those who need it most.
Learn more about how Proofpoint can help you protect federal agencies and their staff from malicious attackers.