Story image

Verizon report spotlights mitigating insider threats

06 Mar 2019

The Verizon Data Breach Investigations Report (DBIR) series has been refocused on the role of the insider - forming the Verizon Insider Threat Report.

Twenty percent of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organisation, with financial gain (47.8%) and pure fun (23.4%) being the top motivators.

These attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

However, many organisations often treat insider threats as a taboo subject.

Companies are too often hesitant to recognise, report or take action against employees who have become a threat to their organisation.

It’s as though the insider threat is a black mark on their management processes, and their name.

The Verizon Insider Threat Report now aims to change this perception by offering organisations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive Insider Threat Program.

Verizon security professional services executive director Bryan Sartin says, “For far too long data breaches and cybersecurity incidents caused by insiders have been pushed aside and not taken seriously. Often they are treated as an embarrassment or just an issue for Human Resource departments.”

“This has to change. Cyber threats do not just originate from external sources, and to fight cybercrime in its entirety we also need to focus on the threats that lie within an organisation’s walls.”

Defining the characteristics of the threat from within

Particular attention has been paid to the types of Insider Threats that organisations can face.

Profiled within specific case scenarios from Verizon’s own investigative caseload - from incident detection (and validation) to response and investigation, and then to lessons-learned (countermeasures) – five insider personalities have been identified:

  1. The Careless Worker – These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of Shadow IT (i.e., outside of IT knowledge and management).

  2. The Inside Agent – Insiders recruited, solicited or bribed by external parties to exfiltrate data.

  3. The Disgruntled Employee – Insiders who seek to harm their organisation via the destruction of data or disruption of business activity.

  4. The Malicious Insider – These are employees or partners with access to corporate assets who use existing privileges to access information for personal gain.

  5. The Feckless Third-Party – Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

Eleven building blocks for an effective Insider Threat Program

The report provides practical advice and countermeasures to help organisations deploy a comprehensive Insider Threat Program, which should involve close coordination across all departments from IT Security, legal, HR, to incident response and digital forensics investigators.

Two factors hold the key to this success – knowing what your assets are and ultimately who has access to them.

“Detecting and mitigating insider threats requires a different approach compared to hunting for external threats,” says Sartin.

“Our aim is to provide a framework that enables companies to be more proactive in this process and to slice through the fear, uncertainty and embarrassment that surrounds this form of insider cybercrime.

“Verizon sits between the sources and victims of cybercrime on a daily basis, and by sharing real scenarios from our caseload we hope that organisations can learn and adopt the countermeasures we recommend to implement their own programs.”

These 11 countermeasures can help reduce risks and enhance incident response efforts:

  1. Integrate security strategies and policies – By integrating the other 10 countermeasures (listed below), or better yet a comprehensive Insider Threat Program with other existing strategies such as a Risk Management Framework, Human Resources Management and Intellectual Property Management can help strengthen efficiency, cohesion and timeliness in addressing insider threats.

  2. Conduct threat hunting activities – Refine threat hunting capabilities such as threat intelligence, dark web monitoring, behavioural analysis and Endpoint Detection and Response (EDR) solutions to search, monitor, detect and investigate suspicious user and user account activities, both inside and outside the enterprise.

  3. Perform vulnerability scanning and penetration testing – Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to manoeuvre within the enterprise environment.

  4. Implement personnel security measures – The implementation of Human Resource Controls (such as employee exit processes), Security Access Principles and Security Awareness Training can mitigate the number of cybersecurity incidents associated with unauthorised access to enterprise systems.

  5. Employ physical security measures – Employ physical methods for access such as identity badges, security doors and guards to limit physical access as well as digital access methods including card swipes, motion detectors and cameras in order to monitor, alert and record access patterns and activities.

  6. Implement network security solutions – Implement network perimeter and segment security solutions, such as firewalls, intrusions detection/prevention systems, gateway devices and Data Loss Prevention (DLP) solutions in order to detect, collect and analyse suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity as well as the use of remote connections.

  7. Employ endpoint security solutions – Employ established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and File Integrity Monitoring (FIM) tools in order to deter, monitor, track, collect and analyse user-related activity.

  8. Apply data security measures – Apply data ownership, classification and protection, as well as data disposal measures in order to manage the data lifecycle and maintain confidentiality, integrity and availability with insider threats in mind.

  9. Employ identity and access management measures – Employ identity, access and authentication management measures to manage limit and protect access into the enterprise environment. This can be taken to the next level by employing a Privileged Access Management (PAM) solution for privileged access.

  10. Establish incident management capabilities – Establishing an incident management process to include an Insider Threat Playbook with trained and capable incident handlers, will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.

  11. Retain digital forensics services – have an investigative response retained resource available which is capable of conducting a full-spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint and network traffic, in often delicate and human-related (or user account-related) cybersecurity incidents.

Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.
Bitglass appoints new cloud, business development leaders
The cloud security company has appointed vice presidents for worldwide channels and worldwide business development.
Exploring the different needs for cloud services across Europe
Although digital transformation is happening across Europe, each country continues to have its own IT needs and the different cloud markets highlight this.