Security breaches are a real concern for any organization. Though any malicious breach can cause harm, the impact of an insider attack can be far greater than that of an external one. Insider attacks are more dangerous because they are committed by people who know the organization well: privileged users who are aware of the organization's sensitive secrets and have access to them. In the past, we have also heard of insider frauds at some leading banks, which have alerted organizations to the risk from within. Corporate security can thus be undermined from inside the organization itself. In some cases these attacks are unintentional, but in many cases they are committed out of greed or antipathy towards the organization. According to a study by Forcepoint (a company specializing in computer security software), only 43 percent of organizations feel that they can monitor privileged user activity well, while 63 percent do not have enough information in this context. Any security breach not only results in loss to the organization but also damages its image as a secure partner around the globe.
Insider thefts put organizations at risk
Detecting risk, responding to insider attacks and preventing them is a very challenging task for the information security team. Though insider attacks can be caught, they are harder to detect than an external threat. The information security team of any organization has the responsibility to deal with risks like IT sabotage, theft of intellectual property (IP) and fraud.
Organizations these days customize solutions to curb the risk of theft. Madhavan Satagopan, CTO, Altimetrik, says, “Altimetrik has an ISMS which is quite comprehensive in all aspects of awareness. Our ISMS policy is backed up with mandatory training for all employees, Active Directory-based authentication and authorization for all access requests, backed up by a DLP which monitors all such access and notifies managers and other nominated leaders of any confidential information sent outside of the Altimetrik domain. All laptops and desktops are secured with restricted and monitored access (or disablement) of USB ports and writable media, with restricted local admin rights. In addition, we have network segregation to protect highly sensitive information, and HIPS (Host Intrusion Prevention System) installed in the environments of developers who are working on PCI and healthcare projects, backed up by log audits and analytics. Physical security in terms of access and authentication is also enforced. Firewall protection is enabled to guard against all unauthorized access.”
As access to information is not confined to a company’s boundaries, the challenges for the organization increase manifold. Says Subramanyam Puterevu, CIO, Mindtree, “Accessibility of information is a huge challenge for an organization to deal with. Now, we are introducing more processes and systems to detect and control theft. At an industry level, we need solutions to detect malicious and unintended attempts by employees.”
Technologies to monitor attacks
With incidents of insider theft on the rise, organizations place a lot of emphasis on security awareness and risk assessment. “The insiders have more access to information as they are the trusted employees. The security awareness programs, access re-certification processes for privileged users and technologies like DLP curtail the risk to a certain extent for protecting the data of the organization,” says Satyanandan Atyam, CISO, Bharti Axa General Insurance. Auditing and review processes are among the important techniques for identifying and learning about insider theft incidents.
As most organizations buy different solutions for fulfilling different tasks (intrusion detection, firewalls, anti-virus solutions), the risk increases. Point solutions cannot identify a stealthy attack if it originates from another attack vector. This gap can be addressed using analytics. “The industry is moving towards predictive analytics, and this is especially important with regards to privileged users,” says Harshil Doshi, Strategic Security Solutions Consulting, India, Forcepoint LLC.
Forcepoint has a solution that combines visibility and analytics to baseline normal behavior and quickly identify and record high-risk behavior. The firm’s solution can identify high-risk users and enable data protection controls to be put in place. This is complemented by a DLP solution that identifies high-risk data behaviors, identifying the users that need to be investigated further.
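To make the "baseline normal, then flag deviation" idea concrete, here is an added example in Python. It is not Forcepoint's code or any product's algorithm; it is a minimal illustration of the same approach. Every user name, daily count and DLP event below is constructed, and the per-user baseline is a simple mean and standard deviation over a history window, which is one of several ways a real product might model behavior.

```python
"""Behavioral baselining for privileged-user activity (added example).

Learns each user's normal daily volume of sensitive-record access from a
history window, scores a new day's volume against that baseline (z-score),
and combines it with a hard DLP rule: confidential data sent to a
non-corporate domain is high risk regardless of volume.
All users, numbers and events are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed 14-day history: sensitive records accessed per user per day.
HISTORY = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42, 41, 38, 40, 44],
    "bob":   [10, 12, 9, 11, 10, 13, 12, 11, 10, 9, 12, 11, 10, 11],
    "carol": [200, 210, 190, 205, 198, 215, 202, 207, 199, 204, 210, 195, 203, 208],
}

# Constructed observation for the day being scored.
TODAY = {"alice": 43, "bob": 260, "carol": 212}

# Constructed DLP events for the same day: (user, data classification, destination domain).
DLP_EVENTS = [
    ("alice", "internal", "example.com"),
    ("bob", "confidential", "mail-personal.example.net"),
    ("carol", "confidential", "example.com"),
]
CORPORATE_DOMAINS = {"example.com"}  # hypothetical corporate domain list


@dataclass
class Baseline:
    mean: float
    std: float


def build_baselines(history):
    """Per-user mean and population std-dev of the historical daily counts."""
    return {user: Baseline(mean(counts), pstdev(counts)) for user, counts in history.items()}


def zscore(value, baseline, std_floor=1.0):
    """Standard deviations above the user's mean.

    A floor on std avoids division by zero and stops a perfectly flat
    history (std == 0) from turning a one-record change into an alert.
    """
    return (value - baseline.mean) / max(baseline.std, std_floor)


def external_confidential(events, corporate_domains):
    """Users who sent confidential-classified data outside corporate domains."""
    return {user for user, label, dest in events
            if label == "confidential" and dest not in corporate_domains}


def score_users(today, baselines, dlp_events, corporate_domains, z_threshold=3.0):
    """Return {user: {"z": float, "high_risk": bool, "reasons": [..]}}."""
    dlp_flagged = external_confidential(dlp_events, corporate_domains)
    result = {}
    for user, value in today.items():
        reasons = []
        baseline = baselines.get(user)
        if baseline is None:
            # A user with no history cannot be baselined; treat as needing review.
            z = float("inf")
            reasons.append("no baseline for user")
        else:
            z = zscore(value, baseline)
            if z >= z_threshold:
                reasons.append(f"volume {value} vs baseline "
                               f"{baseline.mean:.1f}+/-{baseline.std:.1f} (z={z:.1f})")
        if user in dlp_flagged:
            reasons.append("confidential data sent to external domain")
        result[user] = {"z": round(z, 2), "high_risk": bool(reasons), "reasons": reasons}
    return result


if __name__ == "__main__":
    scores = score_users(TODAY, build_baselines(HISTORY), DLP_EVENTS, CORPORATE_DOMAINS)
    for user, info in scores.items():
        print(user, info)
```

With this data, only `bob` is marked high risk: his volume is hundreds of standard deviations above his own baseline, and he also tripped the DLP rule. `carol` handles far more records than `bob` in absolute terms but stays within her own normal range, which is the point of per-user baselining rather than a single global threshold.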
Preventing unintentional threats
Another important aspect of the insider threat is theft that is done unintentionally. According to a DSCI NASSCOM report, almost 67% of service provider organizations have experienced insider incidents due to unintentional exposure of private and sensitive information, and 75 percent of client organizations have also supported the fact that unintentional exposure of private and sensitive data is a security threat. For thefts done unknowingly, companies have to be even more careful, as the data can be leaked without their knowledge and they may not realize it immediately.
States Jagdeep Singh, CISO, Rakuten, India, “Awareness sessions and taking mock drills with relevant case studies are very important to make employees aware and test the awareness level of the organization. Gamification, role plays, and context-based training sessions come in handy to ensure that the training is relevant to the specific needs of the employees. The technologies which can detect and report ‘policy non-compliance’ also come in handy to report the potential misuse of data and provide warnings to employees on a case-to-case basis.”
Tracking forensic evidence is important
Despite preventive measures, organizations sometimes still suffer malicious breaches. In such cases, companies must have solutions in place to collect forensic evidence so that the breach does not repeat in future. This is also very important because the forensic evidence can be used in court against the perpetrator. It is typically handled by a team under the CRO (Chief Risk Officer) office, which collects log information to understand the complications and the impact on the business and the company's reputation. A SOC (Security Operations Centre) is also in place which constantly monitors for network infiltration attempts, insider breaches and malware infections. Well-defined security incident management processes are available, and periodic awareness communication is sent to all employees. Application and system logs are sent to a central logging server for alerting and reporting; based on predefined criteria, alerts are sent to the respective teams for investigation. For further investigation and analysis, the compromised system is preserved and an OS-level image is taken. Apart from these factors, storing digital evidence and footprints, including access logs and other available information, for as long as possible helps in historical analysis.
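The two mechanisms in that paragraph, predefined alert criteria applied to centrally collected logs and the preservation of evidence so it can later be shown unaltered, are illustrated by the following added example in Python. It is not any organization's SOC tooling; the log line format, hostnames, users, rule names and team names are all constructed for the example, and the "evidence" preserved here is just the log records themselves rather than a full OS-level image.

```python
"""Central-log alerting on predefined criteria, plus an evidence manifest (added example).

1. parse()     - turns a constructed central-log line into a record.
2. evaluate()  - applies predefined rules and groups alerts by the team
                 that should investigate them.
3. preserve()  - hashes each preserved record and the whole set, so the
                 evidence can later be shown to be unchanged (verify()).
All lines, hosts, users and rule/team names are constructed.
"""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed central-log lines: "<ISO timestamp> <host> <event> key=value ...".
LOG_LINES = [
    "2024-03-04T09:12:01Z ws-dev-07 auth.login user=alice result=ok",
    "2024-03-04T23:41:10Z ws-dev-07 usb.mount user=bob device=sdb1",
    "2024-03-04T23:42:33Z ws-dev-07 file.copy user=bob dest=/media/sdb1/customers.csv label=confidential",
    "2024-03-05T02:15:00Z db-prod-01 auth.login user=svc_backup result=ok privileged=yes",
    "2024-03-05T08:30:05Z fw-edge dlp.block user=carol dest=mail-personal.example.net label=confidential",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse(line):
    """Split a log line into a dict: ts (aware datetime), host, event, and key=value fields."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "event": event, **fields}


# Predefined criteria (hypothetical). Each is a predicate over a parsed record.
def usb_on_restricted(rec):
    # Developer workstations are assumed to have USB storage disabled by policy.
    return rec["event"] == "usb.mount" and rec["host"].startswith("ws-dev-")

def confidential_to_removable(rec):
    return (rec["event"] == "file.copy" and rec.get("label") == "confidential"
            and rec.get("dest", "").startswith("/media/"))

def privileged_out_of_hours(rec):
    # Business hours assumed to be 08:00-20:00 UTC for this example.
    return (rec["event"] == "auth.login" and rec.get("privileged") == "yes"
            and not 8 <= rec["ts"].hour < 20)

def dlp_block(rec):
    return rec["event"] == "dlp.block"

# (rule name, predicate, team that receives the alert)
RULES = [
    ("usb-mount-restricted-host", usb_on_restricted, "endpoint-security"),
    ("confidential-to-removable-media", confidential_to_removable, "dlp-team"),
    ("privileged-login-out-of-hours", privileged_out_of_hours, "soc"),
    ("dlp-block", dlp_block, "dlp-team"),
]


def evaluate(lines, rules=RULES):
    """Return {team: [alert, ...]}; each alert keeps the raw line for the investigator."""
    alerts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        for name, predicate, team in rules:
            if predicate(rec):
                alerts[team].append({"rule": name, "user": rec.get("user"),
                                     "host": rec["host"], "raw": line})
    return dict(alerts)


def preserve(lines):
    """Evidence manifest: SHA-256 per record plus one hash over the ordered set."""
    entries = [{"seq": i, "sha256": hashlib.sha256(line.encode()).hexdigest()}
               for i, line in enumerate(lines)]
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"count": len(lines), "entries": entries,
            "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def verify(lines, manifest):
    """True only if the records are byte-for-byte what was preserved, in the same order."""
    return preserve(lines)["manifest_sha256"] == manifest["manifest_sha256"]


if __name__ == "__main__":
    for team, team_alerts in evaluate(LOG_LINES).items():
        print(team, [a["rule"] for a in team_alerts])
    manifest = preserve(LOG_LINES)
    print("evidence intact:", verify(LOG_LINES, manifest))
```

The manifest is deterministic, so a later party holding the same records can recompute it and confirm nothing was added, removed, reordered or edited since preservation; any of those changes makes `verify()` return false. Routing alerts by team mirrors the "based on predefined criteria, alerts are sent to the respective teams" step, and keeping the raw line inside each alert means the investigator starts from the original record rather than a summary.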