Insider Threat: How to Properly Govern Identities & Identify Nefarious Actors
Cybersecurity threats now come in many forms. From ransomware and malware to phishing, the list of ways into an organization’s sensitive underbelly keeps growing.
But several recent breaches of federal, state and local governments, and of a few enterprises as well, show that the threat landscape is changing: these particular breaches were caused by insiders. Millions of identities and sensitive records were compromised over a few months, and organizations had to halt business operations, all because of a single bad actor who already held access. To get to the bottom of insider threats, let’s look at what they are, how they operate and what to do to stop them in their tracks.
What is an insider threat?
Insider threat is defined by the CERT Division at Carnegie Mellon University as the potential for an individual who has or had authorized access to an organization's assets to use that access, either maliciously or unintentionally, in a way that could negatively affect the organization. Note the two halves of that definition: "has or had" covers former employees and contractors whose accounts were never disabled, and "unintentionally" means a well-meaning user with too much access is part of the problem too.
How do insider threats operate?
Insider threat actors take advantage of the behaviors, practices and processes that allow their activity to blend in. Here are two ways they go about threatening an organization.
First, entitlement creep. Without proper visibility, organizations end up with overexposed accounts. The longer a user is with an organization, the more privileges the account accumulates unless controls tied to roles, policies and risk take access away as well as grant it. Such an account can then be used to move laterally across system boundaries, elevate privileges and gain unauthorized access. Proper controls and processes remove access when lifecycle events occur, such as a change of role, job, location or suitability, or when the access is simply no longer required.
Second, improper lifecycle management. During onboarding, new employees and contractors should be granted access to the systems and data they need to be effective, but not overloaded. Access should be granted on a "least privilege" model, with additional access given on an as-needed basis. Every grant should be subject to segregation of duties (SoD), suitability and risk-based policies, with an approval step and a periodic access certification process. On the other hand, when employees and contractors leave, their accounts and entitlements should be revoked, removed or disabled immediately. The longer an account remains active with its privileges intact, the greater the chance it will be exploited.
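The two failure modes above (entitlement creep and sloppy joiner/mover/leaver handling) and the three questions an identity program has to answer (who has access to what, who should, and whether those agree) can be checked mechanically once you have an inventory. The following is an added example, not code from the original article or from any particular identity governance product. It assumes a hypothetical role-baseline table and SoD rule list, and all user names, role names and entitlement names are constructed for illustration. It flags entitlements outside a user's current role, SoD conflicts regardless of role, and accounts that are still enabled after the person has left, and it shows why a "mover" event must reset access to the new baseline rather than add to it.

```python
"""Toy access certification: entitlement creep, SoD conflicts and orphaned accounts."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role baselines: what each role SHOULD carry
# (the "who should have access" answer). Names are hypothetical.
ROLE_BASELINE: dict[str, set[str]] = {
    "ap_clerk":       {"erp.invoice.create", "erp.invoice.read"},
    "ap_manager":     {"erp.invoice.read", "erp.invoice.approve", "erp.payment.release"},
    "hr_analyst":     {"hris.employee.read"},
    "contractor_dev": {"git.read", "ci.run"},
}

# Segregation-of-duties rules: no single identity may hold both entitlements,
# whatever its role says. Constructed for this example.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("erp.invoice.create", "erp.invoice.approve"),
    ("erp.invoice.create", "erp.payment.release"),
]

@dataclass
class Identity:
    user: str
    role: str
    active: bool             # per HR / contract system: still with the organization?
    account_enabled: bool    # per the directory: can the account still log in?
    entitlements: set[str] = field(default_factory=set)

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "entitlement_creep" | "sod_violation" | "orphaned_account"
    detail: str

def review(identities: list[Identity]) -> list[Finding]:
    """One certification pass: compare what each identity HAS with what its role SHOULD have."""
    findings: list[Finding] = []
    for ident in identities:
        # Leaver never deprovisioned: HR says gone, directory says enabled.
        if not ident.active and ident.account_enabled:
            findings.append(Finding(ident.user, "orphaned_account",
                                    "left the organization but account is still enabled"))
        # Entitlement creep: access not justified by the CURRENT role.
        excess = ident.entitlements - ROLE_BASELINE.get(ident.role, set())
        if excess:
            findings.append(Finding(ident.user, "entitlement_creep",
                                    f"outside role {ident.role}: {', '.join(sorted(excess))}"))
        # SoD: conflicting pair held together, regardless of how it was accumulated.
        for a, b in SOD_CONFLICTS:
            if a in ident.entitlements and b in ident.entitlements:
                findings.append(Finding(ident.user, "sod_violation", f"{a} + {b}"))
    return findings

def move(ident: Identity, new_role: str) -> set[str]:
    """'Mover' event: reset access to the new role's baseline instead of adding to it.
    Returns the entitlements that were revoked."""
    new_baseline = ROLE_BASELINE[new_role]
    revoked = ident.entitlements - new_baseline
    ident.role = new_role
    ident.entitlements = set(new_baseline)
    return revoked

def leave(ident: Identity) -> set[str]:
    """'Leaver' event: disable the account and strip every entitlement immediately."""
    revoked = set(ident.entitlements)
    ident.active = False
    ident.account_enabled = False
    ident.entitlements = set()
    return revoked

# Constructed sample population.
SAMPLE: list[Identity] = [
    # alice was promoted clerk -> manager but kept her clerk access: creep AND an SoD conflict
    Identity("alice", "ap_manager", True, True,
             {"erp.invoice.create", "erp.invoice.read",
              "erp.invoice.approve", "erp.payment.release"}),
    # bob's contract ended and HR marked him inactive, but nobody disabled the account
    Identity("bob", "contractor_dev", False, True, {"git.read", "ci.run"}),
    # carol holds exactly what her role warrants
    Identity("carol", "hr_analyst", True, True, {"hris.employee.read"}),
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"{f.user:6} {f.kind:18} {f.detail}")
```

Running it reports alice twice (creep plus two SoD pairs built on the clerk right she should have lost) and bob once; carol is silent. Had alice's promotion been processed with `move()` instead of a plain grant, `review()` would have returned nothing for her, which is the point of tying revocation, not just provisioning, to lifecycle events.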
How do we prevent insider attacks?
An identity program is essential to a modern cybersecurity strategy. Prevention and detection of insider threats should be at the top of the list in any organization, because the insider can be the most damaging vulnerability to enterprise systems and data and, for the most part, can mask their actions as ordinary business tasks.
There needs to be a govern-all approach. A complete inventory of all users (employees, contractors, partners and processes such as service accounts) and of all structured and unstructured data should be the No. 1 priority. Many security frameworks focus only on the privileged user, or only on sensitive applications and data. The attack surface is much broader than that, so we need to establish identity context for everyone, everywhere, and continually re-verify the suitability and legitimacy of users and of the access they hold.
In a nutshell, an identity strategy provides simple, secure access and makes sure, efficiently, that it is the right access. The strategy should define and govern access rights so as to minimize the risk from entitlement creep and orphaned accounts and to enforce segregation of duties and suitability policies. Properly implemented, the solution gives visibility into three questions: who has access to what, who should have access, and what are they doing with that access? Once those three questions can be answered for every identity, the insider threat becomes something you can prevent and detect rather than discover after the fact.