Are disrupted employees a new cybersecurity threat?

Are "disrupted" employees a new cybersecurity threat?

As work-from-home policies persist for many enterprises amid the global pandemic – and may become permanent in the long run – the cyber threat landscape has become much more complicated. Current work arrangements are so far from the norm that a new threat has emerged: the "disrupted" employee. We are all familiar with the concept of a malicious employee actively trying to damage the company or exfiltrate data out of financial interest or revenge. Much more common is an employee who is fully compliant and follows your security policies as second nature.

A disrupted employee is someone in between: trying to do their job right but with less secure means. He or she may face challenges in getting projects done due to no longer having access to the office's infrastructure or face-to-face interactions. Gone are the water cooler conversations or impromptu meetings in the hallways, as we rely on Zoom or WebEx calls to stay connected. Informal information exchanges are all but gone.

Another challenge is the new home office, where spouses may be working remotely, often alongside their children attending school online. Home networks lack typical protections and bifurcations of the corporate office and may be prone to attacks using lateral movement techniques. In these scenarios, after gaining initial access through an insufficiently protected device, such as a family computer, attackers move deeper into a network, searching for other devices to compromise or obtain increased privileges. This continued probing could eventually lead to the exfiltration of sensitive corporate data or high-value intellectual property.

Disrupted environments prone to sophisticated attacks

To do our jobs, we may obtain information necessary for "situational awareness," lacking in newly remote workspaces. Bits and pieces of information – source code, marketing materials for a product launch, notes from a rebranding exercise, or business development activities – may end up on a computer of a disrupted employee. Having all this information in one place may not be even necessary for a successful attack: hackers are getting increasingly more adept at generating a composite of a company's proprietary data from disparate sources to make stealing it worth their while.

Much of this activity is anomalous, such as accessing databases generally not part of one's knowledge domain or downloading software code for an unrelated product. But with the upheaval that went on in corporate networks as millions of workers suddenly relocated to home offices, these anomalies and lateral movements may be more challenging to trace and analyze. A few missed red flags may mean severe and unpredictable consequences down the road.

The need for East-West visibility

Firewalls are typically our go-to devices to detect and disable malicious North-South traffic (the traffic entering and exiting the network). But as networks evolve, more than fifty percent of the traffic in the data center, either physical or virtual, is now East-West (moving laterally from server to server). Security tools have not yet caught up with the need to inspect and analyze these movements to detect vulnerabilities and threats.

Since modern-day networks include containerized applications in highly distributed and hybrid-cloud-based environments, gaining proper visibility has become increasingly difficult, especially with East-West traffic. Accurate East-West security analytics depend on packet data as the single source of truth, especially in virtualized environments lacking a firmly established network perimeter. Thus, pervasive visibility, a foundational requirement for cybersecurity, may be effort-intensive or costly to achieve, requiring new approaches or specialized tools.

Better data for better analytics

Packet data, when converted to smart metadata and actionable insights, helps pinpoint the source of data leaks or security disruptions impacting the network. Granular analytics deal with alert fatigue by directing security teams to the most critical or time-sensitive issues.

Even if well-intentioned, a "disrupted employee" is still an insider threat, requiring a comprehensive approach of security controls, analytics, acceptable use policies, and education. Understanding a new baseline through analytics is the first and essential step in creating the proper controls and educational programs to help your employees securely accomplish their goals.

Mark Doering is Director of Technical Marketing at NetScout. Mark has over 35 years of experience leading technical engineering teams, integration technologies, security product research and development, as well as consulting for security and wireless architectures. Previous to Netscout, Mark worked for VSS Monitoring as a Security Architect. Prior to that Mark worked at Cisco with the Security Technology Group (STG), driving the Borderless Network Security and Wireless Security products as well as the Consulting Security Services at Cisco Systems for over 16 years. Mark has achieved his GIAC - Certified Incident Handler Certification, and the ISC² - Certified Information Systems Security Professional Certification (CISSP). During his tenure with Cisco he helped define best practices like the Cisco SAFE Security Blueprint as well as the development of the Cisco Certified Security CCIE.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.