September 20, 2022 Malicious Intent or Honest Mistake

Industry leaders share their perspective and tips for handling internal security alerts during Insider Threat Awareness Month.

September is Insider Threat Awareness Month, a time dedicated to focusing on the solutions and precautionary steps public and private organizations can take to minimize the damage from potential insider threats. However, it must be stated that the majority of insider threat situations do not involve a disgruntled employee. Many small mistakes or accidents can be made that leave organizations in the dark if they are not paying critical attention to their sensitive data and who has access to it.

For organizations looking to maintain a strong cybersecurity posture, it is important to look at every insider threat alert as a situation that must be investigated. Jumping to conclusions can be hurtful and insulting thus allowing for an investigative process that brings in HR and security teams when needed. For this Insider Threat September, remember to stay cyber conscious when online!

Now here is what technology leaders and experts are saying, sharing their insights and perspectives for the special month-long awareness campaign:

Raffael Marty, EVP and GM cybersecurity, ConnectWise

“To effectively prevent and stop insider crime, organizations need to have a comprehensive security program in place that focuses on both preparedness and visibility. Preparedness means having a plan in place for the day something happens. It should cover the playbooks for how to react in case of relevant organizational events and security relevant incidents – from what to do when an employee leaves the organization, to the specific procedures enacted in the event of an electronic threat such as ransomware or denial of service attack. Visibility, on the other hand, means being able to identify and effectively react to potential adverse actions. Monitoring devices can help organizations achieve greater visibility, but that’s only the first step. Visibility also expands into understanding what employees are doing and how they are interacting with an organization’s sensitive data. Lastly, and perhaps most importantly, organizations must make sure employees are trained on cybersecurity issues like phishing, which is still one of the main initial vectors of attacks. That’s why Insider Threat Awareness Month is so important for organizations of every size, despite the fact that the topic comes up most often in the context of larger organizations.”

Amit Shaked, CEO and co-founder, Laminar

“An organization’s data is its greatest asset, but also its biggest potential downfall. With the cloud allowing data to be spread around to various places data protection teams may not even be tracking, it opened companies up to even more risk than ever before by creating what is known as ‘shadow data.’ Shadow data refers to an organization’s data that is not copied, backup or housed in a data store that is not governed, under the same security structure, nor kept up to date. This data is a big target for insider threat incidents because if it is exfiltrated, it goes under the radar of traditional data protection tools.

According to recent research, more than half of organizations don’t have a public cloud data security tool in place to monitor for insider threats and data exfiltration, and more than a third can’t tell whether an internal employee has ever accidentally or maliciously accessed sensitive data. The key to preventing insider threat incidents in these environments and preventing malicious, accidental or compromised insiders from taking advantage of shadow data is using a cloud-native data security platform that uses the dual approach of visibility and protection. Doing so allows data security teams to know for certain which data stores are valuable targets to both inside and outside adversaries and ensure proper controls, which allows for the quicker discovery of data leakage.”

Gunnar Peterson, CISO, Forter

“When people think of insider threats, oftentimes their mind immediately goes to a malicious employee out for financial gains. However, the more dangerous instance (and often overlooked) is the compromised insider. A compromised insider or account takeover (ATO) is a user whose account credentials have been harvested by an adversary via phishing or similar tactics who then has easy access to sensitive company systems or assets.

With security researchers warning that phishers are having ‘remarkable’ success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest tech companies and customer support firms, we will likely begin to see compromised insider incidents on the rise.

This Insider Threat Awareness Month, I want to remind security teams across all industries that the simplest defenses in our toolbelt, credential and identity management, can be the difference between a secure system and a headline-grabbing breach.

Many breaches are the result of businesses relying on automated access control and realizing too late when a user has been hijacked. With some of the new phishing scams around, the adversaries are using Telegram instant message bots to forward submitted credentials in real-time, allowing the attackers to use the compromised credentials and one-time code to log in as the employee.

To succeed against ATO attacks and prevent compromised insider incidents, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. Doing so can leave organizations protected from insider threats year round.”

Renata Budko, head of product, Traceable

“National Insider Threat Awareness Month helps demonstrate why it is so crucial to protect against, identify, and reduce the harm caused by insider threats. Whether there are internal and external bad actors committing ransomware or other forms of dangerous malware attacks, insider threats are a significant problem that needs to be addressed with a 306-degree perspective.  This is important as the cost of these attacks are not just calculated in terms of ransomware payments, but also includes the nearly unfathomable cost of operations disruption, lost sales, legal costs, legal penalties, insurance rate increases, and/or a decline in customer confidence.

A new shift has occurred within the software development industry whereas APIs are presenting new attack surfaces and therefore new opportunities for hackers. A way to protect against these insider threats is through API security technology that identifies APIs, assesses API risk posture, prevents API assaults, and offers deep analytics for threat hunting and forensic investigation. With distributed tracing and machine learning models for API security across the full development lifecycle, organizations may be more secure and resilient by using visual representations to analyze user and API patterns, identify anomalies, and stop API assaults.”

Surya Varanasi, CTO, StorCentric

“This September 2022 marks the fourth annual National Insider Threat Awareness month. It aims to shine a spotlight on the critical importance of defending against, detecting and mitigating damages from insider threats. Indeed ransomware and other types of malicious malware attacks are not only perpetrated by external cybercriminals, but internal bad actors as well. And, the expense is not only measured in ransomware payments, but also the almost incalculable cost of operations downtime, lost revenue, legal fees, regulations compliance penalties, a rise in insurance premiums, and/or a loss of customer trust.

The need to backup data has become ubiquitous. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand the need to protect backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.

What is required is an Unbreakable Backup solution that is able to create an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Additionally, the Unbreakable Backup solution should include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention. Ideally, it should also deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. In deployment of such a solution, recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.”

Brian Dunagan, vice president of engineering, Retrospect, a StorCentric

“During National Insider Threat Awareness month we are reminded of the multitude of reasons a sound data backup strategy and proven solutions are critical. Given today’s economic and geopolitical climate it is a given that at some point virtually all organizations will suffer a successful cyber-attack be it from internal or external forces. Given this inevitability, it makes sense that the end customers I speak with, whether they are from private, public, or government organizations, are putting an increasing focus on their ability to detect and recover as quickly, cost-effectively and painlessly as possible.

A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.

Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way.”

Martin Rehak, CEO and founder, Resistant AI

“Shallowfakes—the dilemma facing insurers dealing with increased digital document fraud

Fraud continues to be a serious threat to the insurance industry.

Contributing to this fraudulent scenario are so-called “deepfakes”. But while these have become increasingly prevalent in fraudulent insurance claims, the insurance industry is now seeing more of what are called “shallowfakes”.

The difference between deepfakes and shallowfakes is that while deepfakes require AI to create them, shallowfakes can be created using only basic photo editing software, such as Photoshop.

While shallowfakes don’t require AI to create them, AI can significantly increase the chances of detecting them. The use of AI solutions—combined with human instinct, attention to detail, and awareness and knowledge to check the validity of what is being processed—can prove a win-win for detecting fraudulent documentation.

The cost of inaction to the insurance industry may be high. In all likelihood, few if any insurance firms have yet addressed the growing threat posed by shallowfakes. Yet it should be a high priority for them—without immediate action being taken to mitigate the impact of shallowfakes, they could be a threat that is hard to stop.”

Neil Jones, director of cybersecurity evangelism, Egnyte

“While cyberattacks are hardly a new phenomenon, they have grown in sophistication in recent years, leaving many organizations vulnerable. However, while vigilant organizations have stepped up their protection measures, many risk overlooking an important contributor to cyber attacks: insider threats.

Accounting for roughly 22% of security incidents, insider threats come from those within an organization, such as employees or business associates. While not always malicious, insider threats can be even more devastating than external attacks, because authenticated insiders are able to gain access to a much wider playing field than the average cyber-attacker.

Common contributors to insider attacks are employee turnover, poor data governance controls and user negligence. Examples can include the following: a current employee accidentally sharing confidential information with a third party, an ex-employee downloading files to take to their new job at a competitor, or a former business associate sharing privileged company insights publicly to embarrass the organization. Ransomware gangs also sometimes work with company employees directly to facilitate attacks. Whatever the cause, the impact can be significant, which is why companies must assume that everyone is a potential insider threat.

Considering there was a 47% increase in insider threats between 2018 and 2020, organisations need to do more to protect against this growing threat. Utilizing a data governance platform that leverages machine learning is a good first step to prevent “data leakage,” as this ensures users have access to sensitive information on a “need to know” basis. For example, there’s no reason that everyone at the company should have access to financial growth plans or HR documents listing sensitive employee information without at least justifying their request first. Limiting file access and offering holistic awareness training will be key in combating negligence and curbing the spread of internal information.

This Insider Threat Awareness Month, and always, organizations should take a proactive approach that detects misuse before it’s too late.”

Matt Rider, VP of security engineering EMEA, Exabeam

“Although responsible for 22% of all security incidents (according to VBIR 2021) Insider threats are not all one and the same. They come in an array of shapes and sizes and each one can threaten the security of an organization in a unique way. It is helpful therefore to break these down into three distinct categories: malicious, compromised, and negligent.

“The ‘malicious insider’ is an employee who intentionally steals data, either for personal gain or to negatively impact the organization involved – mature security organizations will ensure that they work closely with HR teams to help identify and monitor potentially malicious insiders. A ‘compromised insider’, however, generally acts without malice and usually has no idea they’ve been compromised. All it takes is clicking on a link in a phishing email or opening an infected file and their credentials can become compromised. Finally, a ‘careless’ or ‘negligent insider’ is someone who leaves their laptop on the train, walks away from their unlocked workstation, or simply fails to follow cybersecurity best practices. These individuals can be particularly challenging, because their actions are very hard to predict and defend against.

“While improving general awareness of insider threats can help address some of the core risks, there are numerous other preventative steps that many organizations still don’t apply as rigorously as they should. First and foremost, organizations need to invest in relevant cybersecurity training for all employees. Next, businesses should invest wisely in technology solutions and infrastructure that enables them to see the whole picture and address the challenge of insider threats. From a technology perspective, one of the most potent weapons currently available is user and entity behavior analytics (UEBA), which allows an organization to create a baseline of ‘normal activity’ and thus flag any major deviations as potential security alerts, which security teams can then investigate.”

Dalia Hamzeh, senior principal enterprise security program manager, Progress

“Insider threat is commonly associated with malicious intent, but statistics continue to prove that attacks resulting from employee negligence, a type of insider threat, is much more likely to be the source of a security incident. These threats could include an employee downloading pirated software on a company device that contains malware or reusing a corporate password on personal accounts. Training your organizations’ workforce to identify suspicious insider behavior, and reinforcement of those efforts, should be a key initiative year-over-year. Additionally, an organizations’ awareness agenda should be sure to include role- or team- specific training for employees to detect the less obvious threats – such as timely review of employee terminations and access or the software employees are downloading.

When employees are educated on specific indicators of insider threats and the damaging impact they potentially have, they’re more likely to notice and report them. It’s also important to build a culture in your organization where employees are encouraged, and feel comfortable, to flag potential threats to the cybersecurity team.”

Richard Barretto, chief information security officer, Progress

“Recognizing Insider Threat Awareness Month is a great way to open lines of communication within your organization to combat insider risks. The remote work shift has catalyzed and changed the way we look at insider threats. What we once considered ‘insider,’ within the walls of our organization, has theoretically disappeared. That’s why in today’s age of remote connections, it’s more important than ever for organizations to take the vital actions needed to protect and defend against them. This means posturing your security and network architecture as if every person and device is a hostile threat.

The goal here is to segment access and protected information across your corporate network and have the necessary controls in place to equip your organization to identify and mitigate those threats at lightning speeds. Adapting this Zero Trust Model—granting least-privileged access, implementing sign-on verification measures where possible and practicing good cyber hygiene—should be considered a top priority for every organization in 2022. It’s also important for organizations to have an early warning system for WFH employees and ability to remotely manage their employee devices in the case there has been a compromise and a device needs to be quickly wiped.”

Tim Prendergrast, CEO, strongDM

“Virtually every major security challenge, including insider threats, requires one core element: access. While much has been done to address physical security and application access, there is one glaring vulnerability: infrastructure access. In honor of Insider Threat Awareness Month, I would like to remind company leaders that this gap is critical. After all, getting access to infrastructure is equivalent to getting the keys to the kingdom. Whether the insider was malicious, accidental, or is being compromised by a bad actor, it’s important that CISOs and other IT leaders take the necessary steps to centralize their access approach. Doing so can allow them to manage access across databases, servers, cloud service providers, and even newer tools like Kubernetes, to get the highest standards of security against inside and outside threats without compromising productivity.”

Subscribe to Industry Today