Light Dark
May 17, 2016 By Johnny K. Shin 4 min read
Identity & Access

Employees, contractors and partners may use some of your critical information in their daily work. Unfortunately, access to that data can pose a significant risk to your business, so it is essential to allow only the minimum necessary access while also quickly detecting and stopping threatening activity before it causes damage.

Malicious Insiders

IBM X-Force researchers estimate 60 percent of security incidents have been caused by insiders. These incidents exist in three different forms — theft, sabotage and fraud — and all have potentially long-lasting implications. In 2015, FierceCIO reported that organizations experienced an average of 3.8 insider security incidents each year.

While countless cases happen every day without detection or reporting, here are two examples in which insiders threatened global financial services institutions.

Stealing Trade Secrets

In 2013, a global bank sued a former insider and his wife to try to stop the pair from exposing trade secrets after the employee left the company for a competitor. Knowing that the company had data leakage prevention controls, the insider tried to circumvent the process by exfiltrating sensitive data to a home computer with the help of his wife. The pair was ultimately able to steal very sensitive information days before the husband submitted his resignation, and he joined a competitor shortly thereafter.

Rogue Trading Incident

In another case, a rogue trader exploited access to multiple systems at a French financial institution. He was caught creating fictitious trades; whenever they were questioned, he would simply claim that a mistake had been made and cancel the trade. However, he then replaced it with another transaction in a different program to prevent detection. This resulted in a large drop in equity indices in the markets and nearly $7 billion in estimated losses.

In both cases, the insiders were skilled, disgruntled and intent on evading detection. Their jobs required access to key systems and sensitive information, and there were no predefined signatures that could detect their malicious activities. Existing technologies, organizational policies and monitoring solutions were simply unable to uncover their schemes until it was too late.

Fortunately, this is changing. A combination of crown jewel data protection, privileged identity governance and user behavior analysis can help identify and stop malicious insiders before they cause harm.

Methods of Addressing Malicious Insiders

Although financial services companies have invested millions of dollars to protect data, control access and monitor user activity, these investments are generally driven by specific regulations and requirements. The end result is often a fragmented security infrastructure that skilled and knowledgeable insiders can exploit.

The answer to this problem is not a new tool, but rather a more integrated approach to addressing insider threats across these capability silos.

Identify and Protect Crown Jewel Data

First, companies need to know what assets are considered their most sensitive crown jewels. This means defining information classification and then labeling operational data, transactions, assets and other sensitive information accordingly.

Once completed, this will help determine the value of sensitive information (the crown jewels), where those crown jewels are located and what job functions should have access to that data.

Govern Privileged User Access

Second, companies need to know which users should have access to crown jewels — essentially the keys to the kingdom — and which users actually have access. Understanding the gap between permitted and actual access to systems across the organization is essential, and improper access must be removed.

Once user access to sensitive data has been validated, authorized access can be controlled for privileged users with strong authentication on an as-needed basis.

Analyzing User Behavior

Gaining insight into the actions of these privileged users is the third and most difficult part of addressing the insider threat. Understanding the context for changing user behavior can be essential in distinguishing between standard activity and something suspicious, and analyzing certain internal corporate data may provide clues. For example, an employee or contractor who is abruptly fired or laid off may be disgruntled and have the potential to be an insider threat.

Such insights should be gathered lawfully, pursuant to standards that may vary by jurisdiction. This concern is especially critical in global organizations that operate in multiple legal jurisdictions. Organizations must carefully consider strategies and options. The lawful and ethical use of technological solutions that analyze user behaviors should be employed.

For example, a set of logs from user activities in IT systems might be gathered and analyzed to determine baseline behaviors and detect any anomalies based on various pattern detection algorithms and analysis (e.g., statistical analysis, resource usage analysis, top-down/bottom-up comparative analysis).

Once you understand the baseline of user activity and behavior, it is possible to detect suspicious changes in behavior that might then trigger further analysis and investigation. Events such as the increase in volume of personal email sent externally from a corporate system may be considered suspicious when correlated with news about an employee’s resignation.

How to Get Started

As with any project, the key to success with an insider threat program is to start small. Many companies even start with one or two critical business applications. Using these systems as a starting point, they follow the key steps outlined above: identify and protect crown jewels, govern privileged user access and analyze user behavior. Most importantly, successful insider threat prevention programs work across these steps with an integrated approach rather than disconnected initiatives.

On one hand, malicious, skilled and motivated attackers are very difficult to detect when they have unfettered access to your crown jewels. On the other hand, some insiders legitimately need access to sensitive data to run your business. Balancing function and risk is difficult for even the most sophisticated organizations, but a structured approach can put you ahead of the game.

Learn More

Interested in learning more about how to protect against malicious insiders? Start by watching the on-demand webinar “Tech Talk: Dynamic Data Privacy Using Fine-Grained Access Control.” There’s also plenty of information in the IBM report “Battling Security Threats From Within Your Organization” and in the 2016 X-Force Cyber Security Intelligence Index.

 |  |  |  | 
Johnny K. Shin
Executive Consultant, IBM

More from Identity & Access
October 23, 2023

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

September 13, 2023

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

August 1, 2023

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature