Tackling the Insider Threat
As one who's dealt with the insider threat, I have some questions of my own:
What do you really mean by an insider? In our borderless world, the terms "insider" and "outsider" overlap. "Insiders" are not just employees and staff, but also service providers, business partners, consultants, contractors -- any number of parties who may work for companies we deal with.
What do we really mean by an authorized versus an unauthorized insider? If you take a look at the Societe Generale situation, allegedly a fraud was committed by an authorized user with privileges he was not supposed to have. How? Well, the horribly overused cliché is that if you work with a company long enough, eventually you will have access to everything, and no one will know it.
Bottom line: As people change jobs within a company, we are not good at updating their roles and responsibilities. If you look at all the efforts that have been spent on identity and access management products, the biggest challenge is trying to understand:
How do you track what is authorized and unauthorized behavior by any end user? Unauthorized insider behavior comes in three flavors:
1) Accidental: somebody hits the wrong key or makes some other benign error, and you don't even know about it;
2) Well-intentioned but over-privileged: the person is trying to do something that is within the scope of their job but has not been provided with the privileges to do it;
3) Malicious: they are trying to get access to information they are not authorized to have, either to commit fraud or to cause other harm.
In most cases, we don't know there is a problem until something has happened.
Our challenge: We often don't know what normal behavior is. We don't know whether a person within a group is doing something not typical for that group, and we don't know whether they are doing something inconsistent with their own normal behavior pattern (e.g., do they normally access certain information in the system from 8 a.m. to 6 p.m., Monday through Friday, and then suddenly start accessing it at other times and on other days of the week?).
So, how do we deal with the insider threat? There's the whole category of products called data loss protection (DLP), which help close up the borders by preventing data from leaking out of a corporation -- either automatically stopping it or at least warning folks that they are doing something that is against policy.
Another new product line is anomalous behavior pattern detection tools. These types of products are designed to help identify normal behavior patterns for groups and individuals and then identify behavior that differs from these patterns.
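The core of such a tool is a per-user baseline and a check for deviations from it. The following is an added example, not code from the original article or from any product it mentions; it runs over constructed access-log lines, and the log format, the hour-range and day-of-week rules, and the user and resource names are all assumptions.

```python
"""Flag access events that fall outside a user's established behavior pattern."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (timestamp, user, resource); not from any real system.
# Training window: a normal Monday-to-Friday work week, daytime hours only.
BASELINE_LOG = """\
2008-02-04T09:12:00 jdoe ledger
2008-02-04T14:30:00 jdoe ledger
2008-02-05T10:05:00 jdoe ledger
2008-02-06T16:45:00 jdoe reports
2008-02-07T11:20:00 jdoe ledger
2008-02-08T15:10:00 jdoe reports
"""
# Events to evaluate: one normal, one late night, one Saturday, one new resource.
NEW_LOG = """\
2008-02-11T10:00:00 jdoe ledger
2008-02-12T23:40:00 jdoe ledger
2008-02-16T11:00:00 jdoe ledger
2008-02-13T13:00:00 jdoe payroll
"""

def parse(log):
    for line in log.splitlines():
        ts, user, resource = line.split()
        yield datetime.fromisoformat(ts), user, resource

def build_baseline(log):
    """Per user: hours of day, weekdays (0 = Monday) and resources seen in training."""
    base = defaultdict(lambda: {"hours": set(), "days": set(), "resources": set()})
    for when, user, resource in parse(log):
        base[user]["hours"].add(when.hour)
        base[user]["days"].add(when.weekday())
        base[user]["resources"].add(resource)
    return base

def flag_anomalies(baseline, log):
    """Return (timestamp, user, resource, reasons) for events deviating from baseline."""
    findings = []
    for when, user, resource in parse(log):
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if not min(b["hours"]) <= when.hour <= max(b["hours"]):
                reasons.append("outside usual hours")
            if when.weekday() not in b["days"]:
                reasons.append("unusual day of week")
            if resource not in b["resources"]:
                reasons.append("resource never accessed before")
        if reasons:
            findings.append((when.isoformat(), user, resource, reasons))
    return findings
```

A real deployment would compare against group norms as well as the individual's own history, and would route findings to the security officer and audit reviews discussed later in the article rather than silently logging them.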
The third category of tools is format-preserving encryption technology, which encrypts key data fields such as Social Security numbers and credit card numbers. The encrypted data looks like normal data of the same format but is actually ciphertext, so that even if there is unauthorized access to it, the data obtained is useless without the key.
Some basic advice for tackling the insider threat:
Look for Changes in Attitude or Behavior on the Job. Employees need to pay attention to what their fellow "insiders" are doing and then sound an alarm when they see something that is atypical.
Use the Available Tools. Where you are concerned about insiders with privileged access to sensitive data potentially doing something wrong, you may want to take a look at increasing your efforts at segregation of duties and/or looking at the feasibility of dual controls. Also make sure that you are using access violation reports and that they go both to a security officer and to an audit department.
Monitor Activity and Reports. This is going to sound awfully bureaucratic, but the audit teams have to increase their vigilance in terms of staying on top of auditing processes and procedures in the information security area. And I think they also have to increase efforts in terms of ensuring that business areas really examine who has access to the data. Reviewing access reports has to be seen as something more than a perfunctory scanning exercise. An effort needs to be made on a regular basis to make sure that people actually examine these reports and verify that the people with access to information are supposed to have it.
It really all comes down to the basic controls that should be in place -- making sure they're in place, and then making sure you actively monitor and respond to the reports these controls generate.
You can't necessarily eliminate the insider threat - not in these challenging times. But you sure can put up some effective barriers to help prevent it.