An Inside Look At Insider Threats (Part II)

How companies can deal with bad actors within their organization.

Ed. Note: In Part II of this two-part series on insider threats, I sat down with Vincas Čižiūnas, CTO, and Ryan Lai, EVP of Professional Services, both at Nisos Inc. (full disclosure: I work at Nisos). They are security professionals with over 30 years of combined experience in offensive and defensive cyber security in commercial and government environments. In Part I, I explored how law firms help themselves and their clients proactively mitigate the risk of bad actors inside organizations.

What is the cause of most inside threats, and is this problem worsening?

RL: Insider threats can manifest themselves in several different ways, each carrying its own set of causal factors. These factors can range from disgruntled employees stealing physical company property to adversarial nation states directing collaborative insiders to exfiltrate corporate secrets. The problem has worsened with the evolution of technology making sensitive corporate data more accessible, widening exfil vectors and enabling relative digital anonymity with baseline knowledge of operational security. On the flip side, technology is also evolving to better detect and/or defeat such threats.

VC: The problem seems to ebb and flow with the economy, but definitely seems to be worsening as technology makes the movement of data easier than ever.

What seems to be the primary motivation for these bad actors?

RL: We have conducted investigations on an array of different actors and the motivations for malicious insiders vary. Often, an individual may have a feeling of superiority and take action to sabotage the work of others or otherwise empower themselves through completing a bad action. Other times, the act may not be perceived by the individual as particularly malicious, such as an employee retaining corporate intellectual property for use during future employment. While the intent may not be malicious, the action could still be harmful to company interests.

VC: If I had to pick one primary motivation for these bad actors, I’d say it is much the same as it has always been: malcontents with a superiority complex. The employee who feels jilted, doesn’t feel the rules apply to them, or feels empowered by proprietary data. The adrenaline rush of “getting away with it” is a powerful thing.


What are the steps that companies like Nisos take when they are engaged to investigate an insider threat?

RL: Insider threat investigations generally initiate based on one of two events: (1) an incident has occurred where a company suspects a malicious insider and requires assistance in attributing the activity, or (2) indicators show that an individual employee is a potential threat and merits investigation and monitoring. In the first scenario, a company representative learns that proprietary information thought to be closely held within the company has been posted to online forums. The company engages a partner such as Nisos to research the potential source of the leak through an evaluation of internal telemetry: logs and technical indicators provided by endpoint detection and response (EDR) or user and entity behavior analytics (UEBA). The firm conducts parallel research to attribute the forum posts and leaked information back to a potential insider.

In the second scenario, collected indicators point to a specific employee as a potential inside threat. Investigators come to examine any internal telemetry that exists, heighten controls around detecting anomalous online behavior by the individual and conduct external research to map out the individual’s digital footprint for further indicators. If the investigation warrants, in coordination with legal counsel, the firm can deploy monitoring tools. This ensures that if the potential threat materializes into actual malicious activity, there is a means to detect and stop the insider.

Do companies need an insider threat practice, and if so what does that look like?

VC: Companies should begin thinking about technical insider threat scenarios even prior to making the decision to invest in a dedicated insider threat practice. Many HR departments are accustomed to dealing with the unhappy employee scenario. These departments should involve their IT or IT security staff to supplement HR behavior monitoring with vigilance for technical threat indicators. For example, regular audits and tracking of proprietary data that may be accessible to unhappy employees are an encouraged practice.


How much of preventing and resolving insider threats depends upon having the right technologies versus having someone on staff who understands legal process and investigation methods?

RL: Mature insider threat organizations know that a blend of all of these capabilities and domains is necessary to run an effective program. Legal and HR are key stakeholders in the ability for investigators to do their jobs. Technology relies upon human analysts to act upon flagged indicators. Investigators must use legal and process diligence to ensure the integrity of findings.

VC: In a recent engagement, and in close coordination with a client’s legal team, we deployed a proprietary data loss detection platform to the network of a company that had just completed an acquisition and was in the process of integrating the acquiree into the larger organization’s network. When operators detected and investigated customer documents being opened in an unknown network space, they discovered technical infrastructure surreptitiously procured by rogue employees. This server environment was used to share client data, and as infrastructure for an unrelated personal business. The investigation was conducted with legal and HR oversight, ensuring the findings could be used in legal/employment proceedings.

Does technology now easily allow companies to catch people in the act, so to speak, before data is leaked?

RL: Technology is maturing and insider threat detection tools are an important facet of mature programs. Technology’s primary purpose is to provide indicators. For example, a system could be tuned to detect three behavioral indicators: off-hours network access, opening of documents that are considered critical proprietary data and any emails sent to a competitor’s email domain. While just one of these indicators may be completely benign, if the system detected all three by a single employee, there may be cause for further investigation.

What is the most important thing a company could do to prevent insider threats?

RL: If starting from scratch, start by conducting employee awareness briefings on threats and data protection and ensure that some type of logging is done on every endpoint. Becoming educated on the insider threat domain is important: there are documented indicators of malicious activity that most IT/HR departments should be able to track. For example, a significant percentage of IP theft cases happen within a 90-day window before and after the departure of an employee. Monitor any attempts to escalate privileges for all employees during such a window.

Collaboration with legal and HR is critical at all stages of developing an insider threat program. Gathering input from all stakeholders helps ensure that future investigations flow seamlessly, that evidence collected can be used in legal/employment action and that security personnel and investigators can prosecute their work to the full extent allowed by internal processes and the law.
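The indicator correlation RL describes in the two answers above (three behavioral indicators observed for one employee, plus privilege escalation inside the 90-day departure window) is shown below as an added example; it is not code from Nisos or from the article. The event records, the business-hours boundary, the critical-document list, the competitor domain and the departure date are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not data from the article: (timestamp, user, event_type, detail)
EVENTS = [
    ("2023-03-14T02:10:00", "alice", "login", "vpn"),
    ("2023-03-14T02:25:00", "alice", "doc_open", "roadmap_2024.docx"),
    ("2023-03-14T09:00:00", "alice", "email", "contact@rivalcorp.example"),
    ("2023-03-14T10:00:00", "bob", "doc_open", "roadmap_2024.docx"),
    ("2023-03-14T23:30:00", "bob", "login", "vpn"),
    ("2023-03-15T11:00:00", "carol", "email", "friend@mail.example"),
    ("2023-03-20T14:00:00", "dave", "priv_escalation", "sudo -i"),
]
# Assumed reference data an organization would maintain itself (placeholders, not real values).
CRITICAL_DOCS = {"roadmap_2024.docx", "customer_list.xlsx"}
COMPETITOR_DOMAINS = {"rivalcorp.example"}
DEPARTURES = {"dave": "2023-04-30"}          # announced last day, ISO date
BUSINESS_HOURS = (7, 19)                     # 07:00-19:00 local time counts as on-hours
DEPARTURE_WINDOW = timedelta(days=90)        # the window RL cites for IP theft cases

def indicators_for_event(ts, user, kind, detail):
    """Map one raw event to the behavioral indicators it satisfies (possibly none)."""
    when = datetime.fromisoformat(ts)
    found = set()
    if kind == "login" and not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
        found.add("off_hours_access")
    if kind == "doc_open" and detail in CRITICAL_DOCS:
        found.add("critical_doc_open")
    if kind == "email" and detail.rsplit("@", 1)[-1].lower() in COMPETITOR_DOMAINS:
        found.add("email_to_competitor")
    if kind == "priv_escalation" and user in DEPARTURES:
        last_day = datetime.fromisoformat(DEPARTURES[user])
        if abs(when - last_day) <= DEPARTURE_WINDOW:   # before or after departure
            found.add("priv_escalation_near_departure")
    return found

def correlate(events):
    """Aggregate the indicators seen for each user across the whole event set."""
    per_user = defaultdict(set)
    for ts, user, kind, detail in events:
        per_user[user] |= indicators_for_event(ts, user, kind, detail)
    return dict(per_user)

def users_to_investigate(events):
    """Users showing all three of RL's indicators, or the departure-window one, sorted by name."""
    triad = {"off_hours_access", "critical_doc_open", "email_to_competitor"}
    hits = correlate(events)
    return sorted(u for u, ind in hits.items()
                  if triad <= ind or "priv_escalation_near_departure" in ind)
```

Calling `users_to_investigate(EVENTS)` on the constructed data flags only the user with all three indicators and the departing user who escalated privileges; a user with one or two indicators is left alone, matching RL's point that a single indicator is often benign.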

VC: We recommend robust auditing and detection technologies, such as data loss detection and prevention software, or security information and event management (SIEM) software. Early detection helps prevent confidential data from winding up in the hands of a competitor, in a Twitter feed, or on the front page of a major newspaper. Finally, having the right partners in the rolodex to bounce ideas off or when expert assistance is required can save valuable time in the event of an incident.

Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.
