The unusual suspects: 3 ways to deal with insider threats
Whether intentional or accidental, the threat is real and hard to predict.
When people think of the term “inside job,” they typically envision a “Thomas Crown Affair”-type Hollywood thriller, filled with crooks using their wits and technology to stealthily make off with stolen goods under the cover of night.
For DOD IT teams, the reality of an insider threat may be far more mundane, though no less critical. In a recent survey by my company, SolarWinds, 53 percent of DOD respondents said that careless or untrained inside resources posed a serious threat to security – a higher percentage than the usual suspects, including foreign governments, terrorists or external hackers. Insider data leakage and theft were also mentioned as top concerns by a significant number of respondents.
There are many reasons why insider threats have become so commonplace. For one, there’s the proliferation of personal devices on secure government networks. For another, there’s always the threat that someone on the inside – someone like Edward Snowden, for example – could be planning to use his or her legitimate credentials to access and remove sensitive data. Finally, there’s the fact that people make mistakes and simply forget to take all of the necessary precautions to lock something down.
But while the threat level is real – and rising – there are several things defense systems managers can do about it.
1. Keep a close eye on suspicious activity
It’s like going on a virtual stakeout, but hopefully without the stale donuts and cold coffee. Instead, DOD administrators can sit back comfortably – as long as they’ve implemented a continuous monitoring system that can be their eyes and ears. The system can be set to continually scour activity on the network and automatically alert IT teams to potential breaches, data leaks or suspicious activity – a user pulling far more files than usual, or copying data well outside working hours, for example. Security Information and Event Management (SIEM), Network Configuration and Change Management (NCCM), and User Device Tracking are examples of popular tools employed to deliver continuous monitoring.
This is not a “nice-to-have,” but a necessity, a point that was reflected in the aforementioned survey, as more than 62 percent of respondents said they had implemented at least one continuous monitoring solution. Today’s government systems are far too complex, touched by too many devices and people, to be watched by hand.
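To make the "automatically alert on suspicious activity" idea concrete, here is an added example (not SolarWinds code, and not from the article) of two SIEM-style rules run over a constructed file-share audit log. The one-event-per-line log format, the users, paths and thresholds are all invented for the example: rule 1 flags any copy of data outside business hours, and rule 2 flags a day on which a user's activity count is far above that user's own baseline.

```python
"""Toy SIEM-style rules for insider data-leakage signals.

Added example; not SolarWinds product code. The one-line-per-event log
format below is invented for the example, as are the users and paths.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed sample file-share audit log (hypothetical users and paths).
SAMPLE_LOG = """\
2015-03-02T09:12:00 user=alice action=read path=/share/plans/q1.docx bytes=18000
2015-03-02T10:40:00 user=alice action=read path=/share/plans/q2.docx bytes=21000
2015-03-03T09:05:00 user=alice action=read path=/share/plans/q3.docx bytes=17000
2015-03-03T14:20:00 user=bob action=read path=/share/hr/roster.xlsx bytes=9000
2015-03-04T09:30:00 user=alice action=read path=/share/plans/q4.docx bytes=19000
2015-03-04T23:05:00 user=bob action=copy path=/share/hr/roster.xlsx bytes=9000
2015-03-04T23:06:00 user=bob action=copy path=/share/hr/salaries.xlsx bytes=44000
2015-03-04T23:07:00 user=bob action=copy path=/share/hr/clearances.xlsx bytes=310000
2015-03-04T23:09:00 user=bob action=copy path=/share/hr/reviews.docx bytes=120000
"""

BUSINESS_HOURS = (time(6, 0), time(20, 0))  # tune per site
SPIKE_FACTOR = 3.0          # a day is anomalous if > 3x the user's own baseline
MIN_EVENTS_FOR_SPIKE = 4    # ignore tiny counts that a ratio rule would over-flag


def parse_line(line):
    """'<iso ts> k=v k=v ...' -> dict with a parsed timestamp and byte count."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def off_hours_copies(events):
    """Rule 1: any copy of data outside business hours is worth a look."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["action"] == "copy" and not (start <= e["ts"].time() < end)]


def volume_spikes(events):
    """Rule 2: a user's daily event count far above their own baseline.

    The baseline here is the mean of that user's *other* days in the same
    log; a real deployment would use a rolling history window instead.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_day[e["user"]][e["ts"].date()] += 1

    alerts = []
    for user, days in per_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = mean(others) if others else 0.0
            if count >= MIN_EVENTS_FOR_SPIKE and count > SPIKE_FACTOR * baseline:
                alerts.append({"user": user, "day": day.isoformat(),
                               "count": count, "baseline": baseline})
    return alerts


def run_rules(text):
    """Run both rules over a raw log and return the hits per rule."""
    events = parse_log(text)
    return {"off_hours_copies": off_hours_copies(events),
            "volume_spikes": volume_spikes(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

On the constructed log both rules land on the same user: four late-night copies out of an HR share, on a day with four times that user's usual activity. Either rule alone produces noise (shift workers, a legitimate migration); the value of a SIEM is in correlating them and in handing an analyst the who, when and what in one alert.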
2. Keep monitoring for vulnerabilities
Just as a few inmates once escaped from Alcatraz, even the most heavily guarded systems can contain vulnerabilities. These can be caused by everything from personal devices being used on a network without authorization to missing network patches. This latter point is causing a great amount of angst among survey respondents – nearly 62 percent of them mentioned patch management as being either “essential” or “high priority” for network security.
It’s critical that network administrators develop a system that actively monitors for vulnerabilities and offers a simple way to patch them. A patch management system can show managers which systems are missing which patches and push the fixes out quickly. It can also supply them with the flexibility to control when and where patches are applied – testing a patch on a small group of machines first, then rolling it out during a maintenance window – thereby decreasing the potential for service degradation or downtime.
3. Keep your guard up at access points
Administrators can’t afford to fall asleep like a department store night watchman, and must always keep close tabs on network access points. This is getting harder as the number of personal devices on networks grows, and more switches, ports and Wi-Fi access points must be monitored.
A sound continuous monitoring system can automatically monitor device connection points throughout the network and yield a wealth of information that can be used in the fight against threats. Administrators can be alerted to where users are connecting, where they’ve been, and more. Most importantly, they can immediately learn when an unauthorized or potentially threatening device hits the network – and, by correlating the connection with logon records for the devices on the same switch port, which internal user might be behind that threat.
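The "unknown device, and which user is probably behind it" check described above, as an added example that is not SolarWinds code or part of the article. It joins three constructed inputs: a polled switch MAC table, an authorized-device inventory, and logon records that tie a MAC address to a user. The record formats, switch and port names, MAC addresses, asset names and users are all invented for the example.

```python
"""Rogue-device check: switch MAC table vs. authorized inventory vs. logons.

Added example; not SolarWinds product code. The polled MAC-table and
session formats, device names, MACs and users are all constructed.
"""
from collections import defaultdict

# Constructed snapshot of what a switch poll might return (one entry per line).
MAC_TABLE = """\
switch=sw-bldg4-01 port=Gi1/0/3 mac=00:1a:2b:3c:4d:01 vlan=10
switch=sw-bldg4-01 port=Gi1/0/7 mac=00:1a:2b:3c:4d:02 vlan=10
switch=sw-bldg4-01 port=Gi1/0/7 mac=F4-5C-89-AA-BB-CC vlan=10
switch=sw-bldg4-02 port=Gi1/0/12 mac=00:1a:2b:3c:4d:09 vlan=20
"""

# Constructed authorized-device inventory: MAC -> asset name.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": "wkstn-0417",
    "00:1a:2b:3c:4d:02": "wkstn-0418",
    "00:1a:2b:3c:4d:09": "printer-b4-2",
}

# Constructed logon / 802.1X-style records tying a MAC to the user on it.
SESSIONS = """\
2015-03-04T08:02:11 mac=00:1a:2b:3c:4d:01 user=alice
2015-03-04T08:15:40 mac=00:1a:2b:3c:4d:02 user=bob
"""


def normalize_mac(mac):
    """Switches and logs disagree on case and separators; compare one form."""
    return mac.lower().replace("-", ":")


def parse_kv_lines(text):
    """'[<ts>] k=v k=v ...' lines -> list of dicts (a bare token is the timestamp)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for field in line.split():
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
            else:
                rec["ts"] = field
        records.append(rec)
    return records


def rogue_devices(mac_table_text, authorized, sessions_text):
    """Return one alert per MAC seen on the network that is not in inventory.

    Each alert names the switch/port, the inventoried device(s) sharing that
    port, and the user(s) logged on through those devices: an unknown MAC
    behind an authorized workstation's port usually means a personal device
    was plugged in alongside it.
    """
    authorized = {normalize_mac(m): name for m, name in authorized.items()}
    user_by_mac = {normalize_mac(s["mac"]): s["user"]
                   for s in parse_kv_lines(sessions_text)}
    entries = parse_kv_lines(mac_table_text)
    for e in entries:
        e["mac"] = normalize_mac(e["mac"])

    by_port = defaultdict(list)
    for e in entries:
        by_port[(e["switch"], e["port"])].append(e["mac"])

    alerts = []
    for e in entries:
        if e["mac"] in authorized:
            continue
        neighbours = [m for m in by_port[(e["switch"], e["port"])] if m != e["mac"]]
        alerts.append({
            "switch": e["switch"], "port": e["port"], "mac": e["mac"],
            "shares_port_with": sorted(authorized[m] for m in neighbours
                                       if m in authorized),
            "likely_user": sorted({user_by_mac[m] for m in neighbours
                                   if m in user_by_mac}),
        })
    return alerts


if __name__ == "__main__":
    for alert in rogue_devices(MAC_TABLE, AUTHORIZED, SESSIONS):
        print(alert)
```

Two caveats a practitioner would add: a MAC address is trivially spoofed, so this is a detective control that complements, not replaces, port-level 802.1X or NAC enforcement; and a second MAC on an access port is sometimes legitimate (an IP phone with a PC daisy-chained behind it), so the inventory and the rule need to reflect that or the alert will be tuned out.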
In most cases, insider threats are the result of accidents without malicious intent, but they must still be given serious consideration and preparation. While the threats may or may not be derived from a criminal’s master plan, they could still result in a serious data compromise.