It’s no great surprise that insider threats account for 75% of data security breaches. After all, employees are in the best position to compromise our sensitive data, whether intentionally, or by accident. A breach could be caused by a disgruntled ex-employee, a lost or stolen device, or a naïve employee clicking on a fraudulent email. Whatever the reason, confronting insider threats needs to be our top priority.
In order to detect insider threats, we must be able to identify suspicious behaviour. However, how can we identify suspicious behaviour if we don’t have a clear picture of what kind of behaviour is considered normal. The answer is, we can’t. As such, there is a lot of groundwork that needs to be done before we can detect and manage insider threats. Below are some tips for establishing a baseline state from which we can work from.
Tip #1: We need to know exactly where our data resides and develop an inventory of our data which can be used as a reference. If our data is fragmented across multiple systems, it may be helpful to use a data discovery tool which can locate, classify and report on wide range of sensitive data. Data classification will help us to ensure that our data is located where it should be. A simple classification schema would include: Public, Internal, and Restricted data.
Tip #2: Only keep data if it is absolutely necessary.
Tip #3: Grant users the least amount of privileges necessary for them to adequately carry out their duties.
Tip #4: Ensure that all company devices are using automatic screen locking to prevent any snooping when a device is left unattended.
Tip #5: Make use of application whitelisting and blacklisting to prevent users from downloading and executing potentially malicious software.
Tip #6: Make an extensive list of all potential threats. Just as we are not able to detect anomalies without knowing what the typical system state should be, we can’t detect anomalies if we don’t know what we are looking for.
In addition to establishing a well-documented baseline, there will be many ongoing management and maintenance operations that will need to carried out. Below are some tips to help us maintain the security of our data:
Tip #1: It is very important to ensure that staff members are sufficiently trained to spot potential security threats, such as phishing emails, or any other kind of suspicious behaviour.
Tip #2: We must ensure that we dispose of old equipment securely.
Tip #3: We must ensure that staff members are logging-off their devices when they are not in use.
Tip #4: When dealing with potential employees or contractors, we must carry out background checks to ensure that they are adequately screened.
Tip #5: We must ensure that employees are not saving their passwords in their browser.
Tip #6: We must scan all new devices before they can be allowed to connect to the network.
Tip #7: Any devices that contain sensitive data should be physically secured – which can include anything from fencing, locks, security guards, access control cards, CCTV, and so on.
Tip #8: Remote-location wiping should be enabled on all work devices, in order to protect sensitive data in the event that the device gets lost or stolen.
So, we know what we’ve got, we know where to look, and we know what to look for. Our next challenge is figure out how we can detect and respond to suspicious behaviour, quickly and efficiently. Sure, we can scrutinize the native server logs in order to spot anomalous system events. However, doing so would be like finding a needle in a hay-stack. And it would completely unnecessary given the number of affordable, easy-to-use and sophisticated auditing solutions that are available us. Solutions such as LepideAuditor can enable us to detect, alert and respond to privileged account abuse, suspicious file and folder activity, anomalous logon failure, and a lot more.