Insider Threat: Three Steps to Restoring User Accountability

How to protect your organization from the most prevalent insider threat: legitimate users with access to confidential information

Compliance controls and initiatives drive the majority of today’s IT solutions and processes. However, when we look specifically at insider threats, we remain subject to continued incidents stemming from a lack of accountability.

Although accountability is frequently listed with authentication and access control as three key tenets of security, it is often the weak link. Here’s why: in terms of authentication, we have seen a great deal of activity in the identity management space from major vendors offering a variety of device-based and multi-factor authentication methodologies. From an access control perspective, modern operating systems are relatively solid, and compliance initiatives have driven adoption rates of logging and audit tools that systematically validate user activity.

Despite such protection, we face no shortage of examples where authentication and access controls have been entirely disregarded, demonstrating a weakness in the area of the third key tenet, accountability. The first two controls only get us to the point of implicit trust. It is accountability that really prevents users from performing malicious or illegal activities. After all, it may be the “trusted” employee who downloads data he shouldn’t have access to, such as the data on a stolen laptop.

Step 1: Create Awareness and Educate Users

The first step in achieving accountability is user awareness. Users must clearly understand what the organization expects from them in terms of security, and they must recognize the threats that they could potentially face.

Unfortunately, many organizations simply distribute a policy document to users—which may or may not be updated based on emerging threats—after which it is assumed the employee understands and will abide by the published guidelines. End users in such an environment can deny responsibility, profess ignorance, and take legitimate refuge behind the proverbial excuse of “I did not know.” By actively engaging users in continuing education in threat and risk management, and by including some form of personal sign-off acknowledging an understanding of what is expected of the user, organizations can achieve a true benchmark of how well their employees understand the security policy.

Step 2: Enforce Consequences

Moving beyond simple policy awareness, there must be a sense of responsibility imparted to users. Users must understand that there are serious consequences to infractions so that they think long and hard before attempting something malicious. Likewise, they must realize that carelessness and an inadvertent action could lead to a policy breach with serious ramifications for the organization.

Equally important to accepting responsibility is understanding the consequences that result from a policy infraction. It is critical that users realize that they are accountable for actions that lead to security incidents. Nothing must be left to question in users’ minds as to what the result of an infraction will be. Regulations that are enacted but not enforced have no value. If a situation deserves a place in organizational policies, management must be committed to following through on resulting infractions. While there will certainly be varying degrees of severity for actions, the consequences of any given incident must be outlined in clear language, and enforced consistently and fairly at all levels of the business.

Step 3: Increase Visibility into User Activity

“Familiarity breeds contempt” is a widely applicable notion in today’s information security realm. With just a broad understanding of company processes and the presumed limits on what may be detectable in a literal flood of data, users feel invisible, obscured by the massive amounts of daily transactions in a typical organization.

While plenty of audit controls and logging activity may be going on, noting who has accessed what, the proverbial needle-in-a-haystack problem gives users a relative level of comfort that unauthorized activities will go unnoticed. Given the state of active insider threats today, it is evident that users have little concern for such controls and continue to abuse their granted trust.

To address the issue of visibility into user activity, we must move from simply logging every time data is accessed to concentrated efforts on what is happening with the data once it is accessed. Additionally, once we start gaining visibility into user activity, we must be willing to change and evolve policies to defend against the specific policy violations as they are uncovered.

Your Next Steps

All organizations have intellectual property to defend. The depth and level of detail to which an organization is willing to go to protect its sensitive data is likely to be determined by the associated business drivers.

As a baseline, you could start with vertically focused content filtering tools for outgoing e-mail, browser activity, or instant messaging. That may suffice for some organizations.

If you are interested in protecting a broader array of potential dissemination points, a network-based content filter may provide some focused insight into specific areas where your data may be going.

Companies with critical information that are truly dedicated to stopping the insider threat will require a greater degree of granular control over what is filtered. In addition, they need a means to protect against localized extraction methodologies such as removable media or printing. Such visibility requires a holistic approach. For example, a comprehensive approach should offer real-time monitoring of user desktops and rich tools for establishing a clearly delineated rule set that addresses what type of data is allowed to move and to where it may move. With the vast majority of insider threats coming from legitimate users who are allowed access to confidential information, you need this level of user and data monitoring to restore user accountability and create policies to enforce it on an ongoing basis.
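The rule set described above, sketched as an added example (not code from this article or from any vendor product): a default-deny policy over what type of data may move and to where, with each violation tied back to the user and the preceding access. The event fields, document labels, channels and destinations are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # constructed event shape, not a real product's log format
    ts: int                  # seconds since start of the sample
    user: str
    action: str              # "open", or a movement channel: email, print, usb_copy, im
    doc: str
    dest: str = ""           # where the data is going (movement events only)

# Hypothetical data classification; unlabelled documents are treated as confidential.
LABELS = {"q3_forecast.xlsx": "confidential", "design_spec.docx": "internal",
          "lunch_menu.pdf": "public"}

# (label, channel) -> allowed destinations; "*" is a wildcard; no entry means deny.
RULES = {("public", "*"): {"*"},
         ("internal", "print"): {"*"},
         ("internal", "email"): {"corp.example"},
         ("confidential", "email"): {"corp.example"}}

def allowed(label, channel, dest):
    for key in ((label, channel), (label, "*")):
        dests = RULES.get(key)
        if dests is not None:
            return "*" in dests or dest in dests
    return False             # default deny: a movement nobody wrote a rule for

def violations(events):
    """Return (user, doc, channel, dest, ts_of_last_open) for each denied movement."""
    last_open, out = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "open":           # access alone is logged, not flagged
            last_open[(e.user, e.doc)] = e.ts
            continue
        label = LABELS.get(e.doc, "confidential")
        if not allowed(label, e.action, e.dest):
            out.append((e.user, e.doc, e.action, e.dest, last_open.get((e.user, e.doc))))
    return out

SAMPLE = [                   # constructed activity, not real data
    Event(0, "alice", "open", "q3_forecast.xlsx"),
    Event(40, "alice", "email", "q3_forecast.xlsx", "corp.example"),
    Event(90, "alice", "usb_copy", "q3_forecast.xlsx", "E:"),
    Event(100, "bob", "open", "design_spec.docx"),
    Event(130, "bob", "email", "design_spec.docx", "mail.example.net"),
    Event(150, "bob", "print", "lunch_menu.pdf", "printer-2"),
    Event(200, "carol", "im", "unknown.zip", "chat.example.net"),
]

if __name__ == "__main__":
    for v in violations(SAMPLE):
        print(v)
```

The access events on their own raise nothing; only the movement that follows is evaluated, which is the shift from logging access to watching what happens to the data afterwards.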

About the Author

Sam Fleming is the CTO of NextSentry. Mr. Fleming drives the development of the company’s flagship security products. Prior to NextSentry, he was the founder and CTO at A Perfect Web. Fleming’s security interests include data management, social engineering, encryption, and disaster recovery.