Insider Threats - A Growing Concern
The insider threat risk has never been larger and carried more concern than now. A few years ago a stock trading algorithm was liberated without consent from a New York financial firm. The deviant was caught and adjudicated. More recently, an NSA contractor was arrested for stealing confidential data. This was announced on October 5, 2016.
To think this is an isolated incident and won’t happen again is a farce. There will continue to be other nation-states focused on exfiltrating proprietary and confidential data whatever means necessary. Other countries will continue to want to seek the data on our national financial system. These and other sources of data will continue to be coveted. The insider, as a vector for the attack, will continue to be used to this end.
These inside threats are continuing to be a significant threat and an act to monitor for. This is a valid information security risk, however finding this continues to be problematic due to technology, new methods to secure data and data flow, and the increasing value of certain data sets (medical records, proprietary engineering designs, financial data, etc.).
Previously, the worry and concerns were with the staff members download data onto a USB thumb drive, slipping this nonchalantly into their pocket, and walking out of the office. This was recognized as an issue and at the specific business this functionality may have been turned off. Other methods to remove data were found and utilized. This has again been modified significantly. The risk has increased with the mobile and cloud aspects. There is also the case of the hapless, yet negligent employee whose oversight exposes the company to risk.
In this new level of the Infosec fight, data analytics certainly are a benefit and can be useful in finding and predicting these issues. One important aspect regarding this involves the baseline behavior, with a margin to accommodate differences in their behavior. The behavioral points outside of this margin are to be considered anomalous and an area to review. This could be nothing to be concerned about, or could be a sign of the employee leaving soon for another company with your proprietary information. Historically there have been issues with this in the form of defining normal and by default malicious behavior. To bypass this, the data scientist would need to treat this as more of an art in comparison to the statistical science.
Another issue has been with the rule-setting for the analysis of anomalous behavior. These have tended to be rather static. In effect, these were set and not reviewed later. The rule sets need to be more dynamic and checked regularly, either by a human or more preferably automatically with the implementation of machine learning. By not reviewing the rules at some point or with regular intervals, additional noise may be added to the data set, making the analysis and subsequent threat hunting more of an issue. As a bi-product the inattentiveness may also provide for more false positives.
For this to work well, the system needs to be dynamic and involve at some level machine learning. This automation will improve the performance and lessen the need for manual intervention.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.