The Blind Spot of Insider Threat

By Paul Calatayud, Guest Blogger, Code42

Security threats from inside the organization are increasing, but too many organizations hesitate to address the issue. They’re afraid that monitoring employee behavior implies they don’t trust employees. Today, the reality is that employees are often unintentional actors. They’re increasingly being used as vectors and vessels by sophisticated cyber organizations, which want employee credentials to access valuable data.

We’re seeing an increase in employee-targeted phishing attacks and credential theft, because the credentials allow hackers to bypass a huge amount of security investment—the firewall, the perimeter, the encryption—essentially 90% of your security strategy.

As CISOs, we need to get past the insider blind spot to adequately protect our organizations. The first step is to define insider threat more accurately and more tactfully—as either a known actor with motive and opportunity or an actor who unknowingly becomes a conduit, who is essentially a victim.

I try to take an approach that defends against both scenarios, an approach that says: “I’m not sure if your credentials were handed to the bad guy or harvested through malware. Regardless of how it happened, if there’s a deviation or situation where a credential is suspect, then we will detect and respond.”

The bigger challenge is how to detect the deviations. And that requires understanding what the normal state looks like. If you were to look at Edward Snowden and say you wanted to protect against that type of data breach, then you have to be able to understand at what point his access and his abuse occurred. At what point did he go from his normal three years as a contractor to someone behaving maliciously.

Or in the case of Anthem, in which a database administrator’s credentials were stolen, when did that administrator’s normal network behavior change. If the admin logged in every day from 9 to 5 p.m. and then all of a sudden was logging in at 3 a.m., that would tell you something.

To understand what normal looks like at Surescripts, we’ve invested in advanced analytics and other technologies that allow us to profile good behavior. So if we had an Edward Snowden, I would have been able to see and potentially detect the moment he started to abuse his privilege, because I’d have a historical view of his digital behavior over the past three years.

The key for any CISO to gain support for this type of internal profiling strategy is not to focus on distrust. Rather, focus on the need to find the anomalies that lead to internal data breaches—by both intentional and unwitting internal actors.

Paul Calatayud is the Chief Information Security Officer for Surescripts.