Insider threat management
Employees and contractors have a significant advantage over the organization’s primary security mechanisms (e.g. firewalls, access controls, physical access controls), which are built for the untrusted external attacker rather than the trusted insider. Furthermore, people working for or within the organization know which mechanisms are in place and can use this knowledge to circumvent defenses. To counter this advantage and realistically address insider threats, organizations need better capabilities in areas such as context-based monitoring, advanced behavior anomaly detection, and link-analysis-driven investigation.
Insider threats are influenced by technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies, so best practices to mitigate them involve staff across the organization. Decision makers across the organization must understand the overall scope of the insider threat problem and communicate it to everyone.
To help guide you through this process, we recommend best practices that mitigate IP theft, IT sabotage, and fraud. For example, your organization should implement strict password and account management policies and practices, enforce separation of duties and least privilege, define explicit security agreements for any cloud services, and institutionalize system change controls.
We recommend the following best practices for mitigating IP theft, IT sabotage, and fraud:
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Incorporate insider threat awareness into periodic security training for all employees.
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Know your assets.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Institute stringent access controls and monitoring policies on privileged users.
- Institutionalize system change controls.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Monitor and control remote access from all end points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Implement secure backup and recovery processes.
- Develop a formalized insider threat program.
- Establish a baseline of normal network device behavior.
- Be especially vigilant regarding social media.
- Close the doors to unauthorized data exfiltration.
We offer turn-key insider threat detection and management services:
The solution is built to address these challenges by delivering these capabilities in an out-of-the-box solution that does not require a long-term data analytics and discovery project. Using purpose-built data mining, correlation, enrichment, and analytics, the solution detects not only users with high-risk identity profiles but also high-risk activity, access, and events in an organization associated with insider threats. Simply put, the solution produces Insider Risk Intelligence. It does this by mining and analyzing a diverse set of user, system, application, security event, physical access, and even telephone activity to identify abnormal behavior associated with data theft/misuse, fraud, or IT sabotage. Beyond detection, the solution provides continuous monitoring, scoring, reporting, and advanced investigative capabilities. The solution provides the advanced technology needed for a complete insider threat management program that leverages the organization’s existing security programs and investments.
- Purpose-Built Analytics for rapid, consistent and quality analysis across key sources
- Big Data Scale to support real-time data mining and threat detection against large data feeds
- Automated Correlation and Enrichment of identity and threat information across multiple internal and external sources
- Peer Group Analysis of users’ behavior and access against their peers for automated outlier anomaly detection
- Behavior Analysis of users, peer groups, accounts, and systems for signature-less detection of insider threats
- Application & Data Risk Visibility for monitoring insider threats at the targets
- Advanced Scoring & Visualization for effective, efficient, continuous reporting of insider risk and threat levels
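The peer group analysis and scoring described above, as an added example that is not the vendor's product code: each user is compared with the rest of their department using a median/MAD baseline over constructed activity counters, and positive deviation is summed into a risk score. The users, groups, counts, feature names and the 3.5 review threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not real data): one day of per-user counters already
# aggregated from file-server and VPN logs. Columns: user, peer group,
# files accessed, after-hours logins.
ACTIVITY = [
    ("alice", "finance", 42, 1), ("bob", "finance", 38, 0),
    ("carol", "finance", 45, 1), ("dave", "finance", 40, 2),
    ("erin", "finance", 610, 9),          # bulk access plus night-time logins
    ("frank", "engineering", 120, 3), ("grace", "engineering", 135, 2),
    ("heidi", "engineering", 110, 4), ("ivan", "engineering", 128, 3),
]
FEATURES = ("files_accessed", "after_hours_logins")

def robust_z(value, peers):
    """Modified z-score against the peers' median and MAD, so one heavy
    user in the group cannot inflate the baseline the way mean/stdev would."""
    if len(peers) < 2:                    # too few peers to define "normal"
        return 0.0
    med = median(peers)
    mad = max(median(abs(p - med) for p in peers), 1.0)  # floor: one event
    return 0.6745 * (value - med) / mad

def peer_group_scores(activity):
    """Leave-one-out comparison of every user with the rest of their group.
    Returns {user: (risk_score, {feature: z})}; only activity *above* the
    peers contributes to risk, since doing less than peers is not a threat."""
    groups = defaultdict(list)
    for user, group, files, nights in activity:
        groups[group].append((user, dict(zip(FEATURES, (files, nights)))))
    scores = {}
    for members in groups.values():
        for user, feats in members:
            zs = {f: robust_z(feats[f], [m[1][f] for m in members if m[0] != user])
                  for f in FEATURES}
            scores[user] = (round(sum(max(z, 0.0) for z in zs.values()), 2), zs)
    return scores

def flag_outliers(scores, threshold=3.5):
    """Users whose summed positive deviation exceeds the review threshold."""
    return sorted(u for u, (risk, _) in scores.items() if risk > threshold)

if __name__ == "__main__":
    s = peer_group_scores(ACTIVITY)
    for u in flag_outliers(s):
        print(u, s[u][0], {k: round(v, 2) for k, v in s[u][1].items()})
```

Only `erin` is flagged in the sample: her file-access count sits hundreds of MADs above her finance peers, while engineers with naturally higher counts are judged against engineers and stay below threshold.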
The Minusday Security team continually feeds vulnerability information to its subscribers and customers, even before the OEM publishes vulnerabilities and fixes.