Thales Blog

Defending The Enterprise From The Insider Threat

October 8, 2013

Screen Shot 2013-10-08 at 12.27.45 PMAs you will no doubt have noticed, the last few entries on the Vormetric blog have looked at the problem of insider threats from a variety of angles. How Advanced Persistent Threats (APTs) have been designed to introduce a way for attackers to masquerade as legitimate users, how privileged user accounts present all sorts of security risks, as well as how compliance can lead to a false sense of security that leaves organizations vulnerable to inside threats. Yesterday, we also released some new findings from our research with ESG into the Insider Threat – you can read about them here.

With the problem clearly identified, what can you practically do to mitigate the risks posed from within?

Well, the main thing to consider is controlling and protecting the user accounts on your network. One very interesting finding from the now infamous research that Mandiant conducted into APT1 was that 100% of the time, breaches involved stolen credentials. When you think about this from the attacker’s perspective, this makes perfect sense, as it reduces the chances of alerting anyone to their presence. The insider threat is so potent because to all intents and purposes it appears innocuous. Therefore, to practically defend your systems you must find a way to make accounts less attractive to hackers and harder to abuse by employees.

Firstly, define your current level of exposure. Are your:

  • Rights too broadly assigned? – ‘Superuser’ privileges are often assigned to users that don’t have a real “need” for a high level of access to read private and confidential data
  • Privileged accounts being shared between users? – Traditionally, many IT departments allowed unrestricted sharing of privileged user accounts (logins and passwords), leading to a loss of personal accountability
  • Cloud, virtualization and big data projects increasing your attack surface? – With each new technology layer used as part of system deployment and management new privileged user roles are created

Once your level of exposure to the threat has been defined, you can go about isolating accounts that present a risk of abuse or a target for attack, and then control the level of access that they have by introducing encryption in such a way that any files that don’t need to be read can’t be. That way, even if an account with a high level of access is taken over, it cannot practically be used for any gain. This is looking at the problem from a very high level, however, and you must think about all the ways in which systems can be bypassed. For example, if a nefarious Root user decides to create a new account with extensive data access rights (with the intention of switching to that account themselves) Vormetric’s own solution will still identify that account with the Root user and prevent access to data.

The result of this approach is that Root users can still manage systems without the risk of exposure of protected information. There’s more information on the Vormetric website here about what you can do to reduce the risks to your network.