The evolution of insider threats and why security culture needs to change

Proofpoint’s resident CISO Deborah Watson discusses the growing threat of non-malicious insider threats to government data and how leaders can adapt their security approach.

Deborah Watson is the Resident CISO at Proofpoint with over 20 years’ experience in security.

Federal agencies continue to evolve their IT infrastructure to include more cloud capabilities, mobile devices and remote connections. But in the push toward improving the hybrid IT environment, organizations may be falling behind in their ability to mitigate security risks from inside their networks, especially to understand how employees and contractors access data.

Deborah Watson, Resident CISO, Proofpoint

What agencies need is a way to see their security blind spots and see specific indicators of compromise that would help them distinguish malicious and non-malicious insider threats.

That is why we see more organizations adopting a people-centric approach to security that provides risk-based insights into the activity happening across the IT environment.

Shifting the mindset around security

At Proofpoint we are seeing a shift in how actions classified as “insider threats” are evolving. In the government sector particularly, leaders tend to give more consideration to insider threats that may stem from an espionage attempt or a disgruntled employee. Today, however, insider threats are increasingly coming from non-malicious sources as well.

What is commonly referred to as a “negligent user” — meaning an employee who has taken an action that goes against policy on data usage, which results in the accidental disclosure of sensitive information — may occur more frequently because employees are exfiltrating data onto third-party applications and web-based services as a workaround to use tools they are familiar with that will help them better perform their jobs.

PDF converters are a pervasive example of how web-based free services are used rampantly as a workaround to work in an increasingly digital world. For example, if an agency won’t give a department access to their own SharePoint, maybe a user will use their own storage, like Dropbox or OneDrive. Or perhaps an employee wants to create a compelling presentation and uses free online graphic design tools, such as the increasingly popular platform Canva.

Unfortunately, employees don’t think about data exfiltration risks when they use these services, which is why ignorance — not negligence — is more often a factor for non-malicious data exfiltration.

Making data-driven and people-centric security decisions

A modern insider threat management solution needs to look at user behavior analysis and anomaly detection to go beyond basic triggers. Using more advanced detection capabilities such as bandwidth usage and login attempts can indicate when a security threat needs to be investigated.

Generally, when organization leaders decide to implement an insider threat detection solution, they come with specific use cases in mind. Individually, security leaders may have had some idea that some things weren’t right. Taking a data-driven approach to security decisions can help leaders refine security policies based on the number of violations that are occurring.

For example, maybe an organization wants to block employees from using USB devices. But instead of blocking all USB devices across the organization — opening greater risk for employees to find work-around solutions — they use a security tool to see how often USB devices are being used.

The data may show that three-fourths of employees don’t ever use a USB device, making it simple for the security team to block those users, then focus on the remaining employees using USB devices. One solution we have seen in action is implementing a pop-up survey tool for those USB users to ask them to enter why they are using the device and gather more insightful data into user behavior.

In conjunction with a larger security platform, insider threat management tools can help an organization correlate data and activity moving across cloud environments for contextual visibility and establish risk-based controls.

Building a better security culture

One misconception that organization leaders tend to believe is that security tools alone will mitigate threat risks. It is just not the case. To effectively combat insider threats — just like any other security problem — organizations need to address governance, process, people and culture.

Taking a risk-based approach to security requires gathering as much data as the security team needs to understand the context of a potential threat. But taken out of context, this approach to cybersecurity could be viewed as an employee monitoring tool — rather than a security monitory tool. That makes it increasingly important for leaders to communicate and socialize the need for a security-minded culture within the organization.

Employees also need to understand that the data required for a risk-based strategy are already collected in most cases for normal IT operations. The goal is to correlate that information into a single security platform, so security leaders can better distinguish between malicious and non-malicious threats.

The organization identifies the criteria to be monitored by an insider threat management tool. For example, logs from Active Directory, types of applications being used, or other data points around a user’s activity related to the data and context. The security tool then captures only the metadata as necessary until an indicator presents a red flag.

So, for example, if an individual logs into a financial application listed as sensitive and that employee downloads data as a part of their job, there is no cause for concern. But then, if the employee renames the file to something generic and sends it to their personal email, that would throw the red flag for further investigation. If the tool configuration criteria alerted every time sensitive data was downloaded, it would simply create a lot of noise, resulting in alert fatigue. Instead, the criteria should specify which actions are a risk — in this example, sending data out using personal email.

Agencies’ security teams need a tool to create a more informed picture about their security risks and implement adaptive security controls based on current situational intelligence. Modern security platforms, like Proofpoint’s, give security leaders the insights they need to make strategic policy and security decisions that best protect their data while still allowing access to that information from those who need it most.

Learn more about how Proofpoint can help protect federal agencies, and their people, against malicious attackers.

Latest Podcasts