Gaby Friedlander, Co-founder and Chief Technology Officer at ObserveIT, talked about addressing the human component in mitigating insider threats.
“When I was doing troubleshooting about 10 years ago and asked a customer, ‘Who was the last person to access this computer and what did he/she do?’ there was no answer because developers were writing debug logs rather than logs of what the user did,” observed Friedlander at the outset of his thought leadership presentation at the 2016 Chief Information Security Officer Leadership Forum held on September 13 in Dallas. “So, the idea was to create a tool to capture what a user did, and I’m going to take you on a journey of where we’ve come from there.”
“Insider threats aren’t mythical, but 75% of insider threats go unnoticed,” observed Friedlander. “Insider threats are twice as costly as external threats. One in five employees will sell their password for less than a thousand dollars. People are responsible for 90% of security incidents. This is mostly negligent activity that puts companies at risk, not people intending to do harm. However, there are marketplaces on the dark web where insiders can be recruited for a few thousand dollars. The economics of having an insider are very favorable to individuals wishing to do harm. Ten years ago, the data and applications were inside the company. Today, the perimeters aren’t defined and many things are cloud-based, which significantly enhances the risk.”
Friedlander continued, “Insiders aren’t just company employees but all trusted users—contractors, IT users, and business users. Most of the activity I’m talking about isn’t malicious; it’s people bringing their own apps from home or working around security controls. People care more about their productivity than they do about security.”
Friedlander provided these examples of negligent users:
• Employees using a personal cloud drive
• Employees bypassing corporate email by using YouSendIt, WeTransfer, etc.
• Remote vendors using Gmail to send logs
• Bitcoin mining on company servers
• People accessing the dark web out of curiosity
• Using servers for downloading movies
“With insider threats, you can’t infer; you have to have concrete evidence, for legal reasons,” stated Friedlander. “Most security solutions aren’t doing a good job of dealing with insiders because they were designed with the hacker in mind. The attack chain for hackers is reconnaissance, exploitation, infection, and so on until they get their hands on your keyboard. With insiders who have malicious intent, it’s different. We’re talking about a tipping point—a point at which an employee’s ethics become compromised. There are indicators for identifying these tipping points having to do with productivity, HR, behavior, etc. Employees start searching for data they don’t usually search for, and then they capture it and hide it by encrypting it or offloading it to another machine. The last step is exfiltration.”
“I think insider threat is easier to deal with than external threat because we can proactively prevent it in negligent users,” said Friedlander. “We know who we’re dealing with—our employees and other trusted users—and we can change their behavior. When people’s perception about getting caught is changed, they start acting differently. For example, homes with security stickers and signs are 80% less likely to be targeted. To change negligent behavior, we need to monitor and educate, and we need to do this frequently, not once a year.”
Friedlander identified the key components of the insider threat-management lifecycle as detection, investigation, education, and deterrence. He presented three steps to shaping user behavior:
• detecting negligent behavior
• informing the user of the security policy
• enforcing a change in behavior
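The three-step loop applied to the negligent behaviors listed earlier, as an added illustration (not ObserveIT's product or the speaker's own code): rules run over constructed activity records, the first hit on a policy informs the user, and a repeat escalates to enforcement. The record format, the rule patterns, the `vendor-` account prefix and the `enforce_after` threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample activity records (user, action, detail); not real data.
SAMPLE_EVENTS = [
    ("alice", "web", "drive.google.com/upload"),
    ("alice", "web", "wetransfer.com/send"),
    ("vendor-bob", "web", "mail.google.com/compose"),
    ("erin", "web", "mail.google.com/inbox"),
    ("carol", "process", "xmrig --url pool.example.test"),
    ("alice", "web", "wetransfer.com/send"),
    ("dave", "process", "tor.exe"),
    ("erin", "web", "intranet.corp.example/reports"),
]

# Assumed rules: (action, regex on detail, policy name, required user prefix or None).
# Each maps to one of the negligent behaviors the talk lists.
RULES = [
    ("web", r"drive\.google|dropbox|onedrive", "personal-cloud-drive", None),
    ("web", r"wetransfer|yousendit", "bypassing-corporate-email", None),
    ("web", r"mail\.google", "vendor-using-gmail", "vendor-"),
    ("process", r"xmrig|minerd|cpuminer", "crypto-mining", None),
    ("process", r"\btor(\.exe)?\b", "dark-web-access", None),
    ("process", r"utorrent|transmission", "movie-downloads", None),
]

def detect(events):
    """Step 1: flag events matching a negligent-behavior rule -> [(user, policy)]."""
    hits = []
    for user, action, detail in events:
        for rule_action, pattern, policy, prefix in RULES:
            if action != rule_action or (prefix and not user.startswith(prefix)):
                continue
            if re.search(pattern, detail, re.IGNORECASE):
                hits.append((user, policy))
    return hits

def respond(hits, enforce_after=2):
    """Steps 2 and 3: the first hit per (user, policy) informs the user of the
    policy; from the enforce_after-th hit onward the response escalates."""
    seen = defaultdict(int)
    actions = []
    for user, policy in hits:
        seen[(user, policy)] += 1
        stage = "enforce" if seen[(user, policy)] >= enforce_after else "inform"
        actions.append((user, policy, stage))
    return actions

if __name__ == "__main__":
    for user, policy, stage in respond(detect(SAMPLE_EVENTS)):
        print(f"{stage:8} {user:12} {policy}")
```

The feedback channel the talk asks for would sit on the "inform" path: the notification is where a user can report that a control is blocking legitimate work.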
“We also need to allow users to give us feedback about security controls that aren’t working for them and why not, so we can fix these to enhance the likelihood that users will comply.”
In summary, Friedlander explained that the ROI for implementing an insider threat-management program is that monitoring and enforcing user behavior results in fewer security and compliance incidents, which, in turn, requires less labor to maintain security and compliance. “Behavior management must take center stage,” he emphasized. “Don’t look for needles in haystacks. Reduce the haystack by education and monitoring.”
ABOUT GABY FRIEDLANDER:
Gaby Friedlander co-founded ObserveIT in 2006 with the singular goal of detecting insider threats and stopping data loss for Security Officers, CIOs, and IT managers. Since then, he has built ObserveIT into the world’s leading provider of Insider Threat Management Software. He has expertise in IT security and databases.
Gaby spends most of his days working with customers, helping them understand the growing risk of insider threats and how to prevent them. When not working with customers, he's driving product direction and the future vision of the company. Gaby is a frequent speaker on the topic of IT security and risk and has presented throughout the world in over 25 countries.