Last month, Special Agent Scott Mahloch, weapons of mass destruction coordinator for the Chicago division of the FBI spoke at the Food Safety Consortium about how food companies can protect themselves against terrorism by identifying the insider threat and some of the FBI’s initiatives in this area. While the focus of his talk was around protecting the food supply from intentional contamination with chemical, biological, or radiological (CBR) agents, I found that much of the advice on guarding against these types of Insider Threats directly applies to cybersecurity and it would be interesting to share how these tips can be applied in IT security -- not only for food companies, but companies in general.
An Insider threat is a malicious threat posed by people from within the organization, such as employees, contractors or even former employees who exploit their position or credentials to steal or sabotage valuable physical property, intellectual property, or computer systems. There are a variety of reasons that employees become insider threats and personal factors can play a big role. It could be related to terrorist-sympathizing beliefs, job related issues, financial need, problems at home, compulsive disorders, or even ego.
There are three areas the FBI talks about in terms of protecting an organization from insider threats: Surveillance, Being Proactive and Taking Action.
Mahloch states, “One of the biggest concerns that we have is the disgruntled employee and the FBI really isn’t in the position to identify these people. That’s going to be the frontline supervisors, the coworkers that can see somebody’s behavior that maybe deviates outside anything that they would recognize as being baseline behavior.” Looking for suspicious behaviors like people taking photographs, being in places they shouldn’t be or attempting to gain operational information in person, by phone or email are all important to watch out for in the case of a physical sabotage threats.
From a cybersecurity insider threat perspective, you need to do the same thing. Organizations should monitoring the online behaviors of people and systems. User and Entity Behavioral Analytics (UEBA) is a technology that can help companies with threat detection. It can learn the behavior of what people and entities do on a normal basis to set a baseline (where do they log in from, what systems do they access, what privileges do they have, etc). By understanding what is normal from users and entities, when something unusual or suspicious does happen, UEBA will detect it. (For example, perhaps a user is suddenly accessing a server they don’t usually access and they are doing it from a foreign location.)
The FBI advises taking preventative steps to protect the business, products and people. Along with looking for unusual behavior they suggest monitoring for tampering, securing open containers, controlling physical access to specific parts of the facility, and training employees on how to recognize, report and help improve security.
This same advice can be applied to cybersecurity as well. Security teams should look to find ways to tighten up security. Some areas to look at would be ensuring that people don’t have more privileges than they should, closing down stale accounts, making sure people have strong passwords, and training employees on how to be more secure when working online. Along with monitoring behavior, UEBA can help provide greater visibility into some of these areas so that security teams can easily identify areas where they can proactively reduce their attack surface and reduce their overall risk.
Mahloch then talks about why it’s important to take action. “Once suspicious activity is observed, the facility security officer or manager should be notified, and from there a decision can be made on whether external parties need to be involved.”
On the cyber side of insider threats, the same applies. Security teams need to take action on suspicious behavior and threats. The challenge for many security teams is that they are often inundated with alerts. Some of which are false positives and others of various severity. It can be a time consuming and mundane process to go through alerts but it’s necessary in order to prevent and catch threats that could have a monumental impact on the business.
This is another area where an intelligent UEBA solution can lend a hand. More advanced UEBA solutions, like Behavioral Firewalls, will not only detect suspicious activity but they can automatically respond to threat in variety of ways based upon the type of threat, the target and the behavior. For example, here’s a common scenario. A privileged user accesses multiple servers he doesn’t normally access. Traditionally, an alert is generated and manually reviewed by security professionals. The user would be prompted to validate their identity using multifactor authentication. If unsuccessful, they can be blocked, potentially stopping an attacker who stole someone’s credentials. This entire process is completed without a security analyst getting involved.
The parallels of detecting and preventing physical insider threats and cyber insider threats are quite similar and UEBA is a great starting point to building a solid Insider Threat program. To learn more about how UEBA can help organizations with detecting and automatically responding to insider threats, you can download this whitepaper on User and Entity Behavior Analytics and Adaptive Response.