Insider Threats

By Samuel Visner

The insider threat challenges not just the public sector but the commercial sector as well, placing in peril personal information, operational data, and critical intellectual property, which can be as valuable to some as the public sector’s classified information.

We have seen in the retail world how clever cyber adversaries can be, using a company’s supply chain and point-of-sale network to identify and exploit dangerous vulnerabilities.

Adversaries use insiders in a number of ways—to gain intelligence about network topologies, to find out who is working on what vital projects, and to find and elevate administrative privileges useful to cyber exploits. An insider may be someone with or without malicious intent whose access and credentials give an adversary the edge they need. An insider may also come from a supply chain or mission associate; in other words, any partner with a network linked to yours. With administrative privileges, clever adversaries can elevate those privileges, implant malware, and then wait to activate that malware for maximum payload effect. As a result, we’re seeing advanced threats coupled with the network intelligence, patience, and discipline that characterize sophisticated operational tradecraft, made all the more possible by insiders, witting or not.

Dealing effectively with insider threats requires practices old and new. Old practices include education for nonmalicious insider threats. This education includes watchfulness regarding personal information and credentials and exercising caution when sharing information on the Internet generally and via social media in particular.

Newer practices include using and enforcing good governance policies and applying continuous monitoring to detect unusual user or system behavior. New technologies offer visibility into our overall state of governance, risk, and compliance, allowing us to aggregate, analyze, and take action on data throughout an enterprise, thereby making the actions of malicious and unwitting insiders more detectable. Coupling effective cybersecurity governance policies with these tools is an effective one-two punch in reducing the threat these insiders pose.

Continuous logging and monitoring is an approach of particular value in detecting and deterring insider threats. The tools associated with this approach allow us to understand user and system behavior to an extent not possible in years past, particularly in situations where enterprises are connected to supply chain and other partner systems. These approaches and associated tools also aid in post-event detection, forensics, recovery, and prevention of additional incidents.

CSC is a leader in applying these approaches, knowing as we do that advanced malware can be difficult to detect using traditional, signature-based approaches. As a global managed security services provider, our portfolio of services allows us to help companies retool their networks, achieve enterprisewide visibility into the state of security policy enforcement, and detect cases in which policy is not being applied and anomalous behavior is present. We couple these tools with a comprehensively designed cybersecurity information management architecture, one that allows a company to immediately assess the state of security in its networks using advanced data aggregation, correlation, and analysis. As systems serve wider needs—including the devices associated with the “Industrial Internet”—CSC’s researchers are working on ways to extend these approaches to the new, integrated enterprises now emerging.

Making sure you’re prepared is the best way to protect yourself from cybersecurity breaches and insider threats. Being prepared means working with a cybersecurity partner that has the latest information management and monitoring tools. Knowing who has access to your systems and why, developing and applying rigorous security policies, detecting lapses in those policies, and tracking departures in user and system behavior from baseline conditions are steps every company can and should take. Having a partner that understands how to apply these steps is the right move.

Samuel Visner is vice president and general manager of CSC Global Cybersecurity. As one of the world’s largest IT services providers, CSC offers cybersecurity services with 20+ years of experience in the most sophisticated and challenging environments, serving business and government clients by leveraging its global integrated security operations centers to offer consulting, security services, and specialized incident response capabilities. Visner can be reached at svisner@csc.com or (703) 641-2317.