The insider threat
No matter what industry or sector you are from, it’s commonly understood that the greatest risk to any organization comes from the insider threat. The threat comes from either malicious or unintentional activity of an individual with authorized access. (The full definition from CERT is here).
Also keep in mind, almost every external attack eventually looks like an insider. The use of compromised internal credentials is the most common threat action in data breaches (Verizon, Data Breach Investigation Report 2018). It’s much easier to steal a trusted insider’s credentials and bypass traditional cyber security controls than it is to break through the firewall. This underpins the value of identifying insider threats as early as possible.
No technology can completely eliminate the chance of an attack, but there is a way to drastically reduce the potential risks that stem from the exploited, careless and malicious insider.
User logon activity is the key to spotting a potential threat
Insider threats are generally difficult to spot. Simply logging all network activity is not sufficient to protect an organization from either malicious or careless activity. The goal is to look for leading indicators of improper, malicious or careless employee behavior.
This is found in watching for abnormal user activity – but it needs to be activity that suggests a potential threat, and not necessarily activity that suggests threat activity is in progress.
For example, you can watch for excessive copying of files, or surges in upload web traffic to spot potential data theft, but the reality is once these activities occur, it’s too late – the threat action has taken place.
What needs to happen is:
- Watch for activity that occurs well before threat actions are taken. The earlier detection occurs, the less damage the threat can do.
- Create as few false positives as possible. If detection parameters are too broad, IT spend their time chasing ghosts and not stopping threats.
- Don’t just detect the threat. Stop the threat - well before any malicious action takes place.
To do this, focus your efforts on the one part of the attack that can’t be bypassed – the logon.
This is more than just privileged user logons
Anyone with access to data that’s considered valuable externally is potentially a threat – not just privileged users. And when we say anyone, we do not just mean immediate employees. Consider the extended enterprise today of partners, contractors, supply chains... anyone who has access to your network.
Our independent research highlighted six common insider threat personas.
Stopping insider threats with logon security
The simplest activity common to every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.
For most employees the only security protecting access is a password, and once the attacker has it they can easily bypass most companies’ security controls.
The concept of enhanced logon security centers around four primary functions – all working in concert to maintain a secure environment. On a Windows Active Directory environment this is achieved with the software UserLock.
- Policy & Restrictions – Establishes who can log on, when, from where, for how long, how often, and how many sessions at once (simultaneous sessions). It can also limit specific logon types (such as console- and RDP-based logons).
- Real Time Monitoring & Reporting – Every logon is monitored and tested against existing policies to determine if a logon should be allowed. Reporting helps ensure detailed insights for any investigations.
- IT and End-User Alerting – Notifies IT and the user themselves of inappropriate logon activity and failed attempts.
- Immediate Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.
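The four functions above can be read as a small decision engine: a per-account policy, a monitor that tests every logon against it, an alert on each denial, and an operator action that blocks further logons. The following is an added illustration, not UserLock's code or configuration. It assumes a hypothetical `LogonPolicy`/`LogonMonitor` model and constructed events for a fictional account `alice` on fictional workstations (`WS-FIN-01`, `WS-FIN-02`, `WS-HR-07`); the logon type numbers are the real values used in the Windows Security log's Event ID 4624 "Logon Type" field.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set

# Windows Security log "Logon Type" values as recorded in Event ID 4624.
INTERACTIVE = 2          # console logon
NETWORK = 3              # SMB, mapped drives, etc.
REMOTE_INTERACTIVE = 10  # RDP


@dataclass
class LogonPolicy:
    """Per-account rules: where, how, when, and how many sessions at once (hypothetical model)."""
    allowed_workstations: Set[str]
    allowed_logon_types: Set[int]
    hours_start: time
    hours_end: time
    max_concurrent_sessions: int


@dataclass
class LogonEvent:
    account: str
    workstation: str
    logon_type: int
    when: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


class LogonMonitor:
    """Tests every logon against the account's policy, tracks live sessions,
    records an alert on each denial and lets IT block an account outright."""

    def __init__(self, policies: Dict[str, LogonPolicy]):
        self.policies = policies
        self.active: Dict[str, List[str]] = {}   # account -> workstations with a live session
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []

    def evaluate(self, ev: LogonEvent) -> Decision:
        # Checks run in order; the first failing rule decides and is reported.
        if ev.account in self.blocked:
            return self._deny(ev, "account blocked by IT")
        policy = self.policies.get(ev.account)
        if policy is None:
            return self._deny(ev, "no logon policy for account")
        if ev.workstation not in policy.allowed_workstations:
            return self._deny(ev, f"workstation {ev.workstation} not permitted")
        if ev.logon_type not in policy.allowed_logon_types:
            return self._deny(ev, f"logon type {ev.logon_type} not permitted")
        if not (policy.hours_start <= ev.when.time() < policy.hours_end):
            return self._deny(ev, "outside permitted hours")
        sessions = self.active.setdefault(ev.account, [])
        if len(sessions) >= policy.max_concurrent_sessions:
            return self._deny(ev, "concurrent session limit reached")
        sessions.append(ev.workstation)
        return Decision(True, "ok")

    def logoff(self, account: str, workstation: str) -> None:
        sessions = self.active.get(account, [])
        if workstation in sessions:
            sessions.remove(workstation)

    def block(self, account: str) -> None:
        """Immediate response: refuse further logons and drop live sessions."""
        self.blocked.add(account)
        self.active.pop(account, None)

    def _deny(self, ev: LogonEvent, reason: str) -> Decision:
        # The alert is what IT (and optionally the user) would be notified with.
        self.alerts.append(f"{ev.when:%Y-%m-%d %H:%M} DENY {ev.account} "
                           f"from {ev.workstation} (type {ev.logon_type}): {reason}")
        return Decision(False, reason)


def run_sample() -> List[Decision]:
    """Constructed scenario: one finance user with a tight policy."""
    policy = LogonPolicy(
        allowed_workstations={"WS-FIN-01", "WS-FIN-02"},
        allowed_logon_types={INTERACTIVE},
        hours_start=time(8, 0), hours_end=time(18, 0),
        max_concurrent_sessions=1,
    )
    mon = LogonMonitor({"alice": policy})
    d = datetime(2018, 6, 4)  # arbitrary date for the constructed events
    events = [
        LogonEvent("alice", "WS-FIN-01", INTERACTIVE, d.replace(hour=9)),                    # normal day
        LogonEvent("alice", "WS-FIN-02", INTERACTIVE, d.replace(hour=9, minute=5)),          # second concurrent session
        LogonEvent("alice", "WS-FIN-01", REMOTE_INTERACTIVE, d.replace(hour=9, minute=10)),  # RDP not permitted
        LogonEvent("alice", "WS-HR-07", INTERACTIVE, d.replace(hour=10)),                    # valid password, wrong machine
        LogonEvent("alice", "WS-FIN-01", INTERACTIVE, d.replace(hour=22, minute=30)),        # after hours
    ]
    decisions = [mon.evaluate(e) for e in events]
    mon.logoff("alice", "WS-FIN-01")   # session ended, so a new one is allowed again
    decisions.append(mon.evaluate(LogonEvent("alice", "WS-FIN-02", INTERACTIVE, d.replace(hour=11))))
    mon.block("alice")                 # IT responds to the run of alerts
    decisions.append(mon.evaluate(LogonEvent("alice", "WS-FIN-01", INTERACTIVE, d.replace(hour=11, minute=30))))
    return decisions


if __name__ == "__main__":
    for dec in run_sample():
        print(dec)
```

The fourth event is the one the rest of the page is about: the password is correct, yet the logon is refused because it comes from a workstation the policy never permitted, so a stolen credential alone buys the attacker nothing and IT is alerted before any action on data takes place.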
In essence, enhanced logon security makes the logon itself a scrutinized and protected event. The ability to successfully log on (and remain logged on) becomes more than just whether the right credentials are used. In doing so it offers effective protection against the insider threat.
An early indicator to prevent attacks
A logon security solution will detect an abnormal access attempt based on the customized and granular logon policies that are set for that particular account (employee). It will act accordingly - either denying or approving the logon - and alert IT (or the appropriate user themselves) if stipulated.
The potential insider threat scenarios that are now thwarted include:
- It protects exploited users (from phishing attacks or malicious colleagues) with controls that make genuine but compromised employee logins useless to attackers.
- It outright restricts certain careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers.
- Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously, ensures a quick response to suspicious activity, offers evidence to address violations that do occur and makes all users more careful with their actions.
What’s more, end-users are notified with tailor-made messages and alerts – including alerts on their own trusted access. Informed employees are another line of defense.
Logon Security with UserLock is a simple, efficient and effective means of thwarting potential insider threats. It provides a protective layer at the logon, which logically exists before action occurs, to stop the threat entirely. No logon, no threat.
Cost-effective insider threat software
The insider threat is real and it’s here. Today. On your network already. They are the employees you work with every day, where the shift to them becoming an insider may take little more than a broken-up relationship, passed-up promotion, or personal hardship. So, having a proactive and cost-effective solution to address insider threats is as important as your endpoint protection, firewalls, and email gateway.
By leveraging the security software UserLock, you put the focus of your insider threat detection and response well ahead of any malicious actions that could take place.