Technology advances have made it easier to detect subtle, anomalous end-user behavior, such as installation of unusual apps on endpoint devices, or suspicious deviations from baseline activity. This roundtable discussion examines methods to build monitoring, control and context into enterprise insider threat protection efforts both when dealing with privileged users and regular employees.
Moderator: John Dix, Network World, Editor-in-ChiefParticipants:· Eric Ogren, Analyst, Ogren Group· Feris Rifai, CEO, Bay Dynamics· Ken Ammon, Chief Strategy Officer, Xceedium
Let's start by defining the insider threat problem. How big is it?
AMMON: For a long time now there has been this grass hut/steel door approach to security, with no real policy enforcement internally, and you've seen spear phishing and credential theft approaches yield access to the internal infrastructure with little ability to prevent escalation of privileges. And with third-party access and cloud computing, it's really expanding the risk plane of the insider threat, and as a result we've seen an explosion of interest in the core problem.
OGREN: When I think of insiders I think of privileged users and intruders masquerading as privileged users. And it's not so much the frequency of these attacks but the magnitude of what they can get once they get privileged access. Big breaches come from privileged users.
RIFAI: Insider identity credentials are certainly higher risk today than ever before. Employees that have privileged access to information, or even contractors and providers with access, are now primary targets for cyber criminals. Look at Target. Most agree that that involved insider credentials that were stolen or taken advantage of.
AMMON: I think the access points mobile tools, BYOD, interconnected businesses — significantly magnify the threat and have led to this evolution of sophisticated units that are using targeted methods to take advantage of legacy security weaknesses.
OGREN: In the old days everything had to be in the building, and the perimeter kind of worked. Nowadays, not so much — with mobility and hosted apps and outsourced admin and data centers that may not even be on your own premise. So it's easier to have communications channels that bypass traditional security systems.
Have organizations shifted their resources enough to address these threats?
RIFAI: Surveys show people understand they have problems, but are preoccupied with defending the perimeter when they should be equally concerned about defending their interiors. Keep in mind that once an external attack breaches a network perimeter, it becomes an insider, so you really have to look at internal security as seriously as you do external security. And by definition an insider is a person, so you must pay attention to not only who is using your sensitive data today, but how they are using it.
Sign up for MIS Asia eNewsletters.