
New methods for addressing insider threats: A roundtable discussion

John Dix | March 18, 2014
Technology advances have made it easier to detect subtle, anomalous end-user behavior, such as installation of unusual apps on endpoint devices, or suspicious deviations from baseline activity. This roundtable discussion examines methods to build monitoring, control and context into enterprise insider threat protection efforts – both when dealing with privileged users and regular employees.

RIFAI: You can imagine a malicious insider potentially exploiting cloud-related vulnerabilities and stealing information from a cloud system, or someone who can use cloud systems to carry out an attack on an employer's local resources, etc. But it all adds up to additional access points that you didn't have before and greater opportunity for exploitation.

So are all the necessary tools to fight insider threats available now or are we still missing some pieces?

RIFAI: It's a people-centric problem and people are multidimensional, so you have to come at it with that mindset; you've got to have a multidisciplinary approach. And there are cutting edge solutions on the market today that can tell you what is normal versus unusual on a user-by-user case and do that at a really large scale. And certainly we have made progress, but it's not necessarily something that has been highly adopted by all companies out there. There are some at the forefront using these technologies, but not everybody in the market is aware.

AMMON: I divide the challenge into two different buckets. One is the insider threat as it relates to your standard user, and the other is the insider threat as it relates to privileged users. What we've found is the problem gets very big when you talk about trying to define what role a standard user has and how to limit their access within the enterprise. It is much easier to target and define the roles for privileged users because the audience is smaller.

But attacks require two steps: gaining access, which usually involves standard users, and then elevating rights. And it's that elevating rights step that's causing the vast majority of problems you're reading about right now. If there was no ability to elevate those rights then you couldn't access a service account to distribute malware. You couldn't hijack a system to start snooping a network interface. You couldn't destroy data. So there are broad access capabilities for privileged users. It's a definable and solvable issue today with today's technology.

I think the next frontier really is, "How do you deal with the standard user?" The difficulty there is identifying the rules and the rights around each user and then deploying an enterprise system, taking into consideration legacy and evolving cloud and virtualization platforms, and enforcing that.

OGREN: So much security investment has been focused on preventing and blocking and trying to understand malware, but it's kind of a Zeno's Paradox, just taking us part way each time and we never ever get to the end. Now we're in the process of shifting to a security model that is more about user authorization and data access and data traffic. So more of, what are people doing and what are they doing with the stuff they access and where are the assets of the company going? So it's a healthy change and we're starting to get more balance back into the security model. And yes, there are technologies out there that can help companies.
