Tough Insider Threat Problems Identified
Two federal compliance regimens for insider threat will drive improved awareness, but not much more. They are NISPOM Conforming Change 2 regulating cleared DOD contractors, and Executive Order 13587 for Federal government departments and agencies. These standards are significant because they formally recognize the insider threat. However, they will have to evolve over time, because the initial bar is set very low.
One can get ahead of the game, though, and start learning now about the specialized technical tools and controls that are really required to protect against the insider threat. Why wait? I’m referring to advanced tools that limit the opportunity for abuse of insider credentials. The current thinking we are seeing for insider threat is user behavior analytics and continual monitoring for detection. This thrust is by definition still reactive. It will also likely suffer from many false positives, since all insiders operate under the legitimate cover of authorized privilege. This is what makes dealing with the insider threat a very tough problem.
An interesting starting point is the article “New methods for addressing insider threats: A roundtable discussion” from a few years ago. The panel provides good insights and pinpoints gaps in current security that make identification and mitigation of insider abuse problematic. The panel participants suggested looking beyond compliance minimums, and seeking out new innovations, strategies and technologies to deal with insider issues.
Insider Threat Protection Gaps
The panel identifies some hard problems for insider threat protection. Some of the good points they make are:
1) Little ability to prevent escalation of privileges:
“For a long time now there has been this grass hut/steel door approach to security, with no real policy enforcement internally, and you’ve seen spear phishing and credential theft approaches yield access to the internal infrastructure with little ability to prevent escalation of privileges.”
“ … attacks require two steps: gaining access, which usually involves standard users, and then elevating rights. And it’s that elevating rights step that’s causing the vast majority of problems.” Spear phishing and credential theft approaches yield access to the internal infrastructure; external attackers become an insider problem once in the network, “masquerading as privileged users”.
While not all attacks may originate from the insider, … it’s almost always about insider credentials!
An enterprise that can’t prevent the abuse of authorized insiders is going to have trouble defending against attackers posing as them. Note that the inability to prevent unauthorized privilege elevation is due to a different problem, the lack of systems featuring trustworthy execution environments.
2) Difficulties preventing abuses by privileged users:
It’s noted that,
“Big breaches come from privileged users”
“ … by definition an insider is a person, so you must pay attention to not only who is using your sensitive data today, but how they are using company assets, as well as controlling sensitive data flows.”
This brought up the need for better analytics and the proverbial needle-in-a-haystack search to isolate behaviors deviating from the norm, when “many companies are drowning in a sea of false positives” already. But one of the big problems is that network security has failed to provide the per-user visibility and context awareness required to do this adequately, as I discussed here. Can behavior analytics and user risk profiling compensate for this enough?
3) Difficulty dealing with the standard user:
The panel considered privileged and standard user insider issues as two different buckets, even suggesting that the next frontier is dealing with standard users.
4) Differentiation of authentication and authorization controls:
The roundtable identified the requirement for enforcement of authorized user data access and data flows going beyond initial user access to facilitate control over follow-up behaviors once the data had been accessed.
This is an ongoing problem, since authentication is generally used as a proxy for per-user authorization controls: proving who a user is gets treated as proof of what that user may do. When authentication is broken, trouble starts.
5) Expanding Risk Plane:
Just as everything is adding to the attack plane for external attackers, things such as third-party access, mobile, and cloud computing mean more access points and more avenues for the insider threat. These all require the ability to control access with a portable ability to enforce behavior boundaries.
“In the old days everything had to be in the building, and the perimeter kind of worked. Nowadays, not so much — with mobility and hosted apps and outsourced admin and data centers that may not even be on your own premise. So it’s easier to have communications channels that bypass traditional security systems.”
The question is asked,
“How are you going to manage insider users? How are you going to account for them? Is there a model that will scale?”
There is such a model, and it’s a scalable MLS (multi-level security) or cross-domain solution that traditionally was too complex to be practical and affordable. How can privilege rules be designed to follow users from the enterprise to mobile and cloud space?
6) Requirement for in-line enforcement rather than post analysis:
Proactive kernel-level rule enforcement is the ultimate for all security, not just for insider threat protection. With the vanishing perimeter one needs real-time enforcement, rather than monitoring after the fact. The deluge of data means it will be too easy for infractions to slip through the cracks. Can user monitoring deliver this?
The Insider Threat is a Tough Problem …
… and protecting against it may be a decade behind the rest of infosec. People want to believe they can trust their staff, and it’s a harder problem, etc. The insider threat wasn’t dealt with until events such as Wikileaks and Edward Snowden took place. Then the insider threat could no longer be ignored. Can the issues this panel discussion raised be addressed by big data, behavior analytics and risk profiling, and user monitoring? While there will be some improvement and benefit, wouldn’t it be preferable to reduce opportunities for insider abuse, or lay authorization tripwires so unauthorized behavior attempts would flag security in real time?
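To make points 4 and 6 and the closing question concrete, here is a small added example (my own illustration, not code from the roundtable or any product) of per-user authorization enforced in line, with an MLS-style “no read up” rule and a tripwire that alerts the moment an unauthorized attempt is denied. The sensitivity levels, users, documents and compartment names are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical ordered sensitivity levels (an assumption for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Session:
    user: str                          # identity established by authentication
    clearance: str                     # authorization attribute, separate from identity
    compartments: frozenset = frozenset()

@dataclass
class Document:
    name: str
    level: str
    compartments: frozenset = frozenset()

@dataclass
class Tripwire:
    """Records denied attempts the instant they happen (stand-in for real-time alerting)."""
    alerts: list = field(default_factory=list)

    def fire(self, session, doc, reason):
        self.alerts.append((session.user, doc.name, reason))

def read_auth_only(session, doc):
    """Anti-pattern from point 4: being authenticated is treated as being authorized."""
    return f"<contents of {doc.name}>"

def check(session, doc):
    """Return None if access is authorized, otherwise the reason for denial.
    MLS dominance: clearance >= document level and every document compartment held."""
    if LEVELS[session.clearance] < LEVELS[doc.level]:
        return f"read up: {session.clearance} < {doc.level}"
    missing = doc.compartments - session.compartments
    if missing:
        return "missing compartments: " + ",".join(sorted(missing))
    return None

def read(session, doc, tripwire):
    """In-line enforcement (point 6): decide before any data is returned; a denial
    both blocks the access and fires the tripwire immediately, not after log review."""
    reason = check(session, doc)
    if reason is not None:
        tripwire.fire(session, doc, reason)
        return None
    return f"<contents of {doc.name}>"

if __name__ == "__main__":
    tw = Tripwire()
    doc = Document("q3-forecast", "confidential", frozenset({"finance"}))
    print(read(Session("alice", "internal"), doc, tw), tw.alerts)
```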