Sage Advice - Cybersecurity Blog

How to Detect and Respond to Insider Threats

How-to-Detect-and-Respond-to-Insider-Threats.jpgIt’s not always easy to determine when your data has been compromised by an insider. When someone has approved access to sensitive data, and it's part of their job to use that data, how can you tell if something bad is happening?

Here are some tips for detecting when an incident occurs, as well as how to respond.

Insider Threat Detection Tip #1 - Be Aware

When something outside the norm happens on your network, it should send off an alarm that something isn’t right. That’s why you should: 

  • Know where your critical data is and log access and changes.
  • Know your critical applications and log access and changes.
  • Monitor Internet traffic by type and location.

Insider Threat Detection Tip #2 – Change Things Up

It may be surprising that a large number of dark-side insider threats are noticed when people take vacation. In one case we experienced, someone in charge of vendors at a large retailer started running his own business out of the same company. He created phony vendors and paid them. Because he did both things and never took a vacation, he got away with it. He actually refused vacation and his employers thought it was because of his dedication. He eventually was caught after leaving for a short 3-day holiday. That’s why to help detect insider threats you should:

  • Periodically rotate responsibilities for sensitive functions.
  • Separate responsibility for detection setup and detection monitoring – dual controls.
  • Separate responsibility for sensitive operational functions.
  • Require mandatory vacation time.

Insider Threat Detection Tip #3 – Know Indicators of Compromise

Here’s a list of data sources, and what to look for

  • Operating System – High amount of data transferred from endpoint to USB or CD/DVD.
  • File Server / Database – Abnormally high number of files downloaded to some location.
  • Email Server / Web Proxy – Abnormally large amount of data emailed, or uploaded to file sharing site (i.e., DropBox).
  • Web Proxy – User browsing web sites on a watch list (i.e., competitors, job sites).
  • Physical Access Control System – Unusual physical access attempts (i.e., after hours, secure areas without authorization).
  • Printer Logs – Employee on watch list due to demotion, poor review, or impending layoff.
  • HR Systems – Employee on watch list due to demotion, poor review, or impending layoff.
  • Active Directory / HR Systems – User name of terminated employee accessing internal systems.
  • Operating System / Active Directory – IT Admin performing excessive number of deletions on critical servers or password resets.

Insider Threat Detection Tip #4 – Implement Security Technologies

There are a variety of processes / technologies that can be implemented to help you detect and / or prevent insider attacks including:

  • Data / file encryption;
  • Data access monitoring and control;
  • Intrusion Detection / Prevention Systems (IDS/IPS);
  • Data Loss Prevention (DLP);
  • Enterprise digital rights management; and
  • Data redaction.

Elements of an Effective Response to an Insider Attack

When responding to an insider attack you should:

  • Have a process to investigate and document. Ensure your Incident Response Plan (IRP) has provisions for Insider Threats.
  • Be committed to respond based on evidence. The last thing you want to do is accuse a dedicated employee that is doing good work of doing bad things. Use detective controls and digital forensics to back up your claim.
  • Be prepared to act quickly.
  • Be prepared to restore. A disgruntled employee may just want to do damage.

It's also important to keep in mind that in the case of insider threats, a cybersecurity culture can be one of the best deterrents for both the “dark side” and the accidental. How you run your organization can discourage insiders from even trying. Learn some tactics to consider in Tips to Avoid the Insider Threat.

We can help you build a Cybersecurity Culture. One of the best defenses you can build as a company is a workforce that understands the fundamentals of cybersecurity, so that they can make everyday choices to promote it. Whether you’re looking to give your staff concise, practical training that will help them implement best practices and follow company policy, or to simply increase the cybersecurity awareness of your employees or client base, your company can benefit from one of Tyler’s targeted training sessions.

Learn More

Topics: Cybersecurity Culture, Cyber Defense

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More