The Gartner Security and Risk Management Summit 2016
At the recent Gartner Security and Risk Management Summit 2016, which addressed the latest cybersecurity threats, flexible new security architectures, governance strategies and the CISO role, one of the most popular sessions was entitled “To the point: Detecting Insider Threat and Abuse”, given by Avivah Litan with guest speaker Rich Malewicz. There were over 600 people in attendance for this session. Presentations are supposed to be vendor neutral; nevertheless, our Insider Threat Management solution partner ObserveIT was mentioned and featured on numerous occasions throughout the presentation. The session included strategies to mitigate both unintentional and intentional insider threats.
Insider threats were categorised in three ways:
- Pawns – employees who accidentally fall victim to spear phishing, ransomware or malware.
- Collaborators – insiders who actively work with others, with intent to defraud or steal data for financial or personal gain.
- Lone Wolf – an individual acting alone to defraud or steal data for financial or personal gain.
Research has revealed that more than 50% of companies surveyed acknowledge having had an insider threat incident; because insider breaches are so difficult to identify, the true percentage is probably much higher.
One of the challenges discussed was the arduous process of finding and identifying these insider attacks. With the increased use of the Dark Web as a recruitment tool, businesses are forced to use detection and analysis tools to track and monitor structured and unstructured data, as well as email and chats on the Dark Web.
On a positive note, 80% of insider threats can be detected by creating simple rules that check whether employees are bypassing security policies, enforced with insider threat detection and management tools such as ObserveIT. The remaining 20% can be uncovered with anomaly detection, which flags behaviour that deviates from an established baseline rather than matching a written rule.
Below are some of the slides from the presentation at the Gartner Summit
An Insider Threat Case Study:
During the conference, Rich Malewicz presented a case study of insider threats he uncovered in Livingston County, Michigan. He used ObserveIT to monitor the employees involved, and ultimately used the video playback from his investigation as evidence to terminate four employees.
Malewicz, CIO and CISO of Livingston County, detected some unusual indicators of insider threat in July 2014. The indicators included suspicious PC access, unexplained absences of employees during work hours, and poor feedback from customers. Two people told Rich, “It seems someone used my PC last night,” and the logging system confirmed activity on those machines by unknown and unauthorised personnel. The two PCs were the Payroll PC and the Treasury PC.
Rich had his security team investigate the suspicious activity. The team consisted of himself, the IT manager and the IT security admin; however, beyond the “human sensor”, Rich did not have the tools to figure out exactly what was going on.
The Lone Wolf:
Rich installed and launched ObserveIT Insider Threat Management software on August 4th, 2014. ObserveIT is designed to analyse employees’ behavioural patterns: it watches for unusual or suspicious activity and records high-risk activity as it happens.
On the same day ObserveIT was installed, alerts were triggered, along with video forensic recordings, for a specific worker performing out-of-policy activities on his computer during working hours. From day one the investigation team was receiving alerts and realised they had a lone wolf on their hands. “I should’ve installed ObserveIT earlier,” said Rich. An IT employee was performing “password harvesting”: he was invading the privacy of a co-worker by remotely connecting to that co-worker’s PC and searching for password files, clearly abusing his privileges to get access to passwords as well as other private data.
It Wasn’t Only Me!
On August 11th, just one week after installing ObserveIT, the investigation team found another indicator of insider threat: copyright infringement. Initially they thought it was a lone wolf, but in time they discovered a team of collaborators:
An employee was using government property and the government network to illegally download music files and movies. Alongside the music and movies, he was also unintentionally downloading malicious code and malware, which infected the environment.
The investigation team went through the email logging system and found other employees who were involved in using government property for these illegal activities.
Rich was amazed that members of his own investigation team, the IT manager and the IT security admin, were involved in these activities. He immediately removed both of them from the investigation team.
After being removed from the investigation team, the IT security admin attempted to cover his tracks by deleting logs from the servers. His attempts were not successful, as ObserveIT recorded the entire act and provided irrefutable evidence.
In the end, he did not admit his involvement until he was confronted with the video evidence from ObserveIT, a program he had helped install. Not only did he then have no choice but to admit his involvement, he brought down the rest of his collaborators with him.
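The session’s split between simple policy rules and anomaly detection, applied to the indicators in the case study (an unauthorised user on the Payroll or Treasury PC, after-hours sessions, a search for password files, log clearing, a connection to a host the user never normally touches), as an added example that is not code from the original page, from ObserveIT or from Livingston County. The log format, host names, user names, authorised-user lists, business-hours window and drift threshold are constructed assumptions for illustration; the sample log lines are constructed, not real events.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Assumed inventory: hosts that handle sensitive functions and the users
# authorised to log on to each. Illustrative names, not the county's systems.
SENSITIVE_HOSTS = {
    "PAYROLL-PC": {"payroll.clerk"},
    "TREASURY-PC": {"treasurer"},
}
BUSINESS_START, BUSINESS_END = time(7, 0), time(18, 0)  # assumed policy window
MAX_HOUR_DRIFT = 3          # hours away from a user's usual logon time before it is anomalous
BASELINE_UNTIL = datetime(2014, 7, 10)  # events before this date train the per-user baseline
SESSION_ACTIONS = {"logon", "remote_session"}

# Constructed sample events (not real logs): date time user host action detail
SAMPLE_LOG = """\
2014-07-01 08:02 payroll.clerk PAYROLL-PC logon -
2014-07-02 08:10 payroll.clerk PAYROLL-PC logon -
2014-07-03 07:58 payroll.clerk PAYROLL-PC logon -
2014-07-01 08:30 treasurer TREASURY-PC logon -
2014-07-02 08:25 treasurer TREASURY-PC logon -
2014-07-01 09:00 it.staff1 HELPDESK-PC logon -
2014-07-02 09:05 it.staff1 HELPDESK-PC logon -
2014-07-03 09:10 it.staff1 HELPDESK-PC logon -
2014-07-15 22:41 it.staff1 PAYROLL-PC logon -
2014-07-16 23:05 it.staff1 TREASURY-PC logon -
2014-08-04 10:30 it.staff1 COWORKER-PC remote_session rdp
2014-08-04 10:32 it.staff1 COWORKER-PC file_search *password*
2014-08-05 08:15 contractor1 HELPDESK-PC logon -
2014-08-12 19:20 it.secadmin FILESERVER clear_log Security
"""


def parse_log(text):
    """Turn the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, host, action, detail = line.split(maxsplit=5)
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
            "user": user, "host": host, "action": action, "detail": detail,
        })
    return events


def rule_alerts(events):
    """The 'simple rules' 80%: each check is a written policy turned into code."""
    alerts = []
    for ev in events:
        is_session = ev["action"] in SESSION_ACTIONS
        if is_session and ev["host"] in SENSITIVE_HOSTS \
                and ev["user"] not in SENSITIVE_HOSTS[ev["host"]]:
            alerts.append(("unauthorised_sensitive_host", ev))
        if is_session and not (BUSINESS_START <= ev["ts"].time() <= BUSINESS_END):
            alerts.append(("after_hours_session", ev))
        if ev["action"] == "file_search" and "password" in ev["detail"].lower():
            alerts.append(("password_file_search", ev))
        if ev["action"] == "clear_log":
            alerts.append(("log_clearing", ev))
    return alerts


def anomaly_alerts(events, baseline_until=BASELINE_UNTIL):
    """The anomaly 20%: build a per-user baseline (hosts used, usual logon hour)
    from the training window and flag later sessions that deviate from it."""
    hosts_seen = defaultdict(set)
    hours = defaultdict(list)
    for ev in events:
        if ev["action"] in SESSION_ACTIONS and ev["ts"] < baseline_until:
            hosts_seen[ev["user"]].add(ev["host"])
            hours[ev["user"]].append(ev["ts"].hour + ev["ts"].minute / 60)
    alerts = []
    for ev in events:
        if ev["action"] not in SESSION_ACTIONS or ev["ts"] < baseline_until:
            continue
        if ev["user"] not in hours:
            # An account with no history cannot be scored; escalate rather than ignore.
            alerts.append(("no_baseline_for_user", ev))
            continue
        if ev["host"] not in hosts_seen[ev["user"]]:
            alerts.append(("new_host_for_user", ev))
        usual = median(hours[ev["user"]])
        if abs(ev["ts"].hour + ev["ts"].minute / 60 - usual) > MAX_HOUR_DRIFT:
            alerts.append(("unusual_hour_for_user", ev))
    return alerts


def detect(log_text, baseline_until=BASELINE_UNTIL):
    """Run both passes over a log and return (rule_name, event) pairs."""
    events = parse_log(log_text)
    return rule_alerts(events) + anomaly_alerts(events, baseline_until)


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_LOG):
        print(f"{ev['ts']:%Y-%m-%d %H:%M}  {name:28}  {ev['user']} -> {ev['host']}")
```

The rule pass catches the after-hours logons to the Payroll and Treasury PCs, the password-file search and the log clearing outright, because each maps to a policy that can be written down. The daytime remote session to a co-worker’s PC breaks no written rule, and only the anomaly pass raises it, because that host is absent from the user’s baseline. A user with no baseline at all is escalated rather than silently passed, since a freshly created or rarely used account is exactly where a scoring gap would otherwise hide.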
So what have we learned from this? Whether an insider is recruited on the dark web or pirating movies, or an employee is unintentionally responsible for a malware or ransomware download, nearly all security incidents stem from people.
Tools that prevent unauthorised activity and enforce security policies can reduce risk at its source, but don’t forget to also apply insider intelligence that evaluates both internal and external information.