The Gartner summits are some of the most renowned and highly valued conferences in the world. As a leading information technology research and advisory company, Gartner offer incredible insight into practically all areas of IT. The recent Security and Risk Management Summit 2016 was no exception, addressing the latest cybersecurity threats and introducing flexible new security architecture and governance strategies that can be implemented to combat them. One area we found extremely interesting was a session entitled ‘To the point: Detecting Insider Threat and Abuse’. This particular presentation was given by distinguished Gartner analyst, Avivah Litan, with a talk from guest speaker and Chief Information Security Officer (CISO), Rich Malewicz.
The reason we were so drawn to this particular session was not only due to the reputation of the speakers, or the importance of the subject, but also the regular references to our insider threat management solution partner, ObserveIT.
Our partner was mentioned throughout the presentation, as Avivah outlined the strategies that can be used to mitigate both intentional and inadvertent threats. The Insider Threat itself was sectioned into three main categories. These were:
- Pawns – Accidental victims of spearfishing, ransomware and malware
- Collaborators – Active collaborators with intent to defraud or steal data for financial or personal gain
- The Lone Wolf – An individual looking to defraud or steal data for financial or personal gain
Although initially, the statistics looked grim, with 50% of companies surveyed admitting to an insider threat incident (and the number assumed to be much higher), there were positive figures delivered too. For example, Avivah’s summation that 80% of insider threats can be detected through the creation of simple rules, as well as the integration of threat detection management tools such as those delivered by ObserveIT. The remaining 20% were not completely unavoidable either, with Avivah recommending anomaly detection.
Rich Malewicz’s introduction meant a real-life case study for the assembled attendees to consider. The CIO and CISO of Livingston County, Michigan, explained how he used ObserveIT software to investigate suspicious activity. These unusual activities came in the form of unauthorised access to PC’s, namely the Payroll and Treasury systems, as well as unexplained absences during work hours.
ObserveIT software analyses employee behavioural patterns, recording high-risk activity and alerting management to these actions. On the same day that it was installed, out-of-policy activities were detected. It immediately became clear that the company had a ‘Lone Wolf’ on their team. After further investigation, it was found that the employee was performing ‘password harvesting’, collecting private data from his colleagues through remote access to his PC.
A week later, copyright infringement threats were also detected. Rather than the lone wolf, this appeared to be a group of collaborators who were illegally downloading music and movie files, and with it malicious code and malware. These being activities that were both illegal and inadvertently allowing viruses into the system, Rich quickly worked to find the perpetrators involved. Two of those involved were part of his investigation team and had helped install the software that was eventually their downfall.
All three of the collaborators and the lone wolf had their contracts terminated, thanks to the irrefutable evidence supplied by ObserveIT’s tool. The moral? That no matter whether intentional or accidental, almost all security incidents come as a result of people’s actions. By monitoring and reacting to these actions, the insider threat can be neutralised. ObserveIT offers the perfect software to achieve just that.
For more information on Insider Threat Protection please get in touch, call 0844 586 0040, email [email protected] or fill in the contact form and we will contact you directly