Security breaches are a real concern for any organization. Though any malicious breach can harm an organization, the impact of an insider threat is far greater than that of an external attack. Insider attacks are more dangerous because they are committed by people who know the organization well: privileged users who are aware of the organization's sensitive secrets and have access to them. In the past, insider bank frauds at some leading banks have alerted organizations to the risk within their own walls. Such threats undermine corporate security from within. Some of these incidents are unintentional, but many are committed out of greed or antipathy towards the organization. According to a study by Forcepoint (a company specializing in computer security software), only 43 percent of organizations feel that they can monitor privileged user activity well, while 63 percent do not have enough information in this context. A security breach not only causes a direct organizational loss but also damages the organization's image as a trustworthy global partner.
Insider thefts put organizations at risk
Detecting risk, responding to insider attacks and preventing them is a very challenging task for the Information Security team. Though insider attacks can be caught, they are harder to detect than an external threat. The Information Security team of any organization is responsible for dealing with risks such as IT sabotage, theft of intellectual property (IP) and fraud.
Organizations today customize solutions to curb the risk of theft. Madhavan Satagopan, CTO,
Technologies to monitor attacks
With insider theft incidents on the rise, organizations place a lot of emphasis on security
As most organizations buy different solutions for different tasks (intrusion detection, firewalls, anti-virus), the risk increases. Point solutions cannot identify a stealthy attack if it originates from a different attack vector. This can be addressed using analytics. “The industry is moving towards predictive analytics, and this is especially important with regards to privileged users,” says Harshil Doshi, Strategic Security Solutions Consulting, India, Forcepoint LLC.
Forcepoint has a solution that combines visibility and analytics to baseline normal behavior and quickly identify and record high-risk behavior. The firm’s solution can identify high-risk users and enable data protection controls to be put in place. This is complemented by a DLP solution that identifies high-risk data behaviors and flags users who need to be investigated further.
Preventing unintentional threats
Another important aspect of the insider threat is theft that is done unintentionally. According to a DSCI NASSCOM report, almost 67% of service provider organizations have experienced insider incidents due to unintentional exposure of private and sensitive information, and 75 percent of client organizations also confirm that unintentional exposure of private and sensitive data is a security threat. Companies have to be even more careful about thefts done unknowingly, as data can be leaked without their knowledge and they do not realize it immediately.
States Jagdeep Singh, CISO, Rakuten, India, “Awareness sessions and taking mock drills with relevant case
Tracking forensic evidence is important
Despite preventive measures, organizations sometimes have to suffer malicious breaches. In such cases, companies must have solutions in place to collect forensic evidence so that the incident does not recur. This is also important because the forensic evidence can be used in court against the perpetrator. It is typically handled by a team under the CRO (Chief Risk Officer) office, which collects log information to understand the complications and the impact on the business and the company's reputation. A SOC (Security Operations Centre) is also in place that constantly monitors network infiltration attempts, insider breaches and malware infections. Well-defined security incident management processes are available and periodic awareness communication is sent to all employees. Application and system logs are sent to a central logging server for alerting and reporting. Based on predefined criteria, alerts are sent to the respective teams for investigation. For further investigation and analysis, the compromised system is preserved and an OS-level image is taken. Apart from these measures, storing digital evidence and footprints, including access logs and other available information, for as long as possible helps with historical analysis.
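The central logging, behavioral baselining and "predefined criteria" alerting described in this section and in the Forcepoint passage above can be sketched in code. What follows is an added example written for this page; it is not code from the article, from Forcepoint or from any organization quoted. It learns each user's normal daily access volume from constructed history lines, then applies three assumed criteria to a constructed observation day (volume far above the user's own baseline, access outside assumed business hours, and a user with no history at all) and routes each alert to an assumed team name. The log format, the users, the thresholds and the routing table are all constructed for illustration.

```python
"""Added example: baselining privileged-user access logs and raising alerts
on predefined criteria. Log lines, thresholds and team names are constructed
for this example; they are not from the article or any vendor product."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn each user's normal daily access volume.
# Format: <ISO timestamp> <user> <action> <resource>
BASELINE_LOG = """
2024-03-01T09:01:13 alice READ /finance/q1-forecast.xlsx
2024-03-01T10:22:40 alice READ /finance/payroll-mar.csv
2024-03-01T15:47:02 alice READ /finance/vendor-list.xlsx
2024-03-02T09:10:55 alice READ /finance/q1-forecast.xlsx
2024-03-02T11:03:19 alice READ /finance/budget-2024.xlsx
2024-03-02T13:38:44 alice READ /finance/payroll-mar.csv
2024-03-02T16:02:07 alice READ /finance/vendor-list.xlsx
2024-03-03T09:15:30 alice READ /finance/budget-2024.xlsx
2024-03-03T12:41:11 alice READ /finance/q1-forecast.xlsx
2024-03-03T14:59:58 alice READ /finance/payroll-mar.csv
2024-03-01T10:00:00 bob READ /hr/leave-policy.pdf
2024-03-02T10:05:00 bob READ /hr/leave-policy.pdf
2024-03-03T10:02:00 bob READ /hr/onboarding.docx
"""

# Constructed observation day: alice bulk-reads far above her baseline,
# bob accesses HR data at 02:14, carol has no history at all.
OBSERVED_LOG = """
2024-03-04T09:00:05 alice READ /finance/q1-forecast.xlsx
2024-03-04T09:00:31 alice READ /finance/payroll-mar.csv
2024-03-04T09:01:02 alice READ /finance/vendor-list.xlsx
2024-03-04T09:01:27 alice READ /finance/budget-2024.xlsx
2024-03-04T09:02:10 alice READ /finance/bank-accounts.xlsx
2024-03-04T09:02:44 alice READ /finance/customer-invoices.csv
2024-03-04T09:03:15 alice READ /finance/audit-2023.pdf
2024-03-04T02:14:39 bob READ /hr/salary-bands.xlsx
2024-03-04T11:30:00 carol READ /hr/leave-policy.pdf
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 is normal working time
ROUTING = {"volume": "SOC", "off-hours": "SOC", "no-baseline": "IAM"}  # assumed teams


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, resource = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def daily_counts(events):
    """user -> {date: number of accesses on that date}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["ts"].date()] += 1
    return counts


def build_baseline(events):
    """Per-user (mean, population stdev) of daily access count."""
    baseline = {}
    for user, per_day in daily_counts(events).items():
        vals = list(per_day.values())
        baseline[user] = (statistics.mean(vals), statistics.pstdev(vals))
    return baseline


def detect(events, baseline, z=3.0, floor=3):
    """Apply the predefined criteria; return (user, criterion, team, detail) tuples."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        if user not in baseline:
            alerts.append((user, "no-baseline", ROUTING["no-baseline"],
                           "privileged access by a user with no history"))
            continue
        mean, stdev = baseline[user]
        # The floor stops a zero-variance user (bob: exactly 1 per day) from
        # being flagged at mean+1; z and floor are assumed tuning values.
        threshold = max(mean + z * stdev, mean + floor)
        for day, count in per_day.items():
            if count > threshold:
                alerts.append((user, "volume", ROUTING["volume"],
                               f"{day}: {count} accesses, baseline {mean:.1f}+/-{stdev:.1f}"))
    for e in events:
        if e["user"] in baseline and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["user"], "off-hours", ROUTING["off-hours"],
                           f"{e['ts'].isoformat()} {e['action']} {e['resource']}"))
    return alerts


def run():
    """Learn the baseline from history, then score the observation day."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields three alerts: alice's seven reads on 2024-03-04 exceed her baseline of about 3.3 per day, bob's 02:14 access trips the off-hours rule, and carol is routed to the identity team because there is no history to compare against. A real deployment would feed the same logic from the central logging server the section describes and would keep the raw lines and the computed baseline alongside the alert, since both are evidence if the case is later investigated.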