Insider Threats: What You Need to Know and Do

Threats to your data and security don’t always start on the outside, orchestrated by a shadowy group of foreign hackers. Many times, it’s actors within an organization who carry out sophisticated and malicious attacks designed to steal money or IP — or both. While visions of Edward Snowden and Chelsea Manning come to mind when people think of a typical internal threat, it’s actually the low-profile, everyday internal attackers that companies should be most worried about.

Is Your Business at Risk of Insider Attacks?

Many companies are at least partly in denial about insider threats, suffering from the “it won’t happen to us” syndrome. Unfortunately, this has led to some misguided assumptions or myths, including the following:

• The biggest threats originate outside the company.
• Insider threats are only a problem for government agencies and other highly sensitive organizations, not “regular” companies.
• Company assets that could be exposed are limited, or of little value, so a large-scale breach is less likely to happen. And even if it does, it probably won’t have a big impact.
• Employees are inherently trustworthy, and with basic security measures in place, the risk is next to none.

While only 3 percent of companies experience a catastrophic loss worth more than $1 million, insider threats are a bigger problem than most companies realize. The Ponemon Institute recently reported that insider activity is the most expensive ongoing threat, costing companies an average of $144,542 each year.

Without the right form of monitoring in place, ill-intentioned employees pose significant threats to your data, systems, and brand. Of equal concern are disgruntled ex-employees who have access to systems and who might be motivated to steal confidential information or cause other malicious damage. Having information about the company that could be used against it, current and former insiders alike are able to launch complex attacks that can take, on average, 54.4 days to be resolved, according to the same Ponemon Institute report.

With access to any number of systems, these internal actors may be able to:

• Escalate privileges of an unauthorized user
• Install unapproved software
• Add and remove users
• Run suspicious commands
• Initiate changes to security groups
• And much more

With attacks being carried out under the radar every day, it’s accurate to state that no business is immune to costly insider attack incidents. Unless you have the right defenses, that is.

Identify the Gray Areas

Before we go further, keep in mind that not all issues, at first appearance, are clearly black or white, and you might be tempted to let some pass by as insignificant and therefore not worth dealing with. But take a second look at incidents such as the following, and make a conscious decision about how to deal with them:

• Unintentional (yet damaging) behaviors, such as re-using source code from previous employers
• Violation of policies such as BYOD usage

Even seemingly innocuous lapses can cause damage when you consider:

• Today’s advanced threat landscape
• The explosion of BYOD and IoT
• Frequent employee turnover

While each of these gray areas by itself may not be significant enough to require an overhaul of your security strategy, they can be costly in aggregate. Take the practice that many companies have of allowing developers to reuse source code from previous employers for example. A seemingly harmless (and cost-effective) behavior at first glance, this can introduce significant vulnerabilities (as well as legal concerns).

As more and more small cases like this begin to pop up within an organization, it’s easy to see that it’s not just the highly publicized internal attacks that can damage your business: the “gray area” incidents can be just as dangerous if you don’t identify and deal with them.

Develop an Inside-Out Approach to Security

Regardless of whether an attack is black, white, or gray, companies need a strong cloud security strategy, one designed to catch every bad actor and dangerous activity, no matter when, where, or how it surfaces. While most companies take an outward-facing approach to cloud security to stop the bad guys from coming in, they often don’t take into account what to do if the bad guys are already in, as in the case of internal threats.

This is why cloud security monitoring must happen not only around the perimeter of your environment, but deep within it too. Specifically, monitoring should occur at the workload layer, or the “source of truth,” as we like to call it. Here, activity can be monitored across multiple areas deep within your environment to accurately identify and stop inappropriate internal behavior before it causes damage.

A good example of an inside-out security strategy is vulnerability management. Vulnerability management is used for scanning web applications, operating systems, and everyday packages for suspicious signals, three key areas prone to attacks. With access to production, for example, a misguided or malicious developer can easily install an unauthorized package in the base AMI, or worse yet, install a package directly on production environments. With vulnerability management implemented as an inside-out strategy, you can verify the attack surface of every installed package before it goes live and wreaks havoc.

Trust, But Verify

Security-aware companies understand that, when trust is involved, you also need to verify that security practices are being followed. This becomes especially important considering the growing number of internal threats facing companies today. By adopting a continuous approach to cloud security monitoring, one that baselines normal system behavior in order to identify new and suspicious activity, companies can identify internal triggers before they spiral out of control.

In today’s connected world, insider threats are ever present. A comprehensive cloud-native solution like Threat Stack, implemented as part of a cloud security strategy that’s been designed to meet the specific needs of your organization, can protect against internal bad actors or accidental exposures alike. By continuously monitoring for suspicious, anomalous, or unauthorized behaviours that could lead to a breach and by providing immediate alerts that let you rapidly plan and carry out effective remediation, such a solution can protect your data, systems, customers, and ultimately, your brand.