Blog | 24By7Security

Detecting Insider Threats

Written by 24By7Security | April 13, 2017

What is an insider threat? According to the Computer Emergency Response Team (CERT), an insider threat arises when a current or former employee or contractor deliberately exploits or exceeds his or her authorized level of network, system or data access in a way that affects the security of the organization’s data, systems, or daily business operations. The goal of a malicious insider is very often destruction, corruption or theft. While theft is driven by monetary or other beneficiary interests, destruction and corruption can originate from highly disgruntled employees and can be directed against the organization as a whole or against specific co-workers.

Insiders are by definition authorized to be inside the network; they are granted access to, and make use of, key resources of the organization. Given the large volume of access patterns visible in an organization’s network, how is one to know which ones represent negligent, harmful or malicious behavior? IT departments typically respond to the insider threat, if at all, with extensive monitoring and logging. The aim is at least to be able to perform forensic analysis while a threat is unfolding and doing damage, and to support the legal department in any investigation. As Oliver Brdiczka says: "The problem of detecting the insider threat before it actually happens is as difficult and complex to solve as the prediction of human behavior itself. What is the next action of a person? Which action will be inside the scope of assigned work for that person? Which action will indicate the preparation for an attack by that person?"
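The monitoring and logging the paragraph describes only become detection when someone decides which access patterns are worth a second look. The following is an added example (not code from 24By7Security or from the cited articles) of one common way to do that: build a baseline of what each role normally touches and when, then score later events that fall outside it. The log format, the role names, the two-window split and the thresholds are all assumptions made for the illustration, and the log lines are constructed sample data.

```python
"""Baseline-and-deviation review of access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in an assumed key=value format; not from any real system.
# The first window is treated as "known-good" history, the second as the period under review.
BASELINE_LOG = """\
2017-04-03T09:12:03Z user=alice role=finance action=read resource=/finance/ledger.xlsx
2017-04-03T10:05:41Z user=alice role=finance action=read resource=/finance/invoices/
2017-04-03T11:30:12Z user=bob role=engineering action=read resource=/src/app/
2017-04-04T09:44:10Z user=alice role=finance action=write resource=/finance/ledger.xlsx
2017-04-04T14:02:55Z user=bob role=engineering action=write resource=/src/app/
2017-04-05T09:01:20Z user=carol role=finance action=read resource=/finance/invoices/
2017-04-05T16:17:09Z user=bob role=engineering action=read resource=/src/build/
"""

REVIEW_LOG = """\
2017-04-10T09:15:00Z user=alice role=finance action=read resource=/finance/ledger.xlsx
2017-04-10T23:41:17Z user=bob role=engineering action=read resource=/finance/ledger.xlsx
2017-04-10T23:42:03Z user=bob role=engineering action=read resource=/finance/invoices/
2017-04-10T23:43:30Z user=bob role=engineering action=read resource=/hr/salaries.csv
2017-04-11T10:20:00Z user=carol role=finance action=read resource=/finance/invoices/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per role: the set of resources touched and the (earliest, latest) hour of activity."""
    role_resources = defaultdict(set)
    role_hours = defaultdict(set)
    for ev in events:
        role_resources[ev["role"]].add(ev["resource"])
        role_hours[ev["role"]].add(ev["ts"].hour)
    hour_range = {role: (min(h), max(h)) for role, h in role_hours.items()}
    return dict(role_resources), hour_range


def detect(baseline, events, window_minutes=10, burst_threshold=3):
    """Flag events that deviate from the baseline; each finding lists every reason that applied."""
    role_resources, role_hours = baseline
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> timestamps of their accesses inside the window
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if ev["resource"] not in role_resources.get(ev["role"], set()):
            reasons.append("resource outside role baseline")
        lo, hi = role_hours.get(ev["role"], (0, 23))
        if not lo <= ev["ts"].hour <= hi:
            reasons.append("access outside role's usual hours")
        user = ev["user"]
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(recent[user]) >= burst_threshold:
            reasons.append("burst of %d accesses within %d minutes"
                           % (len(recent[user]), window_minutes))
        if reasons:
            findings.append({"ts": ev["ts"], "user": user,
                             "resource": ev["resource"], "reasons": reasons})
    return findings


def summarize(findings):
    """Per-user score: total number of deviation reasons, to rank who to look at first."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["user"]] += len(f["reasons"])
    return dict(scores)


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    found = detect(baseline, parse(REVIEW_LOG))
    for f in found:
        print(f["ts"].isoformat(), f["user"], f["resource"], "; ".join(f["reasons"]))
    print("scores:", summarize(found))
```

With the constructed data, Alice's and Carol's daytime finance access is silent, while Bob's late-night reads of finance and HR files produce three findings and the highest score. A three-day baseline is far too short for production use; the point of the structure is that baselines are built from reviewed history, thresholds are tuned per role, and findings are leads for a human investigation rather than verdicts.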

According to Ryan Francis, while the insider threat still connotes an employee of the company, the intruder is no longer necessarily someone located within the confines of the building: the network can be accessed from public places such as the local coffee shop. The first step of an appropriate response to an insider threat is to raise awareness of the problem. The insider threat is real and can happen anywhere in the industry, and technology alone will not solve it.

Sources:

Ryan Francis, "Detecting Insider Threats", CSO Online.

Oliver Brdiczka, "Detecting Insider Threats", Computerworld.

Summarized by: Rupal Talati