Privileged account misuse – either accidental or malicious – is a very real threat. From Edward Snowden accessing government systems, through to the Target hack, this type of breach is becoming increasingly common.
No firm is immune to this type of attack, and it is easy to point the finger when it does happen. But finding out who is responsible is not always straightforward and can entail a long and arduous investigation.
However the incident occurs, it is important to get to the bottom of it quickly and efficiently, in order to prevent it happening again. The best way to do this is not necessarily the most obvious. Rather than additional layers of security and control, it is user behaviour that is the answer to finding – and reacting to – this type of incident.
It is also important to prevent insider breaches happening in the first place – and this is where educating users and ensuring accountability for their actions is key.
The limits of block and control
But there are obstacles to this type of approach. In many cases, IT security controls can hinder both user activities and the investigation when there is a breach. This is because many firms use a control-and-block, default-deny discipline which evolved in the 1990s.
This means systems are designed not to allow certain actions in a bid to avoid errors and prevent security breaches. Of course, it has its advantages: theoretically, there is no chance for mistakes and there is no onus on the employee to get it right. However, it also means that the IT system is held responsible for damage done by the member of staff, whether this was intentional or not.
So it is obvious that this type of solution is not suitable for a modern IT environment where the user is key to staying safe. Firstly, this type of system is inflexible. Additionally, it sees an inappropriate compromise evolve between security and the ease of business, where the security systems start to hinder processes and productivity.
On top of this, while the security system serves as an obstacle against malicious attacks, it is certainly not invincible. If anyone wants to hack into a corporate environment, they will.
Additionally, employees are constantly looking for opportunities to bypass the security systems in order to speed up slow processes, or to override errors. This can see irresponsible behaviour start to evolve.
Training and accountability
With an increasing number of high-profile attacks in the media, it is true that employees are already more security aware than they were 10 years ago. However, this in itself will not teach them how to behave responsibly. Of course, not every breach is intentional: some occur accidentally. But it is often employees who are responsible for a significant part of IT damages – whether this is deliberate or otherwise.
That is why, in today’s environment, employee training and accountability are the most important tools in decreasing the internal risk.
The concept of training is something companies are already familiar with, but many do not take into account that this takes time and planning. Meanwhile, maintaining accountability entails a technical approach combining written policies and an efficient monitoring system. This will provide the security team with accurate information on who violated the written security policies, and when.
This type of approach can future-proof businesses from further accidental breaches caused by privileged users. The responsible behaviour learnt through training and education could see a dramatic decrease in the number of accidental errors too.
Improving things further, companies can then transform training systems according to the new discipline. It’s about recognising that employees are using systems which have their own inherent dangers and pitfalls. And just as we wouldn’t allow users to operate heavy machinery without the appropriate safety training, a similar principle applies with IT systems, in which we should build in requirements for eligibility tests and continuous training.
The system side does not have to be complex: there are next-generation security tools that can assist by analysing user activity, including malicious events, throughout IT systems.
Using these tools, organisations can track and visualise user activity in real-time to get a better understanding of what is really happening on the network. As well as shortening investigation time and helping to avoid unexpected costs, this can avoid ‘finger pointing’ issues when an incident does occur.
In fact, it makes the perpetrator very easy to track down: these interactions with IT systems leave a recognisable fingerprint – a pattern of behaviour – which can be detected and learnt. These profiles can then be compared in real time with the activities of users to detect anomalies.
For example, information on habits, such as time of day that accounts are accessed – or looking for deviations in the user’s usual routine to find anomalous behaviour – can point towards potential foul play.
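The time-of-day comparison described above, as an added example that is not part of the original article: it learns a per-account histogram of login hours and flags a login whose hour (together with its neighbouring hours, wrapping at midnight) is rare in that account's history. The account names, timestamps, `MIN_EVENTS` and `THRESHOLD` are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

MIN_EVENTS = 10    # assumed: fewer events than this is not a usable baseline
THRESHOLD = 0.02   # assumed: a share of history below this counts as anomalous

# Constructed sample history: (account, ISO timestamp) of privileged logins.
HISTORY = [("dba_alice", f"2024-03-{d:02d}T{h:02d}:15:00")
           for d in range(1, 11) for h in (9, 10, 14)]
HISTORY += [("ops_bob", f"2024-03-{d:02d}T{h:02d}:40:00")
            for d in range(1, 11) for h in (23, 0)]      # night-shift operator
HISTORY += [("new_carol", "2024-03-09T11:00:00")]        # almost no history

def build_profiles(events):
    """Learn a per-account histogram of login hours (0-23)."""
    profiles = defaultdict(Counter)
    for account, ts in events:
        profiles[account][datetime.fromisoformat(ts).hour] += 1
    return profiles

def hour_share(profile, hour):
    """Share of past logins within one hour of `hour`, wrapping at midnight."""
    total = sum(profile.values())
    near = sum(profile[(hour + d) % 24] for d in (-1, 0, 1))
    return near / total

def assess(profiles, account, ts):
    """Classify one new login as 'no-baseline', 'normal' or 'anomalous'."""
    profile = profiles.get(account)
    if profile is None or sum(profile.values()) < MIN_EVENTS:
        return "no-baseline"   # do not score accounts we have not learnt yet
    share = hour_share(profile, datetime.fromisoformat(ts).hour)
    return "anomalous" if share < THRESHOLD else "normal"

PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    # Constructed new events to compare against the learnt profiles.
    for account, ts in [("dba_alice", "2024-03-12T10:05:00"),
                        ("dba_alice", "2024-03-12T03:12:00"),
                        ("ops_bob", "2024-03-12T23:50:00"),
                        ("new_carol", "2024-03-12T03:00:00")]:
        print(account, ts, assess(PROFILES, account, ts))
```

The same 03:00 login is flagged for an account with an established daytime routine but not scored for an account with too little history, which is why a learning period has to precede alerting.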
As this approach demonstrates, protecting the business from insider threats does not need to be difficult. Accountability, using policies and monitoring systems, combined with thorough user training, will increase both security and business efficiency.
It will add a substantial layer of protection as threats increase, leading to a dramatic reduction in the number of internal security incidents that result in a data breach.