With an insider threat prevention and mitigation team in place, you can quickly distinguish appropriate from inappropriate behavior by employees, contractors and service providers with privileged access.
Doing so helps establish baselines that can fuel anomaly alerts, according to John Pescatore, director of emerging security trends at The Sans Institute, a security training firm.
One way to start this process is to narrow down what positions are considered sensitive because of their access and what behavior would be a red flag or intolerable.
Applying these standards to job candidates could help an organization avoid serious issues, Pescatore says. If, say, an applicant for a sensitive position belongs to hacker forums, then HR and the hiring manager immediately can determine he is not a fit. "Setting guidelines can help vet third parties such as contractors, temporary workers and service providers as well," Pescatore says.
After the employee is hired, access rules should be enforced. A customer service representative trying to download a database should cause an alert because that is outside her access rights. Similarly, a database administrator looking through one record at a time should evoke concern. Storage administrators doing backups outside of assigned windows also should be considered an anomaly.
Pescatore calls this basic security hygiene and a key element of an insider threat program.
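The three anomalies in the paragraph above (a customer service representative attempting a bulk export, a database administrator paging through records one at a time, a storage administrator running a backup outside the assigned window) are all detectable from ordinary audit logs once per-role baselines exist. The following script is an added example written for this edit, not code from the article, SANS or Pescatore. The role names, the pipe-delimited log format, the backup window and the single-read threshold are assumptions chosen for illustration, and the log lines are constructed; real values would come from the baselines the text describes.

```python
"""Role-baseline anomaly checks over constructed audit events (added example).

Assumptions (not from the article): role names, the log format
  ISO-timestamp|user|role|action|target|row_count
the 01:00-05:00 backup window and the single-record-read threshold.
"""
from collections import defaultdict
from datetime import datetime, time

# Hypothetical role baselines: the actions each role is permitted to perform.
ROLE_POLICY = {
    "customer_service": {"record_read", "record_update"},
    "dba": {"schema_change", "bulk_export", "record_read"},
    "storage_admin": {"backup", "restore"},
}

# Hypothetical backup window for storage admins (local time, start inclusive).
BACKUP_WINDOW = (time(1, 0), time(5, 0))

# A DBA reading more than this many single records in the sample is flagged as
# browsing data interactively; the number is an assumption to tune from baselines.
DBA_SINGLE_READ_THRESHOLD = 5

# Constructed sample log: one day of events from three users.
SAMPLE_LOG = [
    "2024-03-04T09:12:01|csr_alice|customer_service|record_read|customers|1",
    "2024-03-04T09:15:44|csr_alice|customer_service|bulk_export|customers|250000",
    "2024-03-04T10:00:00|dba_bob|dba|record_read|customers|1",
    "2024-03-04T10:00:21|dba_bob|dba|record_read|customers|1",
    "2024-03-04T10:00:45|dba_bob|dba|record_read|customers|1",
    "2024-03-04T10:01:09|dba_bob|dba|record_read|customers|1",
    "2024-03-04T10:01:30|dba_bob|dba|record_read|customers|1",
    "2024-03-04T10:01:58|dba_bob|dba|record_read|customers|1",
    "2024-03-04T14:30:00|stor_carol|storage_admin|backup|customers_db|1",
    "2024-03-05T02:10:00|stor_carol|storage_admin|backup|customers_db|1",
]


def parse_event(line):
    """Split one pipe-delimited audit line into a dict with typed fields."""
    ts, user, role, action, target, count = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "action": action,
        "target": target,
        "count": int(count),
    }


def in_window(ts, window):
    """True if the event's time of day falls inside [start, end)."""
    start, end = window
    return start <= ts.time() < end


def detect_anomalies(lines):
    """Return (rule, user, detail) tuples for every event that breaks a baseline."""
    alerts = []
    single_reads = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        allowed = ROLE_POLICY.get(ev["role"], set())

        # Rule 1: action not in the role's baseline (e.g. CSR doing a bulk export).
        if ev["action"] not in allowed:
            alerts.append(("out_of_role", ev["user"],
                           f"{ev['action']} on {ev['target']}"))
            continue

        # Rule 2: permitted action, but outside the assigned time window.
        if (ev["role"] == "storage_admin" and ev["action"] == "backup"
                and not in_window(ev["ts"], BACKUP_WINDOW)):
            alerts.append(("backup_outside_window", ev["user"],
                           ev["ts"].isoformat()))

        # Rule 3: count single-record reads by DBAs; flagged after the loop.
        if ev["role"] == "dba" and ev["action"] == "record_read" and ev["count"] == 1:
            single_reads[ev["user"]] += 1

    for user, n in single_reads.items():
        if n > DBA_SINGLE_READ_THRESHOLD:
            alerts.append(("dba_browsing_records", user, f"{n} single-record reads"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {rule}: {user} ({detail})")
```

The first rule is a plain allow-list check and needs no history; the other two need either a schedule or a per-user counter, which is why rules two and three only pay off once a baseline has been established. The 02:10 backup by the same storage administrator produces no alert, which is the point: the same action is normal or anomalous depending on the baseline, not on the user.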
Where technology comes into play
Once you establish guardrails for user activities, you can start to use technology to ensure users stay within them.
Some companies shy away from implementing an insider threat program because they worry the cost of technology to back it up would be prohibitive or that it would be too cumbersome for employees.
But experts say insider threat programs can, for the most part, be implemented by removing privileged access where it is not needed or is too risky, and by using the tools already embedded in the network.
Robert Bigman, CEO of consultancy 2BSecure and a former CISO at the Central Intelligence Agency, points to legacy applications that require privileged permissions as a good place to start shoring up your network, as they are prime targets for overseas hackers.
Photo caption: U.S. soldier Bradley Manning ultimately received a sentence of 35 years in prison for leaking classified documents to Wikileaks.
Some legacy programs written in early versions of C, such as those used in the oil and gas industry to do calculations for market pricing, require users to be logged into Windows environments with administrative privileges. "If they need to run those applications on the internal network, then don't allow them to connect to the Internet," Bigman says.