IT can also isolate these vulnerable applications by running them in a sandboxed virtual environment, which keeps them separated from the rest of the system while still allowing Internet access and shielding the host from exploits.
Bigman adds that contractors, such as Target's HVAC company, should never be allowed to operate on the same logical network layer as sensitive customer data. "IT should be checking the Service Level Agreement to make sure it accounts for connectivity separate from corporate data," he says.
Something as simple as workstation audit logs can turn up critical information about an insider threat. "Audit logs show when processes start and stop, or when files are moved or changed and, therefore, can reveal a user that is manipulating security controls on a workstation," says Raytheon's Velez.
Typical network data-flow monitors can also reveal anomalies in traffic type or volume: if a user suddenly starts transferring piles of documents, the flow monitors would pick it up.
However, Velez warns that traditional tools only go so far and that organizations need a process in place to respond to alerts. "While you can get indications and warnings that data transfer volumes have gone up, you also need the ability to peer inside and check that those activities are appropriate and authorized," he says.
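The two signals described above, workstation audit events and per-user transfer volumes, can be combined into a simple review queue. The script below is an added example, not code from the article or from Raytheon or MITRE: every log line, path, process name and threshold is constructed for illustration, and the log formats are assumptions rather than any product's real output. It flags users who stop a security process or edit its configuration, flags a user whose daily outbound volume jumps past a multiple of their own median, and escalates a user who trips both. It deliberately stops short of deciding whether the activity was authorized, which is the follow-up step Velez describes.

```python
"""Added example, not from the article: a toy insider-threat triage script that
combines workstation audit-log events with per-user outbound flow volumes.
Every log line, path, process name and threshold below is constructed for
illustration; the log formats are assumptions, not any product's real output."""
import statistics
from collections import defaultdict

# Constructed workstation audit events: "<timestamp> <user> <event> <detail>".
AUDIT_LOG = [
    "2014-03-01T09:02:11 alice process_start outlook.exe",
    "2014-03-01T09:05:40 bob process_stop av_service.exe",
    "2014-03-01T09:06:02 bob file_changed C:\\ProgramData\\av\\policy.cfg",
    "2014-03-01T10:15:00 alice file_moved D:\\reports\\q1.xlsx",
    "2014-03-01T11:20:13 bob process_start archiver.exe",
]

# Constructed daily outbound bytes per user (oldest first; last entry is today).
FLOW_HISTORY = {
    "alice": [210_000_000, 190_000_000, 230_000_000, 205_000_000, 215_000_000],
    "bob":   [120_000_000, 110_000_000, 130_000_000, 115_000_000, 2_400_000_000],
}

# Hypothetical names of endpoint security controls and their config locations.
SECURITY_PROCESSES = {"av_service.exe", "edr_agent.exe", "firewall_svc.exe"}
SECURITY_PATHS = ("C:\\ProgramData\\av\\", "C:\\ProgramData\\edr\\")


def parse_audit(lines):
    """Turn each audit line into a dict; 'detail' keeps any spaces after the event."""
    events = []
    for line in lines:
        ts, user, event, detail = line.split(" ", 3)
        events.append({"ts": ts, "user": user, "event": event, "detail": detail})
    return events


def audit_alerts(events):
    """Flag users who stop a security process or touch its configuration files."""
    alerts = []
    for e in events:
        if e["event"] == "process_stop" and e["detail"] in SECURITY_PROCESSES:
            alerts.append((e["user"], "audit", f"stopped {e['detail']}"))
        elif e["event"] in ("file_changed", "file_moved") and e["detail"].startswith(SECURITY_PATHS):
            alerts.append((e["user"], "audit", f"modified {e['detail']}"))
    return alerts


def volume_alerts(history, factor=3.0):
    """Flag a user whose latest daily volume exceeds `factor` times the median of
    their earlier days. The median, not the mean, keeps a single earlier spike
    from inflating the baseline and hiding today's jump."""
    alerts = []
    for user, volumes in history.items():
        baseline = statistics.median(volumes[:-1])
        ratio = volumes[-1] / baseline
        if ratio > factor:
            alerts.append((user, "flow", f"outbound volume {ratio:.1f}x baseline"))
    return alerts


def triage(audit_log, flow_history):
    """Group both signals by user. A user with both an audit and a flow alert is
    escalated; every entry still needs an analyst to confirm whether the activity
    was authorized, which no log line can establish on its own."""
    by_user = defaultdict(list)
    for user, source, reason in audit_alerts(parse_audit(audit_log)) + volume_alerts(flow_history):
        by_user[user].append((source, reason))
    return {
        user: {"reasons": [r for _, r in hits],
               "escalate": {s for s, _ in hits} >= {"audit", "flow"}}
        for user, hits in by_user.items()
    }


if __name__ == "__main__":
    for user, verdict in triage(AUDIT_LOG, FLOW_HISTORY).items():
        print(user, verdict)
```

On the constructed data, alice never appears in the queue, while bob is escalated on three reasons: the stopped antivirus service, the edited policy file, and a day of outbound traffic roughly twenty times his baseline. The threshold and the choice of a per-user median baseline are the knobs that trade false positives against missed cases, which is why the article stresses that the alert is only the start of a process.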
Where the human meets the machine
Few people join a company with the intention of becoming an insider threat, says MITRE's Mahlik. "The majority of those who become insider threats have had some sort of life-altering incident or a developing circumstance that would push them to the brink."
It's imperative, he says, to have an employee population that is sensitive to normal behaviors and that's encouraged to speak up when they see anomalies.
The federal security community has been very focused on helping businesses mitigate their insider threats and has put together several guidelines:
- An analysis of the types of insider threats collected by CERT, most of which fall into three categories: sabotage (24%), fraud (44%) and theft of intellectual property (16%)
- A list of insider-threat resources compiled by CERT
- A primer by the FBI; a downloadable (PDF) version is available
- A list of insider threat resources curated by Gideon T. Rasmussen, a security consultant
— Sandra Gittlen
However, companies also have to ward off false positives by applying analytics to observed behavior. Executives must view the program as part of the company's risk management framework and employees must see the program as part of the company's responsibility to ensure a safe and secure work environment.
He adds: "There are effective IT tools available in the market that are passive, not intrusive, and that don't degrade productivity or network performance."