
How to identify and thwart insider threats

David Geer | Oct. 2, 2015
It is often said that an enterprise’s employees are its biggest vulnerability. What are companies doing about it? In a significant number of cases, companies are perhaps doing nothing.

A hacktivist wrecks, subverts, and destroys systems and data belonging to high-profile organizations or governments in a publicly obvious fashion to make a social or political statement. Conversely, a ringleader seeks financial gain by accessing information outside his purview so he can leave with more than he invested in the company to form another business or work for a competitor. The ringleader enlists any help he can to achieve his goals. Similar to the ringleader, an entitled employee plans to walk out with his work product and compete with his former employer. He usually works alone, exploiting his work product and any knowledge of it.

Each of these archetypes is a trusted employee who is misusing the privileges or access that the company granted them.

Taking an axe to archetypes

Although least-privilege and zero-trust approaches can limit damage from insiders, they are not foolproof. There are cases where data requires additional protections. An entitled employee, for example, might have full and unrestrained access to his work product in order to do his job. Likewise, an imposter can retrieve data in a very stealthy manner, avoiding the use of readily detected system scans and brute-force dictionary attacks on login screens.

Organizations should consider detection methods from the User Behavior Analytics space to deal with insiders, says Tierney. These methods apply behavioral baselines to identify attacks based on employee actions that deviate from normal, established behavior patterns. These tools can detect anomalous activity and alert the organization in a timely manner, prompting manual or automated remediation responses.

In one example where a user behavior analytics tool could have proved useful, Sutter Health, Sacramento discovered only this past August that in April 2013 a former employee emailed customer documents to a personal email address (not a normal, permissible behavior), according to California Department of Justice data breach reports.

But depending on the kinds of systems in the enterprise environment, the necessary log data and information may not be seamlessly accessible for the user behavior analytics product to draw upon to create a complete baseline in the first place, according to Rohit Gupta, CEO, Palerra, a cloud security automation firm. “Data on user behavior may not be available at all or may not be easily externalized for user behavior analytics systems to access and use it,” says Gupta.
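The baseline-and-deviation idea described above, applied to the emailed-documents case, as an added example that is not from the article or any vendor's product. The log format, the `corp.example` domain, the personal-webmail list, the 3-sigma threshold and all records are constructed assumptions, and it presumes the mail gateway data can be exported at all.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"                 # hypothetical company domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}    # assumed "personal" webmail list

# Constructed mail-gateway records: (day, sender, recipient, attachment_bytes)
HISTORY = [
    ("2015-09-01", "alice", "bob@corp.example", 120_000),
    ("2015-09-01", "alice", "vendor@partner.example", 40_000),
    ("2015-09-02", "alice", "vendor@partner.example", 55_000),
    ("2015-09-01", "carol", "carol.home@gmail.com", 10_000),
    ("2015-09-02", "carol", "carol.home@gmail.com", 12_000),
]
TODAY = [
    ("2015-09-04", "alice", "alice.private@gmail.com", 4_800_000),
    ("2015-09-04", "alice", "vendor@partner.example", 50_000),
    ("2015-09-04", "carol", "carol.home@gmail.com", 11_000),
]

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def build_baseline(events):
    """Per sender: external domains seen and external attachment bytes per day."""
    seen, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, user, rcpt, size in events:
        if domain(rcpt) != INTERNAL_DOMAIN:
            seen[user].add(domain(rcpt))
            daily[user][day] += size
    return {u: (seen[u], list(daily[u].values())) for u in seen}

def score(event, baseline, k=3.0):
    """Return the reasons (if any) this message deviates from the sender's baseline."""
    _, user, rcpt, size = event
    d = domain(rcpt)
    if d == INTERNAL_DOMAIN:
        return []
    domains, volumes = baseline.get(user, (set(), []))
    reasons = []
    if d not in domains:
        reasons.append(("new personal webmail" if d in PERSONAL_DOMAINS else "new external") + " domain")
    limit = mean(volumes) + k * pstdev(volumes) if volumes else 0
    if size > limit:
        reasons.append(f"{size} attachment bytes exceeds baseline limit {limit:.0f}")
    return reasons

def detect(history, today):
    baseline = build_baseline(history)
    scored = ((e, score(e, baseline)) for e in today)
    return {(e[1], e[2]): r for e, r in scored if r}
```

Only alice's message to a never-before-seen webmail address is flagged. carol's forwarding to a personal mailbox passes because it was already present when the baseline was built, which is why the baseline period itself needs review.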

Other measures

Beyond behavior analytics, enterprises should maintain insider incident response plans that define the response, which should include an extended response team because an employee is involved, says Tierney. “Legal, HR, and departmental management all come into play,” says Tierney.

But remember, incident response plans are only as good as the processes set up to detect incidents for response. “If detection doesn’t take place, incident response plans are not useful,” says Gupta.

