Mitigating the Angry Insider Threat

Michael Vizard

People have always been concerned about potential insider threats to sensitive data and intellectual property. But their willingness to mitigate those threats has never been strong enough to make them proactive about access management, even in the face of pressure from any number of compliance requirements.

But as the economy starts to recover, a more insidious issue is now at work within the four walls of the enterprise: A lot of employees are fundamentally angry. This is because many of them have felt abused over the last three years and as the economy recovers, they're not seeing any real improvement in their own situations. Profits are up at a lot of companies, but new hires are still scarce. That basically means that companies are getting a lot more productivity per employee. That's not a bad thing per se, but it is creating a climate where some insider might take it into their head to "punish" their employer in much the same way governments around the world are now being punished by any number of WikiLeaks postings stemming from a lack of access management.

For those reasons, companies might want to take a second look at their current access management policies, says Gijo Mathew, vice president of security product marketing for CA Technologies. Much of the security focus these days is on external threats, but most security experts will tell you that it's the insider that consistently does the most damage. And right now, a lot of people with access to all kinds of information are bearing some serious grudges.

In particular, Mathew notes that it has become a lot easier to apply more granular controls to data across the enterprise. So that means that there are now various degrees of "privileged user" access that can be granted to employees based on their role in the organization. In addition, it's also a lot easier to give people temporary access to files and systems in a way where that access is automatically revoked after a set period of time.
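An added illustration of the two controls described above (not code from the original post or from CA Technologies): role-tiered privileged access plus a temporary grant that lapses on its own, with every decision written to an audit trail. The role names, resources, users and the `AccessManager` class are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role tiers: each role maps to the (resource, action) pairs it may use.
ROLE_PERMISSIONS = {
    "dba_readonly": {("customer_db", "read")},
    "dba_admin": {("customer_db", "read"), ("customer_db", "alter_schema")},
}

@dataclass
class TemporaryGrant:
    user: str
    resource: str
    action: str
    expires_at: datetime
    approved_by: str

@dataclass
class AccessManager:
    user_roles: dict  # user -> set of role names
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant_temporary(self, user, resource, action, ttl, approved_by, now):
        if approved_by == user:
            raise ValueError("self-approval is not allowed")
        self.grants.append(TemporaryGrant(user, resource, action, now + ttl, approved_by))

    def is_allowed(self, user, resource, action, now):
        via = None
        for role in sorted(self.user_roles.get(user, ())):
            if (resource, action) in ROLE_PERMISSIONS.get(role, ()):
                via = f"role:{role}"
        for g in self.grants:
            # Expiry is evaluated at decision time, so a lapsed grant is
            # revoked automatically; no cleanup job has to remember it.
            if via is None and (g.user, g.resource, g.action) == (user, resource, action) and now < g.expires_at:
                via = f"temp-grant:{g.approved_by}"
        # Every decision, allowed or denied, lands in the audit trail.
        self.audit_log.append((now.isoformat(), user, resource, action, via or "DENY"))
        return via is not None

def demo():
    t0 = datetime(2011, 2, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    am = AccessManager({"alice": {"dba_readonly"}})  # constructed users
    before = am.is_allowed("alice", "customer_db", "alter_schema", t0)
    am.grant_temporary("alice", "customer_db", "alter_schema", timedelta(hours=4), "bob", t0)
    during = am.is_allowed("alice", "customer_db", "alter_schema", t0 + timedelta(hours=1))
    after = am.is_allowed("alice", "customer_db", "alter_schema", t0 + timedelta(hours=5))
    return before, during, after, am.audit_log
```
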

None of this means that employers should view every employee with suspicion. But an ounce of prevention can go quite a long way in a world where, as the saying goes, we should learn to "expect the unexpected."

Feb 25, 2011 6:25 AM Andy Feit says:

Totally agree Mike that the insider threat needs monitoring... in addition to the points you make, there is an additional element where external influences get an insider to do their work.  So, instead of doing the hard work of breaching a firewall and getting past whatever security is protecting the data, why not bribe an employee, either a DBA or Sys Admin to just hand over the assets -- most organizations don't have strong controls over privileged users.

Interestingly though, in our experience selling such solutions to protect databases, we often find ourselves talking to the very insiders who are being watched. You would think this would put them in an adversarial role, questioning why their management should not trust them, and do they really need a product like ours.  But, the reaction is frequently exactly the opposite. The overwhelming majority of these users is incredibly honest -- and they welcome a solution that provides a trusted audit of all activity (including theirs), so in the case that there is a breach, they can easily demonstrate that they are beyond suspicion.  Even better, a system like Hedgehog can pinpoint exactly who is responsible, and even avoid a breach in the first place, eliminating the need for internal audits of a team that should be focused on helping to resolve the problem, not suspected of causing it.

Feb 28, 2011 4:02 AM David Shephard says:


Gijo, Andy and yourself raise very valid points on insider threat. CERT has researched and presented (for example: Combat Insider Threat: Proven Strategies from CERT) quite in-depth analysis on the who and how of insider threat.

Incidents are predominantly executed by non-technical staff; but bearing in mind that the average damages range from US$750,000 to in excess of US$800,000 (excluding one reported case that exceeded US$700M), any incident is not to be sniffed at and it must be recognized that any member of staff can make an 'impact'. Initiating and maintaining those proven strategies to recognize potential perpetrators early and combating the threat should be front and center. However, we are all aware of the stretched resources you reference in your second paragraph. This impacts IT / IT Security departments as well. Minimizing the impact of additional security is a key desire, not just on the IT team but also on the business.

Anyway, do take a listen to Dawn Cappelli of CERT in the above-linked webcast. She presents great insights into the latest trends in insider crime profiles, actual case studies and best practices for addressing them.

Great post, keep it going and looking forward to the next.

