What Hamilton can teach us about insider threats

By gaining visibility into user activity, organizations will be able to stem the tide of insider threat risks—and stop the next Aaron Burr in their tracks


In cybersecurity, it’s often said that “hindsight is 20/20” when a breach or leak occurs.

It’s not for lack of trying. The effort is usually there, with many cybersecurity teams deploying an extensive array of strategies and tools designed to mitigate risk to property, systems, and data. It’s unfortunate when an incident occurs, but the key to thwarting future incidents often lies with a little history lesson.

What can be learned by looking back at past incidents? I found myself (much like I often do) thinking about this question while taking in the hit Broadway musical, Hamilton.

I know what you’re thinking: “What does Hamilton have to do with cybersecurity?” But bear with me – U.S. history can teach us a surprising amount about cybersecurity threats. While the songs of Hamilton are catchy, and the musical numbers are impressive, there’s much more to the story. When I watched the show, I couldn’t stop thinking that Vice President Aaron Burr exuded all the characteristics of a modern-day insider threat.

A brief history refresher (and definite spoiler): Burr and the musical’s namesake, Secretary of the Treasury Alexander Hamilton, had a longstanding feud full of corruption and deceit. Hamilton eventually paid the ultimate price when Burr shot and killed him in a duel.

This insider threat all started with a form of betrayal that ultimately changed American history forever…

Hamilton, and the insider threat

Alexander Hamilton and Aaron Burr did not start out as foes. The two were initially close comrades and colleagues, practicing law together. According to many, Hamilton looked up to Burr, and saw him as a trustworthy source. Hamilton had no reason to believe Burr would threaten their relationship, and later become a malicious actor. 

The relationship turned sour in 1791, when Burr stole a Senate seat from Hamilton’s father-in-law, switching to the Democratic Party to do so (Burr and Hamilton were originally part of the Federalist Party). Instead of staying loyal to the Federalists, Burr shifted allegiances for political gain. This turn of events spiraled into a longstanding political dispute, exposing Burr’s true nature as an insider threat willing to do whatever it took for personal advancement, and threatening both political and personal ties with Hamilton, as they were no longer on the same side.

Over the years, Hamilton and Burr’s feud led to many political snafus. The tipping point came during the Election of 1800, where Hamilton encouraged Federalists to endorse Thomas Jefferson over Burr for the presidency. Federalists typically loathed Jefferson, but Hamilton saw Burr was a threat and encouraged his colleagues to reach across party lines for the endorsement. As we know, Thomas Jefferson ultimately became president. Burr was his second in command.

Burr was furious that Hamilton would double-cross him and sought out ways to get revenge. As Burr’s ill will against Hamilton continued to build up, he eventually challenged Hamilton to what became an infamous duel, resulting in Hamilton’s death. Burr’s rash decisions showcased his true nature – a malicious foe who wanted revenge and was not going to let anyone stand in his way.

An intent towards revenge is a mindset often seen with potential insider threats.

Why insiders are a serious threat 

Insider threats in organizations are easily disguised. Just as Hamilton should have kept his guard up with Burr, organizations need to be careful to protect data and assets from insiders – even if they seem benign or trustworthy.

Anyone can be a potential insider threat. I’d like to think that if insider threat software existed in the Hamilton era, things would have worked out very differently from a historical perspective. The behavior trends alone would have indicated intent!

To prevent insiders such as vendors, contractors or employees with access to key systems and data from becoming the next Aaron Burr, organizations should start by evaluating their trusted users and current cybersecurity processes. Individuals, like Burr, who have an agenda for personal gain can be seen as potentially malicious or posing a risk to the organization. To reduce risk, companies can benefit from having visibility into user actions and monitoring trends in behavior.

One of the challenges with insider threats and data leakage in cybersecurity is the inability of many organizations to detect, in real time, when users are exhibiting risky behavior or taking out-of-policy actions. Whether exfiltrated for malicious reasons or through negligence, once valuable data has been leaked via inappropriate means, there are people or groups with ulterior motives who will look for opportunities to use the data to their advantage.

As hackers find creative ways to capitalize on stolen data, organizations need to put systems in place to identify instances of insider breaches or leaks in as close to real time as possible. Whether for malicious purposes or based on user negligence, the results of insider threats can diminish a company’s brand, reputation, and potentially shareholder value.

How you can identify the Aaron Burr of your organization

It can be challenging—but is of utmost importance—for organizations to implement processes and technology to proactively detect insider threats, streamline the investigation process and prevent data exfiltration.

Cybersecurity isn’t just about outsiders trying to get in! Insiders are uniquely able to access and misuse systems and data in a variety of ways, yet they are often overlooked when organizations “lock down” their data.

To stop insider threats, both malicious and accidental, organizations must detect and prevent these threats – before they leak information outside the organization. When trusted users with access to key systems or information have malicious intent, like Vice President Aaron Burr, confidential data and property can quickly become exposed.

So how can organizations avoid exposure of confidential information that may result in disaster?

It starts with having eyes on the endpoint, striving to always be aware of how vendors, partners and employees are interacting with and accessing organizational information. But perhaps most importantly, individuals (and organizations) need to place their trust not in their “friends,” as Hamilton did, but in measurable, trend-tracking solutions and processes that are powerful enough to address the scale of modern-day enterprises and provide real-time visibility into what users are doing.

While many of today’s insider threats may not make the (global) history books, the devastating impact of insider threats to an organization’s finances and reputation will be felt for the foreseeable future. It has never been more crucial to build processes and invest in solutions that provide clear visibility into who is doing what, when, where, and why.

By gaining visibility into user activity, organizations will be able to stem the tide of insider threat risks—and stop the next Aaron Burr in their tracks.

The Hamilton show was great, by the way.

Copyright © 2018 IDG Communications, Inc.
