6 technical measures to mitigate insider threats

Aug 19, 2013 · 5 mins
Network Security

Insiders were a huge point of discussion at the 2013 Black Hat security conference in Las Vegas Nevada. Recent high-profile insider incidents have attracted mainstream media coverage and amplified this topic.

But we needn’t throw up our hands and surrender. There are technical measures that can be embraced to help mitigate the risks brought upon by malicious insiders. These technical measures work in tandem with non-technical measures and can be leveraged before, during and after an incident.

Before the incident

Before an incident there has to be some prep work to better understand your environment. In particular, knowing what you’ve got and who’s interacting with it just makes intuitive sense. Not knowing this doesn’t pass the “duh” test but unfortunately it can be difficult to resolve.

#1 Know your assets

Determining where all your assets are, what they do, who owns them, etc. can be difficult, especially in the world of VDI, mobile, cloud and BYOD. One type of asset, data, can be structured (databases) and unstructured (file servers). Data can also exist in storage, in transit and in use. This makes “knowing” complex.

Encryption solutions will help protect sensitive data across its various incarnations from those lacking keys. But a holistic asset discovery and management solution can help keep track of what you’ve got and where it is. Fundamentally this sounds simple, but even with the right tools it’s challenging. However without it a malicious insider will have a huge advantage that’s analogous to a bank hiding money in different locations around a building but not remembering where they put it.

#2 Know your people

Second only to identifying assets is identifying the individuals interacting with your assets. Users can have dozens or even hundreds of identifiers, from MAC and IP addresses to user IDs and phone numbers. Since you can’t arrest an IP address, obtaining attribution – identifying “who” – is paramount.

Robust identity management solutions will integrate with Active Directory, LDAP, DHCP, MDMs, NAC, incident detection systems and asset management systems to help associate a user persona with an incident tied to packets, sessions and logs.
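The attribution step described above, as an added example that is not part of the original article: an incident known only by an IP address and a timestamp is resolved to a host through DHCP lease records, then to a user through directory logon events, then to persona attributes from an identity store. All three data sets are constructed for illustration (hostnames, MAC addresses, users and phone numbers are made up), and the 12-hour staleness cutoff for logon evidence is an assumption of this example rather than a rule from the article. The point the data is built to show is that the same IP address belongs to different people on different days, so attribution without a timestamp is wrong.

```python
"""Time-aware attribution of an IP address to a user persona.

Added example, not code from the article. The DHCP leases, logon events and
identity store below are constructed; real deployments would read them from
the DHCP server, the directory's security log and the HR/identity system."""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 timestamp string (no time zone, for brevity)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed DHCP lease records: (lease_start, lease_end, ip, mac, hostname).
# Note the same IP is leased to two different hosts on consecutive days.
DHCP_LEASES = [
    ("2013-08-15T08:10:00", "2013-08-15T20:10:00", "10.1.4.23", "aa:bb:cc:33:44:55", "WS-BOB"),
    ("2013-08-16T07:55:00", "2013-08-16T19:55:00", "10.1.4.23", "aa:bb:cc:00:11:22", "WS-ALICE"),
]

# Constructed directory logon events: (time, hostname, user, logon_type).
# A service-account logon on the same host must not be mistaken for the person at the keyboard.
LOGON_EVENTS = [
    ("2013-08-15T08:15:00", "WS-BOB", "bob", "interactive"),
    ("2013-08-16T08:02:00", "WS-ALICE", "alice", "interactive"),
    ("2013-08-16T12:30:00", "WS-ALICE", "svc-backup", "service"),
]

# Constructed identity store: user ID -> persona attributes.
IDENTITY_STORE = {
    "alice": {"role": "sysadmin", "department": "IT", "phone": "+1-555-0100"},
    "bob": {"role": "analyst", "department": "Finance", "phone": "+1-555-0101"},
}


def host_for_ip(ip, at, leases=DHCP_LEASES):
    """Return the hostname holding `ip` at datetime `at`, or None if no lease covers it."""
    for start, end, lease_ip, _mac, host in leases:
        if lease_ip == ip and ts(start) <= at <= ts(end):
            return host
    return None


def user_for_host(host, at, logons=LOGON_EVENTS, max_age=timedelta(hours=12)):
    """Return the most recent interactive user logged on to `host` at or before `at`.

    Logons older than `max_age` (an assumed cutoff) are ignored: a stale session
    is weak evidence of who was actually using the machine."""
    best = None
    for t, h, user, kind in logons:
        when = ts(t)
        if h == host and kind == "interactive" and when <= at and at - when <= max_age:
            if best is None or when > best[0]:
                best = (when, user)
    return best[1] if best else None


def attribute(ip, at_str):
    """Resolve an (ip, time) pair to host, user and persona; any missing link stays None."""
    at = ts(at_str)
    host = host_for_ip(ip, at)
    user = user_for_host(host, at) if host else None
    return {
        "ip": ip,
        "time": at_str,
        "host": host,
        "user": user,
        "persona": IDENTITY_STORE.get(user) if user else None,
    }


if __name__ == "__main__":
    # Same IP, three different days: bob, then alice, then nobody (no lease on record).
    for when in ("2013-08-15T16:00:00", "2013-08-16T16:00:00", "2013-08-17T16:00:00"):
        print(attribute("10.1.4.23", when))
```

Each link in the chain is a separate lookup with its own time window, so when one link is missing the result says so (`None`) instead of silently picking the last known user of that address.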

During the incident

The prep work has been completed, you have your hands around your sensitive assets and you can identify who is interacting with them. Now it’s 4:00PM on a Friday and Alice, a system administrator, has begun her exfiltration mission, using legitimate trust and access to steal intellectual property.

#3 Monitor activity

There are few red flags for an insider incident, but there are yellow flags. Taking advantage of log data across endpoints as well as network and data security solutions provides yellow flags. This is a bit like looking at a phone bill and being able to derive the individuals on the call, when it happened and its duration. This may create a yellow flag or a group of yellow flags warranting more investigation.

These logs are extremely valuable, especially if you are able to augment them with much richer packet and session information to reconstruct exactly what Alice did and even open up the file she stole. Various solutions including SIEM, log management, data loss monitoring and Big Data Security Analytics can assist in activity monitoring.

#4 Monitor encrypted activity

Roughly 30-40 percent of today’s network traffic is over SSL including many popular providers of social media, email, and file sharing. Most organizations aren’t comfortable only being able to monitor 60-70 percent of their traffic.

Monitoring is essential, but equally essential is the ability to take advantage of solutions that allow for decrypted analysis. Some proxies, next generation firewalls, IPS solutions and purpose-built decryption devices can provide this elevated visibility. As such, it doesn’t matter that Alice’s PDF file was sent through email using HTTPS.

#5 Apply analytics

Just as with external threats, analytics can be leveraged to take advantage of automated machine-based analysis and augment human intuition. These analytics can be applied to log and alert data, as well as packet captures and sessions collected before, during and after an incident – much like a surveillance camera. Key analytics include:

  • Visualization – as anyone that has spent time looking over log files or packet captures will tell you, visual analytics allow an analyst to work more quickly
  • Correlation – correlation helps to find causal relationships amongst seemingly unrelated or benign activity
  • Pattern discovery and anomaly detection – building up baselines of normal or expected activity helps analysts prioritize investigations

With analytics we see that Alice used her administrative privileges to access a particularly sensitive server. Based on her profile within the identity management solution she should only be accessing that server to conduct backups but access controls didn’t limit her movements. We determined that she used these elevated privileges to access a secure folder, create a copy of the file, and rename it. She later downloaded the file to her laptop and eventually emailed the file to herself. Analytics across solutions that aggregate packets, sessions or logs help gather these details or yellow flags.
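The three analytics listed above (correlation, baselining and anomaly detection, plus the policy check against the identity profile) applied to the Alice scenario, as an added example that is not part of the original article. The activity log, the identity profile, the 30-day baseline and the internal mail domain are all constructed; in practice they would come from the SIEM or log management platform, the identity management solution and a historical window of the same logs. Events are assumed to be already attributed to a user (the "know your people" step). The correlation rule chains four stages, sensitive-server access, copy/rename, download to the endpoint and email to an external address, inside a one-hour window; the stage names and the window are assumptions of this example.

```python
"""Yellow-flag analytics over attributed activity logs: policy check against the
identity profile, baseline anomaly detection, and multi-stage correlation.

Added example, not code from the article. Events, profile, baseline and the
internal mail domain below are constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

SENSITIVE_SERVERS = {"FS-LEGAL"}
INTERNAL_DOMAIN = "example.com"   # constructed: mail sent elsewhere counts as leaving the organization

# Constructed identity profile: which actions each user is authorized for on each server.
# Alice is a sysadmin who is only supposed to touch FS-LEGAL to run backups.
PROFILES = {"alice": {"role": "sysadmin", "authorized": {"FS-LEGAL": {"server_login", "backup"}}}}

# Constructed 30-day baseline: how often each (user, server) pair performed each action.
BASELINE = {("alice", "FS-LEGAL"): Counter({"backup": 40, "server_login": 40})}

# Constructed, already attributed events: (time, user, server, action, detail).
EVENTS = [
    ("2013-08-16T02:00:00", "alice", "FS-LEGAL", "backup", "nightly job from BACKUP01"),
    ("2013-08-16T16:02:11", "alice", "FS-LEGAL", "server_login", "from WS-ALICE"),
    ("2013-08-16T16:03:40", "alice", "FS-LEGAL", "file_copy", "/secure/merger.pdf -> /tmp/notes.pdf"),
    ("2013-08-16T16:04:05", "alice", "FS-LEGAL", "file_rename", "/tmp/notes.pdf -> /tmp/q3.pdf"),
    ("2013-08-16T16:10:30", "alice", "WS-ALICE", "file_download", "FS-LEGAL:/tmp/q3.pdf"),
    ("2013-08-16T16:20:00", "alice", "WS-ALICE", "email_send", "to=alice@mailbox.example.net attach=q3.pdf"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def policy_flags(events, profiles=PROFILES):
    """Flag any action on a sensitive server that is outside the user's authorized purpose."""
    flags = []
    for t, user, server, action, _detail in events:
        if server not in SENSITIVE_SERVERS:
            continue
        allowed = profiles.get(user, {}).get("authorized", {}).get(server, set())
        if action not in allowed:
            flags.append((t, user, f"policy: {action} on {server} outside authorized purpose"))
    return flags


def anomaly_flags(events, baseline=BASELINE):
    """Flag actions the (user, server) pair never performed during the baseline period."""
    flags = []
    for t, user, server, action, _detail in events:
        if (user, server) in baseline and baseline[(user, server)][action] == 0:
            flags.append((t, user, f"anomaly: first {action} by {user} on {server} vs. baseline"))
    return flags


STAGES = ["access", "stage", "download", "exfil"]   # assumed stage names for the chain


def stage_of(server, action, detail):
    """Map one event to a chain stage, or None if it fits no stage."""
    if server in SENSITIVE_SERVERS and action == "server_login":
        return "access"
    if server in SENSITIVE_SERVERS and action in {"file_copy", "file_rename"}:
        return "stage"
    if action == "file_download" and any(s in detail for s in SENSITIVE_SERVERS):
        return "download"
    if action == "email_send" and "to=" in detail:
        recipient = detail.split("to=")[1].split()[0]
        if not recipient.endswith("@" + INTERNAL_DOMAIN):
            return "exfil"
    return None


def correlate(events, window=timedelta(hours=1)):
    """Correlate each user's events into an ordered access -> stage -> download -> exfil chain.

    Only the first event of each stage is recorded, the chain restarts when the
    window since its first stage expires, and users with fewer than two stages are dropped."""
    chains = {}
    for t, user, server, action, detail in sorted(events, key=lambda e: e[0]):
        stage = stage_of(server, action, detail)
        if stage is None:
            continue
        chain = chains.setdefault(user, [])
        if chain and ts(t) - ts(chain[0][1]) > window:
            chain.clear()
        if STAGES.index(stage) == len(chain):          # accept only the next expected stage
            chain.append((stage, t, detail))
    return {u: c for u, c in chains.items() if len(c) >= 2}


def analyze(events):
    """Combine the three analytics into one time-ordered list of (time, user, reason) yellow flags."""
    flags = policy_flags(events) + anomaly_flags(events)
    for user, chain in correlate(events).items():
        path = " -> ".join(stage for stage, _, _ in chain)
        flags.append((chain[-1][1], user, f"correlation: {len(chain)}-stage chain {path}"))
    return sorted(flags)


if __name__ == "__main__":
    for t, user, reason in analyze(EVENTS):
        print(t, user, reason)
```

Each analytic on its own produces a yellow flag, not a verdict: the nightly backup passes all three, the copy and rename trip both the policy and the baseline checks, and only the correlation across sources (server log, endpoint log, mail gateway) turns four individually explainable events into a four-stage chain worth an investigation.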

After the incident

We are confident that something suspicious is happening. We might not know for sure if Alice is malicious or careless but we are sure that the evidence warrants further investigation.

#6 Conduct forensic analysis

Insider threat investigations are always a combination of real-time and forensic analysis. Discovering an insider yellow flag in real time starts a response, but you’ll also want to see what else Alice has been doing, how long she has been doing it and who else she has been doing it with.

Responding to the Alice incident may include explicit real-time monitoring and forensic analysis directed at Alice’s devices and identities. We might want to see every file she has sent to her personal email. We might want to know if she has been uploading information to external file shares, which other internal servers she has been accessing and what she has been saying over IM and email.

Organizations can successfully mitigate insider threats using the measures I’ve outlined. This will decrease the insider’s operational window and reduce the damage they can inflict. What other steps does your organization take?


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.