Zero Trust: The Solution to Insider Threats

Jake McGuire | 10/3/2019

In most cases, people view their co-workers as acquaintances, not adversaries. It’s just human nature. So it can be challenging for organizations to take steps to monitor their own employees. Perhaps it seems unfriendly, or even punitive. But industry trends show that insider threats are on the rise, and insider attacks can be extremely costly.

Take note

According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 25% of attacks on companies involved internal actors. In the 2019 DBIR, that figure rose to 34%. Further, the Ponemon Institute found that the average cost of a cybercrime attack perpetrated by a malicious insider rose from $1.4 million in 2017 to $1.6 million in 2018.

Cybersecurity specialists in the healthcare and financial services industries have for some time been focused on the individual costs of breached records and the impact those breaches have on privacy and sensitive data. But an insider breach can affect any organization, and when it does, it’s most typically directed at the theft of intellectual property.

Own the threat

For years, organizations have been warned that the adversary is external, and they have responded by building up perimeter defenses. Most organizations concentrate on the perimeter rather than on internal controls, and they typically rely on external penetration testing to validate that perimeter. However, an external penetration test rarely yields enough information or privilege to reach sensitive internal systems, so it says little about what an attacker could do once already inside.

Given the increase in malicious insider attacks, organizations must also pay close attention to protecting internal networks. Internal penetration testing is one strategy for strengthening that protection. An internal test starts from the position of an ordinary employee or a compromised workstation, and it typically ends with privileged credentials, which is enough to reach sensitive information systems. Implementing internal controls helps an organization mitigate an insider threat and also stops an external actor who has gained a foothold on the internal network.

Even if an organization has an effective insider threat program, it still might need to readjust its sights. Traditionally, insider threat programs were aimed at organization administrators and users with access to sensitive data. While these insider programs have been successful, the focus has shifted. Ordinary, nonprivileged employees have access to sensitive data – just not as much as an administrator. Malicious actors have figured this out, and now they target nonadministrator employees to gain access to data.

Take this case, for example. A recent investigation of a breach at a communications organization revealed that over a five-year period, a malicious actor paid out more than $1 million in bribes to employees in exchange for access to the internal network and the organization’s tools. Most organizations trust their employees, but how many employers believe their employees would reject a bribe of hundreds of thousands of dollars to provide sensitive company data?

Trust no one

Because organizations have operated based on the notion that the adversary is outside the doors, network protection has traditionally revolved around defending the border between the organization and the rest of the internet. But what if organizations assumed that everyone could be a potential adversary?

The basic idea of zero trust is that network administrators should lock not only the outside doors but the inside doors as well. Zero trust architecture is based on the premise that anyone and everyone is a risk, so every request for a resource is authenticated and authorized on its own merits rather than on the basis of where it comes from.

Every time users need access to a resource, they must authenticate to that resource just as if they were logging on. Certain software offerings, specifically identity and access management (IAM) products, can make reauthentication fairly seamless, for example by issuing short-lived tokens behind a single sign-on so that users are not asked for credentials at every step. This matters, because end users who are forced to enter credentials repeatedly quickly become frustrated and look for workarounds.

Build a zero trust foundation

Zero trust implementation comprises several moving parts. As with anything in cybersecurity, these features are layered in a way that if one aspect of zero trust is defeated, the other functions can mitigate the risk. Used together, the following tools and features constitute the foundation for zero trust: identity management, authentication, segmentation, and logging and monitoring.

Identity management. Identity management is a category of tools that automates the lifecycle of user accounts: provisioning, role changes, and deprovisioning. An identity management system contains the policies that dictate which resources each user may access.

Identity management also encompasses privileged access management (PAM). A PAM system holds privileged credentials in a vault and brokers access to them. When a user needs a privileged account, PAM checks the credential out and authenticates to the target system on the user's behalf without disclosing the password. By this method, the user can reach sensitive systems if the identity management system deems the request acceptable, but the user never retains any of the sensitive authentication material. If malicious actors compromise a single user account, they gain neither the vault itself nor the passwords to any other systems.

PAM also makes it practical to give each system its own privileged credential, something personnel would find tedious to manage by hand. With system-specific credentials, an attacker who compromises one system cannot reuse the credential captured there to log on to a different system.

Authentication. Zero trust authentication also has to validate users who are not on the corporate network, because much of today's workforce works remotely. In many zero trust implementations, authentication is more than a username and password. Each system carries a data classification, and the user must hold sufficient clearance for that classification to gain access.

Gone are the days of users gaining access to a resource simply on the basis of their account privilege. In a zero trust network, a gatekeeper at each resource adds up factors to determine whether a user should gain access. These factors include username and password, location, device, and multifactor tokens. The outcome need not be binary: the gatekeeper can allow the request, deny it, or demand an additional factor before proceeding. With this level of authentication, a system can make a more precise determination about whether a specific user is approved to access a resource or whether the user's account has been compromised.
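The following is an added example, not code from the original article or from any product it mentions. It shows a minimal policy decision point of the kind the paragraph describes: hard rules (a valid primary credential, sufficient clearance) are checked first, then the remaining factors are scored against a threshold set by the resource's classification, and the result is allow, step-up (ask for a second factor), or deny. The classification levels, score thresholds, field names and sample requests are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Classification levels in increasing sensitivity (assumed labels).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Minimum evidence score a request must reach per classification (assumed thresholds).
REQUIRED_SCORE = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class AccessRequest:
    user: str
    resource: str
    classification: str        # classification label of the resource
    clearance: str             # highest classification the user may access
    password_ok: bool          # primary credential verified by the identity provider
    mfa_ok: bool               # second factor presented and verified
    device_managed: bool       # request came from an enrolled, compliant device
    country: str               # geolocation of the source address
    allowed_countries: Tuple[str, ...] = ("US",)   # assumed expected locations


@dataclass
class Decision:
    outcome: str               # "allow", "step_up" or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Policy decision for one request: hard rules first, then a factor score."""
    # Hard rule 1: without a valid primary credential nothing else is evaluated.
    if not req.password_ok:
        return Decision("deny", 0, ["primary credential failed"])
    # Hard rule 2: clearance must cover the resource classification; extra
    # factors never compensate for insufficient clearance.
    if CLASS_RANK[req.clearance] < CLASS_RANK[req.classification]:
        return Decision("deny", 0, [f"clearance {req.clearance} below {req.classification}"])

    score, reasons = 1, ["password verified"]
    if req.mfa_ok:
        score += 1
        reasons.append("MFA verified")
    if req.device_managed:
        score += 1
        reasons.append("managed device")
    else:
        reasons.append("unmanaged device")
    if req.country in req.allowed_countries:
        score += 1
        reasons.append(f"expected location {req.country}")
    else:
        reasons.append(f"unexpected location {req.country}")

    needed = REQUIRED_SCORE[req.classification]
    if score >= needed:
        return Decision("allow", score, reasons)
    # A missing second factor is the one gap the user can close interactively;
    # a stolen password alone gets stuck here unless the attacker also holds the token.
    if not req.mfa_ok and score + 1 >= needed:
        return Decision("step_up", score, reasons + ["MFA challenge required"])
    return Decision("deny", score, reasons + [f"score {score} below required {needed}"])


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AccessRequest("alice", "hr-db", "restricted", "restricted", True, True, True, "US"),
        # Same account, but only the password is in play from an unknown laptop abroad.
        AccessRequest("alice", "wiki", "internal", "restricted", True, False, False, "RO"),
        AccessRequest("alice", "finance-share", "confidential", "restricted", True, False, False, "RO"),
        AccessRequest("bob", "hr-db", "restricted", "internal", True, True, True, "US"),
    ]
    for r in samples:
        d = evaluate(r)
        print(f"{r.user:6} -> {r.resource:14} {d.outcome:8} score={d.score} {d.reasons}")
```

The interesting case is the second request: a stolen password from an unmanaged device in an unexpected location scores only 1, so the attacker is pushed into an MFA challenge they cannot complete, and the same stolen password is refused outright against a confidential resource.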

Segmentation. Network segmentation is not a new concept in cybersecurity. It has long been a networking best practice, though historically for performance and broadcast-domain reasons rather than security. The idea behind segmentation is to break users into smaller groups based on function. For example, an organization can place the marketing group on one network segment and the engineering team on another, each with access to its own resources. This prevents someone in marketing from accidentally or deliberately reaching sensitive engineering data.

Zero trust takes segmentation one step further with microsegmentation, which treats each endpoint or workload as its own segment: an endpoint may communicate only with the resources it is authorized to use, and nothing else by default, including its neighbours on the same network. Potentially malicious communication between endpoints is therefore blocked before it starts. If an attacker compromises a user account or workstation, microsegmentation prevents the attacker from pivoting to other endpoints or reaching data the user is not authorized to access.
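The following is an added example, not code from the original article. It contrasts the two models just described on the same hypothetical inventory: a coarse, group-based policy that filters only between segments and leaves traffic inside a segment unfiltered, and a microsegmentation policy in which every endpoint carries its own allowlist and everything else is denied. The blast_radius function then computes which hosts a pivoting attacker could reach from one compromised workstation under each model. Host names, ports and rules are constructed for the illustration.

```python
from collections import deque
from typing import Callable, Dict, Set, Tuple

# Hypothetical inventory: host -> functional segment.
SEGMENT_OF = {
    "mkt-ws-01": "marketing", "mkt-ws-02": "marketing",
    "eng-ws-01": "engineering", "git-01": "engineering",
    "crm-01": "shared",
}

# Coarse, group-based policy: ports allowed between segments. Traffic that
# stays inside a segment is not filtered at all, as on a flat VLAN.
SEGMENT_RULES: Dict[Tuple[str, str], Set[int]] = {
    ("marketing", "shared"): {443},
    ("engineering", "shared"): {443},
}

# Microsegmentation: each endpoint has an explicit allowlist of (peer, port).
# Anything not listed is denied, including traffic to hosts in the same segment.
MICRO_RULES: Dict[str, Set[Tuple[str, int]]] = {
    "mkt-ws-01": {("crm-01", 443)},
    "mkt-ws-02": {("crm-01", 443)},
    "eng-ws-01": {("git-01", 22), ("git-01", 443), ("crm-01", 443)},
    "git-01": set(),
    "crm-01": set(),
}

# Ports an attacker would typically probe from a compromised host (assumed).
PROBE_PORTS = (22, 443, 445, 3389)


def coarse_allows(src: str, dst: str, port: int) -> bool:
    """Group-based policy: intra-segment traffic is open, inter-segment by rule."""
    s, d = SEGMENT_OF[src], SEGMENT_OF[dst]
    if s == d:
        return True
    return port in SEGMENT_RULES.get((s, d), set())


def micro_allows(src: str, dst: str, port: int) -> bool:
    """Per-endpoint allowlist with default deny."""
    return (dst, port) in MICRO_RULES.get(src, set())


def blast_radius(allows: Callable[[str, str, int], bool], start: str) -> Dict[str, Set[int]]:
    """Hosts (and the ports open to them) transitively reachable from `start`.

    Pessimistic assumption: every reachable host can itself be compromised
    and used as the next pivot, so the search is a breadth-first walk."""
    reached: Dict[str, Set[int]] = {}
    queue = deque([start])
    seen = {start}
    while queue:
        src = queue.popleft()
        for dst in SEGMENT_OF:
            if dst in (src, start):
                continue
            ports = {p for p in PROBE_PORTS if allows(src, dst, p)}
            if not ports:
                continue
            reached.setdefault(dst, set()).update(ports)
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return reached


if __name__ == "__main__":
    for name, policy in (("coarse", coarse_allows), ("micro", micro_allows)):
        print(f"{name:6} from mkt-ws-01: {blast_radius(policy, 'mkt-ws-01')}")
```

Under the coarse policy a compromised marketing workstation can reach its neighbour on every probed port, which is exactly the lateral movement path an attacker wants; under microsegmentation the same workstation reaches only the CRM server on 443, and the CRM server itself reaches nothing further.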

Logging and monitoring. For these systems to work together in support of zero trust, each must log its actions appropriately: authentication results, access decisions, privileged credential checkouts, and policy changes. Logging lets the other systems, and the analysts behind them, understand what has already happened and make decisions about what to do next.

The vast amount of data that is logged also allows more advanced alerting. With multiple systems sending logs to a central repository, events from different sources can be cross-referenced, and anomalies in user behavior can be detected that no single log source would reveal. For example, a user logging in at 2 a.m. might not trigger an alert on its own, but if that same user logs in at 2 a.m. from a foreign country, that could be cause for alarm. This amount of logging also allows the organization to review actions taken in the past to determine the extent of an attack.
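The following is an added example, not code from the original article. It implements the correlation logic the paragraph describes over a handful of constructed authentication events: a per-user baseline (usual hours, countries and devices) is built from historical successes, each new login is scored against it, and an alert fires only when two or more weak signals coincide, or when two logins from different countries fall inside an impossible-travel window. The log format, field names and sample events are assumptions made for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical successes used to build each user's baseline.
HISTORY = """
{"ts": "2019-09-23T09:02:11Z", "user": "alice", "result": "success", "src_country": "US", "device": "corp-lt-17"}
{"ts": "2019-09-23T14:30:05Z", "user": "alice", "result": "success", "src_country": "US", "device": "corp-lt-17"}
{"ts": "2019-09-24T17:45:52Z", "user": "alice", "result": "success", "src_country": "US", "device": "corp-lt-17"}
{"ts": "2019-09-24T08:55:40Z", "user": "bob",   "result": "success", "src_country": "US", "device": "corp-lt-22"}
{"ts": "2019-09-25T09:12:19Z", "user": "bob",   "result": "success", "src_country": "US", "device": "corp-lt-22"}
{"ts": "2019-09-25T09:13:01Z", "user": "bob",   "result": "failure", "src_country": "BR", "device": "unknown"}
"""

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = """
{"ts": "2019-10-01T02:05:33Z", "user": "alice", "result": "success", "src_country": "US", "device": "corp-lt-17"}
{"ts": "2019-10-01T02:41:09Z", "user": "alice", "result": "success", "src_country": "RO", "device": "corp-lt-17"}
{"ts": "2019-10-01T09:15:00Z", "user": "bob",   "result": "success", "src_country": "US", "device": "corp-lt-22"}
{"ts": "2019-10-01T09:40:27Z", "user": "bob",   "result": "success", "src_country": "US", "device": "corp-lt-9"}
"""


def parse(lines: str) -> list:
    """Parse JSON-lines auth events into dicts with an aware UTC timestamp, oldest first."""
    events = []
    for line in lines.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: list) -> dict:
    """Per-user sets of hours, countries and devices seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["countries"].add(e["src_country"])
        b["devices"].add(e["device"])
    return dict(base)


def detect(baseline: dict, events: list, travel_window: timedelta = timedelta(hours=2)) -> list:
    """Return (user, timestamp, signals) for logins that combine two or more
    weak signals, or that imply impossible travel between two countries."""
    alerts = []
    last_seen = {}   # user -> (timestamp, country) of the previous success
    for e in events:
        if e["result"] != "success":
            continue
        signals = []
        b = baseline.get(e["user"])
        if b is None:
            signals.append("no baseline")
        else:
            if e["ts"].hour not in b["hours"]:
                signals.append("off-hours")
            if e["src_country"] not in b["countries"]:
                signals.append("new country")
            if e["device"] not in b["devices"]:
                signals.append("new device")
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["src_country"] and e["ts"] - prev[0] < travel_window:
            signals.append("impossible travel")
        last_seen[e["user"]] = (e["ts"], e["src_country"])
        if len(signals) >= 2 or "impossible travel" in signals:
            alerts.append((e["user"], e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), signals))
    return alerts


def run() -> list:
    return detect(build_baseline(parse(HISTORY)), parse(NEW_EVENTS))


if __name__ == "__main__":
    for user, ts, signals in run():
        print(f"ALERT {ts} {user}: {', '.join(signals)}")
```

Alice's first 2 a.m. login from her usual device in her usual country produces a single off-hours signal and no alert; the second, from another country 36 minutes later, combines off-hours, new country and impossible travel and is the one event reported. Bob's login from an unfamiliar device during normal hours is a single weak signal and stays quiet, which is the trade-off the threshold encodes.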

Identify insider threats

What does this have to do with insider threats? All this authentication is logged and monitored. The IAM system can determine if users are doing something outside their normal behavior. If so, the IAM system can catch the possible insider threat more quickly and efficiently than a human can.

If malicious actors were to gain network access, odds are they would not have all the authenticators needed to access sensitive data. By implementing zero trust architecture, organizations can mitigate the risk of malicious insiders and outsiders simultaneously.

Embrace the culture change

While implementing zero trust architecture seems like an obvious choice, it can be resource intensive. Therefore, a specific culture change must take place for stakeholders to understand how the benefits outweigh the inconvenience, cost, and resource reallocation. Engaging in these discussions with management can be difficult, but the sooner everyone can understand the threat landscape, the sooner the organization can implement zero trust.