Insider threat explained
An insider threat is someone with legitimate access to company systems and data who consciously or unconsciously presents a threat for a potential data breach. Because there can be multiple people with varying levels of access to your data at any one time – including employees, consultants and vendors – detecting insider threats has its challenges. In fact, 27% of CISOs say that insider threat is the most difficult type of risk to detect, because of the sheer number of possible threats and people responsible for said risk.
Identify the three most common insider threats
- Departing Employees: Most employees take data with them when they leave for their next job. We make sure your most valuable files stay with you.
- Repeat Offenders: Behind every data risk event is an employee who likely didn’t follow the rules. Stop data exfiltration from users who continue to violate security policies.
- High Risk Employees: Programmatically protect data by monitoring flight risks and other high risk employee types.
Methods to detect insider threats
Any employee, contractor or partner who has access to sensitive data could be a potential risk, which makes insider threats notoriously difficult to detect. Monitoring your company’s data movement, instituting clear security policies and implementing employee training are smart strategies to put in place to prevent potential attacks before they happen.
Monitor all data and its movement
Unusual file movement is a common red flag that might indicate an insider threat. By constantly scanning your systems, you can establish a baseline pattern of file movement and get the context needed to know if it’s risky. Activities outside of that normal pattern of behavior might indicate an insider threat and should be investigated in order of priority:
- File exfiltrated: Removing a file from its original location using zip file, USB or even AirDrop could mean the data ends up in the wrong hands.
- File destination: Ensure that company files are moved to destinations you trust rather than personal or unsanctioned cloud applications.
- File source: Looking into the source can clue you into its potential danger. Suspicious file sources, such as attachments sent via ProtonMail, could be malware or ransomware in disguise.
- User characteristics and behaviors: Investigate all potential signs of suspicious insider activities. Monitor excessive spikes in data downloading, moving data at unusual times of day or acquiring privileged access to high-value data.
Investigate unusual data behavior
It isn’t enough to simply detect signs of a potential insider attack. It is important to follow up with robust investigation. Not all unusual behaviors will be problematic, but they should be investigated regardless. In order to make this tactic effective, Mimecast believes it’s important to add contextual indicators that can be prioritized to effectively protect data from employees who are most likely to leak or steal files. Then, when there is unusual data behavior from an employee, security teams can intercept and investigate. Some behaviors that may require investigation include:
- Creating new user accounts
- Copying data that’s not related to their work
- Using unauthorized applications
- Renaming files for concealed exfiltration
- Increasing access permissions
Superior insider threat detection requires new solutions
Insider threat detection is quickly becoming a critical priority for IT departments. While most organizations have effective defenses against malware and viruses, and some have solutions for advanced threat protection, few companies today have tools to stop an insider threat.
Superior insider threat detection technology must be able to identify and remediate three different insider threat profiles:
- The Careless Insider. For employees who ignore security policy or don't understand the dangers of threats like malicious email attachments, insider threat detection solutions must prevent actions (like sharing intellectual property through unsecured email) that could put the organization at risk.
- The Compromised Insider. Successful attacks like advanced persistent threats and impersonation fraud often rely on the attacker's ability to take over the email account of an unsuspecting user through malware, phishing emails or social engineering. Insider threat detection must offer tools to identify and remediate these threats before users can be compromised.
- The Malicious Insider. In some cases, employees within an organization purposefully leak data, steal information or try damage the organization. To prevent these attacks, insider threat detection must be able to automatically monitor internal email traffic and alert administrators to suspicious activity.
How to respond to insider threats
Arguably the most important step following insider threat detection is the response strategy that IT and security has in place. While blocking data exfiltration upfront can be a “quick fix” to a data breach in progress, to reduce insider threat incidents over time, you will need to develop and execute a comprehensive response plan.
- Set expectations: Clearly communicate security policies with your users. By aligning on what is and what’s not acceptable when sharing data, you can hold employees accountable when these established rules are breached.
- Change behavior: Real time feedback and just-in-time training videos are crucial when working to improve a user’s security habits. These practices hold employees accountable and help them to follow best practices, which ultimately changes behavior over time.
- Contain threats: Even with training and holding employees accountable, insider threat data risks are inevitable. When they happen, the key is to minimize the damage by revoking or reducing access on a user level if necessary. Then you can investigate and determine the best course of action to remediate.
- Block activity for your highest risk users: Preventing your riskiest users from sharing data to unsanctioned destinations is a crucial step in your response plan. Blocking certain activities from those users allow the rest of your organization to work collaboratively without hindering productivity, all while knowing your data is safe from those likely to cause harm.
Responding to insider threats is no easy task . Staying vigilant with the right tools, processes and programs can keep your company ready when insider threats occur.
Insider threat detection with Mimecast
Mimecast provides insider threat detection as part of its comprehensive email management services for security, archiving and continuity. Built on a highly scalable cloud platform, Mimecast's insider threat program is available as part of a fully integrated subscription service that reduces the risk and complexity of keeping email safe for business.
Mimecast Internal Email Protect, part of Mimecast's Targeted Threat Protection suite of services, is a cloud-based service that monitors internally generated email to detect and remediate email-borne security threats originating from within the organization. Mimecast's insider threat detection technology covers both email sent from one internal user to another and from internal users to external email domains.
Mimecast scans all email, attachments and URLs to identify potential malware and malicious links, and content filtering helps prevent leaks and theft by comparing the content of internally generated email to Data Leak Prevention policies.
Benefits of Mimecast's insider threat detection service
Mimecast's insider threat detection technology enables you to:
- Protect the organization against a wide variety of insider threats.
- Identify lateral movement of attacks through email from one internal user to another.
- Automatically identify and remove emails that contain threats.
- Minimize the risk of a breach or malware spreading through the organization.
- Stop email containing sensitive information, intellectual property or privileged financial data from leaving the organization without authorization.
- Manage insider threat detection from a single administrative console for configuration and reporting.
Learn more about insider threat detection with Mimecast, and about how recover deleted items with Mimecast archiving services.
