Friday, December 16, 2011

Risk Indicators of Insider Threats

Dr. Eric Shaw and Dr. Harley Stock of the Incident Management Group have published “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” a report on the warning signs and behaviors that indicate an elevated likelihood of insider theft of enterprise IP.

While espionage by foreign governments and attacks by outside hackers grab the headlines, the vast majority of data breaches and IP theft are perpetrated by insiders. Unfortunately, most IT security budgets are allocated disproportionately to these more sensational (but less likely) attack vectors. One explanation is that technical controls over insider abuse of access are hard to enforce: an insider's illegitimate access looks much like their legitimate access, because both use the credentials and rights the enterprise granted them, so detection usually requires tedious manual review of activity logs against the rights each person was approved for.

In most cases the enterprise has already captured the evidence of the theft in its activity logs but lacks the tools or expertise to pull it out, so the theft surfaces by other routes. The report observes:
"…insiders use technical means to steal IP, but most theft is discovered by non-technical employees. The majority of subjects (54 percent) used a network—email, a remote network access channel or network file transfer to remove their stolen data. However, most insider IP theft was discovered by non-technical versus technical employees… Sometimes the company involved was unaware of the theft until law enforcement notified them after discovering it during a related investigation."
Even worse, some thieves recruit co-workers into their schemes. If identifying a single perpetrator is hard, uncovering “fraud chains” of several colluding insiders with traditional log review is harder still, because no one user's activity looks abnormal on its own. Analytics that correlate access across users (the same records, the same time windows, the same removal channels) are the practical way to surface these patterns, and the best defense against complex inside attacks.

Insider attacks are often presaged by other violations of policy. As the report states, "Employees with a history of previous rule violations elsewhere are at even greater risk for future violations."

Verizon, in its 2010 Data Breach Investigations Report, made the same observation: minor security violations often precede a major insider attack. We therefore recommend reviewing for unusual patterns of access that indicate reconnaissance against critical systems, applications, networks or sensitive records, for example a user who begins touching far more distinct records or systems than their own history shows, or records outside their role, in the period before any bulk removal of data.
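As an added example (not Veriphyr's code, and not a description of any product), the script below runs the checks discussed above over constructed access-log lines: it compares each access against an approved-rights table, flags reconnaissance-like breadth (a user touching many more distinct records in a day than their own baseline), counts accesses over channels that can carry data out (e-mail, remote access, file transfer), and lists records touched by more than one user as a starting point for spotting collusion. The log format, the entitlement table, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Insider-activity triage over access-log lines (added example, not Veriphyr's code).

Four checks: 1. access outside approved rights; 2. reconnaissance-like breadth
(far more distinct records in a day than the user's own baseline); 3. removal
over network channels; 4. co-access of one record by several users (candidate
collusion). Log format, entitlement table, thresholds and sample lines are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical approved-rights table: user -> systems they may access.
ENTITLEMENTS = {"alice": {"hr_db"}, "bob": {"crm"}, "carol": {"crm"}}
# Channels that can carry data off the LAN (the report's 54% figure covers these).
NETWORK_CHANNELS = {"email", "vpn", "ftp"}

def build_sample_log():
    """Constructed log lines: '<iso-timestamp> <user> <system> <record> <channel>'."""
    lines = []
    for day in range(1, 6):  # Dec 1-5: routine baseline for alice and bob
        for i in range(3):
            lines.append(f"2011-12-{day:02d}T10:{i:02d}:00 alice hr_db rec-{100 + i} lan")
            lines.append(f"2011-12-{day:02d}T11:{i:02d}:00 bob crm acct-{200 + i} lan")
    # Dec 6, late evening: alice sweeps ten new HR records over VPN, then two CRM
    # accounts she is not entitled to (one over e-mail); carol, a CRM user,
    # touches one of the same accounts minutes later.
    for i in range(10):
        lines.append(f"2011-12-06T22:{i:02d}:00 alice hr_db rec-{300 + i} vpn")
    lines.append("2011-12-06T22:30:00 alice crm acct-900 vpn")
    lines.append("2011-12-06T22:31:00 alice crm acct-901 email")
    lines.append("2011-12-06T22:35:00 carol crm acct-900 lan")
    lines.append("2011-12-06T09:00:00 bob crm acct-200 lan")
    return "\n".join(lines)

def parse_log(text):
    """Parse the constructed five-field format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, record, channel = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "system": system, "record": record, "channel": channel})
    return events

def unauthorized_access(events, entitlements=ENTITLEMENTS):
    """Check 1: accesses to systems the user holds no approved right for."""
    return [(e["user"], e["system"], e["record"]) for e in events
            if e["system"] not in entitlements.get(e["user"], set())]

def breadth_by_day(events):
    """Distinct (system, record) pairs touched per user per calendar day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add((e["system"], e["record"]))
    return {key: len(v) for key, v in seen.items()}

def recon_spikes(events, factor=3.0, min_history=3):
    """Check 2: days whose breadth is >= factor x the median of the user's other days."""
    per_user = defaultdict(dict)
    for (user, day), n in breadth_by_day(events).items():
        per_user[user][day] = n
    flags = []
    for user, days in per_user.items():
        for day, n in sorted(days.items()):
            others = [m for d, m in days.items() if d != day]
            if len(others) < min_history:
                continue  # too little history to judge this user
            baseline = median(others)
            if n >= factor * baseline:
                flags.append((user, day.isoformat(), n, baseline))
    return flags

def network_removals(events, channels=NETWORK_CHANNELS):
    """Check 3: per-user count of accesses over channels that can carry data out."""
    counts = defaultdict(int)
    for e in events:
        if e["channel"] in channels:
            counts[e["user"]] += 1
    return dict(counts)

def co_accessed_records(events):
    """Check 4: records touched by more than one user (candidate collusion)."""
    users = defaultdict(set)
    for e in events:
        users[(e["system"], e["record"])].add(e["user"])
    return {key: sorted(v) for key, v in users.items() if len(v) > 1}

if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for name, check in [("outside entitlements", unauthorized_access), ("breadth spikes", recon_spikes),
                        ("network-channel accesses", network_removals), ("co-accessed records", co_accessed_records)]:
        print(f"{name}: {check(evs)}")
```

On the sample data, alice's Dec 6 sweep is flagged three ways (12 distinct records against a baseline of 3, two CRM accounts outside her rights, twelve accesses over VPN and e-mail), and acct-900 shows up as touched by both alice and carol, which is the kind of lead a fraud-chain investigation starts from. The breadth check compares each user against their own history rather than a global threshold, so a legitimately busy role is not flagged merely for being busy; the factor and minimum-history values are starting points to tune against real logs.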

At Veriphyr we have written about insider attacks at length on this blog. For the health care context, see our paper “From Insider Abuse to Insider Accountability,” which describes the problem of insider abuse and how data analytics can reveal abusive patterns of access that manual auditing misses, without requiring compliance, privacy or IT staff to install and maintain new hardware or software.

More about Veriphyr: www.veriphyr.com



Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.
