LONDON, UK – As insider attacks continue to plague the enterprise the security community is doubling down on finding new solutions to mitigate against the age-old problem.
An insider threat can encompass anything from a gullible employee falling for a spearphishing email, to unaware new hires sharing data inappropriately – all the way to a rogue employee stealing company data.
What connects all these insider threats is some level of human emotion is leveraged. Current threat detection tools don’t take these types of emotions into account. So say experts Tuesday each sitting on a panel discussion at Infosecurity Europe, which takes place here this week. What’s needed, argued panelists, is a stronger level of relationship between companies and their employees.
“We’re still in the early days where we’re still looking at external actors when it comes to threat detection,” said Sian John, EMEA chief security adviser with Microsoft. “We need to build tools to detect malicious insider attacks.
Mitigating human risk is a relationship-based activity, and companies need to look at this from not just an attacker perspective, but also the fears and motivations on employees’ side.
Spearphishing is a tricky attack because of that emotional component. It involves a tailored and targeted approach that seeks out specific “pressure points” of employees, panelists said.
Examples of this included an HR employee receiving a threatening email from an attacker purporting to be the CEO of a company. They order the employee to immediately transfer a payment. The employee’s emotional response is to immediately do so out of fear.
“Everyone has a pressure point and a price,” said Jenny Radcliffe, with Human Factor Security. “That [insider threat] is something we lack on the defense side. We need to take time and focus on people we don’t address in our awareness training.”
When it comes to more malicious insider threats – including disgruntled employees who have gone rogue and tried to steal or share data from the firm – companies need to focus on not just detecting, but preventing these incidents in the first place, said John.
“We have to define the insider threat correctly,” she said. “Most tools dealing with threats are looking at malicious actors that don’t belong to an organization. But when it comes to the insider threat, we need to assume that they know where to go and how to get what they need.”
When looking to detect and deter insider threats, it’s first critical to look at the normal behaviors within companies – and flag the irregularities. For instance, firms should look at where employees normally work and their normal hours, the data they access and the systems that they connect to. Detection tools can then help to sniff out anomalies in employee behavior.
However, while tech analysis gives the “what,” it’s the “why” that companies need to address said Radcliffe. For many employees, it’s because they’re unhappy – and unfortunately, keeping tabs of employee’s human emotions is complicated and difficult to do and sustain.
“Know your people better than anyone, including the bad guys,” said Radcliffe. “Insider threats will stay a complex problem.”