
Insider risk is daunting, but data protection goes a very long way

Insider risk happens when an authorized user, typically an employee, breaches controls (and trust) from inside your system and goes after your corporate crown jewels, usually found in your data. The complex nature of these attacks makes data protection and controls, such as encryption, absolutely critical, but there’s a lot more to it. We’ll start with a story.

Imagine you’re a global security vendor focused on people-centric security and defending against human risk, with a platform that protects users from compromise and also offers traditional data leak protection (DLP) capabilities.


One day, your Director of National Partner Sales says he’s quitting to work for a competitor. It’s a shock, but not entirely surprising – good salespeople are indeed hard to find. You wish him good luck, maybe take him to lunch. Then, some time later, you receive a message from IT, and it’s bad news – very bad news.


Apparently, before he left, your sales director downloaded over 10K files to a removable USB drive. The stolen information included, of course, your marketing playbook aimed at your director’s new employer (and your biggest competitor).

And, in case you forgot, you’re a data loss protection provider. If you can’t get this right, who can?



Internal risk is a big puzzle with lots of small pieces

This wild but true story is one of many that help illustrate a very salient point: insider risk is a security and compliance nightmare. It doesn’t happen with the same frequency as other attacks, but when it’s successful, the consequences can be devastating.

A good insider risk program can help you respond quickly in the event of a potential breach. An even better program would enable you to proactively guard against internal risk, sometimes preventing breaches before they occur; however, even the most sophisticated IR program can only do so much, because:

  • IR is driven by a complex mix of uncertain human behavior and motivations 

  • The same user’s risk may change over time, based on personal and professional circumstances

  • The user’s familiarity with both your business and your systems can make them hard to detect, even if they’re not a seasoned fraud pro

As external risks continue to grow and evolve, it’s easy to overlook the potential risks originating from within your perimeter. The obvious reason insider risk keeps security teams up at night is the close proximity of insiders to the organization’s crown jewels, and we’ve already seen how devastating just one attack can be.

But it’s not just that insider attacks are so damaging. Effectively defending against insider risk also requires a new set of tools and skill sets, and brings its own unique challenges to the organization and its culture.


What makes insider risk so hard to manage?

In a world that’s absolutely swimming in cutting-edge security solutions, why do insider risks persist? These are managed users, typically on managed devices. So where’s the difficulty?

Insider threat programs extend well beyond IT, yet they aren’t purely a security function either, and that overlap is what makes them complex.

Insider threat management requires cross-functional collaboration to ensure all the right stakeholders get (and stay) involved. A good program starts during the hiring process and also includes some level of coordinated monitoring. Ideally, this monitoring extends beyond traditional security controls and HR processes.

The program obviously has significant security implications, but it can also have a substantial impact on the organization's overall culture. Is the program managed and marketed as a way to build trust? Or do teams feel resentful and reactive? How frequently is the issue addressed in ongoing employee training? All these answers can impact the program’s success.


The successful programs will be the ones that connect the right data points and inform the right decision-makers.

A good insider risk program is one that can connect data points across systems and domains, including HR and financial data, as well as access and device telemetry data. This always requires a careful balance between user privacy and the need to defend the organization.

From our example, a more effective program could have monitored activities more closely once the director had announced their departure, although this would require establishing some level of connectivity between HR, IT, and security systems. It doesn’t have to be seamlessly automated, but those dots do have to get connected.


The best time to build a formal IR program was yesterday, but today works too

The good news is that, given how IR brings together a multitude of stakeholders and systems, you can always find a starting point, and you may already have useful tools at your disposal as well.

  • Build an IR task force that brings together the key stakeholders, typically including HR, security, IT, and legal. Where and how the program is managed will make all the difference in its success.

Beyond any technical controls, communication and collaboration are essential. Cross-functional feedback loops are critical. In our example, HR informing IT that the director was leaving could have triggered new conditional access requirements that deterred him from taking the files.

  • Examine existing tools to determine how and where they can be effectively utilized. Start by creating rules built around common IR breach tactics:

    • Files being downloaded to removable media

    • Files being shared to a personal email account/sharing site account

    • Large number of files being downloaded at once

  • Focus on creating and understanding a baseline for human and system behavior. Once you have ‘normal’ defined, you can more narrowly focus on actual anomalies. This can take time, but it’s absolutely critical.
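The three starter rules above, plus a per-user baseline and an HR-supplied list of departing users, can be expressed as plain detection logic. The block below is an added illustration, not code from Confidencial, Proofpoint or any DLP product; the events, mail domains, history counts and the `usb:` target prefix are all constructed sample data and labelled as such in the comments.

```python
"""Rule-based insider-risk detection over constructed endpoint/DLP events.

Added example (not a vendor's code). Three rules map to the tactics in the
post: copy to removable media, share to a personal mailbox, and a bulk
download judged against the user's own daily baseline. An HR feed of
departing users lowers the bulk threshold and raises alert severity, which
is the HR -> security feedback loop the post calls for.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumptions: the organisation's own mail domain and a list of consumer
# webmail domains treated as "personal".
CORPORATE_DOMAINS = {"example.com"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # "download", "copy" or "email"
    target: str   # source share, destination device or recipient address
    files: int    # number of files involved


# Constructed telemetry for one day: a normal analyst and a departing director.
EVENTS = [
    Event(datetime(2024, 3, 4, 9, 12), "analyst@example.com", "download", "share:finance", 14),
    Event(datetime(2024, 3, 4, 9, 40), "analyst@example.com", "email", "partner@customer.example", 1),
    Event(datetime(2024, 3, 4, 18, 5), "director@example.com", "download", "share:marketing", 10000),
    Event(datetime(2024, 3, 4, 18, 30), "director@example.com", "copy", "usb:SanDisk-1234", 10000),
    Event(datetime(2024, 3, 4, 18, 45), "director@example.com", "email", "me.personal@gmail.com", 3),
]

# Constructed history: files downloaded per day over the previous five days.
HISTORY = {
    "analyst@example.com": [12, 9, 15, 11, 13],
    "director@example.com": [20, 25, 18, 22, 15],
}

# Constructed HR feed: users who have given notice.
DEPARTING_USERS = {"director@example.com"}


def is_personal_recipient(addr: str) -> bool:
    """True when the recipient's mail domain is a known consumer webmail domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain in PERSONAL_DOMAINS and domain not in CORPORATE_DOMAINS


def daily_threshold(user: str, history: dict, departing: set,
                    k_normal: float = 3.0, k_departing: float = 1.0,
                    min_files: int = 25) -> float:
    """Per-user bulk-download threshold: mean + k * stdev of past daily counts.

    Departing users get a tighter k. A floor stops users with tiny baselines
    from alerting on a handful of files.
    """
    counts = history.get(user)
    if not counts:
        return min_files
    k = k_departing if user in departing else k_normal
    return max(min_files, mean(counts) + k * pstdev(counts))


def evaluate(events, history: dict, departing: set) -> list:
    """Run the three rules and return a list of alert dicts."""
    alerts = []
    downloads_per_day = defaultdict(int)
    for e in events:
        severity = "high" if e.user in departing else "medium"
        if e.action == "copy" and e.target.startswith("usb:"):
            alerts.append({"rule": "removable_media", "user": e.user, "severity": severity,
                           "detail": f"{e.files} files copied to {e.target}"})
        elif e.action == "email" and is_personal_recipient(e.target):
            alerts.append({"rule": "personal_email", "user": e.user, "severity": severity,
                           "detail": f"{e.files} files sent to {e.target}"})
        elif e.action == "download":
            downloads_per_day[(e.user, e.ts.date())] += e.files
    # Bulk rule: compare the day's total against the user's own baseline.
    for (user, day), total in downloads_per_day.items():
        threshold = daily_threshold(user, history, departing)
        if total > threshold:
            alerts.append({"rule": "bulk_download", "user": user,
                           "severity": "high" if user in departing else "medium",
                           "detail": f"{total} files on {day} (threshold {threshold:.0f})"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS, HISTORY, DEPARTING_USERS):
        print(alert)
```

Run as a script it prints three alerts, all for the director and all at high severity because the HR feed marks him as departing; the analyst's 14 downloads sit inside her baseline and her mail to a partner domain is not flagged. The point of the baseline is that "large number of files" is defined per user, not by a single global number.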

Over time, programs will evolve from minimal to fully mature, shifting from reactive and disconnected to something closer to automated and truly proactive. IR should become an input to overall strategic planning and risk assessment, ensuring its unique worldview gets represented.


Technology will never be enough to completely eliminate insider risks, but it can help limit the damage and protect sensitive data.

Insiders are particularly risky because they are, in fact, inside your perimeter, operating with elevated privileges. A shift to a zero trust paradigm, where every connection and access request is carefully and exhaustively validated, gives you the best technical defenses against a possible attack.


These controls are also crucial in containing the blast radius of any breach that may occur. Once either a user or their behavior is flagged as suspicious, we can implement additional defenses and controls within their workflows, nudging them when they make mistakes and stopping them if the situation worsens.


But adding selective encryption can be a game-changer

While there will never be a single magic fix for detecting and preventing insider risk, better fundamentals can go a long way. This is especially true for valuable and sensitive data protection – those crown jewels everybody wants. The better controls you have around your data, the better your chances of protecting it.


This is where Confidencial’s selective encryption can make all the difference.

  • Identify not just your most important files, but most important pieces of information, and integrate robust encryption at the field level.

  • Embed encryption directly into the file’s metadata, so the protection is persistent, even when and where the file leaves your environment.

  • Tie this encryption directly to access controls, enabling you to revoke access to sensitive fields via policy or from the Identity Provider (IDP). This means even previously authorized users, who manage to exfiltrate the file, wouldn’t be able to use it.
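The three bullets describe one mechanism: encrypt only the sensitive fields, carry the key reference and integrity data inside the document so protection survives exfiltration, and make key release depend on a policy or IdP decision that can be revoked. The block below is an added example written to show that mechanism end to end; it is not Confidencial's product code, and the `KeyService` class (standing in for a policy engine or IdP), the HMAC-based stream cipher used for illustration in place of a production AEAD such as AES-GCM, and the sample playbook document are all assumptions.

```python
"""Selective field-level encryption with policy-revocable keys.

Added example (not Confidencial's code). Only fields named in a policy are
encrypted; each sealed field carries its own metadata (key id, nonce, tag),
so the protection travels with the file. Keys are released by a KeyService
that stands in for the policy engine / IdP; revoking a principal there makes
a previously exfiltrated copy unreadable to them. The cipher is an
HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so
the block runs on the standard library alone; use an AEAD in production.
"""
import hashlib
import hmac
import secrets


class KeyService:
    """Stand-in for the policy engine / IdP that releases field keys."""

    def __init__(self):
        self._keys = {}       # key_id -> 32-byte data key
        self._allowed = {}    # key_id -> principals entitled to it
        self._revoked = set()  # principals cut off by policy or offboarding

    def create_key(self, key_id: str, allowed) -> None:
        self._keys[key_id] = secrets.token_bytes(32)
        self._allowed[key_id] = set(allowed)

    def revoke_principal(self, principal: str) -> None:
        """Called on an HR/IdP offboarding event; takes effect immediately."""
        self._revoked.add(principal)

    def release(self, key_id: str, principal: str):
        """Return the key only while policy still allows this principal."""
        if principal in self._revoked or principal not in self._allowed.get(key_id, ()):
            return None
        return self._keys[key_id]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(value: str, key: bytes, key_id: str, field: str) -> dict:
    """Seal one field; the returned dict is the metadata that stays with the file."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    plaintext = value.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Bind the tag to the field name and nonce so fields cannot be swapped.
    tag = hmac.new(mac_key, field.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return {"alg": "hmac-ctr+hmac (illustration)", "key_id": key_id,
            "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def verify_field(blob: dict, key: bytes, field: str) -> bool:
    """Constant-time check of the integrity tag before any decryption."""
    _, mac_key = _subkeys(key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, field.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(blob["tag"]))


def decrypt_field(blob: dict, key: bytes, field: str) -> str:
    if not verify_field(blob, key, field):
        raise ValueError(f"integrity check failed for field {field!r}")
    enc_key, _ = _subkeys(key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


def protect(doc: dict, policy: dict, ks: KeyService, principal: str) -> dict:
    """Encrypt only the fields named in policy (field -> key_id); others stay clear."""
    out = dict(doc)
    for field, key_id in policy.items():
        key = ks.release(key_id, principal)
        if key is None:
            raise PermissionError(f"{principal} may not protect {field}")
        out[field] = encrypt_field(str(doc[field]), key, key_id, field)
    return out


def open_document(doc: dict, ks: KeyService, principal: str) -> dict:
    """Decrypt the fields this principal is still entitled to; the rest stay sealed."""
    out = dict(doc)
    for field, value in doc.items():
        if isinstance(value, dict) and "key_id" in value and "ct" in value:
            key = ks.release(value["key_id"], principal)
            out[field] = decrypt_field(value, key, field) if key else "<sealed: access revoked>"
    return out


def demo():
    """Director reads the playbook, is offboarded, and the exfiltrated copy goes dark."""
    ks = KeyService()
    ks.create_key("k-playbook", allowed={"director", "cmo"})
    playbook = {"title": "Partner playbook 2024", "region": "NA",               # constructed
                "pricing_floor": "12% below list", "target_accounts": "Acme, Globex"}
    sealed = protect(playbook, {"pricing_floor": "k-playbook", "target_accounts": "k-playbook"}, ks, "director")
    before = open_document(sealed, ks, "director")
    ks.revoke_principal("director")   # HR/IdP offboarding event
    after = open_document(sealed, ks, "director")
    cmo_view = open_document(sealed, ks, "cmo")
    return before, after, cmo_view
```

`demo()` shows the revocation property the third bullet describes: the same sealed document that the director could read before giving notice yields only the non-sensitive fields afterwards, while the CMO's access is unaffected. Because the tag is bound to the field name and nonce, a tampered or transplanted field fails `verify_field` rather than decrypting to garbage.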


We can see a whole different story playing out had Proofpoint implemented more data protection controls, especially selective encryption. Again, no magic fix for preventing a breach, but you can limit the damage to nearly zero with the right defenses in place.


Insider risk isn’t going anywhere, so what’s your plan?


Human nature is uncertain, and that’s enough to ensure that insider risks will always keep security, compliance, HR, and everybody else busy watching, waiting, and hoping for the best.


As technology advances and IR programs mature, organizations can tune themselves to be more proactive and predictive. It’s never a straight line, and it never happens overnight, and that’s probably the point. Just like every other risk paradigm, continuous preparation, plus solid fundamentals like selective encryption, can make all the difference.

