Addressing Insider Threats Through Enhanced Data Protection

Originally published by CXO REvolutionaries.

Written by Erik Hart, Global CISO, Cushman & Wakefield.

The words “insider threat” have been known to make a CISO shudder. Few attack vectors can more quickly undermine a well-construed line of defenses than a credentialed user who – intentionally or unintentionally – acts in a manner that increases an organization’s overall cyber risk.

Insider threats may take the form of a disgruntled employee, an equally disgruntled and improperly de-provisioned former employee, a naive or inexperienced user, or one that’s simply careless due to the pace and volume of day-to-day responsibilities. These attacks are sometimes conducted to intentionally damage a company’s representation in retribution for some perceived wrong, for financial gain, or as acts of hacktivism.

According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 19% of 2022 cyber incidents began with insiders. These incidents can lead to downtime, negative publicity, financial loss, or the sabotage of mission-critical applications. Typically, they target what has become a company’s most critical asset: its data.

But it’s important to remember that motive does not define an insider threat. Greed or a grudge are not necessary preconditions. In fact, carelessness and negligence are the most common source of insider data leaks (56%), according to the Ponemon Institute, with malicious insiders responsible for 26% of incidents. While lower than instances of malicious insiders, the average cost of an incident caused by unintentional insider threats was nevertheless $15.4 million.

The seemingly intractable insider challenge

Insider threats have been called a CISO's "worst nightmare" due to the difficulty of preventing them. Especially in an identity-centric zero trust security model, defending against insiders can feel like handing the blueprints for the bank vault over to the robbers before the big heist.

It’s nearly impossible to predict who represents an insider threat. Some insiders have obvious motivations for the actions, as in the infamous case of a hospital executive who delayed the shipment of protective gear by using a secret account to delete critical shipping data after being fired in 2020. Other cases, such as Microsoft employees’ accidental uploading of internal login credentials to GitHub, are not malicious and can persist for months or years without being detected.

Dwell times, in fact, contribute to the difficulty in responding to insider threats. They tend to be especially long since recognized users with normal patterns of behavior typically do not trigger alerts. This complicates remediation efforts, since an intrusion or leak has to first be detected in order to trigger a response.

A multi-pronged defense

Aligning security efforts with zero trust fundamentals is a first step in limiting the potential blast radius of insider attacks. Adhering to the principle of least privilege ensures the average user is not able to abuse his or her access in search of increasingly important tiers of data. Preventing developers from accessing financial documentation and accounting departments from dev environments is a common-sense method for limiting exposure.

Stopping lateral movement is also key to preventing reconnaissance by any insiders who may have malicious motives since one looking to affect maximum damage would often first have to search for high-value assets. Evaluating permissions with every resource request, regardless of location on a network, increases the likelihood of a snoop meeting a dead end.

But a CISO’s options for frustrating insider threats aren’t limited to the scaffolding of zero trust thinking. There is a whole range of additional tools that can help ensure an organization isn’t leaking data through either carelessness or malice.

These include:

Data loss prevention (DLP) solutions

Much of the battle surrounding insider threats is fought against data leakage. AI/ML-backed DLP tools keep sensitive data from being uploaded to the web or leaked from endpoints. Inline inspection is critical for data in motion since up to 95% of web traffic today is encrypted. Exact data match (EDM) capabilities provide organizations with the ability to prohibit the uploading of credit card information, Social Security numbers, tax documents, and other sensitive data.

These capabilities will prove even more essential in light of the growing use of generative AI engines like ChatGPT. As we’ve seen, queries to these tools offer another opportunity for proprietary data like source code to leak from organizations. DLP tools can help address this. Finally, since not all sensitive data exists in text format, so-called “multi-modal” DLP will help prevent data leaks in audio and video formats like recorded video conferences, for example.

Cloud-native application protection platforms (CNAPPs)

Together with DLP, CNAPPs are the workhorses of unified data protection strategies. According to Zscaler’s ThreatLabz team, 98.6% of organizations have misconfigurations in their cloud environments that introduce critical risks to their data and infrastructure. CNAPP solutions monitor data at rest in SaaS apps and other cloud instances for these misconfigurations, risky file shares, and sensitive data residing unprotected in public clouds based on predefined DLP categories.

These capabilities are especially useful in combating instances of accidental leakage, given the pressure development teams are under to monitor dozens (or more) instances of cloud workflows across diverse cloud environments, each with its own idiosyncratic and ephemeral natures.

Cloud browser isolation

Insider threats don’t always come from employees. Third parties occasionally require access to internal apps and resources in order to fulfill their responsibilities. In the case of unmanaged devices making resource requests, cloud browser isolation solutions are useful for preventing data leakage. Rather than granting unfettered access to internal data, browser isolation solutions allow organizations to provide read-only access while limiting copy, paste, and print capabilities. Additional upload/download controls add granularity to data protection policies.

Deception technologies

Organizations tracking user activity can turn to tools like honeypots and lures to address insider threats and dwell time. Because the majority of security incidents involve stealing or illicitly using legitimate credentials, 91% of attacks don’t trigger security alerts. Through the strategic placement of decoys, lures, and tar pits can steer insiders away from valuable resources. Anomalous or risky behavior will trigger alerts tipping security teams to possible issues, drastically reducing the time to detection of a potential security incident.

Insiders are a difficult, not impossible, problem

Combating insider threats is difficult. It can feel like defending against attackers who already hold the keys to the kingdom. But adopting a zero trust framework is an effective first step at limiting potential damage from malicious or inattentive insiders. Ultimately, though, enlisting a well-rounded lineup of security solutions is critical to defending against insider threats, unwanted data leakage, and the most punishing consequences of cyber incidents.