
All Threats are Insider Threats

By Jonathan Lewis on June 13, 2014

Jonathan Lewis, Director of Product Marketing

Jonathan Lewis serves as director of product marketing at SSH Communications Security, where he is focused on raising industry awareness of the risk and compliance issues of unmanaged Secure Shell identities. Jonathan has over 15 years of experience in the IT security industry, having held product management and product marketing positions at Nortel, Arbor Networks, Compaq and Digital Equipment Corporation. He has led the launch of numerous security products, including IPsec and SSL VPNs, endpoint security products and firewalls. Jonathan holds a BS and MS from McGill University as well as an MBA from Bentley University.

Back in the day when the enterprise security model was a hardened perimeter protecting the internal "trusted" network, security vendors seized on the notion that businesses need protection from their employees - the insider threat.

Studies were commissioned to show how much malicious insiders were costing businesses. More recent studies indicate the majority of data breaches are carried out by outsiders.

So, what to do? Protect against insider threats or outside attacks? The answer is it doesn't matter, because both forms of attack are carried out in pretty much the same way.

The standard attack MO is the abuse of elevated privileges to gain access to, and then steal, high-value information. The insider may already have those privileges. The outsider has to obtain them first. From that point on, the outsider is, effectively, an insider.

Conceptually, it is straightforward enough to defend against this.

Step One: Track, manage and monitor the credentials that give access to the data you need to protect.

Step Two: Monitor, record and audit all sessions that use elevated privileges. This includes not just interactive sessions, such as system administration, but also automated application sessions, which can have access to entire databases of high-value information.

Step Three: Link these capabilities into the security infrastructure - SIEM, DLP, IPS, SOC.
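As an added illustration of the three steps together (example code written for this page, not a product or tool from SSH Communications Security), the check below cross-references constructed session audit records against a constructed inventory of managed SSH key fingerprints and emits each finding as a JSON line a SIEM could ingest. The key fingerprints, account names, host names and finding codes are all assumptions made for the example.

```python
"""Cross-check privileged sessions against a credential inventory.

Step one is the inventory (which keys exist, who owns them, where they may
go), step two is the session audit trail, and step three is the SIEM feed.
All fingerprints, users and hosts below are constructed sample data.
"""
import json

# Step one: managed credentials. Unmanaged keys are simply absent from here.
MANAGED_KEYS = {
    "SHA256:aaaa1111": {"owner": "alice", "kind": "interactive", "hosts": {"db01"}},
    "SHA256:bbbb2222": {"owner": "svc-backup", "kind": "automated", "hosts": {"db01", "db02"}},
}

# Step two: constructed session audit records, one dict per session.
# "recorded" means a session recording exists for that privileged session.
SESSIONS = [
    {"id": 1, "user": "alice", "key": "SHA256:aaaa1111", "host": "db01", "privileged": True, "recorded": True},
    {"id": 2, "user": "svc-backup", "key": "SHA256:bbbb2222", "host": "db02", "privileged": True, "recorded": False},
    {"id": 3, "user": "root", "key": "SHA256:cccc3333", "host": "db01", "privileged": True, "recorded": True},
    {"id": 4, "user": "svc-backup", "key": "SHA256:bbbb2222", "host": "hr01", "privileged": False, "recorded": True},
]


def audit_session(session, inventory=MANAGED_KEYS):
    """Return the list of finding codes for one session (empty list = clean)."""
    findings = []
    entry = inventory.get(session["key"])
    if entry is None:
        findings.append("UNMANAGED_KEY")  # credential nobody is tracking
    else:
        if entry["owner"] != session["user"]:
            findings.append("KEY_OWNER_MISMATCH")  # key used by someone else
        if session["host"] not in entry["hosts"]:
            findings.append("HOST_NOT_AUTHORISED")  # automated key wandering
    if session["privileged"] and not session["recorded"]:
        findings.append("PRIVILEGED_SESSION_NOT_RECORDED")  # audit gap
    return findings


def siem_events(sessions=SESSIONS, inventory=MANAGED_KEYS):
    """Step three: one JSON line per finding, ready for a SIEM to ingest."""
    events = []
    for s in sessions:
        for code in audit_session(s, inventory):
            event = {"session": s["id"], "user": s["user"], "host": s["host"], "finding": code}
            events.append(json.dumps(event, sort_keys=True))
    return events


if __name__ == "__main__":
    for line in siem_events():
        print(line)
```

Session 1 is clean; the other three each produce one finding, so the sample run emits three events.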

Sounds good on paper, but, unfortunately, attacks are not carried out on paper. Work with experienced people and vendors with strong domain expertise to put together a well-integrated security infrastructure.
