Using monitoring to defend against insider threats
The media constantly bombard us with the stereotypical image of the hacker, sitting in a darkened room surrounded by screens full of code. In reality, with firewalls and other countermeasures in place, these external threats can be far less significant than the threats from inside your network. But what are these internal threats?
Over 90% of European businesses have suffered a data breach in the past five years, and 42% of that activity was undertaken by malicious insiders. Internal threats to your systems come in a number of guises. There is the human element: discontented system admins maliciously damaging systems, staff stealing intellectual property, and spiteful employees leaking information and confidential data for political or financial gain. Then there are the devices inside your network, with ever-increasing numbers of unknown BYOD and IoT devices attached to it.
How do I prevent it?
Countering the human threat begins with getting your internal team on side. Each individual should know their responsibilities in the detection of suspicious activity, and understand how they can anonymously escalate their findings.
You should have a policy in place covering unacceptable behaviour when it comes to security adherence and outline the consequences for breaching this. You should also have a policy in place for leavers, ensuring their privileges and logins are removed as soon as possible.
In reality you cannot completely remove the potential for malicious activity, but you can minimise it through stricter security policies. For example, for non-administrative team members you can separate duties so that no one individual can perform all the tasks required to cause damage. You can implement rights management that stops them viewing or editing confidential information or documents. You can also require admin authorisation for configuration changes or the creation of new accounts.
Administrators, on the other hand, have free rein across the network and are much harder to stop. Admins can create their own back doors and rogue accounts to retain access. They have access to the system configuration and files that can effectively kill your network. However, even when it comes to administrators, you are not as powerless as it may appear. Using tools such as Restorepoint's Universal console, you can give administrators access to critical systems via an interface that never reveals the superuser passwords and allows their activity to be tracked, and, in an emergency, configurations can be rolled back.
From a device perspective, setting up DMZs to segregate devices attached to your Wi-Fi, for example, restricts their ability to probe and damage systems.
Monitoring for unusual activity
Monitoring is central to keeping track of activity on your network. Monitoring changes to files (especially log files) can warn of attempts to cover up activity. Detect when new user accounts are created and when unplanned activity is happening on the network. Know what devices are on your network and what they are doing. Detect and analyse spikes in traffic flow that may indicate data theft.
Monitoring with a tool such as Mutiny combined with NetFlow helps you see when activity is occurring across your network and detect unusual activity that could signify data theft. Analyse traffic at various points across your network to detect abnormal traffic flow. Security Information and Event Management (SIEM) provides real-time analysis of security alerts generated by network hardware and applications; alerts can then be passed to trusted individuals to act on.
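To make the three monitoring points above concrete (log-file tampering, new account creation, and outbound traffic spikes), here is a small added example of the kind of detection rules a SIEM or monitoring tool would apply. It is illustrative code written for this article, not code from Mutiny, NetFlow or any SIEM product. The syslog lines and the per-day outbound byte counts are constructed sample data; the host names, user names, working-hours window and the 5x spike threshold are all assumptions.

```python
"""Added example: simple insider-threat detection rules over constructed sample data.
Not part of Mutiny, NetFlow or any SIEM; log format and thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import mean

# Constructed sample syslog lines (hypothetical host, users and times).
SAMPLE_SYSLOG = """\
Mar 10 02:14:01 fileserver01 useradd[4021]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash
Mar 10 02:15:22 fileserver01 sudo:  jdoe : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log
Mar 10 09:00:05 fileserver01 sshd[5120]: Accepted publickey for jdoe from 10.0.5.23 port 51022 ssh2
Mar 10 23:48:10 fileserver01 sudo:  jdoe : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -f /var/log/secure
"""

# Constructed per-day outbound byte totals per internal host, oldest day first
# (what you would aggregate from NetFlow records: src host -> external destinations).
SAMPLE_FLOWS = [
    ("Mar 04", "10.0.5.23", 180_000_000),
    ("Mar 05", "10.0.5.23", 210_000_000),
    ("Mar 06", "10.0.5.23", 195_000_000),
    ("Mar 07", "10.0.5.23", 205_000_000),
    ("Mar 10", "10.0.5.23", 4_800_000_000),   # ~24x the host's normal daily volume
    ("Mar 04", "10.0.5.40", 90_000_000),
    ("Mar 05", "10.0.5.40", 110_000_000),
    ("Mar 06", "10.0.5.40", 95_000_000),
    ("Mar 07", "10.0.5.40", 120_000_000),
    ("Mar 10", "10.0.5.40", 130_000_000),     # within normal variation
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-/]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
# Commands that destroy or empty files; combined with a /var/log argument they suggest cover-up.
LOG_DESTRUCTIVE = {"rm", "truncate", "shred", "unlink"}


def parse_syslog(text):
    """Split traditional syslog lines into timestamp, host, program and message."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec["msg"].strip()
            records.append(rec)
    return records


def is_out_of_hours(ts, start=7, end=19):
    """True when the event falls outside the assumed 07:00-19:00 working window."""
    hour = int(re.search(r"(\d\d):\d\d:\d\d$", ts).group(1))
    return not (start <= hour < end)


def detect_account_events(records):
    """Flag every local account creation, noting whether it happened out of hours."""
    alerts = []
    for r in records:
        if r["prog"] == "useradd":
            m = re.search(r"name=(\w+)", r["msg"])
            alerts.append({"rule": "new_account", "host": r["host"], "ts": r["ts"],
                           "user": m.group(1) if m else "?",
                           "out_of_hours": is_out_of_hours(r["ts"])})
    return alerts


def detect_log_tampering(records):
    """Flag privileged commands that delete or empty files under /var/log."""
    alerts = []
    for r in records:
        if r["prog"] != "sudo":
            continue
        m = re.search(r"COMMAND=(\S+)(.*)$", r["msg"])
        if not m:
            continue
        binary = m.group(1).rsplit("/", 1)[-1]   # basename of the executed command
        args = m.group(2)
        if binary in LOG_DESTRUCTIVE and "/var/log" in args:
            who = r["msg"].split(":")[0].strip()  # sudo prefixes the invoking user
            alerts.append({"rule": "log_tampering", "host": r["host"], "ts": r["ts"],
                           "user": who, "command": m.group(1) + args,
                           "out_of_hours": is_out_of_hours(r["ts"])})
    return alerts


def detect_exfil_spikes(flows, factor=5.0, min_baseline_days=3):
    """Flag a host whose latest daily outbound volume is >= factor x its baseline mean."""
    per_host = defaultdict(list)
    for day, src, nbytes in flows:
        per_host[src].append((day, nbytes))
    alerts = []
    for src, series in per_host.items():
        *baseline, (day, latest) = series        # input is ordered oldest first
        if len(baseline) < min_baseline_days:
            continue                              # not enough history to judge
        base = mean(b for _, b in baseline)
        if base > 0 and latest / base >= factor:
            alerts.append({"rule": "outbound_spike", "host": src, "day": day,
                           "bytes": latest, "baseline_bytes": round(base),
                           "ratio": round(latest / base, 1)})
    return alerts


def run_all():
    """Run every rule over the constructed samples and return the combined alert list."""
    recs = parse_syslog(SAMPLE_SYSLOG)
    return detect_account_events(recs) + detect_log_tampering(recs) + detect_exfil_spikes(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Each alert carries the host, time and user so it can be handed to a trusted individual for follow-up, as the article describes. In practice the log lines would come from a central syslog or SIEM collector and the byte totals from NetFlow aggregation; the point of the example is the shape of the rules (file or log destruction by a privileged command, account creation outside normal hours, outbound volume far above a per-host baseline), not the constructed data.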
Mutiny can advise and help you implement technology to monitor and track unusual activity on your network. For more information, get in touch here.