MOM! Means, Opportunity and Motive. When thinking about the risk of theft, be it a household article, towels from a hospital or books from the library, the perfect culprit is the person who has the means to perpetrate the act, the opportunity to do so and a motive or reason. Amazingly, most scenarios discussed in the world of information security are paralleled in our everyday lives. How many times have we suspected an inside job? A homeowner can often detect or control an outsider’s attempt to enter and remove an asset without authorization. Chances are he or she would immediately see physical signs of a forced entry: a broken window, a kicked-in door and so on. Of course, it will not be as apparent if controls were not in place. As homeowners we try our best to activate our deterrent, detection and prevention mechanisms when they are needed. The game changes if one has no policies as to who visits our home, what they can do in our home, how our valuables are managed in our home and how much access that visitor has.
A visitor to your home automatically becomes authorized. They are given permission to be there. They are inside. Now let’s assume you have valuables scattered all over. How difficult would it be to tell if that visitor walked away with your jewelry? Now let us for a minute transfer this understanding to a network that has employees (authorized users), assets (financial data, personally identifiable information, intellectual property) and, last but not least, a reputation to protect. The scope becomes far bigger, but the concept remains the same. The insider is the most dangerous person in your home or network environment if not properly managed.
Gartner estimates that 70 percent of security incidents that actually cause loss to enterprises – rather than mere annoyance – involve insiders. This finding should surprise no one.
Again let’s go back to the homeowner. There are things we do to protect our assets and mitigate the probability that they will be lost or compromised.
1. The family members are made aware of the assets we have, their value and the impact to the family if they are lost. Children, for example, are trained how to use, activate and deactivate controls.
2. There are rules, written and unwritten, about who can be brought to the house.
3. There are policies concerning acceptable behavior and repercussions for bad behavior.
4. Certain information is not available to certain people: need to know.
5. None of the above is news to anybody who has ever owned something.
Today, with the rapid rise of computer breaches, we are finally addressing the most basic and obvious problem in the enterprise: the Unintentional Insider Threat. Finally we are seeing an acceptance of the fact that we cannot relegate cybersecurity to so-called “smart devices” if our approach to data security is not smart. It is apparent that for a long time we focused on the attacker outside while completely back-seating the one within.
How pleasant it is to finally see products being released that place emphasis on the insider. Recently I started looking seriously at a few products from Forcepoint (formerly Websense) and concluded that somebody over there got it. I speak of Stonesoft NGFW, SureView Analytics and the Triton Risk Vision. I am a huge fan of the Next Generation Firewall. This solution amazingly combines intrusion prevention, evasion prevention and application control. It presents a very user-friendly interface and a wealth of information tied to a logical layout. Attacks have become more sophisticated, so a tool that has proven capability to identify advanced techniques is a no-brainer for any organization.
As a musician, I was immediately drawn to the name Triton. The flagship product is the Triton. Just love it!
My favorite from Forcepoint is the SureView Insider Threat. So much can be said about this tool. Here’s a short list of what it does.
* Tracks endpoint user and system activity
* Baselines “normal” activity across the organization
* Exposes and quantifies risk through user behavior analytics
* Enables investigation of anomalies with integrated, chronicled data sources
* Provides incident replay, including full-event endpoint video recording
* Detects policy violations hidden by encryption, whether in Web traffic, email or attachments
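To make the “baseline normal activity, then quantify risk” idea concrete, here is an added example (my own illustration, not Forcepoint’s code) that baselines each user’s daily count of files copied to removable media and flags days that deviate sharply from that user’s own history; the events, the 3-sigma threshold and the fallback to an organization-wide baseline for new users are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, day index, files copied to removable media).
# Alice is a steady moderate user, Bob rarely copies anything.
BASELINE_EVENTS = (
    [("alice", d, n) for d, n in enumerate([2, 3, 1, 2, 4, 3, 2])]
    + [("bob", d, n) for d, n in enumerate([0, 1, 0, 0, 1, 0, 1])]
)
# Constructed "today": Carol has no history and must use the org-wide baseline.
TODAY = {"alice": 5, "bob": 40, "carol": 3}


def build_baseline(events):
    """Per-user (mean, population std-dev) of the daily counts."""
    per_user = defaultdict(list)
    for user, _day, count in events:
        per_user[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items()}


def risk_score(user, count, baseline, org_mean, org_sd):
    """z-score of today's count against the user's own history; users with no
    history (new hires, contractors) are compared to the organization instead."""
    m, sd = baseline.get(user, (org_mean, org_sd))
    sd = sd if sd > 0 else 1.0  # a perfectly flat history would divide by zero
    return (count - m) / sd


def flag_anomalies(today, events, threshold=3.0):
    """Return {user: score} for users whose activity exceeds `threshold` sigmas."""
    baseline = build_baseline(events)
    all_counts = [c for _u, _d, c in events]
    org_mean, org_sd = mean(all_counts), pstdev(all_counts)
    scores = {u: risk_score(u, c, baseline, org_mean, org_sd)
              for u, c in today.items()}
    return {u: round(s, 2) for u, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    for user, score in flag_anomalies(TODAY, BASELINE_EVENTS).items():
        print(f"{user}: {score} sigma above personal baseline, review required")
```

Only Bob is flagged: Alice’s 5 copies are high for her but within three deviations, and Carol’s 3 sit well inside the organization-wide spread, so the score is an investigation trigger rather than proof of intent.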
Another well-thought-out offering is the Triton Risk Vision. This is as close to Artificial Intelligence as one can get: integrated file sandboxing, behavioral analysis, threat intelligence and a wealth of cutting-edge technology. All in all, I think that the solution from Forcepoint is the ideal tool for the cybersecurity student. I vote to have this implemented in school/classroom security training.