Insider Threat Mitigation: 5 Best Practices from Cybersecurity Experts
Cybersecurity experts Jeffrey DiMuro, Salesforce’s Chief Security and Compliance Architect for Financial Service Industry Team, and Josh Hofer, Stearns Bank’s Chief Risk and Information Security Officer, shared best practices for insider threat mitigation in Salesforce and other cloud applications. As industry-experienced individuals, both Jeffrey and Josh have seen the inner workings of multiple financial institutions’ InfoSec teams and helped architect robust security solutions that safeguard sensitive information.
During their tenure, they’ve each seen the changes the cybersecurity world has faced, including the newest – and possibly largest – risk to organizations managing sensitive information: insiders. Using their many years of experience and hands-on research and implementation in their roles, Jeffrey and Josh each shared critical takeaways that can help organizations in all industry verticals with insider threat mitigation.
1. Insider threats are more common than you may think
“The two most common breaches come from either a credential compromise or an actual insider working for your organization. That’s really where the bulk – it’s probably 90+% – of all breaches occur.” – Jeffrey DiMuro, Chief Security and Compliance Architect for Financial Service Industry Team, Salesforce
On average, insider threats cost organizations $8.76 million a year, according to the Ponemon Institute’s Cost of Insider Threats report. In the 2019 Insider Threat Report, Verizon identified that the top two causes of data breaches – which make up the majority across the board – are perpetrated by insiders. What these reports and others all indicate is an increasing trend in internal risk, which comes as a surprise to many.
The unexpected prevalence of insider threats may stem from people not recognizing them; rather than being a shadowy figure in a hooded jacket siphoning files in the corner, internal threats can be anyone – your co-worker, the maintenance staff, third-party vendors, etc. The Verizon report identifies five inside actor threat profiles: the Careless Worker, the Inside Agent, the Disgruntled Employee, the Malicious Insider, and the Feckless Third Party. The first step in insider threat mitigation is recognizing them in the workplace. Only then can you develop a thorough security posture that alleviates the risk they pose to your organization.
Once you understand who insider threats are, it’s critical to understand how they pose a threat to your data. As organizations continue to expand their Salesforce environment, entering more and more sensitive data, having the right controls in place is essential for preventing abuse. Admins must evaluate differences in behavior to determine whether unusual activity in Salesforce comes from an attacker or malicious insider, or from a legitimate user performing necessary business functions.
2. Clean data is essential for a successful user behavior monitoring program
Categorizing your information by building a good data inventory up front is one of the best things you can do before you start monitoring user behavior. Doing so helps you understand not only whether a user is acting out of the norm, but also what data they’re accessing – is it sensitive information?
With the principle of least privilege, you may be able to set accurate controls for users, but you will still receive false negatives and false positives if you cannot tell whether the data a user touched is the sensitive information you’re concerned about protecting. False alerts create unwanted noise, and most security departments don’t have the staffing to sort through unnecessary alerts; it’s crucial to cut through the noise by establishing clean data. This is why classifying data first and then determining user entitlements is most critical. With clean data, you’ll be able to easily see which events rise to the level of an incident and require further due diligence. Without it, the success of your user behavior monitoring program is at risk.
3. User entitlements are not static, and neither is data security
It’s also imperative to remember that user entitlements are not static. Security solutions like user activity monitoring applications and SIEM systems are critical for success, but at the end of the day, they aren’t “set it and forget it” – organizations absorb new data elements all the time, whether that’s new users, users changing roles or functions, departing users, or otherwise. InfoSec’s role is to digest the information from security solutions to ensure user entitlements that were appropriate yesterday are still applicable today.
A full evaluation and complete revision of security alerts can keep your program up to date as your cloud environment, monitoring, and organization’s needs evolve. By continuously examining your permissions and alerts, you can stay on top of not only industry updates but changes to your Salesforce environment as well.
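As an added illustration of the two points above – classify data before you monitor behavior (section 2), and re-check entitlements because they drift (section 3) – the script below is example code written for this article, not a Salesforce or Stearns Bank tool. Every object name, role, user, threshold and log line in it is constructed; a real deployment would read the classification from your data inventory and the events from your platform’s event log.

```python
from dataclasses import dataclass

# Step 1: the data inventory. Each object is labelled with a sensitivity class
# up front, so every later decision can ask "was this sensitive data?".
# All objects, roles, users and log lines here are constructed for this example.
DATA_CLASSIFICATION = {
    "Account": "internal",
    "Contact": "confidential",             # customer PII
    "Loan_Application__c": "restricted",   # financial details
    "Marketing_Campaign": "public",
}
SENSITIVE = {"confidential", "restricted"}

# Step 2: entitlements follow from the classification (least privilege):
# which sensitivity classes each role may read.
ROLE_ENTITLEMENTS = {
    "loan_officer": {"public", "internal", "confidential", "restricted"},
    "marketing": {"public", "internal"},
    "contractor": {"public"},
}

# Current roster. active=False means HR has marked the user as departed,
# but the entitlement has not been removed yet.
USERS = {
    "alice": {"role": "loan_officer", "active": True},
    "bob": {"role": "marketing", "active": True},
    "carol": {"role": "contractor", "active": False},
    "dave": {"role": "loan_officer", "active": True},  # never touched sensitive data
}

# Constructed access log: timestamp, user, object, action, record count.
ACCESS_LOG = """\
2024-03-04T09:01:12Z alice Loan_Application__c READ 12
2024-03-04T09:05:44Z bob Marketing_Campaign READ 40
2024-03-04T09:07:02Z bob Contact EXPORT 5000
2024-03-04T10:15:30Z carol Account READ 3
2024-03-04T11:20:00Z alice Contact READ 25
"""


@dataclass
class Alert:
    user: str
    obj: str
    reason: str


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, obj, action, count = line.split()
        events.append({"ts": ts, "user": user, "obj": obj,
                       "action": action, "count": int(count)})
    return events


def evaluate_events(events, export_threshold=1000):
    """Step 3: raise alerts only where sensitive data is involved.

    Reads of public/internal data never alert, which is what keeps the noise
    down; a bare "any unusual access" rule would page on bob's campaign report.
    """
    alerts = []
    for ev in events:
        cls = DATA_CLASSIFICATION.get(ev["obj"], "unclassified")
        user = USERS.get(ev["user"])
        if user is None:
            alerts.append(Alert(ev["user"], ev["obj"], "unknown user"))
            continue
        if not user["active"]:
            alerts.append(Alert(ev["user"], ev["obj"], "departed user still has access"))
        if cls in SENSITIVE and cls not in ROLE_ENTITLEMENTS[user["role"]]:
            alerts.append(Alert(ev["user"], ev["obj"], f"{cls} data outside role entitlement"))
        if ev["action"] == "EXPORT" and cls in SENSITIVE and ev["count"] >= export_threshold:
            alerts.append(Alert(ev["user"], ev["obj"], f"bulk export of {ev['count']} {cls} records"))
    return alerts


def review_entitlements(events):
    """Periodic entitlement review: entitlements are not static.

    Returns (user, finding) pairs for departed users still holding a role and
    for active users whose role grants sensitive access they never used in the
    review window (candidates for tightening under least privilege).
    """
    used = {}
    for ev in events:
        used.setdefault(ev["user"], set()).add(DATA_CLASSIFICATION.get(ev["obj"], "unclassified"))
    findings = []
    for name, info in USERS.items():
        if not info["active"]:
            findings.append((name, "remove entitlements: user departed"))
            continue
        unused = (ROLE_ENTITLEMENTS[info["role"]] & SENSITIVE) - used.get(name, set())
        if unused:
            findings.append((name, "unused sensitive entitlement: " + ", ".join(sorted(unused))))
    return findings


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for a in evaluate_events(evs):
        print(f"ALERT  {a.user:6} {a.obj:22} {a.reason}")
    for name, finding in review_entitlements(evs):
        print(f"REVIEW {name:6} {finding}")
```

On this constructed data the monitor stays silent on alice’s legitimate loan work and bob’s campaign report, and raises exactly three alerts: two on bob’s 5,000-record export of confidential contacts and one on carol, who has left but can still read data. The review pass then surfaces the two entitlement problems the log alone would not: carol’s lingering role and dave’s sensitive access that nobody has used. Swap the classification out and the same events produce a wall of indistinguishable alerts, which is the noise problem described above.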
From a hygiene perspective, this forms the foundation for strong data governance. Supervisory regulators look at your understanding of the data you’re managing and who has access to it when determining how you’re securing and complying with various regulations.
4. Organizations should start with a focus on privacy, data access, and security
Speaking from the perspective of a financial institution’s Chief Risk and Information Security Officer, Josh Hofer noted that his organization focuses primarily on three security initiatives, which entail financial privacy (including notifying customers about privacy requirements), monitoring who has access to data, and safeguarding said data.
Regulations guide many industries, financial services included. In fact, the financial industry is one of the most heavily regulated industries in the world. While many regulations establish security protocols, others impart the importance of privacy on institutions, such as GLBA (Gramm-Leach-Bliley Act). Protecting customer data and information against external and internal threats is an integral part of an impenetrable information security program that complies with GLBA and protects PII.
A vital factor for InfoSec teams to consider when implementing a data security program is how they’ll establish, implement, and maintain the information security program – and then, more importantly, how they can continue to evolve it proactively, ensuring they create robust controls that make sense for the size and function of their institution.
5. A layered approach is the most effective for insider threat mitigation
For a robust security posture, a layered approach, also known as defense in depth, is the most effective way to establish a powerful safeguard. Effective controls for every layer – from the perimeter to the network to the application layer where the data lives – can stop data loss in its tracks. Essential elements in a layered approach include:
- Powerful firewalls and separation through demilitarized zones at the perimeter layer
- Data loss prevention (DLP) systems
- Enterprise-wide intrusion detection or prevention systems (IDS or IPS) at the network security layer
- Endpoint security such as antivirus or antimalware for workstations
- Patch management processes to eliminate vulnerabilities
- And more
What’s most important is relying on multiple defenses in case there’s a lapse at any single point. Numerous components provide insurance against system failures or insider threats sneaking around security protocols. At the application level, monitoring can be done through application testing, code review, and scanning, in addition to the actual vulnerability testing and penetration testing of the host server, to prevent insider threats from gliding through security controls unnoticed.
The major takeaways cybersecurity experts want organizations to know are that insider threats are a prevalent risk and need to be addressed. Internal threats are growing as more employees feel entitled to the work they create in the office, even if it belongs to the company. Malicious insiders can be anyone, and best practices for insider threat mitigation include having clean data for a successful user behavior monitoring program, remembering that neither user entitlements nor data security are static and that both need continuous reevaluation, starting with a focus on privacy, data access, and security, and utilizing a defense in depth approach to security. Together, these practices can successfully allay the serious risk that insiders pose to the security of your most precious asset – your data.