Author: RICHARD HENDERSON
October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In the fourth and final part of this series, we bring you a glimpse of what the future looks like for one of today’s most serious threats, the insider. Richard Henderson, our Global Security Strategist, discusses his thoughts on how this risk will evolve and provides ideas on that to do about.
I spend a lot of time thinking about what cyber security will look like in the future. I think about how fast things seem to be changing in our lives from every angle and if we’ll ever be able to get ahead of it all. With that in mind, and with October being Cyber Security Awareness Month, I thought I’d spend some time considering what continues to be an elusive, critical threat: the insider.
One thing worth asking is can you ever really stop every insider threat? I don’t think we’re ever going to be able to get to a world where we can stop every possibility or cover every crack or corner. No security team will ever be able to give their executive leadership categorical assurances that they’ll be able to completely eliminate threats posed by insiders. After all, we have to trust (and we *should* trust) our friends and colleagues… but sometimes that trust will be betrayed. It’s no different than what we face in our personal lives.
I sometimes need to remind myself that not all breaches are intentional or malicious: the explosion of cloud services, the exponential growth in storage and bandwidth has created a whole new world of collaborative tools and technologies… and sometimes those tools can lead to unintentional misuse or sharing of customer and internal proprietary data. That makes me consider how new laws like the EU’s GDPR will impact organizations. When an insider unintentionally drops a huge dataset of customer data onto an unprotected AWS bucket, what will the regulatory impact be when that data is stolen or misused?
I worry about the explosion of IoT, OT and IIoT devices that are crowding our IP address space, and making it harder and harder for security teams to monitor all of the bits zipping around our networks. How much harder is it going to be to spot that key data point or log that points to an insider incident? Or worse: what if an insider decides to cause a failure in an IoT device that will have real-world kinetic impacts?
I wonder if the current data that shows rampant account sharing in many verticals including healthcare will improve? I suspect it won’t in the near-term: users just want to get their work done, and additional security controls in environments like healthcare often get in the way of providing patient care.
CHANGING THREAT RESPONSE
That being said, I also expect to see changes in defenses to compensate: intent-based security will likely play a huge role, as will recent advances in machine learning and AI. I think some extremely risk-averse organizations may borrow a page from the Intelligence Community’s idea of “continuous evaluation.” In a nutshell, it’s the monitoring of employee data activities inside the workplace, and to a lesser extent, monitoring of life outside the office such as social media postings and public records (including police and bankruptcy records). While this opens an entirely new can of worms around privacy and snooping by employers, and likely won’t fly in places like the EU, I can see new automated tools being created and used to monitor key, privileged employees in highly sensitive roles or extremely regulated verticals.
In the same vein, I am often surprised that we don’t read more about “old school” techniques borrowed from spy thrillers – why aren’t we seeing more low level employees coerced financially (or through other means like extortion of a personal nature – compromising messages or photos, for example) to plug in a drive, click on executables, steal secrets, or provide access to key data assets.
I ask myself when every organization will treat the security of their data as one of the top risk priorities for their enterprise security teams… and that includes the executive leadership too.
Part of our future success in combating the threat of the insider is to build out a comprehensive plan from desk to server to cloud that has the ability to mitigate, detect, respond and most importantly, deter incidents by insiders. This is as much a process and procedure challenge as it is a technical one. We need to get our board and executive teams involved. They may be hesitant, or may not have a deep understanding of how catastrophic an insider attack can be, but ultimately the buck stops with them and your insider threat strategy must be integrated into your organization’s overall business strategy.