Survey after survey shows that of all the cyber threats facing organizations in 2019, insider threats top the list. This continues a multi-year trend that reflects the issues faced by CISOs in government and industry alike.
Insider threats can take many forms; the media tends to focus on malicious insiders. But the greatest risk, statistically, comes from careless insiders.
In early May, Matt Shelton, FireEye’s Director of Technology Risk and Threat Intelligence, hosted a webinar on the continuing issue of insider threats along with practical approaches that government IT leaders can take to limit the risk. After the webinar, we followed up with Shelton to find out more about the challenges and solutions.
Government Technology Insider: Besides more education for employees and contractors, how else can organizations reduce the impact of unintentional or careless insider risks?
Matt Shelton, FireEye: Education is the best way to prevent insider attacks. But outside of that, I believe that the best way to address an unintentional threat is a good Defense in Depth strategy. It’s basically having multiple different security controls that overlap with each other.
For most unintentional insider threats, e-mail is one of the largest attack surfaces that we’ll actually see. Start with investing in an advanced e-mail threat service that could combat BEC (Business Email Compromise) threats that will turn your employees into non-hostile insiders.
Here at FireEye, we have a set of financial controls that prevent unintentional insiders from becoming victims of scams. So, if someone does ask our employees to pay an invoice or change the account information for a particular payment, we have a process in place that will catch that ahead of time.
We see a lot of e-mail campaigns that are attempting to harvest credentials from employees; those get used for all sorts of attacks, whether it’s a follow-on campaign for a BEC threat or something else. Two-factor authentication is a part of a good defense.
Finally, just understand your employee workflows. For example, a lot of our remote salespeople were sending documents to their personal email accounts, because when they were on the corporate VPN, they weren’t able to print to their local computer or printer. So, we were able to adjust some of our VPN configurations to allow local printing, and that cut down on unintentional data spills from insiders.
That’s also how cloud services become attack vectors. You have to provide enterprise alternatives to these cloud providers. People don’t use their personal Dropbox account because they want to do something malicious. They use it because it helps them work around something, which ultimately makes them more effective.
GTI: What’s the impact of mobile device use by employees, contractors, and third parties when it comes to insider threats?
MS: In many cases, mobile devices are actually more important than a desktop device, such as the example of people doing inventory. I also believe that mobile devices create an opportunity for people to do things that they didn’t intend to do.
If I’m sitting on my couch at 9:00 at night and shooting off some e-mails, that’s probably the worst time to do that, because you might unintentionally send something that you didn’t expect to send. So, giving people that mobility definitely increases the likelihood of someone becoming an unintentional insider.
At FireEye, we require our employees to install mobile device management (MDM) software on their personal phones or other devices before they can access corporate resources. More and more, we’re treating all devices as mobile devices, (including) our corporate laptops. A good MDM solution will help you enforce a good security policy, no matter where your device lives.
GTI: Do agencies need to expect that breaches of any kind are inevitable? How does this change how an agency should approach their cybersecurity, especially in terms of insider threats?
MS: Absolutely. Every organization needs to assume that a data breach is going to happen. Organizations need to develop a good incident response plan that lays out the steps necessary for responding to a breach from either an insider or an outsider, and you need to test it.
At FireEye, we have incident response plans and a playbook around what we do if a breach were to happen. But we also conduct regular tabletop exercises where we get all the players together, not only technical resources, but representatives from our legal department, from our corporate communications team, from marketing… all over the business. And we walk through what we would do in the event that an insider breach happens.
These tabletop exercises are not a one-time event. They should be conducted on a regular basis, and we actually get all sorts of value out of what we learn from them.
GTI: How does setting a security goal fit into your plans? Is that the first thing that you need to do?
MS: Absolutely. When you understand where your risk is within your environment, the next step is to figure out how to build controls into your environment that will reduce that risk. When we conduct these exercises, we’re specifically taking something that we believe is a risk to the company and running through the response.
What’s great about that is we then have a set of actions that come out of it. So security should always be an iterative process. It’s never done. And you should continually be testing and evaluating your security controls in order to make sure that they’re still functioning.