Digital White Papers, SC24
A publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1519635


ILTA WHITE PAPER | SECURITY & COMPLIANCE
USING EMPLOYEE ENGAGEMENT AND TECHNICAL CONTROLS TO REDUCE INSIDER RISK

Intentional or malicious insider risk incidents involve individuals who work in an organization and deliberately seek to cause financial or reputational harm to that organization. These events can be organized into several categories: espionage or intellectual property theft, intentional unauthorized disclosure, sabotage, fraud, and workplace violence (Insider Types | MITRE Insider Threat Research & Solutions). Of these, one of the most concerning, and one that must be addressed and hopefully prevented with employee engagement, is insider workplace violence. The UK National Protective Security Authority defines this to include "any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying or other threatening behavior by a co-worker in the workplace." As one could imagine, an intentional breach by an insider would be the costliest. While less frequent, the average cost per incident topped $700,000 in 2023 (Ponemon Cost of Insider Risks Global Report - DTEX Systems Inc, p. 9).

A Technical Approach to Reduce Insider Risk

Technical controls are one mitigating step an organization can take to reduce the risk of insider threats. Detective controls, like auditing, provide accountability for privileged and regular users alike while offering the ability to monitor for unusual user behavior that may indicate attempts at data exfiltration, data smuggling, and unwanted system modification. Preventative controls work together with detective controls to reduce the load on analysts and disrupt known malicious behaviors. These controls include proper account provisioning and de-provisioning, following least-privilege access management best practices, separating duties for critical system changes, and having strict remote access controls. Finally, if a malicious act is performed, corrective controls, such as data backups, can restore systems to a functioning state and allow the organization to return to normal operations.

Detective controls are an essential control type: they alert an organization to the first signs of suspicious activity and serve as evidence when suspicious activity occurs. Auditing and alerting on network logs allow organizations to detect anomalies in user data upload and download rates; compared with regular user activity, these anomalies can indicate data exfiltration outside the company network or data smuggling. CISA (Cybersecurity and Infrastructure Security Agency) notes explicitly that User Behavior Analytics (UBA) software can be used to help identify these anomalies and quickly alert analysts to unusual user behavior (Insider Threat Mitigation Guide (cisa.gov), p. 39). Host-based actions should also be logged and reviewed regularly, especially for mission-critical systems, as not all illicit actions are conducted via network communications (Common Sense Guide to Mitigating Insider Threats, Seventh Edition (cmu.edu), pp. 83-84). Logs from outside business hours should also be investigated to determine the actions taken, their purpose, and the validity of the events, as a user may attempt to hide malicious activity during minimally reviewed times. Preventative controls assist in auditing and mitigating insider threats by preventing malicious actions from taking place.
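The detective-control idea above (comparing each user's upload volume against that user's own normal activity, and separately reviewing events outside business hours) can be expressed as a small baseline check. The following Python is an added example written for this page, not code from the ILTA paper or from any UBA product; the log format, the 08:00-18:00 business-hours window, the 3-sigma threshold and the sample log lines are all constructed assumptions.

```python
"""Flag per-user upload-volume anomalies and off-hours activity in egress logs.

Added example (not from the ILTA paper). Log format is a constructed
assumption: "<ISO timestamp> <user> <upload|download> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log lines (one user with a baseline of modest
# daytime uploads and one very large 02:17 upload; one steady user).
SAMPLE_LOGS = """\
2024-03-04T09:12:01 alice upload 120000
2024-03-04T10:40:22 alice upload 95000
2024-03-05T11:02:10 alice upload 110000
2024-03-06T09:55:43 alice upload 130000
2024-03-07T14:21:09 alice upload 101000
2024-03-08T02:17:55 alice upload 4800000000
2024-03-04T09:30:00 bob upload 300000
2024-03-05T09:31:00 bob upload 310000
2024-03-06T09:32:00 bob upload 290000
2024-03-07T09:33:00 bob upload 305000
2024-03-08T09:34:00 bob upload 295000
"""

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-17:59 local time, Monday-Friday


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, direction, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "direction": direction, "bytes": int(nbytes)})
    return events


def daily_totals(events, direction="upload"):
    """Sum bytes per user per calendar day for the given direction."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["direction"] == direction:
            totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def volume_anomalies(events, direction="upload", min_days=3, z_threshold=3.0):
    """Score each user-day against that user's other days (leave-one-out baseline).

    A day is flagged when its total is more than z_threshold standard
    deviations above the mean of the user's remaining days. Users with too
    little history are skipped rather than scored against a meaningless baseline.
    """
    findings = []
    for user, per_day in daily_totals(events, direction).items():
        days = sorted(per_day)
        if len(days) < min_days + 1:
            continue
        for day in days:
            baseline = [per_day[d] for d in days if d != day]
            mu, sigma = mean(baseline), pstdev(baseline)
            # Floor sigma at 5% of the mean so a perfectly flat baseline
            # does not divide by zero or flag trivial variation (assumption).
            sigma = max(sigma, 0.05 * mu)
            z = (per_day[day] - mu) / sigma
            if z > z_threshold:
                findings.append({"user": user, "day": day, "bytes": per_day[day],
                                 "baseline_mean": mu, "z": round(z, 1)})
    return findings


def off_hours_events(events, hours=BUSINESS_HOURS):
    """Return events outside the business-hours window or on a weekend."""
    start, end = hours
    return [e for e in events
            if not (start <= e["ts"].hour < end) or e["ts"].weekday() >= 5]


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for f in volume_anomalies(evts):
        print(f"VOLUME  {f['user']} {f['day']}: {f['bytes']} bytes "
              f"(baseline mean {f['baseline_mean']:.0f}, z={f['z']})")
    for e in off_hours_events(evts):
        print(f"OFFHRS  {e['user']} {e['ts'].isoformat()}: "
              f"{e['direction']} {e['bytes']} bytes")
```

The baseline is per user, not fleet-wide, which is the point the paper makes: a volume that is ordinary for one role can be a strong signal for another. Both checks are independent, so an analyst sees the 02:17 upload once as a volume outlier and once as an off-hours event; in practice the two findings would be correlated before alerting.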
When provisioning user accounts, least privilege permissions should be utilized to ensure that users only have access to systems and applications required for their job duties. Consequently, a thorough and reliable user de-
