ILTA WHITE PAPER | SECURITY & COMPLIANCE 13
USING EMPLOYEE ENGAGEMENT AND TECHNICAL CONTROLS TO REDUCE INSIDER RISK
Intentional or malicious insider risk incidents involve individuals who work in an organization and deliberately seek to cause it financial or reputational harm. These events can be organized into several categories: espionage or intellectual property theft, intentional unauthorized disclosure, sabotage, fraud, and workplace violence (Insider Types | MITRE Insider Threat Research & Solutions). Of these, insider workplace violence is among the most concerning, and it is the one that must be addressed, and ideally prevented, through employee engagement. The UK National Protective Security Authority defines it to include "any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying or other threatening behavior by a co-worker in the workplace." As one might expect, an intentional breach by an insider is the costliest kind of incident. While less frequent than other insider incidents, the average cost per incident topped $700,000 in 2023 (Ponemon Cost of Insider Risks Global Report - DTEX Systems Inc, p. 9).
A Technical Approach to Reduce Insider Risk
Technical controls are one mitigating step an organization can take to reduce the risk of insider threats. Detective controls, like auditing, provide accountability for privileged and regular users alike while offering the ability to monitor for unusual user behavior that may indicate attempts at data exfiltration, data smuggling, and unwanted system modification. Preventative controls work together with detective controls to reduce the load on analysts and disrupt known malicious behaviors. These controls include proper account provisioning and de-provisioning, following least-privilege access management best practices, separating duties for critical system changes, and enforcing strict remote access controls. Finally, if a malicious act is performed, corrective controls, such as data backups, can restore systems to a functioning state and allow the organization to return to normal operations.
Detective controls are an essential type of control: they alert an organization to the first signs of suspicious activity and provide evidence when suspicious activity occurs. Auditing and alerting on network logs allow organizations to detect anomalies in user data upload and download rates; compared with regular user activity, these anomalies can indicate data exfiltration outside the company network or data smuggling. CISA (Cybersecurity and Infrastructure Security Agency) notes explicitly that User Behavior Analytics (UBA) software can be used to help identify these anomalies and quickly alert analysts to unusual user behavior (Insider Threat Mitigation Guide (cisa.gov), p. 39). Host-based actions should also be logged and reviewed regularly, especially for mission-critical systems, as not all illicit actions are conducted via network communications (Common Sense Guide to Mitigating Insider Threats, Seventh Edition (cmu.edu), pp. 83-84). Logs generated outside of business hours should also be investigated to determine the actions taken, their purpose, and the validity of the events, as a user may attempt to hide malicious activity during minimally reviewed times.
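The two detective checks described above, a per-user transfer-volume baseline and an off-hours review, are illustrated by the following added example. It is not code from the white paper or from any product it cites; the log format ("timestamp user direction bytes"), the business-hours window, the z-score threshold, and the sample records are all constructed for the illustration. Each user's most recent day is compared against that same user's own history rather than against a global average, which is what keeps a habitually heavy uploader from drowning out a normally quiet account that suddenly moves far more data.

```python
"""Baseline-versus-observed transfer check and off-hours review over sample log lines."""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed sample records (not from any real environment).
# Format: "<ISO timestamp> <user> <direction> <bytes>".
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice upload 4000000
2024-03-05T10:01:44 alice upload 3500000
2024-03-06T11:30:09 alice upload 4200000
2024-03-07T09:45:12 alice upload 3900000
2024-03-08T14:20:31 alice upload 4100000
2024-03-11T02:17:55 alice upload 60000000
2024-03-04T09:00:00 bob upload 1000000
2024-03-05T09:05:00 bob upload 1100000
2024-03-06T09:10:00 bob upload 900000
2024-03-07T09:15:00 bob upload 1050000
2024-03-08T09:20:00 bob upload 1000000
2024-03-11T09:25:00 bob upload 1150000
"""

# Assumed policy values for the example; a real deployment tunes these.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
ZSCORE_THRESHOLD = 3.0
MIN_HISTORY_DAYS = 3


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, direction, bytes) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, direction, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, direction, int(nbytes)))
    return events


def daily_totals(events, direction="upload"):
    """Sum bytes per user per calendar day for one transfer direction."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, d, nbytes in events:
        if d == direction:
            totals[user][ts.date()] += nbytes
    return totals


def volume_anomalies(totals, threshold=ZSCORE_THRESHOLD):
    """Flag users whose latest day deviates from their own history by more than `threshold` standard deviations."""
    alerts = []
    for user, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < MIN_HISTORY_DAYS:
            continue  # too little history to form a per-user baseline
        history = [per_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            sigma = max(mu * 0.1, 1.0)  # flat baseline: assume 10% noise to avoid dividing by zero
        z = (latest - mu) / sigma
        if z > threshold:
            alerts.append({
                "user": user,
                "date": latest_day.isoformat(),
                "bytes": latest,
                "baseline_mean": int(mu),
                "zscore": round(z, 1),
            })
    return alerts


def off_hours_events(events, start=BUSINESS_START, end=BUSINESS_END):
    """Return events whose time of day falls outside the business-hours window."""
    return [(ts.isoformat(), user, d, nbytes)
            for ts, user, d, nbytes in events
            if not (start <= ts.time() < end)]


def review(text=SAMPLE_LOG):
    """Run both checks and return their findings for an analyst queue."""
    events = parse_log(text)
    return {
        "volume_anomalies": volume_anomalies(daily_totals(events)),
        "off_hours": off_hours_events(events),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind)
        for f in findings:
            print("  ", f)
```

On the constructed data, alice's final day is flagged (roughly fifteen times her prior daily mean, with the upload landing at 02:17, so it appears in both queues), while bob's modest increase stays within his own variance and produces nothing. Feeding the review into UBA or SIEM alerting follows the same shape: compute the baseline over a trailing window, compare the current period, and route both the statistical outliers and the off-hours records to an analyst.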
Preventative controls assist in auditing and mitigating insider threats by stopping malicious actions before they take place. When provisioning user accounts, least-privilege permissions should be applied to ensure that users only have access to the systems and applications required
for their job duties. Consequently, a thorough and reliable user de-