Security Experts Weigh In: Best Practices to Identify and Mitigate the Insider Threat

“Trust can always be broken, but we can limit the resulting damage. The separation of functions, limitation of privileges, and vigilant monitoring can reduce the consequences of malicious acts and honest mistakes. We need to make it easy for users to do the right thing, but very difficult to cause disasters.”Dr. Ulf Lindqvist, program director, Computer Science Laboratory, SRI International

“In today’s economy, the insider threat is a top concern. The perfect recipe for insider cybercrime combines financial stress with easy access to corporate data and a host of on-line black market outlets ready to turn information into cash. To effectively address cybercrime, companies must use an inside-out security approach that monitors events and suspicious behaviors across the entire computing infrastructure. Prioritizing mission-critical assets that store information is key to delivering the necessary level of security to prevent, detect, and respond to insider cybercrime.”Tom Reilly, president and CEO, ArcSight, Inc.

“Maintaining the privacy and protection of patient records must be a top priority for healthcare organizations. IT and security departments have to meet security challenges head on to ensure HIPAA compliancy by implementing better processes specific to controlling end user access across their computing environments. However, compliance does not always equal security. It’s important to be able to correlate events and attribute meaningful analysis to user behavior on the network. Responding to threats in real-time reduces the risk of data breaches whether they are deliberate or unintentional.” Brad Blake, IT Director, Boston Medical Center, ArcSight customer

“Develop a centralized log management and analysis process and replace manual log reviews with automated tools. SIM tools can be justified based on improved visibility and responsiveness to potential security breaches. Include logs from both the wired and the wireless environments.”Dr. David Taylor, CISSP and founder, PCI Knowledge Base

“Given that most breaches are inadvertent, develop acceptable use policies with feedback from managers to insure that policies don’t hamstring users trying to perform their jobs. Then work to get buy-in from end users with both a carrot and stick approach. An example of a carrot could include offering security workshops to educate users and an example of a stick could be that documented incidences of data breaches would have a negative impact on job performance reviews and potentially promotions.”Paula Musich, Senior Analyst, Enterprise Security, Current Analysis

“Building controls directly into the LAN is the best means for achieving a concrete defense against insider threat. Doing so with integrated devices that offer identity and application control allows organizations to achieve both capital and operational savings while protecting their digital assets. User and application control in the LAN ensures access policies are enforced, controls non-user devices, and tracks all activity of specific users—by name—for reporting, compliance, and accountability.”Joe Golden, CEO, ConSentry Networks

“You need to inspect traffic and activities beyond a user’s initial connection to the LAN. You want a solution that is extremely configurable and identity based (not device based)—this enables you to create access policies based on what resources users typically need and restrict them to those applications and servers. The bottom line for me: the goal of security is to protect the business, not disrupt the business. Finding a security solution that can protect the company’s intellectual property without intruding on day-to-day activities is key. If I can control more, I can regulate less.”Max Reissmueller, senior manager of infrastructure and operations, Pioneer Electronics (USA) Inc., ConSentry customer

“Employees are using risky Internet applications to be productive, according to research by the Ponemon Institute. In addition to changing employee behavior, companies need to know where the confidential information on Internet applications is stored and then protect this data. We recommend limited use of portable devices, enhanced perimeter controls—such as firewalls, network surveillance, access controls, and device scanning.”Dr. Larry Ponemon, chairman and founder, The Ponemon Institute, LLC.

“Organizations can never prevent insider abuse, but they can minimize its impact by implementing independent auditing practices. Start by deploying real-time technology to detect unauthorized intellectual property traffic, server configuration changes, and remote network access. Regularly audit the oversight tools to ensure that trusted insiders are abiding by the approved policies and procedures that safeguard the company.”Eric Ogren, Principal Analyst, Ogren Group