The Identity Blog


How to Decrease the Insider (Outsider) Threat Risk

Information Security departments spend months developing “defense in depth” strategies to protect their company’s information assets. As most are aware, layering security across networks, applications, endpoints, and people provides protection against hackers, malicious software, and the insider threat. Yet, regardless of how many layers are added to an environment, the insider threat continues to be a serious issue for companies. Per the 2016 Verizon Data Breach Report, there were 10,489 total incidents associated with insiders, with 172 confirmed data disclosures. With the correct security controls in place, why are so many breaches still occurring?

Building Risk Profiles Proactively, Not Reactively

Technologies exist that enable organizations to build a risk profile of employees based on their actions on the network. These technologies monitor the day-to-day usage of an individual, establishing a baseline of behavior. Any deviation from this baseline is considered a risk and triggers an immediate alert. As effective as these technologies are, they are reactive in nature: by the time the alert fires, the user has already gained access to files, printed off hundreds of documents, or exfiltrated hundreds of files. So, the question is, how can you build a risk profile of a person before they gain access to your most critical assets? How can you be proactive instead of reactive?

Every insider begins with an identity, what we at SecZetta would refer to as a profile. A person gets hired as an employee and their profile is created in an HR system. The creation of this profile is critical to onboarding a new employee: it establishes the person’s relationship with the organization. Keep in mind that creation of the profile does not grant access to systems. At this point, the individual only has a profile. Accounts haven’t been created, and access has not been granted.

As the profile is created, data is gathered and associated with it, such as social security number, date of birth, marital status, who they will report to, etc. It is at this point of creation that risk attributes should also be captured and associated with each profile. To the detriment of most organizations, however, this is not common practice. Building risk attributes during the creation of profiles would empower organizations to understand the risk of an individual before creating accounts. Risk levels of profiles could drive the decision to grant access to sensitive information, or to enhance monitoring of usage.

Third-Party Risk Profiles

When it comes to assessing the risk profile of business partners, or non-employees, most organizations have less control. If your organization does not have a robust Third Party Risk Management program, you will not know if third parties are:

· located offshore or onshore

· using a corporate-issued device or a personal device

· covered by a completed background check

· going to perform a critical function for the organization

And even if you are able to assess these aspects of a third party, your focus is likely on the security posture of the third-party organization, not the individual. Risk attributes such as privileged user access, sensitive information access, or the business process they will be supporting may drive a higher risk score than what the third-party assessment relayed. Vetting this information before accounts are created and access is granted is vital to securing this non-employee user population.
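To make the two passages above concrete, the following added example (not SecZetta’s product code) scores the risk attributes captured on a profile at creation time, for employees and third parties alike, and derives the provisioning decision before any accounts exist. The `Profile` fields, weights, tier thresholds and the hard stop on background checks are assumptions chosen for illustration.

```python
# Added example (not SecZetta's own code): score the risk attributes captured
# on a profile at creation time, before any accounts exist, and derive the
# provisioning decision. Weights, tiers and thresholds are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    relationship: str            # "employee" or "third_party"
    offshore: bool
    personal_device: bool
    background_check_done: bool
    critical_function: bool
    privileged_access: bool
    sensitive_data_access: bool

def risk_score(p: Profile) -> int:
    """Sum assumed weights for each risk attribute present on the profile."""
    weighted = [
        (p.relationship == "third_party", 1),
        (p.offshore, 2),
        (p.personal_device, 2),
        (not p.background_check_done, 3),
        (p.critical_function, 2),
        (p.sensitive_data_access, 3),
        (p.privileged_access, 4),
    ]
    return sum(w for present, w in weighted if present)

def risk_tier(score: int) -> str:
    """Map a score to a tier; thresholds are assumptions."""
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def provisioning_decision(p: Profile) -> dict:
    """What happens to this profile before accounts are created."""
    tier = risk_tier(risk_score(p))
    if not p.background_check_done and (p.privileged_access or p.sensitive_data_access):
        # Hard stop: no privileged or sensitive access without a completed check.
        return {"tier": tier, "create_accounts": False,
                "action": "hold until background check is completed"}
    actions = {
        "low": "create accounts; standard monitoring",
        "medium": "create accounts; enhanced usage monitoring",
        "high": "defer account creation pending security review",
    }
    return {"tier": tier, "create_accounts": tier != "high", "action": actions[tier]}
```

The decision is computed from the profile alone, so it can gate account creation in the onboarding workflow rather than waiting for a behavioral baseline to flag a deviation.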

Security and risk mitigation must be embedded into processes, technology, and people management. By gathering critical risk information before creating accounts and granting access, your organization will be empowered to apply enhanced security controls around the highest-risk individuals. Currently, information is classified and application risk is assessed. Why is the same not happening for the individuals introducing risk to an environment at the earliest stages of their relationship with the organization? By embedding risk attributes into profile creation, your organization will be able to increase scrutiny and potentially decrease the insider threat risk.