3 Common Approaches to Insider Threat and How They Fall Flat

Insider threat isn’t slowing down

Insider threat mitigation has been a priority for most security teams for several years now. But more recently, it’s working its way into the C-suite, as top-level business leaders recognize that figuring out how to stop insider threats is critical to both protecting and enabling business growth. Despite the increased awareness, the scary reality is that the insider threat problem isn’t slowing down. Insider threat incidents are increasing — and they’re growing more costly to deal with. Every week, a new high-profile case makes headlines, spanning every industry: A departing Pfizer employee took vaccine secrets to a rival company. Apple has been mired in various IP theft lawsuits with former employees, while Yahoo took an ex-employee to court for stealing trade secrets. Tesla sues yet another former engineer for stealing valuable code. Finally, fintech company Block experienced malicious insider activity that led to a data breach in its subsidiary Cash App, placing the organization at risk of non-compliance.

Insider threats are hurting businesses in measurable ways — with increasing frequency. So, what are most security teams doing about it? Let’s take a look at three of the most common approaches to current insider threat prevention — and how they fall flat in the real world:

1. Go all-in on blocking-first approach (DLP)

Naturally, the first response to a threat is to try to stop it. The most common strategy that today’s security teams take is to leverage existing DLP solutions and supplement them with CASB and User and Entity Behavior Analytics (UEBA) in an attempt to granularly track — and predict — potentially malicious insider behavior.

The essence of conventional DLP is to identify a user doing something deemed wrong or risky and stop that activity. Cutting straight to the point: in today’s hybrid cloud work environments, you simply cannot lead with blocking. We encourage employees to creatively find ways around barriers in their work — and they creatively find ways around DLP rules, as well. Today’s workforce relies on an ever-growing keychain of unsanctioned, unmonitored, and potentially vulnerable tools to productively collaborate at work, meaning that there are always new ways of moving data that DLP rules don’t account for. Conventional prevention tools like DLP only look for what you tell them to look for. In short, between data portability and user creativity, security teams just can’t think of everything that they need to watch for. So, risk to data such as your source code, customer lists, product roadmaps and engineering plans can easily slip through the cracks of the prevention-alone approach. And because DLP tools don’t know when they’ve been beaten, it’s not the security team that alerts the company to data leaks — it’s the legal team, or it’s an embarrassing headline, or it’s a year later, when a competitor comes to market with a copycat product.

To add insult to injury, conventional prevention tools not only fail to stop every risky action — they often disrupt legitimate collaboration activities as well. Overcompensating with strict DLP policies ends up stifling user productivity, collaboration and innovation — impacts which cause their own damage to the business. Because of the way DLP blocks or flags actions without full context, it often ends up framing a non-malicious action by an authorized user as a malicious action by a user with dangerous intentions. This isn’t just a waste of security and user time — it’s also an approach devoid of empathy for employees, and can significantly damage culture and trust within the workplace.

The Code42 View: Prevention alone isn’t enough.

Conventional DLP, CASB and other prevention tools can play a role in protecting regulated, structured data. But they can’t stop everything — and when a risky action falls through the cracks, a prevention-alone approach leaves security teams flying blind, unable to detect, investigate and respond before the damage is done. That is why 76% of organizations still suffer a data breach despite having a DLP solution in place.

2. Focus on the user instead of the data

When security teams eventually recognize that rigid DLP policies can’t handle evolving, unstructured data and dynamic, creative users, they turn to user-focused tools (e.g., UAM, UEBA) for granular visibility into user activity. It makes sense: it’s your users that perpetrate insider theft; data doesn’t steal itself.

The problem is that users do so much stuff every single day — and 99% of it is completely legitimate and harmless. User behavior tools try to use AI to tease out normal vs. abnormal behavior — which sounds great in theory. However, without full context into user activity and trained personnel, security teams end up being bombarded with alerts and far too much noise. Even if they correctly identify normal vs. abnormal behavior, abnormal is not synonymous with risky. So, security teams are still overburdened with false positives and could potentially be distracted by the wrong dangers — while real data leaks slip through the cracks.

But you can’t ignore the other major problem with user monitoring tools: employee privacy. The evolution of privacy regulations like GDPR and CCPA calls many user monitoring practices into question. Then there are the Big Brother implications. User surveillance implies unmerited suspicion and unquestionably hurts company and workplace culture, damaging employee trust and empowerment at a time when embracing and supporting new ways of working can provide a powerful competitive advantage for a business. Many will view this as an unempathetic approach to security, potentially sparking an adversarial relationship between security teams, management and users, jeopardizing the most critical element in any insider threat program — employee buy-in and adherence.

The Code42 View: It’s a technology problem, not a people problem

At the end of the day, a user-only approach falls flat because of a simple truth: user-focused tools are looking in the wrong direction. Security teams don’t really care what employees do on the cloud or the web; they care where the company’s data goes. By default, we are all accidental insiders, whether or not we want to admit it. Someone has unknowingly hit “send” on that email containing confidential information, someone has created a publicly accessible link on Box, someone has transported data to another non-trusted source with the intent of getting his or her job done and, of course, someone has fallen prey to advanced phishing techniques. Accidents happen, and at the root of those accidents are people. For far too long we have been misframing the problem as a “people” problem rather than a “technology” problem.

3. Cull the data

The third most common approach to insider threat — and a direct response to the problem of “too much noise” — is to cull or filter out the data that’s “not important.” This requires the dreaded-by-all data classification exercise — painful, time-consuming and costly. But as discussed earlier, the reality is that security teams cannot think of everything. In this case, it is increasingly impossible to account for all of your valuable and vulnerable data in real time. That’s because unstructured data is not static — it’s evolving, moving, being shared and iterated on as part of modern collaboration culture. And the value and vulnerability changes as the data changes.

Sure, a company could try to account for the dynamic nature of their data with regular data classification. But most security leaders recoil in fear at the time and cost of just one data classification exercise. Moreover, no matter how recently you classified your data, the dynamic nature of your valuable, unstructured data leaves you with the distinct possibility that something you’ve ignored as “not important” ends up becoming incredibly valuable to your business. Too often, the first time the security team realizes the oversight is when they learn that valuable, overlooked data has been taken. By then, it’s too late — they’ve been blindsided by insider threat. The hard truth: Employee-driven threats to data have outpaced the programs, policies and tools in place today.

The Code42 View: Ultimately it’s all about context

Collaboration culture is fueled by the rapid evolution of unstructured data. Businesses can no longer distinguish between “important” and “unimportant” data. They need to capture and monitor all pieces of data to detect when and how valuable files are moving to places they shouldn’t, across endpoint and cloud, without disruption and without extensive tuning. Moreover, considering that we have reached an era of truly unlimited storage, the logic behind culling or classifying data is now flawed. The speed to investigate and respond is essentially the same, if not faster, so why filter out what may become critical data evidence at a later date?

But when collecting so much data, knowing what files went where, when, and at whose hands is essential. Context should extend to organizational knowledge about things like “when are users expected to work” by department and “what types of files are considered important by line-of-business managers?” Having answers to these questions falls under the umbrella of “context,” which security teams must have if they are to prevent insider threats.

It’s necessary to treat individual users and organizations differently based upon their job roles. For example, if a salesperson was penalized for uploading a slide deck to a prospect’s Dropbox, that would restrict their ability to do their job. However, if they suddenly started uploading scads of files to GitHub, there could be a problem.
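The kind of context-driven triage described above (role-appropriate destinations, expected working hours, and transfer volume) can be sketched as a small scoring rule. This is an added illustration, not Code42 or Incydr code; the department/destination tables, working-hour windows, bulk threshold and sample events are all assumed and constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMoveEvent:
    user: str
    department: str
    hour: int          # local hour of day (0-23) when the files moved
    destination: str   # cloud domain or device the files went to
    file_count: int    # files in this single transfer

# Organizational context (assumed for this example): where each department
# is expected to send files, and the hours its staff normally work.
TRUSTED_DESTINATIONS = {
    "sales": {"dropbox.com", "salesforce.com"},
    "engineering": {"github.com", "jira.example.com"},
}
WORK_HOURS = {"sales": (7, 19), "engineering": (8, 21)}   # [start, end)
BULK_THRESHOLD = 25   # files per transfer treated as bulk (assumed)

def score_event(ev):
    """Return a 0-100 risk score plus the contextual reasons behind it."""
    score, reasons = 0, []
    if ev.destination not in TRUSTED_DESTINATIONS.get(ev.department, set()):
        score += 40
        reasons.append(f"{ev.destination} is not sanctioned for {ev.department}")
    start, end = WORK_HOURS.get(ev.department, (0, 24))
    if not start <= ev.hour < end:
        score += 20
        reasons.append(f"{ev.hour:02d}:00 is outside {ev.department} hours")
    if ev.file_count >= BULK_THRESHOLD:
        score += 40
        reasons.append(f"bulk transfer of {ev.file_count} files")
    return min(score, 100), reasons

def level(score):
    return "high" if score >= 60 else "medium" if score >= 40 else "low"

def triage(events):
    """Rank events by score so the ones worth an analyst's time surface first."""
    scored = sorted(((score_event(e)[0], e) for e in events), key=lambda p: -p[0])
    return [(s, e.user, e.destination, level(s)) for s, e in scored]

# Constructed sample events, not real telemetry.
EVENTS = [
    FileMoveEvent("alice", "sales", 14, "dropbox.com", 1),        # routine
    FileMoveEvent("alice", "sales", 23, "github.com", 60),        # all three signals
    FileMoveEvent("bob", "engineering", 10, "github.com", 60),    # bulk only
    FileMoveEvent("carol", "engineering", 3, "usb-removable", 5), # off-hours, untrusted
]

if __name__ == "__main__":
    for score, user, dest, lvl in triage(EVENTS):
        print(f"{lvl:6} {score:3} {user:6} -> {dest}")
```

The same Dropbox upload scores zero for the salesperson, while the bulk off-hours push to GitHub scores at the top; the point is that the destination alone is not the signal, the role and surrounding context are.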

Dealing with the inevitable insider threat

Companies in every sector today are striving to achieve the kind of dynamic, agile, flexible culture that encourages, enables and empowers new ways of working and unlocks powerful innovation. In this environment, it’s a mistake to view increasing insider threat as a problem that can be fully snuffed out. In fact, insider threat is a natural byproduct of successful collaboration culture. It stands as a serious threat to the business — one that must be proactively and diligently monitored and mitigated.

Prevention is undoubtedly the first step in an insider threat prevention program. Without some form of walls around your valuable and vulnerable data, your organization is completely exposed to attack — from the inside or outside. But prevention alone isn’t enough and blocking-first is too rigid of an approach, leaving an enormous gap in the security stack.

You need purpose-built insider threat detection and response

Twenty-first century security teams need a solution that will help them to easily prioritize between low-risk mistakes and real threats — quickly and accurately. They need to be able to prevent data loss and correct behavior without draining security time and user productivity. And because the risk isn’t slowing down, you don’t have time for a lengthy, complicated roll-out. You need a tool that deploys in days — and gives you the visibility you need in seconds.

What you need to solve the problem

Beyond having the visibility to monitor where unstructured data is moving, and the ability to contextually prioritize threats, security teams must also be empowered to address the root cause of insider threats: the employees themselves. Modern solutions like Code42 Incydr™ differ from conventional ones by giving security teams a wide array of actionable and right-sized responses proportionate to the severity of the risk. An ideal risk detection and response plan should: 

  • Establish acceptable use policies, communications plans, escalation and incident handling procedures, and documentation processes
  • Address, correct and change user behavior through appropriate and responsive lessons on security best practices
  • Contain threats and enforce prevention of further risky action by users via user access controls, quarantine procedures, and security protocols

These responses should ultimately focus on purposefully and empathetically educating users by informing them on the long-term impact of their immediate actions, while security teams focus on determining the extent of any breach and closing further security gaps. 

Treating employees as valuable stakeholders of organizational security — rather than potential threats to be put under a microscope — isn’t just a more empathetic approach to managing the risk of insider threat. It’s also a proactive way for security teams to cut through the noise — by reducing the likelihood of accidental user action — so they can prioritize resources and energy on identifying and responding to the real insider threats hiding amidst their organization’s ever-changing, ever-growing data environment.