Ever since the Black Hat conference in Las Vegas in 2013, insiders have been one of the hottest topics of discussion among law enforcement and legislative authorities. Cyber crime turned into a business a long time ago. Almost anything that connects to the internet has an inherent risk of being hacked. In 2016, the regulatory authorities in the UK confirmed that cyber crime had overtaken old-school crimes such as murder and theft. The health care industry has suffered the most at the hands of insider threats.
Despite the high risk of falling victim to this crime, one should not simply surrender to it. There are several technical controls that work alongside non-technical measures to ensure the insider threat is mitigated in the most professional way. These controls can be divided into three broad categories.
Before the incident:
The initial phase of your control process is built around understanding. You need to understand your environment and the people who use a specific asset. Neglecting this part of the control process will make it difficult to handle problems later.
#1 Know your assets:
Knowing your assets is the first and most basic security need. Know what assets you own, where they are and who uses them. This can be difficult, especially if the assets live on mobile devices, in the cloud or in VDI. Asset data can be structured or unstructured depending on its nature. The data you hold will be in one of three states: at rest (in storage), in transit (being transmitted) or in use.
Data encryption is the most basic control for mitigating the risk of a file being used by an unauthorized individual: encrypted data can only be read by someone holding the relevant key. A holistic asset discovery and management solution may help your cause as well. It might sound simple, but even the best software and tools are difficult to handle. This does not control the risk on its own, but without it your data is highly vulnerable to hacking and cybercrime.
#2 Know your people:
After assessing and identifying your assets, the next step is to identify the individuals who interact with them. The problem is that each individual can have several MAC and IP addresses, usernames and phone numbers. Pinning activity to an IP address is always a difficult job, so the emphasis must be on identifying “who”.
During the incident:
Now that you know what your assets are and who is authorized to use them, the next step is to check that everyone is using the data in the authorized way and not stealing anything.
#3 Monitor the process:
There are flags to help your cause here. Red flags indicate an insider incident; log data and data security solutions provide the yellow flags. This is like checking a phone bill, where you can see whom calls were made to and how long they lasted. This helps in the interrogation process.
This is an extremely viable control, which keeps a record of who used a file or program and when.
#4 Encrypted activity monitoring:
30-40 percent of the world’s network traffic is SSL-encrypted, including social media, file sharing and email servers. Organizations mostly have 60-70 percent of their traffic under their monitoring process.
Monitoring is essential, but so is attaining expertise and a next-level grasp of decryption-analysis solutions. Decryption devices, proxies, firewalls and IPS solutions are the controls that provide you with full visibility in this matter.
#5 Analytical aspect:
Just as for external threats, analytics can be used to control and manage machine-based analysis. These analytics can be applied to alert data, logs and even packet captures. Sessions and instances are collected before, during and after the cybercrime, much like CCTV footage. Three typical analytics include:
- Visualization – if a person has spent a long time looking at a file, the logs and packets will show the details, and visualizing them lets the analyst work faster.
- Correlation – this helps you establish a link or relationship between the authorized file and any other unusual event.
- Pattern discovery – this provides the ideal baseline for expected activity and helps set priorities while investigating the matter.
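The yellow-flag and red-flag idea from the monitoring section and the correlation and pattern-discovery analytics listed above can be seen together in a small piece of code. The following is an added example, not code from the original article: it runs over constructed file-access and egress log lines (the format, field names, user names, thresholds and working-hours window are all assumptions made for the illustration), derives each user's own baseline from earlier days (pattern discovery), raises yellow flags for departures from it, and turns a yellow flag into a red flag only when it correlates with the same user sending data out through an external channel on the same day.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log (not real data): "<ISO timestamp> <user> <action> <object> <bytes>"
ACCESS_LOG = """\
2023-03-01T09:12:00 alice READ finance/q1.xlsx 120000
2023-03-01T10:30:00 alice READ finance/q2.xlsx 90000
2023-03-02T09:05:00 alice READ finance/q1.xlsx 120000
2023-03-02T14:20:00 alice READ finance/budget.docx 40000
2023-03-03T09:40:00 alice READ finance/q2.xlsx 90000
2023-03-03T23:15:00 alice READ finance/q1.xlsx 120000
2023-03-03T23:16:00 alice READ finance/q2.xlsx 90000
2023-03-03T23:17:00 alice READ finance/budget.docx 40000
2023-03-03T23:18:00 alice READ hr/salaries.xlsx 300000
2023-03-01T11:00:00 bob READ eng/design.pdf 500000
2023-03-02T11:30:00 bob READ eng/design.pdf 500000
2023-03-03T11:10:00 bob READ eng/spec.docx 200000
"""

# Constructed sample egress log, e.g. from a mail gateway or DLP agent:
# "<ISO timestamp> <user> <channel> <bytes>"
EGRESS_LOG = """\
2023-03-03T23:25:00 alice EMAIL_EXTERNAL 640000
2023-03-02T12:00:00 bob EMAIL_INTERNAL 200000
"""

WORK_HOURS = range(8, 19)                                   # 08:00-18:59 is normal working time (assumption)
EXTERNAL_CHANNELS = {"EMAIL_EXTERNAL", "FILE_SHARE_EXTERNAL"}  # channels that move data outside (assumption)


def parse_log(text, fields):
    """Split whitespace-separated log lines into dicts; 'ts' becomes a datetime, 'bytes' an int."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows


def daily_volume(rows):
    """Pattern-discovery input: bytes touched per user per calendar day (ISO date string)."""
    vol = defaultdict(lambda: defaultdict(int))
    for r in rows:
        vol[r["user"]][r["ts"].date().isoformat()] += r["bytes"]
    return vol


def yellow_flags(rows, z=2.0):
    """Yellow flags: behaviour that departs from the user's own baseline.

    volume_spike: a day's byte volume exceeds mean + z * stddev of that user's
                  earlier days (needs at least two days of history)
    off_hours:    any access outside WORK_HOURS
    Returns a sorted list of (user, day, reason) tuples.
    """
    flags = set()
    for user, days in daily_volume(rows).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) >= 2 and days[day] > mean(history) + z * pstdev(history):
                flags.add((user, day, "volume_spike"))
    for r in rows:
        if r["ts"].hour not in WORK_HOURS:
            flags.add((r["user"], r["ts"].date().isoformat(), "off_hours"))
    return sorted(flags)


def red_flags(access_rows, egress_rows):
    """Correlation: a yellow flag becomes a red flag when the same user also moved data
    out through an external channel on the same day. Returns {(user, day): set(reasons)}."""
    egress_days = {(e["user"], e["ts"].date().isoformat())
                   for e in egress_rows if e["channel"] in EXTERNAL_CHANNELS}
    reds = defaultdict(set)
    for user, day, reason in yellow_flags(access_rows):
        if (user, day) in egress_days:
            reds[(user, day)].add(reason)
    return dict(reds)


if __name__ == "__main__":
    access = parse_log(ACCESS_LOG, ["ts", "user", "action", "object", "bytes"])
    egress = parse_log(EGRESS_LOG, ["ts", "user", "channel", "bytes"])
    for flag in yellow_flags(access):
        print("YELLOW", *flag)
    for key, reasons in red_flags(access, egress).items():
        print("RED", *key, ",".join(sorted(reasons)))
```

On the constructed data, bob's third day is lower than his baseline and stays quiet, while alice's late-night run through the finance and HR files is both a volume spike and an off-hours access; only the external e-mail a few minutes later turns those yellow flags red. The per-user baseline is deliberate: a fixed threshold would flag bob's normal 500 kB days and miss alice's, which is the prioritization problem pattern discovery is meant to solve.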
After the incident:
This part of your control process involves investigation. The suspected employee is investigated through all available means to reach a satisfactory conclusion.
#6 Forensic analysis:
The investigation is built around both real-time investigation and forensic analysis. The yellow flag discovered in real time starts the response, but you also need to know what else the employee has been doing, since when this has been happening and whether anyone else is involved.
The investigation will include real-time monitoring along with a forensic analysis of the employee’s devices and accounts. The forensic analysis will include checking files sent through email, file sharing to any other destination, what was said in the emails, and the internal servers the employee has been using.