Know your assets
If you don’t know what you have in your network, it makes it very difficult to determine if someone is accessing information they shouldn’t be.
Malik said enterprises should identify their critical assets and the owners of those assets, and classify their data. There should be a view into both on-premises and cloud infrastructure. This should be enhanced with reliable threat intelligence in order to identify any patterns of behavior known to be used by organized gangs as well as rogue individuals.
Steven Grossman, vice president of strategy and enablement at Bay Dynamics, said to effectively reduce insider risk, companies should understand which assets, if compromised, would cause the most damage, where those assets reside, and who governs and interacts with them. Companies should also limit access to those assets to only those employees and contractors who need it, continuously monitor behaviors and engage application owners in the business to qualify alerts as suspicious or business justified.
“That kind of business-oriented qualification significantly reduces noise and false positives, bumping the most important and imminent alerts to the top of the pile. Non-malicious policy violators should be put on notice that it is unacceptable behavior, sent to targeted security awareness training that focuses on the policy violated and be tracked post-training to ensure they changed their behavior,” he said.
Organizations should always be testing for insider threats by simulating new threats, rather than treating it as a build-once-and-use policy, said Brutti. Red teams should always be performing new attacks, and blue teams should be trying to detect them and build upon what they learn.
Kris Lovejoy, CEO of BluVector, takes a slightly different tack than the other security pros. She believes shutting off access will stifle innovation. She said companies should not oversecure their networks but should strike a balance between protecting the organization and the health of the business. “Like water, employees and contractors will find their way around controls where they are too locked down. They will use personal email, Dropbox, other less secure data transfer mechanisms to just get the job done.”