Cavirin Blog

Automated Insider Threat Management

Most people find stories like the Uber snooping lawsuit pretty unsettling. If you have heard nothing of this beyond the accusation that Uber used a "God View" tool, as explained in a recent series of articles by Forbes, it is important to know that Uber collected customer and employee information and used that information in a manner well outside reasonable use by the standards of California privacy legislation.

“Exhibit A contains customer data collected by Defendant and constitutes Defendant’s confidential, proprietary, and private information about its users — the very existence, content, and form of which are of extreme competitive sensitivity to Defendant in that they demonstrate what data Defendant considers important enough to capture, how that data is stored and organized, and could, individually or in the aggregate, provide Defendant’s competitors with insights into how Defendant views, analyzes and executes certain aspects of its business,” Uber wrote in a court filing.

The activities exposed by whistle-blower Ward Spangenberg, who was fired from Uber in February 2016, raise concern over two major threats affecting companies today: tone at the top (corporate ethics), and insider threat. This article looks more deeply at what could be done with this information from the inside. As Wikipedia states, "Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization", or, in the case of Uber, to harm its customers.

Insider threat poses a much higher risk than external threats. As a company, you need to defend your data and infrastructure not only from external risks but also from insiders.

Per a recent survey collection,

  • 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months
  • 62% of business users report that they have access to company data that they probably should not see
  • 43% of businesses need a month or longer to detect employees accessing files or emails they're not authorized to see
  • Nearly a third of all organizations still have no capability to prevent or deter an insider incident or attack
  • Only 9% of survey participants rank their insider prevention methods as very effective
  • 45% of IT executives say malicious insider attacks are one of the email security risks they are most ill-prepared to cope with
  • 62% involved employees looking to establish a second stream of income off their employers' sensitive data
  • 29% stole information on the way out the door to help future endeavors and 9% were saboteurs

At a broad level, there are two types of insiders:

  • Malicious insiders
  • Accidental insiders

Malicious insiders take a series of intentional, carefully chosen and calculated steps to cause negative impact on the organization by breaching confidentiality, integrity or availability. They exploit their privileged access to seek inappropriate gains. These gains could be:

  • Financial
  • Schadenfreude, or
  • Other emotional motivations

Accidental insiders, on the other hand, are non-malicious by intention. They can still act as saboteurs through inappropriate action or inaction. Their actions may not cause immediate harm but could lead to future risks.

The IEEE paper on a framework for characterising attacks by insiders describes:

  • Defining which insiders attack,
  • Why they attack,
  • The human factors that lead to accidental threats,
  • How one's background may impact likelihood of attack,
  • What behavior may be exhibited before or during an attack,
  • What the common attack vectors and steps within an attack are, and
  • What assets and vulnerabilities are typically targeted

[Figure: IEEE insider threat framework. Copyright IEEE]

The CERT® project conducted by CMU is the most comprehensive work done on insider threat management. The Common Sense Guide to Mitigating Insider Threats details the best practices for mitigating insider threats. These are:

Practice #    Practice Title
Practice 1    Consider threats from insiders and business partners in enterprise-wide risk assessments.
Practice 2    Clearly document and consistently enforce policies and controls.
Practice 3    Incorporate insider threat awareness into periodic security training for all employees.
Practice 4    Beginning with the hiring process, monitor and respond to suspicious or disruptive behaviour.
Practice 5    Anticipate and manage negative issues in the work environment.
Practice 6    Know your assets.
Practice 7    Implement strict password and account management policies and practices.
Practice 8    Enforce separation of duties and least privilege.
Practice 9    Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
Practice 10   Institute stringent access controls and monitoring policies on privileged users.
Practice 11   Institutionalize system change controls.
Practice 12   Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
Practice 13   Monitor and control remote access from all end points, including mobile devices.
Practice 14   Develop a comprehensive employee termination procedure.
Practice 15   Implement secure backup and recovery processes.
Practice 16   Develop a formalized insider threat program.
Practice 17   Establish a baseline of normal network device behaviour.
Practice 18   Be especially vigilant regarding social media.
Practice 19   Close the doors to unauthorized data exfiltration.

Most of the above practices are combinations of administrative, physical and technical controls. While the administrative and physical aspects of these controls are addressed by people and processes, the technical controls should be automated.

For example, take "Practice 10: Institute stringent access controls and monitoring policies on privileged users". How does this apply to modern workloads such as those running on AWS? What controls do you need in place? How do you continuously monitor access policies on AWS?

Based on the CIS AWS Security Benchmarks, below are some of the rules that address Practice #10 on AWS.

  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • Ensure no root account access key exists
  • Ensure MFA is enabled for the "root" account
  • Ensure hardware MFA is enabled for the "root" account
  • Ensure IAM policies are attached only to groups or roles
  • Do not set up access keys during initial user setup for any IAM user that has a console password
  • Ensure IAM policies that allow full "*:*" administrative privileges are not created
  • Ensure CloudTrail is enabled in all regions
  • Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
  • Ensure a log metric filter and alarm exist for usage of "root" account
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • Ensure a log metric filter and alarm exist for S3 bucket policy changes
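
The first seven rules above are account-posture checks that can be evaluated from two inputs: the IAM credential report and an inventory of managed policies with their attachments. The script below is an added example (not Cavirin's, CIS's or AWS's code) that runs those checks over a constructed, abridged credential report and a constructed policy inventory; the account ID, user names, timestamps and policy names are invented, and the "key created at user setup" heuristic (key rotation time equal to user creation time) is the author's assumption about how that rule is best approximated offline.

```python
"""Offline evaluation of a few CIS AWS IAM rules (added example, not project code)."""
import csv
import io

# Constructed sample shaped like an IAM credential report, abridged to the
# columns the checks below read. Every value here is invented.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-01T00:00:00+00:00,not_supported,not_supported,false,true,2016-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-02-01T00:00:00+00:00,true,2016-11-01T00:00:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-03-01T00:00:00+00:00,true,2016-03-01T00:00:00+00:00,false,true,2016-03-01T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-04-01T00:00:00+00:00,false,N/A,false,true,2016-04-01T00:00:00+00:00,false,N/A
"""

# Constructed inventory of customer-managed policies: document plus the
# principals (user/, group/, role/) each one is attached to.
POLICIES = [
    {"name": "AdminEverything", "attached_to": ["user/bob"],
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "ReadOnlyS3", "attached_to": ["group/analysts"],
     "document": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                 "Resource": "*"}]}},
    {"name": "DenyAll", "attached_to": ["role/quarantine"],
     "document": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}},
]

ROOT = "<root_account>"


def parse_report(text):
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _root_row(rows):
    return next(r for r in rows if r["user"] == ROOT)


def console_users_without_mfa(rows):
    """IAM users with a console password but no MFA device (root is checked separately)."""
    return sorted(r["user"] for r in rows
                  if r["user"] != ROOT
                  and r["password_enabled"] == "true"
                  and r["mfa_active"] != "true")


def root_has_access_keys(rows):
    """True when either root access key is active."""
    root = _root_row(rows)
    return root["access_key_1_active"] == "true" or root["access_key_2_active"] == "true"


def root_mfa_enabled(rows):
    return _root_row(rows)["mfa_active"] == "true"


def console_users_with_keys_from_setup(rows):
    """Heuristic (assumption): a console user whose active key 1 was created at the
    same instant as the user was created probably got it during initial setup."""
    return sorted(r["user"] for r in rows
                  if r["user"] != ROOT
                  and r["password_enabled"] == "true"
                  and r["access_key_1_active"] == "true"
                  and r["access_key_1_last_rotated"] == r["user_creation_time"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def full_admin_policies(policies):
    """Policies with an Allow statement granting Action "*" on Resource "*"."""
    found = []
    for pol in policies:
        for stmt in pol["document"]["Statement"]:
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                found.append(pol["name"])
                break
    return found


def policies_attached_to_users(policies):
    """Direct user attachments; the benchmark wants policies only on groups or roles."""
    return [(pol["name"], target) for pol in policies
            for target in pol["attached_to"] if target.startswith("user/")]


def run_checks(report_text=CREDENTIAL_REPORT, policies=POLICIES):
    rows = parse_report(report_text)
    return {
        "console_users_without_mfa": console_users_without_mfa(rows),
        "root_has_access_keys": root_has_access_keys(rows),
        "root_mfa_enabled": root_mfa_enabled(rows),
        "console_users_with_keys_from_setup": console_users_with_keys_from_setup(rows),
        "full_admin_policies": full_admin_policies(policies),
        "policies_attached_to_users": policies_attached_to_users(policies),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding}")
```

Against the constructed inputs the script reports bob as a console user without MFA whose key was created at setup, an active root access key, root without MFA, the AdminEverything policy as an unrestricted admin policy, and that same policy attached directly to a user. Each of these is one of the data points the next paragraph counts; a real audit would feed the same functions from the live credential report and policy listing for every account.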

When you count the data points, enumerations, conditions and prerequisites that must be evaluated for every single rule each time you audit the technical controls for Practice #10 alone, the work quickly becomes overwhelming, complex, monotonous and error-prone. Now imagine evaluating hundreds of such rules covering each of the CERT® practices tabled above, and multiply that complexity by workloads strewn across multiple cloud vendors and on-premise datacenters. It is easy to see why insider threat management is such a difficult task.
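
The four "log metric filter and alarm" rules in the list above are the detection side of Practice 10 and Practice 12: they turn CloudTrail records into alarms. The script below is an added example (not Cavirin's code, and not the CloudWatch Logs filter syntax itself) that expresses the same four conditions in Python and runs them over constructed, abridged CloudTrail records; the event IDs, user names, account ID and the service name in the `invokedBy` field are invented. Requiring a successful login for the no-MFA rule, so that a failed attempt is counted once under the authentication-failure rule rather than twice, is a design choice of this example.

```python
"""CloudTrail detections for four CIS alarm rules (added example, not project code)."""
import json

# Constructed, abridged CloudTrail records. Only the fields the rules read are
# present; all identifiers are invented.
SAMPLE_EVENTS_JSON = json.dumps([
    {"eventID": "evt-1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "evt-4", "eventType": "AwsApiCall", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventID": "evt-5", "eventType": "AwsApiCall", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # Root identity acting through a service: excluded by the root-usage rule.
    {"eventID": "evt-6", "eventType": "AwsServiceEvent", "eventName": "CreateLogStream",
     "eventSource": "logs.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
])


def load_events(text):
    return json.loads(text)


def console_sign_in_without_mfa(ev):
    """Successful IAM-user console login where MFA was not used."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("userIdentity", {}).get("type") == "IAMUser"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")


def root_account_usage(ev):
    """Any direct root activity; service-invoked root events are not root usage."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def console_auth_failures(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


# S3 API calls that change a bucket's policy or related access configuration.
S3_POLICY_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
}


def s3_bucket_policy_changes(ev):
    return (ev.get("eventSource") == "s3.amazonaws.com"
            and ev.get("eventName") in S3_POLICY_EVENTS)


RULES = {
    "console_sign_in_without_mfa": console_sign_in_without_mfa,
    "root_account_usage": root_account_usage,
    "console_auth_failures": console_auth_failures,
    "s3_bucket_policy_changes": s3_bucket_policy_changes,
}


def evaluate(events):
    """Map each rule name to the IDs of the events that matched it."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                hits[name].append(ev["eventID"])
    return hits


def alarms(hits, threshold=1):
    """Rules whose match count reaches the alarm threshold (CIS uses >= 1)."""
    return sorted(name for name, ids in hits.items() if len(ids) >= threshold)


if __name__ == "__main__":
    matched = evaluate(load_events(SAMPLE_EVENTS_JSON))
    for rule, ids in matched.items():
        print(f"{rule}: {ids}")
    print("alarms:", alarms(matched))
```

On the constructed records every rule fires exactly once: evt-2 for the no-MFA login, evt-3 for the failed login, evt-4 for root creating an access key, and evt-5 for the bucket policy change; evt-1 and evt-6 match nothing. The same predicates, fed from the CloudTrail stream instead of the sample list, are what a SIEM correlation rule for Practice 12 would carry.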

What can companies do to lower the impact of insider threat, and how is Cavirin addressing this requirement?

The Cavirin Pulsar elastic infrastructure security platform automates the hardening of the industry's most commonly exploited configuration weaknesses, limiting the opportunities for insider threat and greatly reducing the potential impact of a malicious insider. Pulsar continuously monitors infrastructure against the technical policies that bolster insider protection.

Cavirin is transforming the way IT security manages risk. Leveraging continuous visibility and automated risk analysis, companies are empowered to make the right decisions faster.
