Defending against Insider Threats through proactive SOC monitoring

October 16, 2023 • Blog
Posted by Luke Payne, SOC Director

Meta (formerly known as Facebook) security guards were selling user logins to hackers. Samsung staff accidentally leaked trade secrets through ChatGPT. A data entry clerk defrauded a community housing provider of $3.79M.

Threats coming from inside your organisation can cause even more damage than external threats. With Proofpoint finding that two-thirds of businesses are now experiencing 20+ incidents from insider threats a year, the costs are rising significantly. Proactive monitoring of these threats is now progressing from a nice-to-have to a must-have in the security program.

Cyber security insider threats

The people within your organisation, be they employees, contractors, suppliers, or even clients, have intimate knowledge of and access to your data and systems. With a malicious action or a careless mistake, these people can cause near-instant damage to company reputation, financial losses, loss of competitive edge, fines and other legal repercussions, damage to stock value, and more.

While more than half of incidents arise from negligence, according to the data from Proofpoint, that’s not always the case. Employee dissatisfaction, poor company culture, or financial benefits can compel people to steal, disclose, and trade in company assets, IP, systems, personal information, and other sensitive inside data. Depending on their systems knowledge, the sophistication of this type of attack can make this behaviour extremely difficult to identify, especially in real-time.

Proactive security measures

Access control and credential management

Access control must be managed at the group and user level across devices, systems, and applications. Access levels must include cases for each type of role, employment type, and period of engagement, for instance, onboarding, trial periods, termination and periods of inactivity. Controls like Multi-Factor Authentication, IP Address Verification, and password expiry must be considered.

Endpoint controls

Endpoint controls on employee or corporate devices, such as restricting software installs and device and network access, not only decrease the outside attack surface but also restrict the flow of data outside of your organisation.

Hiring and people management

HR has a large role to play in carefully screening new hires and making sure that company culture is strong to keep happy, healthy employees. Employee training that includes security awareness training is essential. Regular company-wide security awareness training should include practical exercises and be relevant to your industry, organisation and employees.

Automation of manual processes

By removing manual processes where people have an opportunity to either make an error or capture information outside the scope of their role or project, you enhance organisational security.

Resource segmentation

Through the separation of resources, such as infrastructure, data sources, applications, network segments, and even physical resources, it’s possible to use access controls to limit the potential impact of a breach. Employees, contractors, and even management should only have access to the resources required to perform their duties, further restricting access and ensuring additional data and system protections.

Proactive monitoring

Proactive monitoring, incorporating visualisation, detection, and alerting to identify possible insider threats, is also a core proactive security activity, with a range of tasks usually carried out by a Security Operations Centre.

For an in-depth guide, we recommend reading the US Cybersecurity & Infrastructure Security Agency’s 2020 Insider Threat Mitigation Guide, particularly Chapter Four, Detecting and Identifying Insider Threats.

What role does a Cybersecurity Operations Centre (SOC) play in monitoring?

An ideal internal security program has 24x7 SOC monitoring for continuous threat detection and response in real time. The SOC is responsible for progressing the identification of a potential insider threat through to determining malicious intent.

Network traffic monitoring

Through monitoring internal and external network traffic, the SOC can identify anomalies in network connections, traffic flows, access patterns, and so forth. These can then be automatically responded to (quarantining an asset, restricting user access, etc.) or escalated and examined in greater detail, depending on risk.

User-level activity monitoring

Similar to network monitoring, with user session visibility, the SOC can monitor and action abnormal user behaviours, at both the organisational and individual levels. User-level visibility may include application access, web activity, email keywording, etc. Machine Learning models can be created from past logs to uncover outliers in new and future behaviours.
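The following sketch is an added example, not Tesserent's code or tooling. It shows how a baseline built from past logs can flag a user against both the organisation-wide norm and that user's own history, using a median/MAD robust z-score as a simple statistical stand-in for the Machine Learning models mentioned above. The user names, daily upload volumes, and the three tuning constants are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

THRESHOLD = 3.5      # assumed cut-off for the robust z-score
MIN_HISTORY = 5      # assumed minimum days before a personal baseline is trusted
MIN_SCALE_MB = 1.0   # assumed floor so a perfectly flat history cannot divide by zero

# Constructed sample: (user, MB sent to external destinations in one day)
HISTORY = [
    ("alice", 18), ("alice", 22), ("alice", 20), ("alice", 25), ("alice", 19),
    ("bob", 480), ("bob", 510), ("bob", 495), ("bob", 505), ("bob", 500),
    ("carol", 12), ("carol", 15), ("carol", 14), ("carol", 16), ("carol", 13),
]
TODAY = [("alice", 21), ("bob", 505), ("carol", 45), ("dave", 300)]


def robust_z(value, sample):
    """Distance of value above the sample median, in MAD-derived units."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    return (value - med) / max(1.4826 * mad, MIN_SCALE_MB)


def classify(history, today):
    """Return {user: levels}, where levels names the baselines the user exceeded."""
    per_user = defaultdict(list)
    for user, mb in history:
        per_user[user].append(mb)
    org = [mb for _, mb in history]  # organisation-wide baseline

    findings = {}
    for user, mb in today:
        levels = []
        # Only upward deviations matter for outbound data volume.
        if robust_z(mb, org) > THRESHOLD:
            levels.append("organisational")
        own = per_user.get(user, [])
        if len(own) < MIN_HISTORY:
            levels.append("no-personal-baseline")  # new or rarely seen account
        elif robust_z(mb, own) > THRESHOLD:
            levels.append("individual")
        if levels:
            findings[user] = levels
    return findings


if __name__ == "__main__":
    for user, levels in classify(HISTORY, TODAY).items():
        print(user, levels)
```

In this sample, bob exceeds only the organisational baseline (a high-volume role that is normal for him), while carol stays inside the organisational range but departs sharply from her own history, which is the case a single organisation-wide threshold would miss.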

Continuous integration of best practices into monitoring policies and processes

The SOC must stay up-to-date with best practices in monitoring policies and processes to ensure successful proactive monitoring and threat protection. This is achieved through forensic analysis of past events, researching emerging industry threats, and employing standards like the NIST Cybersecurity Framework. By utilising a team of security experts as part of a SOC, an organisation gets access to a wide range of professionals across several cybersecurity domains.

Playbooks and exercises for identifying potential insider threats

As part of continuous best-practice integration, the SOC maintains up-to-date playbooks for insider threat identification and response. The SOC may also engage in defensive security exercises and capture lessons learned for future proactive insider threat identification.

By the time you've detected unusual activity, it's too late

Proactive monitoring is essential to guard against damage caused by realised insider threats.

View our SOC Services such as our Managed Detection and Response (MDR) service or contact our security specialists to start enhancing your security posture against insider threats.


