How to stop malicious insider threats to cyber security with IAM and endpoint monitoring

By Paul Bottomley, Endpoint Threat Detection Lead;
Chris Donovan, Endpoint Threat Detection Principal Analyst; and,
Matthew Yee, Senior Manager, Identity and Access Management

Insider threats are sometimes less of a business risk than organisations might fear, with research showing that just 14% of cyber incidents were caused by malicious employees¹.

But there is a sense among cyber security professionals that new remote working practices might provide greater incentive or opportunity for insider threat actors. This becomes a higher priority when people are leaving the firm, particularly when those employees have corporate laptops at home.

While it’s arguable whether insider threat activity increased during lockdown, there are steps that you can take to monitor malicious activity and ensure your organisation can detect and contain any threats. This broadly falls into two security stages: a preventative layer using identity and access management (IAM) and a detection layer using endpoint monitoring.

_{[1] https://www.pandasecurity.com/mediacenter/security/cost-insider-threat-report}

Identity and access management

Identity and access management lets an organisation control the systems and data that employees can access, helping to keep the network secure from unauthorised users or threat actors. Remote working can complicate IAM controls, as employees are no longer in the office using the corporate internet connection and might even be logging onto the network using a personal computer.

To ensure the network remains secure, organisations should move towards a ‘zero trust’ system of access management. This involves the implementation of strict access controls, with users having to verify their identity even if they are already within the corporate network.

What is ‘zero trust’?

A zero trust approach starts with a shift from securing networks and perimeters to securing the interaction between users, endpoints and assets. The decision to grant access now requires more than the correct combination of identity and access rights – it considers other factors such as the device and the context of the access request.

Given the range of devices now available to employees and the prevalence of “bring your own device” policies, the traditional security perimeter can’t make the same assumptions about devices, their location and their security as when they were connected to the corporate network.

Instead, capabilities such as device management enable security and IT operations to establish the configuration of the device and determine if it meets compliance policies and rules for device security and hardening. This could include ensuring that appropriate patches have been applied to the device or that anti-malware software has been deployed.

Security teams can also implement ‘conditional access’, which uses additional factors such as the time and location of access to decide whether the request is legitimate given previous behaviour. A user accessing classified information from an unusual device at an unusual hour is more likely to be a malicious insider or external threat actor, calling for additional checks before giving them access.

The implementation of zero trust from an identity perspective involves the combination and coordination of the above functions. A consolidated source of truth for identities within an organisation is one of the first objectives, alongside a clear view of assets and endpoints and the policies that determine their “acceptable” configuration. From there it becomes a task of integrating the controls and monitoring across the user-device-network-asset chain to ensure that each is appropriately validated and unusual activities are detected.

‘Just in time’ access

Complementary to zero trust is the concept of “just in time” access. As the name implies, this provides temporary access for specific tasks and time periods, before removing it once the task has been completed. The key distinction here is that access is based on tasks, not job, role or responsibility.

From a risk perspective, “just in time” controls reduce the opportunity for malicious insiders to exploit privileged access to sensitive information. Rather than having multiple privileged accounts created and maintained (and therefore open to compromise), privileged access is only granted when needed, enabling controls, monitoring and audit to be focused during those elevated periods.

Endpoint monitoring

Though endpoint monitoring is often implemented to guard against external threats, it can also be used to spot potentially malicious activity from employees. Endpoint security tools provide near real-time data from across your IT network, enabling security teams to understand, for example, asset visibility issues, high risk threat vectors, and personally identifiable information data stores. This can be used to create interactive dashboards that highlight potential areas of risk to a network and help detect insider threats, including:

Unauthorised devices

Most organisations do not have a complete picture of the devices on their network. Endpoint monitoring tools like Tanium’s ‘Discover’ capability can identify and block unmanaged interfaces in an IT network. For example, a malicious insider may attach a non-approved device to a corporate network, which they intend to use for nefarious purposes. Tanium will alert on this activity and allow blocking if integrated with Cisco Identity Services Engine (ISE) or Palo Alto layer 3 firewalls.

Screenshot of our risk dashboard capability, summarising all unmanaged endpoints in an IT network.

Benchmarking and IT hygiene

CIS benchmarks and custom-defined benchmarks provide baselines and best practices for securely configuring a system. The execution of these benchmarks across an enterprise can provide deep insight into which endpoints are ‘drifting’ from a baseline, and ultimately which endpoints present increased risk which insiders may exploit.

For example, an insider may target an endpoint used by a more trusted employee whom they know has greater access than themselves; this would allow them to access more data and may reduce the chance that a true insider is discovered. A simple CIS benchmark that may help with this is the system inactivity timeout, which ensures the endpoint locks itself after an extended period of inactivity and lowers the endpoint’s risk score.

Poorly configured user account access

Understanding how active directory (AD) accounts and groups are configured is imperative in understanding potential attack paths for malicious insiders. Misconfigurations could allow, for example, a non-privileged user to gain administrator privileges on a production server or give an untrusted user access to all PPI data on the network. We are able to combine and enrich AD configuration data with sensitive data discovery and the endpoint benchmark to give a holistic picture of the estate.

Sensitive data

An insider will typically target sensitive data stores, which are often dispersed across an IT network and not necessarily confined to the database and file servers an organisation would expect. We often find sensitive data stores with inadequate protection on end user workstations. Tanium’s ‘Reveal’ capability enables you to identify and locate sensitive data stores before they can become a risk.

While the vast majority of breaches come from external threat actors, businesses should ensure they remain protected against insider threats. Through a combination of IAM and endpoint monitoring, organisations can detect suspicious activity from employees and prevent any breaches occurring.