printer friendly version

Managing the insider threat

The insider threat is so immense it now even has a month dedicated to it.

Gerard King.

With the mission-critical role played by today’s mainframes it is essential to pay close attention to the insider threat and the management of privileged users. I think we can safely say that there is little argument from any research house that the biggest security risk organisations face today is the insider threat.

However, that is not to say that the majority of insiders are malicious. Insider threats come from many sources. Certainly, malevolent insiders pose a threat, but often the threat originates from employee mistakes rather than malice, or a valid system account being compromised by an external attacker.

Faced with these significant threats, we must focus our security management practices at effectively mitigating the risks in this area. This is easier said than done as there are hurdles to overcome first.

The following are four best practices essential to the management of insider threat:

• Assess and secure.

• Govern and control.

• Record and review.

• Operationalise.

Assess and secure

It is important to assess your existing security posture and, based on the results, implement the necessary controls to mitigate key risks. This involves identifying your privileged users and determining which of these users truly need this level of access. It is extremely likely you will find that you have too many privileged users.

You must also understand your data landscape. Make use of scanning and classification tools to gain an understanding of where your sensitive data resides, including financial, personally identifiable information, private health material and other information that is confidential to your business. Understanding your data landscape, and determining the risks of each classification of data that you own, will provide you with the necessary information to implement good risk mitigation capabilities. Restrict access to this data as much as possible and, in many cases, limit this access to only your privileged users.

Govern and control

The use of a privileged access management tool that allows privileges to be elevated only when needed will be important to ensuring you adhere to the principles of least access and therefore mitigate risks in this area. Also, the use of multi-factor authentication for privileged users is important to prevent these high-risk accounts from falling into the wrong hands.

Monitoring these accounts to ensure compliance with access policies is essential. This will involve understanding who has access to critical applications and data as well as being informed of who has been accessing these resources. Logging and alerting around this area will help mitigate many critical risks. It is also important to identify who has not accessed sensitive resources in several months or even years. These are the users that need their permissions reduced, which will in turn reduce your overall risk and is consistent with the principles of least access.

Record and review

It is crucial to monitor the activity of all users, especially privileged users. The use of tools that can monitor activity against security policies, and send alerts when these policies are violated, is essential.

Many organisations use Security Information and Event Management (SIEM) platforms within their Security Operations Centre (SOC). A best practice involves sending mainframe security events to these SIEM platforms. This allows the SOC to identify security issues on the mainframe and react quickly to reduce the risk to the business. But, it is important to filter and enrich the event information coming from the mainframe to the SIEM platform. This ensures that these events are clearly understood and don’t overwhelm the platform.

Operationalise – strengthen that risk posture

Now that you have the necessary steps and controls in place, you need to operationalise each area to ensure you maintain a good risk posture. This includes the ongoing use of clean-up tools to review if users need their level of access control adjusted, which will be necessary when employees change jobs or leave the company. Don’t forget to continuously scan for sensitive data, as data is always changing. Understanding when and where new copies of sensitive data enter your systems helps you adjust your access policies, reduce risk and pass audits.

Adaptation is key to survival

Remember, our environments are continuously changing and we need to continuously monitor these changes and adjust. With this approach we stand the best chance of keeping our risks at the lowest possible levels.

For more information contact CA Southern Africa, +27 11 417 8594, heidi.ziegelmeier@caafrica.co.za

*https://go.forrester.com/blogs/insider-threat-gets-its-own-national-awareness-month/

Share this article:

Further reading: