Page 15 - FCW, Nov/Dec 2016

SPECIAL REPORT CYBERSECURITY: INSIDER THREATS
than half have a formal program in place to address the issue.4
SECURITY BEFORE, DURING AND AFTER
As the threat landscape changes, traditional security tools such as firewalls and intrusion detection systems are no longer enough on their own. They remain a critical component of a comprehensive security strategy, but they address only part of the problem.
Implementing these controls to deter attacks before and during an event is important, but they cannot catch everything. That is why it is so important to continuously monitor internal networks for unusual behaviors and unknown threats. The best way to do that is to look for both known-bad behaviors and behavioral anomalies.
This can be accomplished by collecting network traffic metadata such as Cisco NetFlow and analyzing it with Cisco Stealthwatch. By capturing a record of every network transaction directly from infrastructure devices such as routers, switches and firewalls, NetFlow and Stealthwatch turn the network into a security sensor that can flag suspicious activity as it happens.
Stealthwatch uses this telemetry to establish a baseline of normal behavior for devices, users and the network as a whole, and then alerts on deviations from that baseline that can signify malicious activity. For example, if the system identifies a phone-home communication from inside the network to an unusual site in Ukraine, it raises an alarm so administrators can investigate further.
Cisco's Stealthwatch turns every part of the network into a sensor, including routers, switches, wireless devices and virtual networks, and uses this data to detect traffic and behaviors that could signify an insider threat. For example, it can help agencies identify when a non-classified network interacts with a secure network, giving managers the information they need to investigate the specifics of the interaction and determine whether there has been misconduct or an attack.
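As an added illustration of the two detection ideas above, the per-host behavioral baseline and the check for a non-classified network touching a secure one, the script below is example code written for this page; it is not Stealthwatch's logic and uses no Cisco API. It builds a profile for each source host from constructed NetFlow-style records, then examines later flows and flags a flow that crosses between the assumed "unclassified" and "secure" zones, a destination country the host has never contacted, and an egress byte count far above the host's baseline. The record layout, the zone map, the pre-resolved country field and the z-score threshold are all assumptions for the demo; real NetFlow v9/IPFIX exports carry addresses, ports, protocol and counters, and GeoIP enrichment is a separate step.

```python
"""Baseline-and-anomaly detection over NetFlow-style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed records: (src_ip, dst_ip, dst_country, bytes_out).
# Real telemetry would come from routers/switches exporting NetFlow v9 or IPFIX.
BASELINE_FLOWS = [
    ("10.1.0.5", "52.10.0.1", "US", 10_000),
    ("10.1.0.5", "52.10.0.2", "US", 12_000),
    ("10.1.0.5", "99.80.0.1", "CA", 11_000),
    ("10.1.0.5", "52.10.0.3", "US", 9_000),
    ("10.1.0.5", "52.10.0.4", "US", 13_000),
    ("10.1.0.7", "10.1.0.20", "US", 4_000),
    ("10.1.0.7", "10.1.0.21", "US", 4_500),
    ("10.1.0.7", "10.1.0.22", "US", 5_000),
]

# Flows observed after the baseline window (also constructed for the demo).
NEW_FLOWS = [
    ("10.1.0.5", "52.10.0.9", "US", 12_500),      # within the host's norm
    ("10.1.0.5", "185.0.0.1", "UA", 500_000),     # new country and a volume spike
    ("10.1.0.7", "10.9.0.3", "US", 4_200),        # unclassified -> secure zone
    ("10.1.0.77", "203.0.113.1", "DE", 1_000),    # host that has no baseline yet
]

# Assumed zone map; an agency would derive this from its own segmentation design.
ZONES = {
    "unclassified": [ip_network("10.1.0.0/16")],
    "secure": [ip_network("10.9.0.0/16")],
}


def zone_of(ip):
    """Name of the internal zone containing ip, or 'external' if none matches."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def build_baseline(flows):
    """Per-source-host profile: destination countries seen and egress byte statistics."""
    countries = defaultdict(set)
    volumes = defaultdict(list)
    for src, _dst, country, nbytes in flows:
        countries[src].add(country)
        volumes[src].append(nbytes)
    return {
        src: {
            "countries": countries[src],
            "mean": mean(volumes[src]),
            "stdev": pstdev(volumes[src]),
        }
        for src in volumes
    }


def detect(baseline, flows, z=3.0):
    """Return (rule, src, detail) alerts for zone crossings and baseline deviations."""
    alerts = []
    for src, dst, country, nbytes in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Segmentation check: two different internal zones talking to each other.
        if "external" not in (src_zone, dst_zone) and src_zone != dst_zone:
            alerts.append(("zone-crossing", src, f"{src_zone}->{dst_zone} {dst}"))
        profile = baseline.get(src)
        if profile is None:
            # No history for this host: surface it rather than silently skip it.
            alerts.append(("unbaselined-host", src, dst))
            continue
        if country not in profile["countries"]:
            alerts.append(("new-destination-country", src, country))
        # Volume check: flag egress more than z standard deviations above the host's mean.
        threshold = profile["mean"] + z * profile["stdev"]
        if profile["stdev"] > 0 and nbytes > threshold:
            alerts.append(("egress-volume-spike", src, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(*alert)
```

Two caveats a practitioner would add: a baseline of a handful of flows is far too small for a stable mean and standard deviation, so a real system uses long windows and several features (ports, peers, time of day, bytes in and out) rather than one volume threshold; and an anomaly is a lead to investigate, not proof of misconduct, which is exactly why the text has the alarm going to an administrator.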
CONTINUOUS CHANGE
As more devices become network-capable and technology and threats continue to evolve, the cyberthreat landscape will remain volatile. Keeping up with these dynamic threats and techniques requires attacking the problem during all three phases: before, during and after an attack. Tools of every type should have robust security analytics, which improve the quality of detection.
Because each type of tool addresses a different set of issues, there is no one product or solution that can manage all three phases. Therefore, it’s critical to ensure all types of security tools—from firewalls and IDS to breach detection and forensics solutions—work well together.
This is where Cisco's philosophy of creating simple, open and automated security solutions can help. For example, Cisco Identity Services Engine (ISE), our access control technology, integrates with Stealthwatch. Together these tools can identify who is on the network and what they are doing, and quarantine them from the network if needed.
Most importantly, treat threat prevention and mitigation as an ongoing process. “Don’t think about it as a destination, but a journey,” says Joseph Muniz, a Technical Solutions Architect at Cisco. “You’re never fully secure because there will be new technologies and new threats all the time. It’s about putting a system in place you can rely on to keep on top of existing and new threats.”
6 Ernst & Young, Shifting into High Gear: Mitigating Risks and Demonstrating Returns, 2016
Three Types of Insider Threats
While every insider threat poses a danger to organizations, not all of them are malicious. The most common type, in fact, is simple negligence. Employees who neglect to scan their laptops when entering the building, or who use simple passwords that are easy to guess, are a common attack vector.
Insider negligence is more than twice as likely to cause problems as other factors, such as external hackers or malicious employees.5 The best way to avoid these issues is to automate security processes, such as enforcing complex passwords.
The second type of insider threat comes from employees whose credentials or computers have been compromised by external attackers. The best way to address this type of threat is breach detection technology that searches for anomalies and unusual behavior.
The last type of insider threat is the malicious insider: employees who may be angry at the organization or want to gain financially. Malicious insider threats are one of the fastest growing types of threats.6 Threat detection technology is critical for monitoring these insiders.
4 MeriTalk, Inside Job: The Federal Insider Threat Report, September 2015
5 Ponemon Institute, Closing Security Gaps to Protect Corporate Data, August 2016
For more information please visit: http://www.cisco.com/c/en/us/products/security/index.html
Sponsored Content