By SecureWorld News Team
Wed | Jun 9, 2021 | 3:15 AM PDT

What is the difference between insider threats in the movies and those at your organization?

John Checco, Resident CISO at Proofpoint, says it is usually the amount of drama involved.

"When I think of insider threat, in general, I conjure up Elliot from Mr. Robot, or that guy from Office Space, Pete Gibbons, or maybe even the computer programmer from Jurassic Park.

But the reality is those true insider threats are not that dramatic. The activity is actually going on under the covers and there are a lot of problems that we need to take care of."

Checco was co-presenting with Barry Suskind, Sr. Director of Infrastructure Security at FINRA, on the SecureWorld webcast Mitigate Insider Risk in Financial Firms. You can now watch the broadcast on-demand.

4 key findings of insider threats in the financial services sector

Checco and Suskind unpacked four key points about insiders in the finance sector based on research and their own investigations.

Checco explains it like this:

1. The insiders were not really technically sophisticated. For most of the cases, the insiders, the insider actions, were just straightforward.

2. Most of the incidents were detected either through an audit, a customer complaint, or coworker suspicion. That was interesting that all the technology that we have didn't catch the majority of these insider threats.

3. As people exfiltrated data more slowly, they have a better success rate. And, you know, we have a lot of tools that look at anomalous network behavior. But if you're slow enough, you can actually create a norm for that behavior.

4. Fraud by managers was significantly different than by non-managers. If you didn't have authority to a system, most of the time you just took documents, and you either email them, put them on USB, or print and carry them out. Whereas a manager who had access to a system would actually either manipulate the system or get one of their subordinates to manipulate the system.
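Finding 3 can be reproduced with a few lines of detection logic. The following is an added example, not material from the webcast: the daily volumes, window sizes, and thresholds are constructed assumptions, and both function names are hypothetical.

```python
"""Added example: slow exfiltration vs. a self-adjusting baseline (constructed data)."""
from statistics import mean, pstdev

def rolling_zscore_hits(series, window=14, threshold=3.0):
    """Flag day i when it sits > threshold std-devs above the prior `window` days.
    The baseline moves with the user, so gradual growth becomes the new norm."""
    hits = []
    for i in range(window, len(series)):
        past = series[i - window:i]
        sd = pstdev(past)
        if sd > 0 and (series[i] - mean(past)) / sd > threshold:
            hits.append(i)
    return hits

def frozen_baseline_hits(series, ref_days=28, window=14, ratio=1.5):
    """Flag day i when the trailing `window`-day mean exceeds `ratio` times a
    reference fixed from the first `ref_days` days (it never re-learns)."""
    reference = mean(series[:ref_days])
    hits = []
    for i in range(ref_days + window - 1, len(series)):
        if mean(series[i - window + 1:i + 1]) > ratio * reference:
            hits.append(i)
    return hits

def jitter(day):
    # Constructed day-to-day noise: +/-10 MB around the trend.
    return 10.0 if day % 2 == 0 else -10.0

# Constructed daily outbound volume in MB for one hypothetical user.
# slow: 30 normal days at ~100 MB, then 1% growth per day for 180 days (~6x).
slow = [100.0 + jitter(d) for d in range(30)]
slow += [100.0 * 1.01 ** (d - 29) + jitter(d) for d in range(30, 210)]
# burst: 45 normal days, then a single 600 MB day.
burst = [100.0 + jitter(d) for d in range(45)] + [600.0]

if __name__ == "__main__":
    for name, series in (("slow", slow), ("burst", burst)):
        print(name, "rolling z-score:", rolling_zscore_hits(series)[:3],
              "frozen baseline:", frozen_baseline_hits(series)[:3])
```

On this data the rolling check flags only the burst and the frozen reference flags only the slow ramp, so the two checks are complementary rather than interchangeable.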

In the webcast, Checco also shared some fascinating insider threat case studies that he investigated, including one where an employee quit on the spot when asked about their questionable activity.

Using UBA to track insider threats

Barry Suskind explained that his organization has a large number of insider threat mitigation tools already implemented.

An insider could do substantial reputational harm to FINRA, which is a government-authorized organization that oversees U.S. broker-dealers. FINRA helps maintain the integrity of the financial markets and takes that role very seriously.

"We do have user behavior analysis that occurs within the company, and we take in as much of the data as possible. So we're logging all the emails, we're logging all the print jobs, we're logging network access. We do log access to the people that read from USB devices, and the few people that can write from them. We're logging all of that," Suskind says.

"For printing, one unique part of it that I've discovered is if you just print a normal document, the print job will say who did it and the name of the document. But if you're printing emails, all you see is Outlook memo format; you really don't know what's being printed.

So I made use of my endpoint DLP in a unique fashion to say if you're in Outlook, and you use the print function, the sensitive content is from, to, subject, date. So I capture that information as a DLP event, even though it's just for information that my insider threat team uses in conjunction with the other information to track down what people may be doing."

Insider threat webinar now available on-demand

If you are in the financial services sector, there are many more insights shared in the on-demand webcast, Mitigate Insider Risk in Financial Firms.

The discussion also looks at the following:

  • Who owns insider threat risk?
  • How does organizational size impact insider threat detection?
  • With work from home and telework on the rise, how can you track insider threats?
  • Ways to think outside the box to monitor employees 
  • Unique challenges faced by financial services firms trying to track rogue employees

Here is one final thought from John Checco: 

"You can have all the automation in the world, all the best tools in the world, but you need someone to look at this data. And you need to start using some of the tools in your toolbox that aren't specifically for insider threats to help you find the root cause and then help thwart any future insider threats."
