Sep 22 2022

Mitigate Insider Risk with These Tools

Agencies are overrun with cyberthreats. Here’s how to decide which protection tools work best.

It’s bad enough that your agency needs to worry about myriad cyber risks such as ransomware, spear phishing, the exposure that comes with remote workers and so on. Cybersecurity teams are also overwhelmed by a stream of new cyber protections, while users are fatigued from demands for vigilance against attacks.

However, three cybersecurity tools can help, especially when securing against malicious or negligent insiders. Individually, each tool adds a valuable layer of protection. Combined, they mitigate insider risk end to end.

They free your cyber teams from having to chase false leads and relieve your users from constantly having to watch their backs. The key is to follow best practices when deploying them.


Take the Pulse of User Behavior with UAM

The first tool is user activity monitoring, or UAM, which is among the most effective solutions for reducing insider risk. It’s also a good starting point for understanding your cyber posture and whether you need additional protections.

UAM lets you monitor risky user activities and track trends in real time. The technology detects anomalous behavior that deviates from baselines and can help you understand user intent through context-sensitive analysis. It then prioritizes high-risk events on a per-user basis and provides comprehensive visibility for organizations to take appropriate action before breaches occur.

You can gain additional insight by integrating UAM with behavioral analytics to build holistic user risk scores. This is accomplished by ingesting UAM data and other complementary data sources to drive user behavior-based models. Risk scores allow organizations to identify unusual activity against a user’s baseline and when compared with a peer group with similar roles.

Further, this actionable intelligence enables automatic orchestration of different control points to close the loop and prevent data or system breaches. For example, if users are accessing a highly sensitive database from outside the country through a different VPN connection than they normally use, their risk score may increase. This would trigger external action from an identity and access manager to force a password reset and potentially alert their supervisor of suspicious behavior.
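The risk-scoring loop described above (a per-user baseline, a peer-group baseline for users with similar roles, and a score that drives an identity-and-access action) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any UAM or analytics product; the event fields, weights, thresholds and the history of events are all constructed assumptions, and the "actions" are labels for the orchestration steps the article names (forced password reset, supervisor alert):

```python
"""Toy user-risk scorer in the spirit of the UAM/behavioral-analytics loop above.

Added example, not the code of any product named or implied by the article.
Field names, weights and thresholds are assumptions; the events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed history: (user, role, country, vpn_gateway, resource, sensitivity)
HISTORY = [
    ("alice", "analyst", "US", "vpn-east", "hr-db", "high"),
    ("alice", "analyst", "US", "vpn-east", "wiki", "low"),
    ("bob", "analyst", "US", "vpn-west", "wiki", "low"),
    ("bob", "analyst", "CA", "vpn-west", "case-db", "high"),
    ("carol", "admin", "US", "vpn-east", "hr-db", "high"),
]

# Assumed weights: deviating from the peer group counts on top of deviating from one's own baseline.
WEIGHTS = {
    "country_new_for_user": 30,
    "country_new_for_peers": 30,
    "gateway_new_for_user": 20,
    "sensitive_resource": 20,
}
RESET_THRESHOLD = 50   # assumed: force a password reset
ALERT_THRESHOLD = 80   # assumed: also alert the supervisor


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    gateways: set = field(default_factory=set)


def build_baselines(events):
    """Learn what is normal per user and per peer group (role) from past events."""
    users, peers, roles = defaultdict(Baseline), defaultdict(Baseline), {}
    for user, role, country, gateway, _resource, _sens in events:
        roles[user] = role
        for baseline in (users[user], peers[role]):
            baseline.countries.add(country)
            baseline.gateways.add(gateway)
    return users, peers, roles


def score_event(event, users, peers, roles):
    """Score one new event against the user's own baseline and the peer-group baseline."""
    user, role, country, gateway, _resource, sensitivity = event
    own = users.get(user, Baseline())
    peer = peers.get(roles.get(user, role), Baseline())
    score, reasons = 0, []
    if country not in own.countries:
        score += WEIGHTS["country_new_for_user"]
        reasons.append(f"{country} is new for {user}")
        if country not in peer.countries:
            score += WEIGHTS["country_new_for_peers"]
            reasons.append(f"{country} is new for peer group {role}")
    if gateway not in own.gateways:
        score += WEIGHTS["gateway_new_for_user"]
        reasons.append(f"{gateway} is not {user}'s usual VPN gateway")
    if sensitivity == "high":
        score += WEIGHTS["sensitive_resource"]
        reasons.append("access to a high-sensitivity resource")
    return score, reasons


def orchestrate(score):
    """Map a risk score to the control-point actions the article describes."""
    actions = []
    if score >= RESET_THRESHOLD:
        actions.append("force_password_reset")
    if score >= ALERT_THRESHOLD:
        actions.append("alert_supervisor")
    return actions


def assess(event, history=HISTORY):
    """Full loop for one event: build baselines, score, decide on actions."""
    users, peers, roles = build_baselines(history)
    score, reasons = score_event(event, users, peers, roles)
    return {"score": score, "reasons": reasons, "actions": orchestrate(score)}


if __name__ == "__main__":
    # alice from a country none of her peers use, over a gateway she never uses, into a sensitive DB
    print(assess(("alice", "analyst", "DE", "vpn-west", "hr-db", "high")))
```

The peer-group check is what separates "unusual for this person" from "unusual for anyone in this role": in the constructed history, alice logging in from Canada scores only her own deviation (bob, a fellow analyst, works from there), while a login from Germany also scores the peer deviation and crosses the supervisor-alert threshold.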


Remove the Malware You Can’t See

Much of the data your employees consume is in the form of text and image files such as Word documents, PDFs and JPGs. Cyberattackers can embed malicious code in these files. As users download and share infected files, they can become unwitting accomplices in cyber breaches across your network.

The solution is content disarm and reconstruction. As users download and share files, CDR intercepts them, captures the valid text and image code, and builds new, sanitized files that are free of malware. The deconstruction and reconstruction occur in near real time, without affecting employee productivity.

CDR is also useful for cyber analysts conducting forensics. When an analyst accesses a suspicious file, CDR presents the safe, reconstructed version. The original file is retained in quarantine as a forensic record.
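The defining move of CDR is that it does not try to recognise malware; it walks the file's structure, keeps only the parts a renderer needs, and writes a new file from those parts, while the original goes to quarantine with a fingerprint. The following added example (not code from the article or from any CDR product) applies that idea to the simplest of the formats mentioned, JPEG: it parses the marker segments, rebuilds the file from the decoding-relevant segments only, and discards metadata segments (APPn, COM) where non-image content usually hides. The sample file is constructed to be structurally valid but is not a real picture, and the "keep" list is a deliberate simplification of what a production CDR engine would do (which typically re-encodes the pixels as well):

```python
"""Minimal content disarm and reconstruction for JPEG (added example, not a product's code).

Rebuilds a JPEG from the segments a decoder needs and drops everything else.
The sample bytes below are constructed and are not a decodable image.
"""
import hashlib

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments a baseline/progressive decoder needs: DQT, SOF0-SOF2, DHT, DRI, SOS.
# APPn (0xE0-0xEF) and COM (0xFE) carry metadata only and are rebuilt away.
KEEP = {0xDB, 0xC0, 0xC1, 0xC2, 0xC4, 0xDD, SOS}


def iter_segments(data):
    """Yield (marker, raw_bytes) per JPEG segment; the SOS item includes its entropy-coded data."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == EOI:
            yield EOI, data[i:i + 2]
            return
        # every other segment we accept carries a 2-byte big-endian length that includes itself
        end = i + 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == SOS:
            # entropy data ends at the first 0xFF not followed by a stuffed 0x00 or an RSTn marker
            j = end
            while j + 1 < len(data) and not (
                data[j] == 0xFF and data[j + 1] != 0x00 and not 0xD0 <= data[j + 1] <= 0xD7
            ):
                j += 1
            end = j
        yield marker, data[i:end]
        i = end
    raise ValueError("truncated JPEG: missing EOI")


def disarm(data):
    """Rebuild the file from structural segments only; return (clean_bytes, dropped_markers)."""
    out, dropped = bytearray(), []
    for marker, raw in iter_segments(data):
        if marker in (SOI, EOI) or marker in KEEP:
            out += raw
        else:
            dropped.append(marker)
    return bytes(out), dropped


def cdr(data):
    """Return the sanitized file plus the record that points back at the quarantined original."""
    clean, dropped = disarm(data)
    return {
        "clean": clean,
        "dropped": [f"0x{m:02X}" for m in dropped],
        "quarantine_sha256": hashlib.sha256(data).hexdigest(),
    }


def _seg(marker, payload):
    """Build one length-prefixed segment (helper for the constructed sample)."""
    return b"\xFF" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: valid segment structure, not a decodable picture.
SAMPLE = (
    b"\xFF\xD8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xFE, b"constructed: non-image payload hidden in a comment")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + _seg(0xC4, b"\x00" + bytes(16))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3F\x00") + b"\x2A\xFF\x00\x1F"  # entropy data with a stuffed FF00
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    result = cdr(SAMPLE)
    print("dropped:", result["dropped"], "quarantine:", result["quarantine_sha256"][:16])
```

Two properties worth checking in any reconstruction engine are visible here: the output is idempotent (disarming the clean file changes nothing), and malformed input fails closed with an exception rather than being passed through, which is the behaviour you want when the parser meets something it does not understand.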

Browse the Internet in an Isolated Manner

From health experts monitoring trends to intelligence agents tracking adversaries, many agency employees spend time scouring the internet. That potentially exposes them to malware embedded in websites.

Remote browser isolation lets employees access webpages but prevents hidden malicious code from reaching their devices. To users, it looks like they’re using their familiar web browser, but the RBI solution is isolating the web session to keep malware from getting through.

An effective RBI solution can work in two ways. Secure streaming delivers high-level protection in high-bandwidth use cases. Native rendering provides similar protection but with lower performance demands.

Use Best Practices for Deployment

UAM, CDR and RBI should be deployed in steps. Start by gathering data about normal user and network activities from your control points — everything from endpoint sensors to edge devices to your cloud access security broker (CASB). The right visibility is the key to knowing what, when and how to apply technology to increase your overall program efficacy and responsiveness.

Then develop policies around user behavior and what your organization considers a compromise. The sensitivity of your data, the way employees interact with data and the criticality of your mission all inform how you define a breach. Your policies should likewise be dynamic to reflect changes to your mission and your data needs.

Next, involve stakeholders from executive leadership, HR, legal, compliance, IT, communications and so on to explore what-if scenarios and determine how you’ll respond to a breach.


An employee stealing data will involve the cyber team, but what if a user views inappropriate material on an agency laptop? What if they make online threats? That might involve HR or legal.

Now you’re ready to deploy your new cyber tools. In addition to monitoring user activity, UAM can validate the effectiveness of your other security solutions and control points such as data loss prevention, CASB and external device controls.

Once you have the appropriate visibility to determine anomalous behavior, you can layer on technologies like CDR to neutralize the threat of malware embedded in content that might otherwise seem harmless. Then, RBI can be added to further insulate employees from malware embedded in specific web pages accessed as part of a person’s daily job.

Protect Workers’ Privacy as You Protect Data

As you mitigate insider threats, don’t forget user privacy. Effective protections will have privacy baked in. Look for solutions that have a strong immutable audit trail, so that the monitoring technology itself cannot be misused by the people who have access to sensitive company data. Tools should remove preconceived “human bias” and allow data to drive critical business decisions.


Along with an audit trail, privacy protection should include granular policy controls, role-based access, two-person authentication (when appropriate), and data encryption in transit and at rest, to name a few. Having confidence that technology is being applied properly will go a long way toward building consensus and adoption of your insider risk program.
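The controls listed above (an immutable audit trail, granular policy, role-based access and two-person authorization) fit together in a small amount of code. The following is an added example, not code from the article or from any product: a hash-chained audit log in which every entry commits to the one before it, so that editing or deleting a record breaks verification, wrapped around an access check for UAM data. The roles, the actions, and the rule that viewing raw activity needs an investigator plus a second person are assumptions chosen to illustrate the article's list:

```python
"""Tamper-evident audit trail with role-based and two-person checks around UAM data access.

Added example, not taken from any product. Roles, actions and the approval rule are assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64


class AuditTrail:
    """Append-only log where each entry commits to the previous one, so edits and deletions show up."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, subject, outcome):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "subject": subject, "outcome": outcome, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


# Assumed granular policy: raw activity data needs an investigator role AND a second person.
ROLE_PERMISSIONS = {
    "investigator": {"view_risk_summary", "view_raw_activity"},
    "manager": {"view_risk_summary"},
}
TWO_PERSON_ACTIONS = {"view_raw_activity"}


def authorize(trail, actor, role, action, subject, approvers=()):
    """Decide an access request, record the decision (granted or denied), and return the decision."""
    granted = action in ROLE_PERMISSIONS.get(role, set())
    others = [a for a in approvers if a != actor]  # the requester cannot be their own second person
    if granted and action in TWO_PERSON_ACTIONS and not others:
        granted = False
    trail.append(actor, action, subject, "granted" if granted else "denied")
    return granted


if __name__ == "__main__":
    trail = AuditTrail()
    print(authorize(trail, "dan", "investigator", "view_raw_activity", "user:alice", approvers=["eve"]))
    print(trail.verify())
```

Denied requests are logged as deliberately as granted ones; a trail that only records successes cannot show who kept trying. In a deployment, the chain head (the latest hash) would be anchored somewhere the operators of the monitoring system cannot write, which is what turns "tamper-evident" into "immutable" in practice.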

UAM, CDR and RBI won’t completely eliminate user threats, because no cyber solution can. But they provide proven, effective protections that can meaningfully mitigate insider risk. By building on one another, they can ensure a closed loop of flexible safeguards that ease the burden on your users and your cyber team while strengthening the cybersecurity posture of your agency.

