The typical organization loses 5% of its revenues to fraud by its own employees each year, with most thefts committed by trusted employees in executive management, operations, accounting, sales, customer service or purchasing, according to the Association of Certified Fraud Examiners (ACFE). This type of malicious behavior by "privileged users" who have been given broad access to the company's computer assets has captured the attention of CIOs across the country.
It's no mystery why: insider breaches can damage a company's reputation, market advantage and its bottom line, stretching into billions of dollars. Despite the increased awareness and severity of the risk, a recent Ponemon survey of 693 IT professionals, commissioned by Raytheon revealed only 40% of IT budgets have dedicated funding to fight insider threats.
One reason for lack of funding is IT security budgets are largely targeted to defend against external threats, which are greater in number, but not necessarily as devastating in severity and damage to an organization. The irony of this is highlighted in the same survey: 45% say it's likely that social engineers from outside the organization will target privileged users to obtain their access rights. This underscores that "insider" does not mean a person has to be physically based in an organization and that privileged users should truly be the focus when we talk about insider threats.
So who is the privileged user?
In any company, the privileged user is an employee with authority to access more than usual company data or make changes to the company network. Companies need privileged users because they have access to source code, file systems and other assets that allow them to upgrade the systems or make other technical changes.
Because they have greater access to the network and are limited by fewer controls, privileged users can access more of their companies' intellectual property, such as corporate data or confidential product information. They often have the ability to easily get around controls that restrict other non-privileged users and they sometimes abuse what should be temporary access privileges to perform tasks.
An example illustrates the problem: Bob is logged in with ordinary network access privileges but receives a help desk ticket that requires him to log out and log back in as a system administrator. Once the task is performed, Bob remains logged in as the system administrator with elevated privileges, exposing the network to a much greater security vulnerability if he were to be victimized by a cyberattack.
One way to tackle it is by focusing on Privileged User Monitoring and Access (PUMA), which relies on monitoring human behavior to determine the context of the behavior and people's intent as well as automated tools such as video replay to keep an eye on privileged user activities. Monitoring human behavior is especially important with privileged users because they often have the know-how to cover their tracks, a feat that becomes much harder with video replay and other technologies that can have a deterrent effect by their presence. If privileged users know you're monitoring their activity, they're less likely to behave badly.
At the core of the privileged user problem is this dichotomy: With greater access to a company's computer assets comes greater security risk. The privileged user can be a company's security enforcer but also its greatest security risk.
Put another way, if a privileged user wants to do bad things, their elevated access to the company network makes it easier for them. But even a well-intentioned privileged user poses high risks. When a system administrator or network engineer with elevated access clicks on a malicious link, because of their greater access to the network, it's far more likely to do company-wide damage than if an office manager without elevated access clicks on the same link.
The privileged user threat shows no signs of diminishing, in part because of economic pressures that have forced companies to try and do more with smaller staffs, leading to stressed out employees who are likely to be more careless about their use of elevated access privileges. And in today's environment companies have a greater responsibility to report data losses of all sizes, so data theft by privileged users on the inside attracts widespread attention with significant negative impacts on the company's reputation and stock price.
It all adds up to a realization by companies that the biggest cyberthreat to their organization may not be from an external attack. The most serious threat may be from an unknowing "privileged user" colleague right down the hall.
Mitigating the risk
Survey respondents said the two biggest challenges companies face when addressing insider threats are having enough contextual information provided by security tools (69%) and security tools that yield too many false positives (56%). Endpoint monitoring and auditing tools allow visibility and context, alleviating these challenges.
Additionally, the best approach to mitigating privileged user abuse is to develop a comprehensive and layered strategy that implements best practices, involves process and technology, and most importantly, involves a better understanding of human behavior. It is a common myth among IT management staff that auditing privileged user activity is too difficult and complicated.
The truth is that privileged user auditing does not have to be a complicated technical challenge if the auditing and monitoring process is flexible, policy-based, and provides irrefutable attribution to a particular privileged user. The knowledge alone that an organization uses auditing and monitoring technology is a huge deterrent against privileged user abuse. Many studies have been done to help identify best practices for mitigating the risk of privileged user threats.
While there are a variety of tools that address different aspects of privileged user security, there is no single technology that fully mitigates the problem. Gartner identifies solutions used for privileged account management (PAM) as a set of technologies enabling enterprises to address these specific needs:
Your company needs its privileged users - perhaps the most valuable players in any organization. However, these are the very same people who can also become a super threat if not properly monitored. Organizations can protect themselves from privileged user threats by implementing best practices and implementing a flexible policy-based monitoring solution that ensures enterprise-wide visibility into privileged user activities. The key to mitigating privilege user abuse is the ability to determine context and intent, which can only be accomplished by monitoring human behavior.
Michael Crouse is Director of Insider Threat Strategies at Raytheon.