Long Overdue: Shedding Legacy Employee Monitoring Technology to Effectively Manage Insider Threats
The wave of recent headlines centered on the insider threat make it hard to deny that the dangers within our organizations are just as pervasive as those on the outside. The data theft and sabotage affecting companies of all sizes and across all industries - from Coca Cola and Tesla to the FDIC and Chicago Public Schools (CPS) - has instilled a renewed sense of urgency in enterprise security and technology leaders to keep critical systems and valuable IP protected.
Among those headlines was the five-year anniversary of Edward Snowden’s 2013 leak of classified NSA documents to the Guardian, reminding us that this is hardly a new challenge - and while much progress has been made, there’s still a long way to go. Data shows that the insider threat remains a top concern for nearly half of today’s IT and security teams, and that the anxiety induced by trying to defend against it is just as pervasive as the threats themselves.
It's this worry and fear, rather than strategy, that has been driving enterprise security investments and approaches.
And the pressure and urgency to retain, or regain, a sense of control and protection led to the purchase of whatever technologies were available, affordable, and seemingly capable… namely, legacy employee monitoring solutions. Methods like keystroke logging, video and screenshot capture, surveillance and GPS tracking promised to capture everything happening across an organization and make it more secure in the process. These practices have become the new normal; nearly 80 percent of major companies currently monitor employees’ email, internet, or phone activity.
That is, until now. The world is quickly evolving, far beyond the challenge-ridden and invasive methods of legacy monitoring solutions.
From the scandal surrounding major technology companies like Facebook to the repeal of US consumer data protections and the emergence of the General Data Protection Regulation (GDPR), events in recent months have people on high alert. Consumers are now dedicating significant time and attention to carefully examining the tradeoff of their personal data and privacy - the new ‘currency’ - for access, advantage, or convenience. And they’re being more vocal in their demands for a mutual, fair value exchange.
It’s only practical to acknowledge that these same concerns and newly defined expectations around privacy and transparency are translating over to the workplace – with employees taking a more active role in understanding how personal data is being collected and stored, and where invasions of their personal privacy might exist. And this shift is having widespread effects across the enterprise - from human resources and company culture to security, and perhaps most notably, employee monitoring.
There’s no question that full visibility into the behaviors and actions of our employees - as well as other insiders such as partners, customers, or vendors - is integral to effective and comprehensive enterprise security. But, it’s become more critical than ever that we evolve our approach to employee monitoring.
OLD: Security and privacy cannot co-exist.
American companies generally aren’t required by law to disclose how they monitor employees using company-issued devices (and typically the best-case scenario is including a catch-all clause in employment contracts). The tactic of self-policing alongside the absence of regulations around monitoring practices has opened the doors for employer manipulation and abuses of power, overreaching and overstepping without much consequence.
With the emergence of the GDPR and similar regulation in other geographies, it’s quickly becoming evident that any global business - regardless of geography - that hopes to sustain and thrive must adopt the mindset that the right to privacy is ‘a fundamental right of every human being.’ This is necessary not only to avoid considerable penalties, but also to be competitive in attracting and retaining skilled, talented employees - many of whom are demonstrating a growing intolerance for manipulative and intrusive monitoring practices.
NEW: Employee privacy by default, and by design.
The good news is that there is a wide range of user-centric, behavior-based technologies now available that make it entirely possible to gain full visibility without invading personal privacy (or hindering productivity, performance, or efficiency). With a focus on not just seeing, but understanding, employee behavior, it’s possible to generate a higher-fidelity signal into where suspicious activity is taking place. And with the ability to be reliably and immediately informed when a user or endpoint may be compromised, it’s no longer necessary to try to be everywhere and see everything… just what is deemed a potential risk.
There has also been significant innovation in things like data anonymization, which can keep a user’s identity hidden and behavioral data protected until suspicious activity is detected. These capabilities not only help alleviate employee privacy concerns, but also provide a layer of protection at a time when behavioral data is increasingly being labeled as sensitive, personally identifiable information.
OLD: Writing and applying rule-based alerts, and manually reviewing them to verify if a threat exists.
Legacy employee monitoring tools use a rule-based model, where behaviors or events are labeled ‘good’ or ‘bad’ and alerts are generated accordingly (when potentially ‘bad’ activity is detected). But what we once thought of as black and white has become shades of grey, thanks to the human element - and what presents as risky or suspicious activity for one person does not necessarily represent suspicious activity for another.
With so many variables to contend with, it is essentially impossible for the average organization to account for every one of them and write a rule for all potentially risky scenarios. Yet rule-based solutions are only as intelligent as the information being fed into them, and they rely completely on the humans who manage them to tell them what to look for. For many analysts with limited bandwidth, this makes it necessary to cast a wide net - generating potentially hundreds, if not thousands, of alerts that require a manual review to verify whether a bona fide threat exists. This has resulted in a constant state of information overload.
What’s more, there’s the challenge of the ‘unknown unknowns.’ The simple fact is that if we don’t know it presents a risk, we won’t know to look for it. If rules and indicators are designed based only on known and available information, without seeking out additional context or intelligence, there will inevitably be things that fall through the cracks.
NEW: Applying behavioral context, advanced analytics, and machine-learning to generate actionable intelligence.
The ability to write rules and policies tailored to our specific needs and environments is an absolutely necessary piece of the puzzle, and the best way to generate immediate value from any monitoring solution. And while the visibility and information provided by traditional monitoring solutions are essential, it’s critical – and now entirely possible - to go a step further.
For visibility to truly have value, it needs to be enriched with intelligence and capable of self-tuning. This means it has to be powered by technologies that can understand behavioral context, and can apply advanced analytics and machine learning, to establish a baseline of normal behavior for each user and determine when an event or behavior is abnormal relative to that baseline. With better anomaly detection come higher-quality alerts - and reliable, actionable intelligence.
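As an added illustration, not taken from the article or from any monitoring product, the following Python sketch combines the two ideas above: identities are pseudonymized with a keyed HMAC before analysis and re-identified only when an alert fires, and a per-user behavioral baseline is run next to a single static rule over constructed daily counts of files copied to removable media. The key, the event data and the thresholds are all assumptions made for the demo.

```python
"""Per-user behavioral baseline over pseudonymized identities (constructed demo).
Names become keyed pseudonyms before analysis and are re-identified only when a
per-user anomaly fires; a global static rule runs over the same data for contrast.
"""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample, not real telemetry: (user, files copied to removable media that day)
EVENTS = [
    ("alice", 3), ("alice", 4), ("alice", 2), ("alice", 5), ("alice", 3), ("alice", 4), ("alice", 41),
    ("bob", 40), ("bob", 45), ("bob", 38), ("bob", 42), ("bob", 44), ("bob", 39), ("bob", 43),
]
PSEUDONYM_KEY = b"constructed-demo-key"  # assumed; in practice held by a separate custodian


def pseudonymize(user, key=PSEUDONYM_KEY):
    """Keyed HMAC: analysts see a stable token, not a name or a guessable plain hash."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def static_rule_alerts(events, threshold=30):
    """Legacy style: one global rule applied identically to every user."""
    return [(user, n) for user, n in events if n > threshold]


def baseline_alerts(events, min_history=5, z_threshold=3.0):
    """Flag a value only when it is far outside that user's own observed history."""
    history = defaultdict(list)  # pseudonym -> past values for that user
    vault = {}                   # pseudonym -> real user; kept apart from analytics in practice
    alerts = []
    for user, value in events:
        token = pseudonymize(user)
        vault[token] = user
        past = history[token]
        if len(past) >= min_history:
            mean = statistics.mean(past)
            sd = statistics.pstdev(past) or 1.0  # constant history: count any change as one sd
            z = (value - mean) / sd
            if abs(z) > z_threshold:
                # Re-identify only now that there is a concrete reason to investigate
                alerts.append((vault[token], value, round(z, 1)))
        past.append(value)
    return alerts


if __name__ == "__main__":
    print("static rule:", static_rule_alerts(EVENTS))  # 8 hits, 7 of them bob's normal days
    print("baseline:", baseline_alerts(EVENTS))        # [('alice', 41, 39.2)]
```

The static rule fires on every one of bob's ordinary days because his job involves bulk copying, while the per-user baseline stays quiet for him and flags only alice's sudden jump.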
OLD: It’s enough to focus on investigation and forensics in hopes of prevention.
Traditional employee monitoring solutions are notorious for their heavy footprint, generating excessive amounts of data and requiring a significant investment in people and resources to analyze it before it can be acted upon. Without sufficient bandwidth or infrastructure to support this, some organizations have been forced to resort to a forensics-only style of security - piecing together events after a threat or breach has been identified, and using the information gathered to try to prevent future occurrences through punishment and restriction.
NEW: It’s critical to take a layered approach, spanning prevention, detection, mitigation, and investigation.
The security of a business’s most valuable resource, its data, is directly dependent on the security and protection of its users. It’s unreasonable to expect to minimize insider-related incidents without a layered approach, encompassing prevention and detection as well as mitigation and response - and without equal investment in both technology and human readiness.
Empowering employees with consistent and comprehensive education is an absolute must, given the volatility and sophistication of today’s threat landscape, as is equipping them with the tools needed to build responsible security habits. But, even in the best-case scenario – with a commitment to employee education and training, and high levels of employee awareness – human behaviors will eventually put an organization at risk. This further emphasizes the need to have a continuous monitoring system in place that delivers unobstructed, real-time visibility into user behavior.
OLD: It’s sufficient to monitor the select few if we can’t monitor them all.
The heavy footprint of traditional monitoring solutions has also rendered it essentially impossible to deploy them at scale. With a limitation on the number of users that could be monitored, many organizations narrowed their focus - and visibility - to include only the most privileged users.
While it’s certainly true that with increased access to systems and data comes increased vulnerability, the reality is that all users are equally capable of putting the business at risk. And more often than not, it’s not because they are malicious, but simply careless; more than 60 percent of insider incidents can be attributed to user negligence.
A common pattern seen in many high-profile cyberattacks - notably Yahoo, SWIFT / the Bangladesh Bank and the DNC, among others - begins with a targeted social engineering or phishing attack on a ‘semi-privileged and unsuspecting’ employee. (SOURCES: Cyberark Article / Ars Technica Article)
NEW: It’s imperative to have full, enterprise-wide visibility that spans all users and environments.
The bottom line is that every employee is human, and that fact alone makes them vulnerable. Whether it’s falling prey to the social engineering tactics of bad actors or inadvertently leaving a backdoor open, it only takes one user – any user – to compromise a network. And how much damage is done is directly related to an attacker’s ability to move swiftly and undetected across the network, harvest credentials and escalate privileges, and gain access to critical systems and data.
This means, in order to be truly effective, monitoring solutions need to be capable of detecting anomalies and flagging when someone with seemingly legitimate access is engaging in potentially harmful activity. They also need to be capable of adapting to shifting priorities and evolving needs – which is the only way to achieve full, enterprise-wide visibility that spans all environments, endpoints, and users. It’s worth noting here that organizations should be mindful not to overcorrect, or allow privileged users to become the exceptions-to-the-rule that create security blind spots… as they have become a prime target for manipulation and exploitation with the GDPR and similar regulation recently coming into effect.
OLD: Comprehensive security is dependent on secrecy.
The traditional belief is that effective enterprise security and monitoring requires secrecy or the element of surprise. But with a new world order taking hold - centered on trust and open communication - this approach is both flawed and potentially dangerous. The companies that continue to rely on it not only run the risk of legal liabilities, but also of weakening their first and last line of defense if they aren’t up front with employees about monitoring practices.
NEW: Lead with transparency and open communication.
The employees who understand how their organizations generate and use data will ultimately be in a better position to understand what activities are potentially harmful. There’s research to support the idea that transparency of information can ‘breed self-correcting behavior’ – and not only minimize careless or irresponsible security habits, but make well-intentioned employees feel more comfortable and empowered. And on the flip side, in a transparency-led environment, employees who may wish to engage in malicious activity will find there are far fewer dark corners to hide in.
OLD: Immediately establish our greatest assets as our greatest liabilities.
What’s interesting, and a bit alarming, is that the very monitoring solutions that were deployed to increase security - and secondarily, productivity - have largely inhibited efforts on both fronts… not only impeding the strength and reliability of corporate networks, but also employee access and efficiency.
While some of this can certainly be attributed to the technical implications of heavy monitoring technologies, it can also be attributed to the ‘Zero Trust’ methodology embraced alongside them. Centered on blocking, or severely restricting, access to resources and applications, this approach has actually raised our risk levels in many cases - leading users to engage in risky or irresponsible behaviors simply because they are unable to complete an essential or urgent task.
NEW: Enable our greatest assets to remain our greatest assets.
Having the right systems in place is essential here, both from a technical and a strategic perspective. Technically speaking, this means these systems provide complete, real-time visibility, use lightweight data collection, and have proven to be scalable. With these capabilities in place, it becomes - from a strategic perspective - truly possible to extend trust and allow employees to move more freely. This is likely to leave them feeling not only more empowered and accomplished, but also better equipped to make responsible security decisions.
The bottom line: yesterday’s employee monitoring approaches and technologies do not work today.
Today’s solutions must provide complete visibility into everything users do on their work devices, and be capable of generating intelligence, shining a spotlight on suspicious behavior, and filtering out the noise. They must also be scalable enough to be deployed enterprise-wide without negative impact on network performance.
Just as importantly, these programs need to be built on transparency, with the utmost respect for personal privacy and data protection. And mutual trust - between companies and their employees, as well as contractors, partners or customers - must be at the core of any program or initiative that requires visibility into behavior or the capture and collection of data.