When it comes to threat detection, spotting malicious insiders is one thing. They often leave a trail. But how do you protect against the accidental insider threat? Mike Siegel, VP of Product at Forcepoint, shares strategy and solutions.
To start, it's important to know what malicious and accidental insiders have in common and where they differ, Siegel says.
"The accidental insider and malicious insider are both trusted users on the network," he says. "It's just that one doesn't intend to do you harm, and the other explicitly intends to do harm."
And while high-profile cases such as Edward Snowden and Private Manning have brought due attention to malicious insiders, accidental insiders are often overlooked in risk assessments. As Siegel reminds: "The statistics actually show us that we have far more accidental insiders in our organizations than we do malicious insiders."
In fact, the accidental insiders often believe they are acting in the line of duty when they make their mistakes. Among the red-flag activities to look for: Employees who take home sensitive work to complete on unsecured personal networks, or workers who click on infected links in phishing emails. "[They're] people who don't intend to do the wrong thing, but they may be targeted, they may be preyed upon by people who could be looking for them to be susceptible."
Education is a partial solution - but not nearly enough, Siegel says. Organizations also need to deploy tools such as spam filters, secure gateways and sandboxing technologies to help mitigate the vulnerabilities introduced by human behavior.
In an interview about mitigating the accidental insider threat, Siegel discusses:
- Common characteristics of the accidental insider;
- How to avoid falling into the trap of "sawtooth compliance;"
- His vision of "total protection" to ward off internal and external attacks.
Siegel is vice president of products for Forcepoint, LLC. He leads product management, technical marketing and analyst relations, and helps define the company's strategic direction. Siegel joined Websense in 2013 and helped sell the company to Raytheon Company in 2015.
Prior to Websense, Siegel worked three years with venture funded Mocana Corporation as vice president of products. Before Mocana, Siegel spent nearly a decade at McAfee. Prior to McAfee, he was a financial analyst for Deutsche Bank's technology investment banking group.
Siegel received a bachelor's degree from the University of California at Berkeley, and an MBA from U.C. Berkeley's Haas School of Business.
Defining the Accidental Insider Threat
TOM FIELD: Mike, we all have general awareness of the malicious insider. How do you differentiate and define the accidental insider threat, and why do you find that organizations are so unprepared to mitigate that today?
MIKE SIEGEL: First, let's think about how information security really used to work. You used the moat and castle concept. Everyone on the outside was a bad guy, and everyone on the inside was your team. And so most defenses were very similar - the moat, the walls of the castle, the drawbridge - they were all designed to keep the outsiders out of the organization.
Now we know from the news that people with bad intentions may be in the trusted positions on your network. They may be planted there to steal your designs, to conduct industrial espionage or to steal valuable customer information. They may be motivated by money, anger or ideology. But the point is they're there to cause harm to your organization.
The accidental insider is also in a trusted position, but they don't necessarily mean to cause you harm. In fact, that's why they're called accidental. They do things that, at the end of the day, are bad for the security of your organization. Maybe, they're clicking on links in an email without looking at them. They may be visiting websites that host malware. You might even have a great employee who thinks, "You know what? I'm going to take my files home, put them on my laptop [or] on my flash drive, and go work on them over the weekend, because I couldn't get it done by the end of my work week. But when the weekend's over, the employee brings back the finished work, and all of the bad things, all the viruses that were sitting on that family computer, come along with it. And we've seen workers be targeted specifically at home, knowing that they will be bringing these threats back to work with them.
So, the accidental insider and the malicious insider are both trusted users on the network. It's just that one doesn't intend to do you harm, while the other explicitly intends to do you harm. And while the malicious insider can do enormous damage - we often think of the Edward Snowdens or the Private Mannings of the world - the statistics actually show us that we have far more potential accidental insiders inside the organization than we do the malicious insider.
Characteristics of the Accidental Insider
FIELD: That's a good point, Mike, and my friends at the Insider Threat Center at Carnegie Mellon University are now focusing a lot more of their research on this accidental insider. Now you touched on this to some extent in your previous answer, but could you go a little bit deeper and tell us what you find to be some of the common characteristics of this accidental insider?
SIEGEL: The most common characteristic of these accidental insiders is they don't intend to do harm. In many ways, they're actually doing things they think are in line with conducting business. As I've said before, it could be taking files home over the weekend, having the internal data be exposed outside the corporate walls in a way that's not with the highest security hygiene, if you will. It could be clicking on bad links, clicking on phishing emails. They're being preyed upon by malicious individuals who know that human nature is to conduct business in this way. When you receive an email from someone whose name you recognize, you believe it's from someone that you know is within your company. Instead what has happened is a phisher has changed very slightly the email domain. And so, while you think you may be clicking on an email from someone who's trusted, it's actually not, and you could be bringing malware and other files into the organization that way.
So those are the characteristics that we tend to see. It's people who don't intend to do the wrong thing, but they may be targeted or preyed upon by people who could be looking for them to be susceptible.
Solutions to Detect and Prevent Compromise
FIELD: Mike, what do you find to be some of the common security gaps within organizations, and what are some of the technical, as well as non-technical, solutions that organizations should deploy to detect and prevent compromise from these accidental insiders?
SIEGEL: Both technical and non-technical solutions play an important role in preventing accidental insiders from doing harm. First, let's look at prevention, using an example of a very recent memory. We're recording this in January; we just had New Year's. A lot of people have New Year's resolutions, but how many people abandon those resolutions very quickly thereafter? It happens to all of us. It's kind of funny, but at the end of the day, willpower is a finite resource.
The same is true for security education. We fundamentally believe in educating our users, and we call that within Forcepoint, "Raising the Human Security IQ." But there are really only so many things that you can remember, and business moves very first. And, as I said before, if I've got to get that work done and I've got to put that on a USB stick in order to bring it home over the weekend, I may make the decision to go do that, even though it's against my better judgment, from a security standpoint. And since threats change all the time and IT policy changes all the time, you really can't expect the well-intentioned insider to know exactly what, potentially, puts them and the organization at risk for harm.
So, while it's important to educate, you're really just hoping for normal human beings to do the right thing every time, and, unfortunately, as we know, hope is not a very good strategy. So, we believe it's important to, as well as you can, engineer out human behavior as a factor. You can employ things like spam filters and secure Web gateways, tools to keep us from going to bad links or clicking on bad emails in the first place. We do things like sandboxing a file so we can look at them in a safe place before they go down to an end user's machine, and they have the ability to click on them. We can apply data loss prevention on data, and we can use firewalls to keep users and applications out, both from outside the network, as well as to keep people from accessing data they don't really need to do their jobs. That's the prevention piece of this, and our TRITON platform is a leader in this area.
When it comes to insider threats, detection is an entirely different story. For malicious insiders, we use human intelligence and technical controls. Human intelligence might include security clearances, background checks and knowing who might be motivated to do you harm. A disgruntled employee with a high level of credit card debt and substance abuse issues, for example, is one stereotype, but that only takes you so far. From all accounts, Edward Snowden was actually a pretty gregarious good guy that no one really suspected. He had all the right security clearances, and he didn't trip any red flags whatsoever.
And that is what's exciting about our SureView Insider Threat product. Both accidental and malicious insiders are flagged based upon their behavior on the network at the endpoint, in terms of the communications they conduct and the applications they access. With SureView, we know what risky user behavior looks like. This allows our customers to essentially have an early warning system. They can automatically identify the riskiest end users within the organization, based on those behaviors, as well as information they received from other systems like our TRITON AP-DATA, which is Forcepoint's data loss prevention solution.
SureView Insider Threat gathers and provides really rich context around these actions. We even have the ability to record and play back a user screen before, during and even after these risky behaviors are conducted. So we aren't asking someone to review all the user logs from the Web. That would be, you know, far too time-consuming, and no one has time to do that. What we're doing instead is we're automating these processes. We're having machine learning and the technology automate what we think is risky. We're recording and providing that information and making it accessible to the security administrator.
Avoiding the 'Sawtooth Compliance' Trap
FIELD: Mike, I want to come back and ask you about the products in a moment, but I want to talk to you first about education and about policy. Now we've established that education's important, but really it's insufficient, so once you've deployed policies and controls, how does an organization avoid falling into the trap of what you call "sawtooth compliance?"
SIEGEL: Right, and most folks maybe don't know quite what sawtooth compliance even means. When I think of sawtooth compliance, I'm thinking about a graph of user behavior over time and looking at whether that behavior is good or bad. And so an incident happens. When that happens inside a company, there's usually a renewed focus on the rules. You get an email from legal or compliance. Then there's training, and, for a brief period of time, everyone is trying really hard to do the right thing. But the willpower, as we've described with our New Year's example, is finite, and ultimately these old habits die hard. So people then revert back to their previous behaviors, and you've got a graph that kind of looks like a sawblade. It's that population of the gym that quickly falls off just a couple weeks after New Year's. To avoid this, we try to engineer out the possibility of users misbehaving with the TRITON platform. And when SureView Insider Threat detects an insider, we can watch what they do and remediate as necessary.
Now, for the accidental insider, it might be as simple as educating them, right? Walking down the hall and saying, "Hey, I noticed that you were conducting certain kinds of activity or communicating data in a certain way." And as is often the case, putting some tighter controls in place is really sometimes all you need to do. It's a business process change to get people in the organization to essentially change their behaviors going forward. Now, for the malicious insider, not the inadvertent or the accidental one, it might actually involve continuing monitoring at a much deeper level. You could even be looking at contacting law enforcement and prosecution.
The Total Protection Scenario
FIELD: Mike, let's come back to the products. At Forcepoint, you stress the importance of total protection to forestall insider threats and external attacks. Talk to me a bit about how your solutions provide this in real-world situations, and how you differentiate yourselves from your competitors as well.
SIEGEL: As we look at the IT security or cybersecurity industry, there are over 300 or 400 different vendors who have a product, a point product [or] a solution, attempting to help customers to stay secure. But if you look at those companies, at least 95 percent to probably 99 percent of them are focused on the external threat. It's about the castle wall, putting up the moat. Very few vendors have technologies that are specifically focused on looking at the insider threat, both accidental and malicious. So one of Forcepoint's main differentiators is the fact that we're offering this total protection scenario. Yes, obviously, we want to prevent the external actor from coming into your organization and causing harm, but we have an equal amount of focus on the insider as well. And when you combine these two, there's actually some great synergy because the external actor who penetrates your corporate walls and perhaps even steals the identity and credentials of a user, now can pose as if they were an insider. So, while they're really an external threat, they're now acting and behaving like an internal threat, and so this overlap means that the technologies you employ need to be integrated. They have to be able to share intelligence and awareness, and that is what Forcepoint's platform is all about. We're building off of the TRITON platform that was originally conceived by Websense many years ago and taking that to the next level, integrating Raytheon Cyber Product Technologies, Stonesoft Technologies, and creating a very comprehensive set of security tools that work under one umbrella framework, one that shares threat intelligence across and provides the ability for key professionals in the security industry to make better decisions. That's really what we're all about, and we want to apply that level of security rigor to the user, to the data and to the networks these users traverse. And those networks could be on premise, or they could be in the cloud. We're very much focused on making our solution cloud-centric in our approach because, frankly, that's where the IT infrastructure and the critical applications are going today.
Consolidating Security Solutions Into a Comprehensive Platform
FIELD: Mike, that's a great explanation. I want to ask you one final question. If you could draw upon some of what you hear from your customers, what lessons have they learned that you can share after they have deployed your solution. What advice would they offer?
SIEGEL: In my job, I take great pride in traveling the world and meeting with our customers all the time. I meet with dozens of customers per quarter in every region around the globe, and I hear some very consistent messages from them. A lot of these are the problems that we are attempting to solve and have been solving here at Forcepoint. Number one, they are facing a world where their IT environment is changing dramatically. Most security professionals do not make the decisions themselves to move their infrastructure and their applications to the cloud for example. Those decisions are usually made by line of business or the chief information officer. General IT operations is moving that transformation to the cloud. Yet, the chief information security officer and their counterparts are responsible for securing data regardless of where it goes, and they're looking for vendors like Forcepoint to help guide them to get to the cloud safely and ensure that their data is protected as the company makes that transition. I love when we have a conversation with a customer who says, "I needed to go and embrace Office 365, but I need to get there knowing that my security posture would stay best in class, and your tools helped me make that migration happen." That's really amazing to hear.
The second thing that I hear consistently from customers is that the threats they face are only getting more complex and more challenging to deal with. The adversary is getting more intelligent and aware of the security tools that may exist within organizations, so they're trying to evade those systems constantly. It's a cat and mouse game or Whack-a-Mole. You think you've gotten one thing under control, and then, sure enough, something else pops up. One of the best stories I ever received from a customer was from a company that has a lot of intellectual property they create internally and whose entire livelihood, the billions of dollars of sales they generate every year, is based upon that intellectual property. Someone came into that company and was a plant. They were hired to steal information from that company, remove it and then sell it or take advantage of that outside the company, whether on the black market or whatnot. That person was an intentional malicious insider, and our TRITON platform detected their movements. We tracked them over a period of time and collected enough information for that person to actually be arrested and prosecuted in court. And we were able, with the help of the TRITON system to send that person to jail. That customer will never pull out the TRITON system. It is a complete anchor point for their security posture, and they've only expanded their system since because they see the value in that system and what it has provided for them.
My last point is with regards to the amount of resources that our customers have to apply to this problem. Again, when I travel the globe, I generally ask our CISO customers, "How many open head count do you have on your staff right now? Are you looking to fill jobs within your company?" I've yet to have a customer tell me, "Nope, I'm full. We're all good to go."
The reality is that there are over a million open jobs right now in cybersecurity. You can't find the people. You can't find the expertise, and our customers are telling us they have point-product fatigue. There are just too many products that have been deployed over the last decade and a half and not enough people to manage them. They're looking for consolidation. They're looking for a platform that can take all these disparate feeds, all of these alerts that these tools create, bring them together and show the linkages between them. That way they can take 20,000 alerts and focus on the nine that really matter today, so that the four people on their staff can focus on the highest priority, highest severity things that could truly make a difference, and they're not going to go chase their tail after something that really is not meaningful.
The TRITON platform started this about six or seven years ago by bringing together Web security, email security and data security under one umbrella console, and providing the ability to see these alerts together and to be able to link and correlate them. And Forcepoint strategy, going forward, is to take this to the next level. It's to take this overall platform, as it is today, and how it will expand in the future, as well as integration with third-party tools, and give our customers a place they can go to to have a definitive understanding of what they truly should care about and where they should spend their time. If we can solve that problem, we're going to make their lives easier. They're going to have the ability to focus on things that will be more meaningful to their organization, and they're going to be happier in what they do.