There has been a lot of talk recently about the Chinese company Huawei and whether they are enabling spying by the Chinese government. It was leaked recently that the United Kingdom’s government may have decided that Huawei equipment can be trusted for at least part of the UK’s roll-out of 5G mobile services.
On Wednesday 1st May, Gavin Williamson was fired from his position as the United Kingdom’s Defence Secretary. It was alleged that he was the source of the leaked information. This was by no means the first leak from Prime Minister Theresa May’s Cabinet; it seems that every month there is a new story about a leak from a government department, or about a minister allowing their private papers to be photographed.
Whatever your opinions about Huawei, there is an important lesson here for most organisations – the potential for complex nation-state attacks might get all the headlines, but most organisations are more likely to experience cyber security incidents as a result of accidental or deliberate insider threats. Real nation-state attacks always start by going after the same low-hanging fruit that insider threats exploit, so protecting against insider threats helps defend you against those as well.
Insider threats come in many forms, from the accounting clerk who clicks on a phishing email, to a rogue member of the sales team stealing records, to the disgruntled system administrator booby-trapping your IT infrastructure. All these scenarios have their own challenges, but there are some general steps you can take to reduce your risk.
At the heart of this should be a record of what your most important assets are, and who needs what level of access. Assets include not just databases and reports, but also any credentials you may have for access to online banking, and physical equipment that is vital to the functioning of your organisation. Once you have identified your assets, you should evaluate what the impact may be from any unauthorised access or modification to the asset, or its loss in part or entirety.
Limiting access to your important assets to only those who require access is an essential step to take. Just as important, if not more so, is monitoring when your assets are accessed or modified, and by whom. A Security Information and Event Management (SIEM) solution should be employed to collect and monitor logs from throughout your IT infrastructure, and a Network Traffic Analysis solution deployed to monitor what information is being transmitted.
User and Entity Behaviour Analytics (UEBA) can also offer insight into the activity within your environment. On their own, however, these tools generate a lot of false positives and noise. A Security Operations Centre (SOC) staffed by experienced analysts is the key to unlocking their power – analysts can take the vast amounts of data these tools generate and dig into what is really going on, turning it into actionable intelligence and discovering any insider threat activity quickly. In the event of a breach, these tools in the hands of a high-quality SOC allow you to go back, examine how the breach occurred and build a full timeline of events.
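As an added illustration of the asset-register and access-monitoring advice above (this is example code, not Commissum's own tooling), the following script checks constructed access-log lines against a small register of important assets and the people permitted to read or modify each, flags accesses that exceed the permission granted, reports assets the register does not yet cover, and builds the per-user timeline a SOC would want after an incident. Asset names, user names and log lines are all constructed for the example.

```python
"""Added example: enforce an asset register against access logs.
All assets, users and log lines below are constructed sample data."""
from datetime import datetime

# Asset register: for each important asset, who may read it and who may modify it.
ASSET_REGISTER = {
    "payroll-db":    {"read": {"alice", "bob"}, "write": {"alice"}},
    "banking-creds": {"read": {"cfo"},          "write": {"cfo"}},
    "crm-exports":   {"read": {"sales-mgr"},    "write": {"sales-mgr"}},
}

# Constructed log lines in the shape "<ISO timestamp> <user> <READ|WRITE|DELETE> <asset>".
SAMPLE_LOG = """\
2019-05-01T09:02:11 alice READ payroll-db
2019-05-01T09:15:40 bob WRITE payroll-db
2019-05-01T22:47:03 dave READ crm-exports
2019-05-01T22:48:19 dave READ crm-exports
2019-05-02T08:30:00 cfo READ banking-creds
2019-05-02T08:31:12 bob DELETE unregistered-share
"""

def parse_log(text):
    """Turn raw log lines into (timestamp, user, action, asset) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, asset = line.split()
        events.append((datetime.fromisoformat(ts), user, action, asset))
    return events

def detect_violations(events, register=ASSET_REGISTER):
    """Return events on registered assets that exceed the user's permission.
    WRITE/DELETE need the 'write' set; READ is satisfied by 'read' or 'write'."""
    findings = []
    for ts, user, action, asset in events:
        entry = register.get(asset)
        if entry is None:
            continue  # not in the register: see unregistered_assets()
        if action in ("WRITE", "DELETE"):
            allowed = entry["write"]
        else:
            allowed = entry["read"] | entry["write"]
        if user not in allowed:
            findings.append((ts, user, action, asset))
    return findings

def unregistered_assets(events, register=ASSET_REGISTER):
    """Assets seen in the logs but absent from the register: gaps to review."""
    return sorted({asset for _, _, _, asset in events if asset not in register})

def user_timeline(events, user):
    """Chronological list of one user's events, for post-incident review."""
    return sorted(e for e in events if e[1] == user)
```

Running `detect_violations(parse_log(SAMPLE_LOG))` flags bob's write to the payroll database and dave's two reads of the CRM exports; the deleted share appears only in `unregistered_assets`, pointing at a gap in the register rather than a permission breach.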
Regular staff security awareness training is another element that should be rolled out. This helps to reduce the risk of accidental insider threats, and by making it clear that you as an organisation take security seriously, it deters deliberate insider threats. These training courses should be tailored to the audience, so that those with a heightened level of access to your assets are more aware of the risks and of how they can protect themselves and the organisation.
Finally, you need to prepare for the worst. Put in place a plan of action for how to respond to an insider threat, so that when it does happen you are not having to figure out how to manage it on the fly. Running a simulated incident response exercise is a great idea, as this can ensure that your response plans will stand up in the heat of the moment. This doesn’t necessarily mean hiring a crack team of cyber specialists; it could be as simple as knowing you have that resource available from a third party at short notice.
Implementing these recommendations can be a challenge for most organisations, which is where Commissum comes in. We can deliver all the above, either individually, or as part of a complete program. Our fully managed cyber security services act as an extension of your internal teams, monitoring your environment 24/7 for insider and external threats from our SOC, analysing any discoveries and making actionable recommendations based on your unique business context.
This article was written by Michelle D'israeli, Commissum's Security Operations Centre Manager.