And those aren’t even the biggest problems. The most sophisticated, advanced persistent cyber threats are often able to overcome this vulnerability reduction approach. Why? They are playing a different game. They tend to bring a long-term focus on high-value targets and can adapt to these tactics.
So, what should we be watching instead? We need to bring more focus to watching and understanding our attackers—we call this the threat focus. We need to place a greater emphasis on understanding and sharing threat patterns to balance detection with mitigation and response. We need to share and analyze knowledge gained from multiple, discrete attacks to better understand attacker behaviors and reduce the likelihood of future successful attacks by aligning our defenses and our investments to the actual threats we face.
How do you approach the insider threat?
Well, first we should define what we mean by “insider threat.” I define it to include true insiders as well as situations where an intruder has gained access to users’ credentials, and is now “free to roam.” Both types of insiders pose different yet equally challenging issues for security professionals.
Fundamentally, I approach both with a threat-based defense. This means gaining understanding of the system, of individual intruders’ behaviors, and then using the data to help inform defensive action where abnormalities exist. I like to think of the issue as looking for a needle, not in a haystack, but in a pile of needles. You don’t use the same tools and techniques to discover the latter, but you certainly can use similar understandings of the problem to start your search.
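The “pile of needles” problem above, as an added example that is not part of the interview: the second kind of insider (an intruder holding a legitimate user’s credentials) authenticates successfully, so there is nothing to find by looking for failures. What can be found is a departure from that user’s own baseline. The script below builds a per-user baseline (source hosts, working hours, target hosts) from a week of constructed authentication events, then scores new events by how many ways they deviate at once; a single novelty is treated as noise, since real users do new things every day, and only an accumulation is flagged. The log format, hostnames, user names and weights are all assumptions for the illustration.

```python
"""Per-user baseline deviation scoring for the 'valid credentials, free to
roam' insider case. Added example, not code from the interviewee; log lines,
field names, hostnames and weights are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. Assumed format: ISO timestamp followed by
# key=value fields (user, src, dst, result).
BASELINE_LOG = """\
2024-03-04T09:12:44Z user=alice src=wkstn-12 dst=fileserver-1 result=success
2024-03-04T10:40:03Z user=alice src=wkstn-12 dst=mail-1 result=success
2024-03-05T14:05:19Z user=alice src=wkstn-12 dst=fileserver-1 result=success
2024-03-06T16:55:00Z user=alice src=wkstn-12 dst=mail-1 result=success
2024-03-04T09:30:11Z user=bob src=wkstn-07 dst=fileserver-1 result=success
2024-03-05T11:02:37Z user=bob src=wkstn-07 dst=fileserver-1 result=success
2024-03-06T18:10:52Z user=bob src=wkstn-07 dst=build-1 result=success
"""

# Constructed events to score: alice's account is used at 02:00 from a VPN
# gateway against hosts she has never touched; bob visits one new wiki host.
NEW_LOG = """\
2024-03-07T10:03:21Z user=alice src=wkstn-12 dst=fileserver-1 result=success
2024-03-07T11:00:05Z user=bob src=wkstn-07 dst=fileserver-1 result=success
2024-03-08T02:15:40Z user=alice src=vpn-gw-3 dst=fileserver-1 result=success
2024-03-08T02:20:12Z user=alice src=vpn-gw-3 dst=dc-1 result=success
2024-03-08T02:22:58Z user=alice src=vpn-gw-3 dst=hr-db-1 result=success
2024-03-08T09:45:00Z user=bob src=wkstn-07 dst=wiki-1 result=success
"""

# Assumed weights: every deviation type counts one; an unknown user (no
# baseline at all) is scored at the threshold so it is always surfaced.
WEIGHTS = {"new_src": 1, "off_hours": 1, "new_dst": 1}
FLAG_THRESHOLD = 2  # one novelty is a needle in a pile of needles; two together earn a look


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events):
    """What each user normally does: source hosts, hours of day, target hosts."""
    base = defaultdict(lambda: {"src": set(), "hours": set(), "dst": set()})
    for ev in events:
        if ev.get("result") != "success":
            continue  # failed logons do not describe the legitimate user
        b = base[ev["user"]]
        b["src"].add(ev["src"])
        b["hours"].add(ev["time"].hour)
        b["dst"].add(ev["dst"])
    return dict(base)


def deviations(baseline, ev):
    """List the ways one event departs from its user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["unknown_user"]
    reasons = []
    if ev["src"] not in b["src"]:
        reasons.append("new_src")
    if ev["time"].hour not in b["hours"]:
        reasons.append("off_hours")
    if ev["dst"] not in b["dst"]:
        reasons.append("new_dst")
    return reasons


def score(reasons):
    return sum(WEIGHTS.get(r, FLAG_THRESHOLD) for r in reasons)


def find_flagged(baseline, events):
    """Events whose combined deviation score reaches the threshold."""
    out = []
    for ev in events:
        r = deviations(baseline, ev)
        if score(r) >= FLAG_THRESHOLD:
            out.append((ev["user"], ev["time"].isoformat(), ev["src"], ev["dst"], tuple(r)))
    return out


def roaming_users(baseline, events, min_new_dst=2):
    """Users whose flagged events reach several hosts they never touched before:
    the breadth of movement, not any single logon, is the 'free to roam' signal."""
    touched = defaultdict(set)
    for user, _, _, dst, reasons in find_flagged(baseline, events):
        if "new_dst" in reasons:
            touched[user].add(dst)
    return sorted(u for u, d in touched.items() if len(d) >= min_new_dst)


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    new = parse_log(NEW_LOG)
    for hit in find_flagged(base, new):
        print("FLAG", hit)
    print("roaming:", roaming_users(base, new))
```

Run stand-alone, it flags only the three early-morning alice events (bob’s single new host scores 1 and stays quiet) and names alice as the one account spreading across hosts outside her baseline. In practice the baseline window, the hour granularity and the weights need tuning per environment, and the accumulation step (`roaming_users`) is the part worth keeping: it is the pattern across several authentications, not any one of them, that separates a roaming intruder from a legitimate user having an unusual day.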