Monitoring privileged access
Aidan Simister outlines some options for protecting against insider threat
Some of the biggest threats to any organisation still come from within. Verizon's 2013 Data Breach Investigations Report attributed 14 per cent of the incidents it analysed to insiders.
The weakest link in any organisation is rarely its systems but the people who operate them. The insider threat is usually pictured as a rogue employee or a planted "mole", yet the more obvious case is the IT administrator or manager who already holds privileged access and does not need to hack anything.
That group includes external contractors, managed security service providers, and even vendor or channel support staff.
They can stop and start systems, make critical changes such as granting access rights, and clear the security logs that record those actions. On Windows, clearing the Security log leaves behind only a single "audit log cleared" event, which names the account that did it but says nothing about what was lost.
We all prefer to believe we can rely on trusted employees or external consultants to do the right thing but it is always possible someone could abuse his or her access privileges.
And of course if they become disgruntled or plan to leave for a competitor, the risk is even greater.
Most organisations have only limited means of tracing a given IT event to the person who caused it. Staff at a large retailer recently told me it had 90 IT administrators, including a number working on contract through an outsourcer, but no way of determining which changes had been made by which administrator at any given time.
You cannot always stop people becoming disgruntled or eliminate every mistake, but you can make sure you know who did what, where, and when. Yet few IT teams really know what is happening in their infrastructure at any given point. Even some of the largest organisations still trawl through native log files by hand to get the answers.
There is also the question of how quickly you can identify the change in the infrastructure that caused a problem or failure, whether it came from user error or something more malicious.
Active Directory is at the core of most modern networks, yet the majority of organisations cannot tell you who has made changes, what they changed and when they did it. The native "Directory Service Changes" audit subcategory, which records the attribute and value each change set or removed, has to be enabled deliberately on the domain controllers and is not on by default.
The same is true of changes to password policies and procedures. And, despite our reliance on email, it is not standard practice to monitor for erroneous or malicious changes to Microsoft Exchange.
Furthermore, when it comes to basic file access, many companies do not know who accessed a file, when it was accessed, or whether the attempt succeeded or failed. Here the gap is often total: Windows writes no file-access events at all unless object-access auditing is enabled and the file or folder carries an audit entry (SACL).
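The following is an added example, not code from the article or from NetWrix, showing what "who did what, where and when" looks like with nothing more than the native Windows audit trail. It enables the two audit subcategories that produce Active Directory change and file-access events, puts an audit entry on a folder so that file events are generated at all, and then reduces the resulting Security log events to a table. Assumptions: it runs from an elevated PowerShell session on a domain controller (for the AD events) or a file server (for the file events); `D:\Shares\Finance` is a hypothetical folder; and the domain partition still carries its default SACL, which audits writes by Everyone, so no extra AD audit entry is needed for event 5136.

```powershell
# Added example, not taken from the article or from NetWrix: enable the native
# Windows audit trail for Active Directory object changes and for file access,
# then reduce each event in the Security log to who / what / where / when / result.
# Assumptions: elevated session on a DC (AD events) or file server (file events);
# 'D:\Shares\Finance' is a hypothetical folder; the domain partition keeps its
# default SACL (writes by Everyone are audited), so 5136 needs no extra SACL.

# 1. Turn on the two audit subcategories that generate the events we want.
#    5136 = directory service object modified  (subcategory "Directory Service Changes")
#    4656 = handle to object requested, 4663 = object accessed  (subcategory "File System")
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. File events are only produced for objects that carry a SACL, so add one
#    that audits successful and failed writes and deletes by anyone.
$folder = 'D:\Shares\Finance'
$acl    = Get-Acl -Path $folder -Audit
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Pull a named field out of an event's XML (EventData/Data[@Name='...']).
function Get-EventField {
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.SelectSingleNode("//*[@Name='$Name']")
    if ($node) { $node.InnerText } else { '' }
}

# 4. Read the last 24 hours of events back as a who / what / where / when table.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 4656, 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e   = $_      # switch below rebinds $_ to the switch value, so keep the event here
        $who = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
        $ok  = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        switch ($e.Id) {
            5136 {
                # OperationType %%14674 = value added, %%14675 = value deleted
                $op   = if ((Get-EventField $e 'OperationType') -eq '%%14674') { 'set' } else { 'removed' }
                $attr = '{0}={1}' -f (Get-EventField $e 'AttributeLDAPDisplayName'), (Get-EventField $e 'AttributeValue')
                [pscustomobject]@{
                    When   = $e.TimeCreated
                    Who    = $who
                    What   = 'AD {0}: {1} {2}' -f (Get-EventField $e 'ObjectClass'), $op, $attr
                    Where  = Get-EventField $e 'ObjectDN'
                    Result = $ok
                }
            }
            default {
                # 4656 failures are the denied attempts; 4663 records access actually exercised
                [pscustomobject]@{
                    When   = $e.TimeCreated
                    Who    = $who
                    What   = 'File access mask {0} by {1}' -f (Get-EventField $e 'AccessMask'), (Get-EventField $e 'ProcessName')
                    Where  = Get-EventField $e 'ObjectName'
                    Result = $ok
                }
            }
        }
    } | Sort-Object When | Format-Table -AutoSize
```

Two things worth knowing before relying on this: the 5136 event records only the attribute and value that changed, so reconstructing "what it was before" means finding the matching "removed" event for the same attribute; and the File System subcategory is noisy on a busy share, so the SACL should be scoped to the rights and folders that matter rather than applied to everything.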
The problem is that change auditing sounds like an additional headache and a lot of hassle when there is already not enough time in the day. Many companies do little more than pay lip service to it.
I have read that many audits are only carried out before a compliance check or as part of an investigation after an event such as data loss or server failure.
Others take a costly sledgehammer approach to the problem and opt for a security information and event management (SIEM) platform. These offerings often bundle features such as automated remediation and intrusion prevention that a change-auditing problem does not need, adding expense and complexity.
A SIEM also still depends largely on the native audit logs, and the privileged users it is meant to watch can clear those logs, or quietly turn the audit policy down, at source. The usual counter is to forward events as they are written to a collector those administrators do not control, and to alert on the "audit log cleared" and "audit policy changed" events themselves.
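As an added example, not code from the article or from NetWrix, the script below covers the tampering point above: it lists the Security log events that mean the audit trail itself was touched, attributing each to an account, and then diffs the live audit policy against a saved baseline to catch the quieter trick of simply lowering the policy. Assumptions: it runs in an elevated session, and `C:\audit\auditpol-baseline.csv` is a hypothetical copy of the `auditpol /get /category:* /r` output saved when the policy was known to be good.

```powershell
# Added example, not taken from the article or from NetWrix: spot the two ways a
# privileged user blinds the native audit trail on a Windows host (clearing the
# Security log, or changing the audit policy / object SACLs) and attribute each
# to an account. Assumptions: elevated session; C:\audit\auditpol-baseline.csv is
# a hypothetical baseline produced earlier with
#   auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
#       Export-Csv C:\audit\auditpol-baseline.csv -NoTypeInformation

# Events that mean the trail itself was touched. 1102 is written into the freshly
# cleared log and names the clearing account; 4719 and 4907 carry SubjectUserName;
# 1100 has no subject at all.
$tamperIds = @{
    1102 = 'Security log cleared'
    1100 = 'Event logging service shut down'
    4719 = 'System audit policy changed'
    4907 = 'Auditing settings (SACL) on an object changed'
}

# 1102 keeps its fields under UserData/LogFileCleared/<Name>, the others under
# EventData/Data[@Name], so match either element shape.
function Get-EventField {
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.SelectSingleNode("//*[@Name='$Name' or local-name()='$Name']")
    if ($node) { $node.InnerText } else { '' }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$tamperIds.Keys } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $who = '{0}\{1}' -f (Get-EventField $_ 'SubjectDomainName'), (Get-EventField $_ 'SubjectUserName')
        [pscustomobject]@{
            When = $_.TimeCreated
            Who  = if ($who -eq '\') { '(not recorded)' } else { $who }
            Id   = $_.Id
            What = $tamperIds[[int]$_.Id]
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize

# Clearing the log is noisy; lowering the policy is not. Diff the live audit
# policy against the baseline and report every subcategory whose setting moved.
$baseline = Import-Csv 'C:\audit\auditpol-baseline.csv'
$live     = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
Compare-Object -ReferenceObject $baseline -DifferenceObject $live -Property Subcategory, 'Inclusion Setting' |
    Where-Object SideIndicator -eq '=>' |
    Select-Object Subcategory, 'Inclusion Setting'
```

Both checks only have teeth if the events leave the machine before an administrator can act on them, which is why they belong on a collector fed by event forwarding rather than in a script run on the host being watched.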
A less heavy-handed option is specialist change auditing software, which can deliver a reliable and consistent view of what is going on. It takes periodic snapshots of the state of the systems it watches, captures multiple streams of event data from multiple sources, then filters, normalises, sorts and compresses the results into a form that can be searched, alerted on and reported.
Aidan Simister is UK and Ireland country manager at NetWrix