by Patrick Knight
A 2018 study released by IWG found that every week, 70% of employees are working at least one day from somewhere other than the office – a reality that presents many opportunities, but also a few challenges, specifically as it relates to cyber security. Most notably, an increasingly remote workforce presents a greater risk of insider threats, like employee fraud, data breaches and lowered productivity.
To reduce the risk, organizations must consider implementing an insider threat strategy that includes a process for identifying, addressing and resolving issues that may arise. To accomplish this goal, certain steps must be taken to ensure that any loose ends can be tied up.
Step One: Determine What Should be Measured
Different organizations will have different threats that dictate which aspects of remote behavior should be monitored. For example, if your focus is employee productivity, you should be watching actions that determine whether an employee is working or not. But if you are watching for users stealing data, the focus should be on monitoring the employee’s interaction with corporate data in applications and files.
Productivity can be measured for organizations where users must connect to the corporate network from a remote location. Validating a basic connection is a leading indication of an active employee. Further, analyzing the applications being used during said connection, ensuring they are relevant to the employee’s role and reviewing which apps are most used helps to provide context into whether or not they are working.
That said, just because an application is open doesn’t mean it’s being used. A deep dive into whether an application is in the foreground, actively being used or simply open in the background can help to identify the true nature of an employee’s activity. And monitoring specific actions taken within the applications in use can deliver insight into what employees are doing and if they are using their work time advantageously.
Finally, data-related actions can be a key indication of a risk or insider threat. Determining when files are copied, emailed, uploaded and printed can identify potentially malicious actions that can hurt the organization.
Step Two: Determine Who to Measure
Even though you may feel it’s unnecessary to monitor all employees with respect to productivity, a holistic approach should be used with respect to security. Because it’s not possible to know where a threat to your company’s data will come from (malicious employee, employee mistakes, compromised credentials), best practice dictates that security teams be vigilant and protect all endpoints, local or remote. Remote users may well be in greater danger of compromise, as they are not sitting behind corporate firewalls and may be using public networks at airports or at their local coffee shops.
Step Three: Baseline Employee Activity
Establishing what’s “normal” is a critical step in the development of a remote monitoring strategy. This baseline will serve as the reference point against which the productivity and work activity of remote employees is measured. To give an example, an employee that typically logs on by 8:30am and accesses two applications, spending between 3-4 hours in each, provides a solid baseline to reference against. If that same employee begins logging on at 10:00am, and reduces their time spent in the applications, or changes applications altogether, it could be a red flag. But these changes in behavior are only detected if a baseline exists. From a security perspective, data usage patterns, web access (including dark web), network, email and application usage are just some of the indicators that are important to monitor when establishing the baseline.
An AI-based system generally takes 20-30 days to establish a baseline. A baseline of a single week’s worth of work does provide some value, but with a much greater margin of error. It’s important to remember that if or when an employee’s role changes in a major way, a new baseline will have to be set. Because of the volume of data that needs to be gathered and analyzed to establish baselines, it’s a nearly impossible task if your organization does not employ a user and entity behavior analytics (UEBA) solution. UEBA offerings utilize AI and machine learning and are generally designed to analyze user activity and automatically generate baselines, making it possible to determine “normal” user behavior – and to identify when significant changes occur that indicate a possible risk.
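To make the baselining idea concrete, here is an added example (not code from the article or from any UEBA product) that builds a per-user baseline from a constructed 20-day window of activity records and flags the deviations the article describes: a late logon, reduced time in the usual applications, an application that was never seen before, and a burst of the data-related actions (file uploads) mentioned in Step One. The thresholds (two standard deviations for logon time, half the usual hours per app, five uploads above the daily mean) are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): 20 workdays of activity
# for one remote employee, matching the article's example profile of a
# ~8:30am logon and two applications used 3-4 hours each.
BASELINE_DAYS = [
    {"logon": 8.5 + (i % 3) * 0.1,           # 8:30 .. 8:42 as decimal hours
     "apps": {"crm": 3.0 + (i % 2) * 0.5,    # 3.0 or 3.5 hours
              "mail": 3.5 - (i % 2) * 0.5},  # 3.5 or 3.0 hours
     "uploads": i % 2}                        # 0 or 1 file uploads per day
    for i in range(20)
]

def build_baseline(days, min_window=20):
    """Summarise 'normal' from a window of days. Returns None if the window
    is shorter than min_window (the article's 20-30 day guidance)."""
    if len(days) < min_window:
        return None
    logons = [d["logon"] for d in days]
    apps = sorted({a for d in days for a in d["apps"]})
    return {
        "logon_mean": mean(logons),
        # floor the spread so a very regular user still gets some tolerance
        "logon_sd": max(pstdev(logons), 0.25),
        "app_hours": {a: mean(d["apps"].get(a, 0.0) for d in days) for a in apps},
        "upload_mean": mean(d["uploads"] for d in days),
    }

def score_day(baseline, day):
    """Return the list of deviations a new day shows against the baseline."""
    flags = []
    if day["logon"] > baseline["logon_mean"] + 2 * baseline["logon_sd"]:
        flags.append("late_logon")
    for app, usual in baseline["app_hours"].items():
        if day["apps"].get(app, 0.0) < 0.5 * usual:
            flags.append(f"reduced_time:{app}")
    for app in day["apps"]:
        if app not in baseline["app_hours"]:
            flags.append(f"new_app:{app}")
    # data-related actions (Step One): a burst of uploads far above normal
    if day["uploads"] > baseline["upload_mean"] + 5:
        flags.append("upload_spike")
    return flags

if __name__ == "__main__":
    base = build_baseline(BASELINE_DAYS)
    # the article's red-flag day: 10:00am logon, less CRM, a new app, many uploads
    print(score_day(base, {"logon": 10.0, "apps": {"crm": 1.0, "chat": 4.0}, "uploads": 12}))
```

A real deployment would also re-baseline after a role change, as the article notes, rather than keep scoring against a stale window.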
Step Four: Plan a Response
A response plan should be developed early on, in the event that deviations from an employee’s baseline are recognized. In order to address this type of situation, a few factors need to be considered:
- Alerts – The point of monitoring remote employees is to be made aware that data is at risk when they deviate outside acceptable parameters, and many UEBA solutions have this type of functionality built in.
- Understanding – Once an alert is sounded, organizations need the ability to determine exactly what’s happening. After all, these are valued employees, so care needs to be taken to avoid false accusations or creating an atmosphere of mistrust. Utilizing user activity monitoring (UAM) technology allows a security team to look back in time and see a video replay of what occurred on an employee’s device. Whether a productivity issue or a security-related incident, visual understanding and evidence is invaluable when determining whether the remote employee’s actions are inappropriate and require a response, or unusual but completely benign.
- Security-related threats – An organization should first determine what kind of actions should be responded to, and who within the organization should be notified when those actions take place, such as IT, Security, HR, Legal or department heads.
- Response planning – There is a big difference between an employee spending too much time on social media and one that’s putting the organization at risk. Different response plans should be developed based upon the severity of the situation. Examples of breaches that may warrant specialized plans include:
- employees considering leaving an organization
- data theft
- unwitting insiders that have been compromised
- employee errors
- compromised credentials
A mature insider threat security plan should involve IT, Security, HR, Legal and the executive team.
- Deter threats with onboarding and employee notification – A major area of risk is employee negligence and accidental risky behavior. One defense strategy against an insider threat breach is to ensure employees are aware of the security guidelines and are alerted when their online activities begin to introduce risk. Onboarding and training create an environment of awareness and help set expectations for acceptable use of corporate data and assets. Mature UEBA technologies may also provide login banners and notices reminding employees to handle sensitive data with care. Keyword alerts and other notifications can also help remind employees when their activities begin to approach a level of risk. The best breaches to recover from are those that are avoided in the first place.
Working remotely has become a mainstay in the 21st century. While remote employees don’t inherently pose additional risks, it’s important to understand that they do bring an increased risk potential. To minimize this potential, organizations should consider analyzing employee behaviors to identify potential threats, including the deviations that signal insider threats, like employee fraud, data breaches and lowered productivity.
With a complete identification and response strategy that incorporates technologies like UEBA in conjunction with user activity monitoring, companies can identify indicators of a risk and quell potential threats.
About Patrick Knight
Patrick Knight is the Senior Director of Cyber Strategy and Technology at Veriato helping organizations protect critical data from threats by trusted insiders. His cybersecurity career spans 17 years helping enterprises protect against online threats and developing anti-malware, network intrusion detection, computer and network forensics and encryption technologies. Prior to this, he served in the U.S. Intelligence Community and the United States Army for 12 years in the fields of Signals Intelligence Analysis and Cryptanalysis and as a Russian and Serbo-Croatian Linguist. He can be reached on Twitter at @PatrickKnight70 and on LinkedIn at linkedin.com/in/PatrickKnight70.