It is universally acknowledged that the UK is home to some bizarre traditions. Above all, perhaps, is Bonfire Night. “Remember, remember! / The fifth of November” – so instructs the mysterious English folk verse, regarding the failed ‘Gunpowder Plot’ of 1605, which is celebrated to this day with the annual burning of Guy Fawkes effigies on bonfires across England. In fact, Fawkes neither devised nor led the plot to assassinate King James I, yet his name remains immortalised thanks to his expertise with gunpowder and his perilous role in the conspiracy: sourcing and igniting the explosive.
In the end, nearly two years of meticulous planning was foiled at the last hurdle: in the midnight hour, Fawkes was arrested beneath the House of Lords, surrounded by 36 barrels of gunpowder, all stacked in the cellar directly below where the king would have been seated for Parliament the next day. Subsequently, Fawkes was sentenced to excruciating suffering, including the rack. So, while regicide remains undesirable, it’s arguably a little odd that – hundreds of years later – our nation still chooses to commemorate anyone’s prolonged torture with fireworks and toasted marshmallows; just take a look at Kit Harington in the BBC’s recent drama Gunpowder to get a sense of the horror.
Nonetheless, Fawkes provides food for thought when considering the contemporary concept of ‘insider threats’. This is a phrase that most IT managers and CISOs have become all too familiar with, thanks to headline-grabbing incidents such as the Apple leak and Deloitte hack this year, and the fact that this particular threat is so difficult to identify and temper. A worthy allegory, Fawkes can be seen as the very embodiment of an insider threat, similarly equipped with ulterior motives and explosive consequences.
Ultimately, the insider threat is an issue for any business storing sensitive information. Traditional cyber security solutions can’t reveal the insights required to stop the insider; instead, it’s imperative to monitor, record, and analyse human processes through user and entity behaviour analytics (UEBA) across the organisation. This way, it’s possible to uncover who has accessed what, from where and at what time; what’s more, all of this can be done without impacting either performance or privacy.
Shockingly, nearly half of enterprise security incidents are caused by some form of insider threat, which is why it’s so vital to deploy a potent defence across all fronts. By implementing comprehensive, behaviour-aware protection (such as UEBA) against insider threats, it becomes possible to stop an incident – whether malicious or accidental – before it causes any serious damage. However, in order to maximise the potential of such protection, organisations must arm themselves with knowledge about the different types of insider threats they might face, as well as the motivations behind them.
One example is the bright yet disgruntled employee, who perhaps feels they’ve never been listened to sufficiently. A pioneering developer, they may have identified a fundamental vulnerability in their company’s software, but their employer dismissed the situation. Annoyance evolved into ire, and now this individual may decide to tamper with the faulty software just to prove a point. Here, the catalysts are broken promises and undervalued opinions – unfortunately, it’s all too familiar. In such instances, it’s paramount to spot any signs of dissatisfaction and then complement this analysis with technology that monitors unusual activity within the corporate network and beyond, such as logging on at unusual times or uploading suspicious files to the likes of Dropbox.
Another threat profile is the spy. True, they may have started out with the best of intentions, but now they feel undervalued and stuck in a rut. Perhaps one night in the pub, they confide in a close contact and then, before you know it, they’re approached by a competitor, who offers a significant reward if they pass on classified data about a project they’re about to launch. On one particularly heated day, they may give in to the offer, downloading the data onto a memory stick, returning to the pub, and delivering the secret data to the competitor. Uncovering this kind of behaviour is always going to be tricky, so technical controls will be required – the more advanced, the better. By monitoring behaviour on endpoints, for example, it’s possible to track when a user connects a USB drive to an endpoint and to determine if any data has been removed or copied.
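Pulling the two monitoring ideas above into code (off-hours logons from the disgruntled-developer profile, and copies to removable media from the spy profile), as an added example that is not part of the original article: a toy UEBA-style detector that learns each user's usual logon hours from constructed sample logs and flags deviations. The log format, users, hostnames and event names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the article). Historical logons form a
# per-user baseline; a later day's events are then scored against it.
# Field layout is assumed: "<ISO timestamp> <user> <event> <detail>".
BASELINE = [
    "2017-10-02T08:55:00 alice logon workstation-12",
    "2017-10-03T09:05:00 alice logon workstation-12",
    "2017-10-04T08:50:00 alice logon workstation-12",
    "2017-10-02T13:10:00 bob logon workstation-07",
    "2017-10-03T12:58:00 bob logon workstation-07",
]
NEW_EVENTS = [
    "2017-11-05T09:01:00 alice logon workstation-12",
    "2017-11-05T23:47:00 alice logon workstation-12",
    "2017-11-05T23:52:00 alice usb_mount workstation-12",
    "2017-11-05T23:55:00 alice file_copy E:\\project_plan.docx",
    "2017-11-05T13:02:00 bob logon workstation-07",
]

def parse(line):
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail

def build_baseline(lines, slack=2):
    """Per-user (earliest, latest) logon hour, widened by `slack` hours each side."""
    hours = defaultdict(list)
    for ts, user, event, _ in map(parse, lines):
        if event == "logon":
            hours[user].append(ts.hour)
    return {u: (min(h) - slack, max(h) + slack) for u, h in hours.items()}

def detect(lines, baseline):
    """Return (user, reason) alerts for off-hours logons and file copies
    that follow a removable-media mount by the same user."""
    alerts, usb_mounted = [], set()
    for ts, user, event, detail in map(parse, lines):
        if event == "logon":
            lo, hi = baseline.get(user, (0, 23))  # unknown user: no baseline yet
            if not lo <= ts.hour <= hi:
                alerts.append((user, f"logon at {ts:%H:%M} outside usual window {lo:02d}-{hi:02d}"))
        elif event == "usb_mount":
            usb_mounted.add(user)
        elif event == "file_copy" and user in usb_mounted:
            alerts.append((user, f"file copied to removable media: {detail}"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect(NEW_EVENTS, build_baseline(BASELINE)):
        print(f"ALERT {user}: {reason}")
```

Real UEBA products weight many more signals and learn per-user baselines over weeks, but the shape is the same: a baseline, a deviation score, and the who/what/when evidence the article calls for.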
Of course, the insider may well not be exactly who they say they are either; all it takes for an outside threat to become an inside one is legitimate login details, swiped from a post-it note or a laptop left on the train. Being able to evidence the who, where, what and how of any incident can again lead a trail back to the perpetrator.
In all of these cases, it’s important to remember that all it takes to produce an insider incident is a disgruntled employee, a lapse in judgement, or an outside influence. As such, learning lessons from Fawkes, it’s absolutely crucial to establish a clear framework for hunting down, evidencing and dealing with these threats as soon as possible. And it’s technology that can enable this. After all, a fire consumes all in its path, and the incendiary effects of a data breach are no different.