George Wilkes, January 3, 2022
How Zero Trust Network Access (ZTNA) Mitigates Risk from Insider Threats
Insider threats are among the toughest challenges to address for enterprises—learn what they are, what makes them so dangerous and how to reduce your risk.
For many, the term “insider threat” conjures up images of cloak-and-dagger espionage or Rami Malek’s breakthrough performance as Elliot Alderson in Mr. Robot.
But as with most things related to cybersecurity, the truth about insider threats is a little more complex and a little more nuanced—with important implications for how organizations can mitigate risk.
What are insider threats?
Let’s start by deconstructing the term “insider threat.”
The Cybersecurity & Infrastructure Security Agency (CISA) defines an insider as “any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks and systems.”
Note that “any person” includes employees and contractors, but also the often-overlooked set of business associates and third parties—plus former members of any of those groups.
Next, we move to the second term, threat: this is the potential that someone will use their authorized access, wittingly or unwittingly, in a way that causes harm to your organization.
Putting it all together, we can see that insider threats come in a few forms:
- Negligent insider: A careless user whose unsafe habits—like sharing passwords, leaving devices unattended or failing to recognize an impersonation scam—unwittingly aid a threat actor
- Compromised insider: A user whose account or device has been accessed and has fallen under the control of a malicious cyberattacker, whether through negligence or no fault of their own
- Malicious (or coerced) insider: A user who intentionally causes harm, whether acting alone or under threat or influence from a malicious actor
How common are insider threats?
In a world of imperfect visibility, it’s impossible to quantify with certainty, but we can draw upon a few authoritative sources to get an overall idea.
Verizon’s 2021 Data Breach Investigations Report (DBIR) suggests that, over the past five years, insiders account for 25-35% of breaches. However, there’s considerable fuzziness due to attribution challenges and reporting realities. The report notes that, “an External actor breaking into an organization by leveraging illicitly obtained credentials or other illegal access to pivot internally may initially resemble an internal threat before detailed incident forensics are engaged.” The report added that a perceived upward trend in insider-led attacks “is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors.”
On the other hand, IBM’s Cost of a Data Breach Report 2021 suggests that malicious insiders are relatively uncommon, accounting for only 8% of data breaches, which is good news for organizations, since skilled malicious insiders are particularly dangerous. At the opposite end of the spectrum is the accidental insider threat: Egress’ Insider Data Breach Survey 2021 determined that 84% of serious incidents are caused by employee mistakes.
Of course, insider threats can vary by sector and region. For example, in a section on Operational Technology (OT) and Industrial Control Systems (ICS), IBM’s X-Force Threat Intelligence Index 2021 notes that, “Insider incidents made up 13% of all OT-related incidents in 2020, with about 60% of those involving malicious insiders and about 40% involving negligence.” The study said, “Europe by far experienced the most insider attacks in 2020, seeing twice as many such attacks as North America and Asia combined.”
While these reports don’t provide apples-to-apples comparisons, the clear takeaway is that all forms of insider threats are a real and present danger.
What makes insider threats so dangerous?
In a word: trust.
Insider credentials provide privileged access to systems and data, reducing the need to engage in privilege escalation and other intrusion actions that might trigger alarms and raise red flags.
An insider who falls prey to a phishing or social engineering scheme may unwittingly hand over exactly what an external threat actor needs to conduct reconnaissance and act on objectives, especially because an automated defense system doesn’t know whose hands are on the keyboard. (Or, as the DBIR put it, “even though the call may be coming from inside the house, there is still a stranger on the line.”)
And a malicious insider has systems and norms knowledge, making them an especially dangerous threat. As the 2021 DBIR says, “an insider who has decided to abuse their access to copy a small amount of data each week and sell it to their buddy, who in turn utilizes it for financial fraud, may not be caught for a very long time.”
Looking beyond trust placed in insiders and their credentials, other trust-related factors complicate safeguarding your data and assets:
- Flat network topologies, often the product of complexity and perceived tradeoffs between security and convenience, make it easier for threat actors (internal or not) to move laterally (i.e., east-west) within an environment
- Connect-then-verify architectures that operate on the premise of a trusted network and rely on weak authentication, introducing unnecessary risk
- Overprivileged users that are the product of the complexity of managing legacy solutions and tradeoffs—when it’s too hard to precisely partition access, admins manage fewer groups and provide more access than is needed
Why are insider threats so difficult to manage?
There are multiple reasons why insider threats are difficult to manage with traditional security strategies and solutions.
First, policies may inadvertently make employees feel judged or persecuted. Plus, these approaches may not work: one of the main conclusions of a recent study from CyLab (Carnegie Mellon University’s Security and Privacy Institute)—Insider Risk Management Program Building: Summary of Insights from Practitioners—is that deterrence actions (e.g., employee constraints, monitoring, punishment, etc.) don’t reduce insider risk. (The study suggests upstream actions to create a positive work environment in which employees feel valued and trusted are much more effective.)
Second, because insiders have access privileges, there are fewer signals for automated security solutions to examine. This is especially true in flat networks, where it’s tough to identify and contain lateral movement. Distinguishing infrequent-but-legitimate behavior from malicious behavior is hard, which is why user behavior analytics (UBA) cropped up years ago. However, this reactive approach requires the malicious insider to misbehave before a detection algorithm can fire; perhaps that’s why insider threats persist despite UBA solutions having been around for a long time.
Third, as noted earlier, employees are not the only insiders—contractors, vendors and other third parties may have system credentials, and managing secure access for such a diverse workforce can be cumbersome and prone to errors.
Fortunately, the Zero Trust paradigm offers a compelling solution to the problem of insider threats.
Using Zero Trust Network Access (ZTNA) to protect against insider threats
In terms of security outcomes and cost, the most effective way to manage insider threats is to enforce Zero Trust Network Access (ZTNA).
ZTNA empowers employees and other insiders (e.g., partners, contractors, etc.) with fast and secure connections to the data and services they need. Simultaneously, it limits your attack surface, prevents lateral movement and provides visibility into network activity—enabling quick containment and response should an attack take place.
By doing so, ZTNA addresses insider threats in three important ways:
- It protects against human error—those innocent mistakes that can give threat actors the opening they need
- It protects the people you trust by equipping them with exactly what they need while helping to ensure they don’t unwittingly aid external attackers
- It protects your resources by precisely controlling who can access what
Plus, ZTNA delivers all of these benefits without introducing unnecessary friction that would compromise users’ ability to do their jobs.
Mitigating insider threats with Appgate SDP
Here’s how Appgate SDP, an industry-leading ZTNA solution, combines features and technologies to mitigate insider threats.
Device ringfencing and least privilege access limit user access to only those network resources and services they need. Appgate SDP also uses dynamic policies to adjust rights as the context in which they are requested changes, so it’s easy to provision access as needed—overcoming many administrative headaches associated with more static access management techniques.
Device posture checking can detect if a legitimate user’s device has been compromised, at which point Appgate SDP denies the device access to the network. Similarly, Appgate SDP can receive vital context from other security solutions—like a security information and event management (SIEM), user and entity behavior analytics (UEBA) or extended detection and response (XDR) platform—that aggregate many signals to detect potentially malicious behavior.
Importantly, with Appgate SDP, management of insider threats doesn’t require an all-or-nothing approach where a user either has some access or none at all. Instead, surgical access permissions mean that even if a user gets flagged or quarantined, administrators can still allow access to particular non-critical systems—so the user can keep doing their job even while investigation and remediation are underway.
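As an added illustration (not Appgate SDP’s own policy engine or configuration), the following Python sketch models the per-resource, context-aware decisions described above: a failed posture check denies everything, entitlements enforce least privilege, and a SIEM/UEBA risk flag ringfences only critical systems, so a flagged user keeps non-critical access; an all-or-nothing variant is included for contrast. The resource names, groups and field names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed illustration of a context-aware, per-resource access policy.
# This is not Appgate SDP's policy language; names and fields are hypothetical.

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset        # entitlements from the identity provider
    device_compliant: bool   # result of the device posture check
    risk_flagged: bool       # identity flagged by a SIEM/UEBA/XDR feed

@dataclass(frozen=True)
class Resource:
    name: str
    required_group: str      # least-privilege entitlement for this resource
    critical: bool           # critical systems are ringfenced on a risk flag

def evaluate(ctx, resource):
    """Decide one user/device/resource triple; returns (decision, reason)."""
    if not ctx.device_compliant:
        return "deny", "device failed posture check"
    if resource.required_group not in ctx.groups:
        return "deny", "no entitlement for this resource (least privilege)"
    if ctx.risk_flagged and resource.critical:
        return "deny", "identity flagged; critical resource ringfenced"
    return "allow", "entitled and context acceptable"

def surgical_access(ctx, resources):
    """Per-resource decisions: a flagged user keeps non-critical access."""
    return {r.name: evaluate(ctx, r)[0] for r in resources}

def all_or_nothing(ctx, resources):
    """Legacy contrast: any risk signal revokes the whole session."""
    blocked = ctx.risk_flagged or not ctx.device_compliant
    return {r.name: "deny" if blocked else evaluate(ctx, r)[0] for r in resources}

# Constructed sample data: two critical and two non-critical resources.
RESOURCES = (
    Resource("payroll-db", "finance", critical=True),
    Resource("build-server", "engineering", critical=True),
    Resource("ticketing", "staff", critical=False),
    Resource("wiki", "staff", critical=False),
)
FINANCE_USER = frozenset({"staff", "finance"})
NORMAL = Context("alice", FINANCE_USER, device_compliant=True, risk_flagged=False)
FLAGGED = Context("alice", FINANCE_USER, device_compliant=True, risk_flagged=True)
BAD_DEVICE = Context("alice", FINANCE_USER, device_compliant=False, risk_flagged=False)
```

For the flagged user, `surgical_access` denies payroll-db (critical) and build-server (no entitlement) but still allows ticketing and wiki, whereas `all_or_nothing` denies all four.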
Protecting enterprises from today’s top cyberthreats
Unfortunately, in addition to insider threats, enterprises are also at risk of ransomware, distributed denial of service attacks (DDoS), phishing and man-in-the-middle (MITM) attacks.
Fortunately, the Zero Trust security paradigm is well-equipped to address many modern cyberthreats. In fact, in response to many high-profile cyberattacks targeting critical infrastructure and government agencies, the White House recently went so far as to issue an executive order requiring federal agencies to adopt a Zero Trust architecture.
Learn more about how ZTNA defends against today’s top cyberthreats by reading the whitepaper now.