Setting up security mechanisms to prevent insider threats isn't enough these days -- it's equally important to implement measures that help detect threats if and when they do occur.
In other words, detection mechanisms can help you implement effective prevention methods. You must have policies and controls in place so both non-technical and technical insider threats are detected. While it is difficult to detect non-technical insider threats by using software or tools, at the very least a software application can be capable of implementing logic on the target systems to detect technical threats.
There are several enterprise products available that provide enhanced detection mechanisms to avoid security breaches and risks in a production environment. For example, by enabling video recording, you can be warned of any suspicious activities that might be taking place on target systems. Similarly, by implementing key rules to check on security group membership changes, you can be alerted when members are added and removed.
While you can always develop robust cyber-security policies and procedures, you will still need to implement an enterprise tool or software that helps you detect the threats before the attacks result in a significant damage to your business. These tools will likely provide some or all of the following security measures:
Enabling Video Recording and Alerting — Video recordings provide explicit evidence and the sufficient data to respond to a threat. You can easily know what actions a user has been taking on a PC, which, in turn, helps you understand whether the incident was a malicious attack or the user erroneously performing some actions.
Tracking Changes to Group Memberships — In a large IT environment, you might have created hundreds of security groups and you might have several IT Teams to look after operational tasks for their business units. As a result of the sheer size of the enterprise, it becomes important to track changes to the critical security groups. For example, Domain Admins is a critical security group and you may not want to allow unauthorized members to be part of Domain Admins security group, as anyone who is part of the Domain Admins security group can gain full control over an Active Directory domain.
Detecting and Monitoring Access to Sensitive Data — Employees are given permissions to access files and resources located on the file servers as long as they are authorized to access the data. It is important to understand that any user who doesn't have access to file server data will result in "failed read-attempts." It is necessary to detect failed read attempts in order to know why users are trying to access the data on a file server for which they do not have full access.
Detecting Failed Logon Activities — In a large environment, it's quite difficult to get visibility into all account logon activity. By using an enterprise auditing tool, you can understand failed logon attempts made by the users with complete details such as the domain controller and workstation where the event has occurred, the type of logon (interactive or non-interactive), the data and time when the event occurred and the possible cause for the logon failure. An enterprise auditing tool can show accounts that performed too many logons during a short time period, which might indicate a possible malware attack or an intruder trying to log on to systems.
It is important to follow a steady approach when working on a holistic cyber security program. For example, you might have implemented necessary policies to block copying of business documents to USB sticks and external hard drives, but you might have forgotten to educate employees on cyber security in terms of how to respond to a threat in a timely manner as well as the specific escalation chain employees need to follow in the case of an identified potential threat.
Similarly, you might have performed modifications in the security policies to allow only known people to be part of the local administrator security group on systems, but you might have forgotten to implement a Role=Based Access Model (RBAC) model in your environment that can control access to systems.
When you implement controls and policies, you will often be required to deploy a company-wide security program and policies that will help protect the enterprise from all insider threats. For example, educating employees to simply not log onto multiple machines using the same username and password will not work. Rather, you'll need to install an enterprise tool that can limit the logon of a user to a single machine.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at firstname.lastname@example.org.