iscover
Joanne WongShare this article on:
The so-called “great resignation” has been a topic of discussion in business circles for months, Joanne Wong of LogRhythm, writes. Following the restrictions of the COVID-19 pandemic, an increasing number of people are taking the opportunity to quit their jobs and seek fresh opportunities.
What is now becoming apparent is that this trend has a significant fallout when it comes to IT security. Many organisations are reporting incidents where departing staff are taking with them copies of valuable and sensitive data.
There are differing motivations for this insider-threat behaviour. Some disgruntled departing employees are intent on causing harm while others are keen to offer a commercial advantage to their new employer.
The size of this problem is increasing at an alarming rate. According to the US-based Ponemon Institute, insider threat incidents have increased by 44 per cent during the past two years with the global cost per incident increasing to US$15.38 million.
Achieving effective protection
Businesses faced with these threats are finding they can be a challenge to prevent. Detecting the theft of data by an employee is difficult as it can closely resemble legitimate business activity. In recent years, it’s been made even more challenging as a result of the increasing use of cloud platforms and work-from-home patterns.
To overcome these challenges, IT teams need to make use of a variety of analytical methods and observational vantage points to provide the best possible detection posture. Putting automated tools in place can increase the likelihood that data theft will be spotted and employees questioned about their activity.
One of the most prevalent ways used by departing staff to steal company data is to transfer it via a personal email account to a web storage service such as Google Drive or Dropbox. In these instances, security information and event management (SIEM) tools can be used to constantly monitor email activity and spark alerts when certain events are spotted.
SIEM tools can be configured to flag activity that meets certain pre-defined triggers. Those triggers could include the movement of large files at times of day that are not typical, such as after hours. Also, traffic between company servers and web storage services could be seen as unusual and receive closer attention.
To reduce the number of false positives, additional rules can also be put in place. These could include only checking emails that contain attached files and are being sent to an external address.
On-premise detection
Spotting and countering data exfiltration attempts also require an organisation to be able to identify unusual activity within its internal networks. This could be caused by an employee gathering files from a range of internal sources and collating them on their workstation.
In this type of scenario, network detection and response (NDR) tools can be used to provide real-time threat detection across endpoints, data centres, and cloud platforms. The tools can monitor for unusual activity such as a sudden increase in file transfer activity by an individual employee.
NDR tools can also be configured to trigger alerts when large, collated files are sent to a service such as Dropbox. This could be a warning sign that the files are being transferred illegally and for nefarious reasons.
When used effectively, NDR tools can significantly reduce the workload faced by security teams. From the massive number of alerts triggered every day, they can identify those most likely to represent a data exfiltration event and allow the security team to focus on analysing them.
The focus of security teams should also be concentrated on staff who have offered their resignation. Once this has been done, their personal network traffic can be more closely monitored for signs of illegal activity.
This can be achieved by using advanced intelligence engine (AIE) tools that have been pre-populated with a list of departing staff. The tools can be configured to watch for particular behaviour patterns within this group and alert the security team when they occur.
The current pattern of heightened staff departures is likely to continue in the short to medium term within many organisations. For this reason, it is important to ensure that appropriate security mechanisms are in place to limit the likelihood that sensitive data departs with them.
Joanne Wong is the vice president, international marketing, APAC and EMEA at LogRhythm.
Be the first to hear the latest developments in the cyber industry.
