I was reading this post by Richard Bejtlich and it reminded me of a little pet peeve.
It seems some people out there criticize Richard for focusing more on external threats than on the big bad “internal threat”. I’ll admit I used to use the term frequently when I was a little naive, but I finally realized it became code for “scary stuff you’ll never be able to protect yourself from without spending a lot of money on our products.”
Yes, there is an insider threat, but we abuse the heck out of the term.
There are a few principles I like to keep in mind when discussing the insider threat. Some are a little redundant to make a point from a slightly different perspective:
- Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers: there are those with access to your network, and those without. Some are authorized, some aren’t.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost of reducing the risks of the insider threat to levels comparable to the external threat is materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls.
Thus, the best strategy includes a mix of technology and business controls, a focus on preventing and detecting external attacks, and reliance on a mix of preventative controls and detective controls with efficient response for the insider threat. I really don’t care if an attacker is internal or external once they get onto a single trusted system or portion of my network.
The “insider threat” isn’t a threat. It’s become a blanket term for FUD. Understand the differences between malicious employees, careless employees, external attackers with access inside the perimeter, and trusted partners without effective controls on their systems and activities.