Holidays and Insider Threats — Exabeam Answers Questions From the Field

December 14, 2022


I hear a lot of questions at security field events that I attend, both as a presenter and helping out the team doing booth duty. Because so many of these questions seem applicable as we approach the end of the year, I thought I’d share them here for you to think about. This year, all the questions and discussion boiled down to the same themes:

  • Management is doing layoffs — what should we (security) look out for?
  • We did some hiring, and the new people failed our phishing tests. How do we communicate the risks upward?
  • We have a change freeze coming up for Christmas. Anything you recommend that we do?
  • We have an executive budget to create an insider threat team. Where do we start?

In this article, I’ll break down some of the best responses to each of these questions, which may help us all get through this season together. Winter is coming — but maybe it can mean cocoa and cozy fireplaces instead of ghosts and wolves. 

Like the turning of the seasons, whenever organizations (particularly publicly traded ones) face a revenue shortfall or a falling share price, layoffs are all but inevitable. Why? Because after layoffs hit the public news, people buy the stock. It’s one of the cheapest ways to raise the share price (if you don’t care too much about your employees): brokers read it as a sign that the company is addressing low sales and missed margins by cutting overhead, and people are cheaper to replace than capital assets.

So with Christmas layoffs upon us, a proactive security team should sigh heavily, reach out to HR, and ask for a meeting. Every company of a certain size should plan for layoffs under any circumstances — and that means agreeing on what to monitor more closely. If the company does “security walkouts” where it surprise-fires people, IT needs to be able to cut off all access and permissions that day — or, ideally, a few minutes before. Angry employees are prone to take things with them — and while you cannot protect your staplers and peripherals, you should keep a very close watch on your IP.

Don’t forget — disgruntled employees may not only take IP and customer data to their new home; there are also marketplaces where they can sell their existing login credentials to threat actor groups like Lapsus$. Selling access to the company they feel wronged them is profitable — and misuse of legitimate credentials is a clear ingress into your organization.

Best practice is for security to have a clear picture of every employee, their group membership, what they normally access, and a full list and controls for how to shut access down. This can lead to challenges, as many departments “own” their own SaaS systems — from cloud-based project management tools to websites and dev tools. Seeing normal helps you see anomalies. 

The best tools for the security team under these instances are data loss prevention (DLP) solutions, email security solutions, and something with user and entity behavior analytics (UEBA) to look at all the sources together and determine when anomalous behavior may be threatening. Both current and historic views matter. 

New employees and phishing

Take a moment and be kind in your thoughts to the new employee. They are being bombarded with about a gazillion new systems to log into, secure access to, single sign-on (SSO) and privileged access management (PAM) tools, and more. Getting provisioned and learning your way around can take anywhere from days to weeks, depending on their level of tech savviness.

Malicious actors know it. Some of them monitor LinkedIn companies and users, looking for new hire or title change announcements. This is a prime time to jump on the phishing bandwagon and send these users carefully crafted emails that look like legitimate IT or account setup messages, attempting to lure them into clicking a link. I don’t care how clever or suspicious you are — ANYONE can accidentally click a link that has big, friendly “ADOBE” or “Your Okta account” links when they’re first getting set up. (These are real examples of phishing emails that I saw in my own inbox a few months back.) 

Email security is, again, a big help here. And, of course, endpoint security. But this is also where I’d counsel an organization to start a new employee’s first day with a “Watch this first” video to educate them on how a phishing attack, successfully executed, can lead to ransomware, Trojans, and other threats. Their manager should watch along, too. (There are many good security training companies that you can partner with — no need to spend hours building it yourself.) Coincidentally, this starts to inform your management of what is possible, what is likely, and the general risk level.

Arm new employees with lists created by management and IT of all the actual tools currently in use by their department. For all the people who do not work in security, taking a moment to talk about how it works can be worth your time. And again, a UEBA solution that monitors behavior, comparing the new employee to others in their group and organization, can send up a warning flag to Security if something goes wrong.

Change freezes

There is always some kind of new development combined with a change freeze over the holidays. In ideal conditions, a change freeze prevents new vulnerabilities from being introduced into the environment when there is only a skeleton support crew monitoring the systems. In a perfect world, your change freeze starts at the end of the first week of December — the 15th at the latest — to avoid being short-staffed in the event of emergency response.

There are plenty of other reasons winter holidays are dangerous for IT security teams. Students around the world often get a midwinter break, which gives them ample time to do searches on hacking tools and attempt to use them. Malicious actors with a little more time on their hands can dig deeper into vulnerabilities announced online or as part of recent patches, and seek out and exploit new systems. For some industries it might make sense to shut down your domain to traffic coming from .edu —  as .mil and .gov used to do — but that’s a little harsh and not achievable for all.

The best bet is to work with your dev teams to make sure that only bug fixes are being pushed in December — nothing earthshakingly new. This is especially true for websites/portals — although a good DAST or penetration test can alleviate some of the risk. Make sure that someone has clearly documented all the libraries and versions of all the tools — and make sure that Security can access this file in case of anomalous activity being seen. (Example: remember Log4j? How long did it take you to find out if you used this common logging tool in any tools in your environment?) 
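As an added illustration (not code from this post or from Exabeam), the following Python script answers the Log4j question against a constructed CycloneDX-style inventory: the component entries, the `tool` property that records which application each library ships in, and the affected version range are all assumptions made for the example.

```python
import json

# Constructed CycloneDX-style inventory covering several internal tools; a "tool"
# property records which application each library ships in.
SBOM_JSON = """
{
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "properties": [{"name": "tool", "value": "customer-portal"}]},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
     "properties": [{"name": "tool", "value": "billing-batch"}]},
    {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.3",
     "properties": [{"name": "tool", "value": "hr-intranet"}]}
  ]
}
"""

def load_sbom() -> dict:
    """Parse the inventory; in practice this reads the file Security has been given access to."""
    return json.loads(SBOM_JSON)

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically rather than as strings.
    Non-numeric parts (e.g. '-beta9') are dropped; a real tool would follow the project's scheme."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def find_affected(sbom: dict, name: str, lo: str, hi_exclusive: str) -> list:
    """Return (tool, version) for every component called `name` with version in [lo, hi_exclusive)."""
    lo_t, hi_t = parse_version(lo), parse_version(hi_exclusive)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != name:
            continue
        if lo_t <= parse_version(comp.get("version", "0")) < hi_t:
            tool = next((p["value"] for p in comp.get("properties", []) if p.get("name") == "tool"), "unknown")
            hits.append((tool, comp["version"]))
    return hits

if __name__ == "__main__":
    # Affected range assumed for illustration; take the real bounds from the vendor advisory.
    for tool, version in find_affected(load_sbom(), "log4j-core", "2.0", "2.15.0"):
        print(f"{tool}: log4j-core {version} falls in the affected range")
```

Keeping the inventory in a machine-readable form is what turns “how long did it take you to find out” into a query that runs in seconds.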

The two best defensive tools here are a clean record from your AppSec testing for the new release, and a solid cloud security suite if you’re doing your development work in GCP, AWS, Azure, IBM eBusiness, etc. You own the security on your authentication and authorization — and plugging those public cloud security tools or webhooks into your security information and event management (SIEM) or UEBA can make it easier to track incidents. Additionally, if you’re looking backward for indicators of compromise (IoCs), having a central historic search repository can save literally hours of overtime. 

Standing up an insider threat team

If I were standing up an insider threat team, the first question I’d have would be, “What tools do we have in the greater security stack and what precisely are we most concerned with protecting?” Insider threats are visible across multiple tool sets — but depending on the ingress and egress points, there are different locations for finding what’s going on.

If your organization has a SIEM, inquire what security logs are feeding into it as well as whether you have access to it. Key inputs for detecting anomalous activity include:

  • Endpoints
  • Active Directory/IdP/SSO systems
  • VPNs
  • Email
  • Cloud security tools

The easiest way is to view them all with UEBA. Ideally, you’ll find a solution that provides analytics and layers on top of your existing SIEM or data lake tool, which is already collating and correlating all these data sources in use. 

Visibility is key, and tracking at the user session level in a timeline will do three-quarters of the work for you. The five locations you’ll want automation for are: 

  1. Gathering the log data into one tool for analytics
  2. Adding threat intelligence and other IoCs to build meaningful events
  3. Creating a timeline of every user (or entity/device) session, so that you can see what happened in what order across multiple global time zones
  4. DLP or CASB solutions to see what was accessed and where it went, and potentially encrypt documents automatically
  5. Responses — anything that can be automated for triggering MFA, account shut down, etc. is helpful
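An added example, not Exabeam’s product code, showing steps 1 and 3 in miniature: constructed events from the VPN, IdP, endpoint and cloud sources above are normalized to UTC, ordered into a per-user session timeline, and then compared against a constructed baseline of each user’s routine (action, target) pairs, which is the “seeing normal” that makes anomalies stand out. User names, hosts, timestamps and the baseline are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events from several of the sources listed above:
# (source, ISO-8601 local time with UTC offset, user, action, target).
RAW_EVENTS = [
    ("vpn",      "2022-12-23T22:05:00-05:00", "jdoe",   "vpn_connect",   "us-east-gw"),
    ("idp",      "2022-12-24T03:06:10+00:00", "jdoe",   "sso_login",     "okta"),
    ("endpoint", "2022-12-24T08:40:00+05:30", "jdoe",   "usb_mount",     "laptop-17"),
    ("cloud",    "2022-12-24T03:20:00+00:00", "jdoe",   "bulk_download", "finance-share"),
    ("idp",      "2022-12-23T09:00:00+00:00", "asmith", "sso_login",     "okta"),
]

# Constructed baseline: (action, target) pairs each user performed routinely in prior weeks.
BASELINE = {
    "jdoe":   {("sso_login", "okta"), ("vpn_connect", "us-east-gw")},
    "asmith": {("sso_login", "okta")},
}

def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp carrying a UTC offset and convert it to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def build_timelines(events):
    """Group events by user and order each user's events chronologically in UTC."""
    timelines = defaultdict(list)
    for source, ts, user, action, target in events:
        timelines[user].append((to_utc(ts), source, action, target))
    for user in timelines:
        timelines[user].sort(key=lambda e: e[0])
    return dict(timelines)

def flag_first_seen(timelines, baseline):
    """Return events whose (action, target) never appeared in that user's baseline."""
    flagged = []
    for user, events in timelines.items():
        known = baseline.get(user, set())
        for when, source, action, target in events:
            if (action, target) not in known:
                flagged.append((user, when.isoformat(), source, action, target))
    return flagged

if __name__ == "__main__":
    tl = build_timelines(RAW_EVENTS)
    for user, events in tl.items():
        for when, source, action, target in events:
            print(f"{user:<7} {when:%Y-%m-%d %H:%M}Z {source:<8} {action} -> {target}")
    for item in flag_first_seen(tl, BASELINE):
        print("FIRST SEEN:", item)
```

Note that the endpoint event, stamped 08:40 local time, sorts between the SSO login and the bulk download once it is normalized; without that step the timeline would tell the wrong story.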

Whether accidental or deliberate, insider threat risks are higher during the holiday season. While security operations teams are focused on intrusion detection, if they don’t have a specific charter to focus on insider threats and the tools to do so effectively, they may not see the suspicious behavior of compromised credentials and lateral movement.

Consider Exabeam solutions for your security wish list

If you currently have a SIEM or data lake and want to add UEBA capability and workflows for your team, consider taking a look at Exabeam Security Investigation or Exabeam Security Analytics to add key UEBA detection and risk scoring to your SOC workflows. Exabeam Security Analytics combines weak signals from across your security ecosystem into session timelines that show risk and changes by users and entities that can represent insider threats. Exabeam Security Investigation adds playbooks and automation, speeding resolution and offering protection via triggering automatic responses to common insider threat use cases.

If you need an “all in one” solution and are looking to either invest in a SIEM or replace your current SIEM, Exabeam Fusion combines all the features of Exabeam Security Investigation with a full-featured SIEM that lets you store security data for up to 10 years as needed for governance and compliance, with integrated threat investigation and workflows with full SOAR capabilities. Preventing botnets, Trojan activity, and malware proliferation through lateral movement should be on everyone’s holiday gift list.

Talk to your HR and finance teams today, and ask if UEBA is right for your year-end security needs to prevent insider threats and reduce the risk of the holiday freeze. Or, sign your team up for an Exabeam CTF competition to get a glimpse of the possibilities.

How to Build an Insider Threat Program with Exabeam

For more insights, watch this on-demand webinar with Andy Skrei and me.

Sometimes even having a SOC isn’t enough to address insider threats. Security operations teams are managing massive amounts of data across billions of events from on-premises and the cloud, but looking for specific needles like insider threats has special requirements that encompass both searching historic data and seeing evolving credential behavior changes as they happen.

Whether from downsizing or expanding business, employees, vendors, contractors and others are moving in and out of your environment. And often, it is during these turbulent times that insider threats go unobserved — because everything is changing.

In this webinar, you will learn about:

  • The four common scenarios where you need an insider threat team, and how to build a mission statement and tools
  • Four attributes of a successful insider threat program
  • How behavioral analytics baselines “normal” behavior of users and devices — showing risk faster
  • Automated investigation experience that automates manual routines and guides new insider threat teams
