Certainly, not all insider threats are malicious. But it’s also true that they are not always the result of ignorance about attacker techniques. Sometimes, security conscious people make mistakes because it’s just easier to take shortcuts that help them accomplish basic tasks faster. However, these shortcuts can leave their organization exposed. I had a chance to explore this idea in greater detail a few days ago, while I was participating in a panel discussion on insider threats at Atlanta Cyber Security Summit.
During the panel discussion, my esteemed colleagues covered off many of the insider threat topics that you would expect. We discussed anti-phishing and anti-malware strategies, data loss prevention and monitoring. There was also a lively debate about whether or not user training can effectively reduce risk. In my opinion, training isn’t going to cut it now that we have so many new developments with cloud and with DevOps and with automation in general. In these new environments, it’s not so much about training anymore, it’s about people doing bad things out of convenience and out of speed.
If you try to slow these people down while you are trying to secure them, they're just going to go off and do whatever they need for speed and automation. They don't necessarily mean to do bad things. They just have a job to get done on a very short time frame. Let me give you an example of this that I shared with summit attendees in Atlanta.
Imagine that you have an employee that needs keys and they want these keys on every machine they access. So, what do they do? They bake the keys into their golden image. Then that gold image is burned and cloned and cloned and cloned again. How bad can the resulting key sprawl get? At one organization we performed discovery on several thousand servers and found over a million keys. The organization had only expected to find a few thousand keys.
That key sprawl was not the result of someone trying to do bad things. It’s just that they thought they could take shortcuts to do their job faster and better and easier. And that opened up a very, very large threat surface.
It’s simply easier for someone to use the same authentication credentials, sharing the same key across multiple cloud systems. And many companies turn a blind eye to such misbehavior when it comes to managing their machine identities. But, on the flip side, when I asked summit attendees if they would allow someone in their organization to share a password that never expires across 50 different servers, their ears began to prick up.
To avoid these types of insider threats, I recommend that you make it easier for your users to follow security best practices. As I mentioned before, training is not always the answer. Instead, you may have more success by implementing policies that actually replace shortcuts in terms of delivering convenience and speed. Sure, policies get a bad rap. Users often view policies as interrupters that don’t make any sense. Indeed, if you have policies that your users won’t follow, then you’re not helping the business, you're hurting the business. That may be why about half of the attendees indicated that they didn’t have policies in place to prevent insider threats.
What I recommend is a "don't fight it, fix it” approach to policies. Why try to force somebody to use a policy that's not good for them? Why not try to find a policy and procedure that actually helps? Your users may then actually want to follow the policy because it helps them better do their job.
I recommend setting up automatic compliance with policies through self-service capabilities. It’s easier for users to request and deploy machine identities. And because it’s automated, you’re always going to end up with machine identities that are within your security parameters. Your administrators, developers and cloud operations folks all gain the ability to do things faster but yet do it in a secure manner. So, at the end of the day, you’ve solved both the problems of speed and security with one solution.
By automating your machine identity management, you’re actually making it easier for users to request secure keys and certificates. Ultimately, you're making someone that's a potential insider threat and you’re nullifying that risk because you're removing the possibility of the insider threat occurring for reasons of speed or convenience. In other words, you’ve created a situation where the user will actually want to follow good practices and procedures because it makes their job easier, better and faster.