When the Privileged Insider Goes Bad – 5 More Ways to Tackle Insider Threat


Last week Stephane Charbonneau, TITUS CTO, laid out 5 steps to help tackle insider threats. These tips focused on user training, user involvement and fostering a culture of security in order to prevent accidental user leaks and to [hopefully] prevent users from crossing the line into malicious behaviors. But what if the user is committed to abusing their internal access privileges for their personal gain?

Undoubtedly there are departments or data within your organization where a zero trust model might need to be enforced because the risks posed by a rogue employee are too high. There are likely areas where users have access to data so important and valuable that they are motivated to steal, sell, or otherwise leak data. For those who have access to this data stronger measures need to be in place.


With that in mind, let’s look at 5 more ways classification can limit insider threats to your data. This time, focusing on the 4% of users with malevolent intentions.*

  1. Apply persistent classification metadata – Knowing what data is sensitive is crucial to enforcing proper data protections. TITUS applies persistent metadata which clearly identifies the email, document or file’s sensitivity so that security policy knows exactly how it should be handled, protected and shared. Think of classification as an RFID tag on an item in a store that sets off the alarms and enables security to prevent the [data] goods from being stolen.
  2. Automate classification – In Steph’s blog, he talks about involving the user in the classification process and how that helps to foster a culture of security. But there may be instances when you don’t want to provide your users with the opportunity to set the classification too low, or you want to make sure a file contains specific metadata that maybe the user does not even know about (for example, files generated by the R&D department could be specially tagged). TITUS can identify data based on the location, the creator, the content, the environment, and multiple other criteria. Based on any one or any combination of these, TITUS can automatically apply the appropriate classification. As with user applied classifications, this metadata can be used to trigger the appropriate security policies within TITUS or your security ecosystem.
  3. Ensure consistent application of encryption and information rights management – Classification is not encryption, but it does make its application much easier. Based on the classification applied to the data, the appropriate information rights management and encryption can be applied to protect the file. Simplify the protection of your most sensitive files with classification. Completely hidden from the user, TITUS can classify and trigger the sometimes complicated data protection process. From an authorized user perspective, they can access and exchange information seamlessly with other authorized users while the rights management and encryption technologies can ensure that the data remains safe from copying and printing. Encryption also ensures that if a malicious user manages to get the file outside of your control, the information remains protected.
  4. Protect data in the cloud and on mobile – In the previous blog Steph spoke about how identifying metadata can help strengthen your data loss prevention (DLP) systems on the network and endpoint. The same is true for the new breed of DLP systems or cloud access security brokers (CASB). They too can leverage classification metadata to prevent the exfiltration of sensitive data to unauthorized clouds.
    The mobile world poses a slightly different problem. As workers split time between desktops and mobile devices, it is more important than ever to ensure proper identification of sensitive data because mobile apps work differently than their desktop counterparts. Mobile apps often make their own copies of data and are usually designed for easy sharing with other apps, email, or cloud sync-and-share services. Controlling data flow to, on, and from mobile devices is a high a priority for companies that want to ensure the bad employee can’t skirt around the traditional network border by sending data to a mobile device. TITUS classification metadata can be leveraged on mobile devices the same as on the desktop, preventing users from sharing files to unauthorized email recipients or cloud services. In addition, TITUS Classification for Mobile supports data encryption and information rights management (Microsoft RMS) on mobile devices, allowing for an efficient mobile workforce while ensuring that extra layer of protection should the file manage to find its way into unauthorized hands.
  5. Keep eyes on your sensitive data with reporting – Key to catching the enemy insider is to monitor what they are doing. There are several applications that help uncover insider threat through a deep analysis of user activity, but without classification metadata on the files these workers access, creating a threat profile is much harder. Classification illuminates exactly when a user tried to exfiltrate a sensitive file. It also provides another key threshold for identifying a bad user. Since classification triggers security policy, a user downgrading files so they can share them via email, thumb drive or cloud will clearly be visible in a TITUS report. TITUS reports can be shared with your SIEM and threat analysis tools (such as Intel McAfee ESM) as well to provide a much more accurate user profile and quicker threat detection.

*Symantec Data Loss Prevention Risk Assessment Findings

Leave a Reply