Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

The Malicious Insider

Created: 13 Oct 2013
Todd Y's picture
+1 1 Vote
Login to vote

Whether we're discussing an employee with the desire to steal data for personal gain, fulfill a vendetta or they just don’t know better, the results are the same.  What's at risk is damage to brand, customer loyalty, revenue, pipeline, etc.   While the threat of a Malicious Insider is nothing new.  What is new or at least changing is the attack vectors and gaps in security being exploited.   An examination of the most recent breaches clearly shows they are becoming more frequent and more damaging.  

Take for instance the Snowden breach.  Snowden was a trusted insider who successfully circumvented some of the tightest security in the world and walked out of an NSA facility with a thumb-drive full of classified information.  The sexy story to tell would be that he is a world class spy or hacker that gained access to sensitive documents.  The reality is, he simply exploited the permissions and privileges he had been given.  In fact, the NSA is lucky he only stole documents, the damage could have been much worse.  

To build on the Snowden case, lets pretend he was a VMware administrator?  With the proliferation of virtualization and cloud infrastructure, comes a consolidation of supporting technologies and roles.  In this new world, administrators now have God-like privileges to all virtualized resources.  This concentration of risk has huge implications from a security, risk, and audit perspective.   In this scenario could Snowden have walked with an image of critical defense systems?  Would anyone have known?  What auditing capabilities exist "inside" the virtual world?  Are there checks and balances?  The answer is generally no.
Let me take a step back and look at the Malicious Insider from two different perspectives;  physiological and technological.  From a physiological perspective, we need to look at what factors contribute to someone stealing IP?  Factors like corporate culture, work conditions, personal issues, financial gain, etc.  From a technological perspective, what technologies are required to address the Malicious Insider threat.  I'd like to offer a view into what we are seeing on the technology side.

The technology required to effectively detect and ultimately prevent Malicious Insider theft is fairly broad.  Effective detection requires a holistic effort, communication, and coordination between disparate technologies.  The more technologies "talk", the more effective analysts will be at finding the needle in the haystack.
To make it easier I've broken it down into two basic buckets; Standard and advanced.


  • Education/awareness
  • Encryption
  • Endpoint Protection
  • Enforce separation of duties and least privilege
  • Logging
  • Patch


  • Threshold Detection
  • Configuration Management
  • Device Control
  • Security intelligence
  • App Wrapping
  • SIM
  • Virtual Data Center security
  • Server Hardening
  • GRC
  • DLP

Best Practices:

  • Apply context to analysis.  Learn the actions and behaviors of employees with access to sensitive data.   For Example; if an employee uploads code as part of their job and they work 8-5, you wouldn't expect to see a large upload at 2:00am.
  • Don't get hung up on the tool.  Tools have rules and no matter how robust they are, they still operate within those rules.  Hackers have no rules, don't get bogged down in features, embrace a process.
  • Use strong authentication - 2FA and strong password
  • Deterrence.  Warning users or alerting them, will prove more valuable than any detection tool.
  • Security should be front and center, involve employees.
Blog Entry Filed Under: