Page 83 - Cyber Defense eMagazine for June 2021

Best Practices for Mitigating Insider Threat Risks

Despite the challenge of these evolving risks, there are best practices that organizations can employ to fortify their security posture and mitigate insider threats.


How should companies mitigate those risks?

1. Visibility
   a. Mandiant recommends organizations invest in purpose-built insider threat data loss prevention solutions which can detect, alert, and block (if necessary) malicious behavior, and which keep working whether the endpoint is connected to or disconnected from the internet.

2. Least Privilege
   a. In both production and development networks, Mandiant recommends organizations implement user access controls across all environments on their networks to ensure users, developers, and administrators only have the access necessary to perform their assigned responsibilities.
   b. Limit and audit the users who can create accounts in on-premises networks and cloud environments.

3. Logging
   a. Mandiant recommends logging and event aggregation, with events sent to a Security Information and Event Management (SIEM) system. This provides a level of mitigation if a malicious insider attempts to clear logs, because the separately streamed copy held on the other system would still be available.

4. Network Segmentation
   a. Mandiant recommends organizations investigate their network segmentation and limit unnecessary traffic to highly sensitive environments from less trusted environments. This helps prevent an insider from moving laterally or connecting from an internal network segment to a cloud environment. Additionally, all systems that do not need to be publicly facing should be segmented from public access and restricted as much as possible.

5. Offboarding
   a. Mandiant continues to remind clients who may have to terminate employees or contractors not to give advance notice, to limit communications, and to remove network access immediately. This also applies when an employee voluntarily resigns or retires. Additionally, all SSH keys, PEM files, MFA enrollments, service passwords, and application passwords the individual had access to should be rotated across all environments (e.g., developer and production), and MFA devices unenrolled, each time an employee or contractor with these accesses leaves the organization.

6. Assess
   a. Mandiant recommends organizations have an insider threat program assessment conducted with defined, key outcomes: actionable, organization-specific risk mitigation recommendations; prioritized intelligence requirements based on the current and horizon intelligence landscape; and roadmaps for all maturity levels of insider threat security programs. Assessing annually with different tools can reveal varied areas of focus and identify gaps in capabilities that could be rectified.
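As an added example that is not part of the article or of Mandiant's guidance, the Python below shows the detection side of the Logging item (3a): it scans log records forwarded to a SIEM for the events that mark a local log being cleared, and reports how many earlier records from the same host the SIEM copy already holds. The sample records are constructed, the JSON-lines field names and the auditd key name are assumptions of this example, and the Windows event IDs are real.

```python
"""Flag log-clearing activity in records forwarded to a SIEM (added example;
the JSON-lines shape and the auditd key name are assumptions)."""
import json

# Windows: Security Event ID 1102 ("The audit log was cleared") and
# System Event ID 104 ("The System log file was cleared").
WINDOWS_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
# auditd key assumed to be set by a watch rule on /var/log,
# e.g. "-w /var/log -p wa -k logmod" (assumption of this example).
AUDITD_LOG_KEY = "logmod"

# Constructed sample stream, as forwarded by agents on three hosts.
SAMPLE_RECORDS = """\
{"host": "ws-17", "source": "windows", "channel": "Security", "event_id": 4624, "user": "jdoe"}
{"host": "ws-17", "source": "windows", "channel": "Security", "event_id": 4688, "user": "jdoe"}
{"host": "ws-17", "source": "windows", "channel": "Security", "event_id": 1102, "user": "jdoe"}
{"host": "build-02", "source": "auditd", "type": "SYSCALL", "key": "binaries", "syscall": "execve", "user": "svc-ci"}
{"host": "build-02", "source": "auditd", "type": "SYSCALL", "key": "logmod", "syscall": "unlinkat", "user": "jdoe"}
{"host": "dc-01", "source": "windows", "channel": "System", "event_id": 104, "user": "admin7"}
"""

def is_log_clearing(rec: dict) -> bool:
    """True if one forwarded record indicates that a local log was cleared."""
    if rec.get("source") == "windows":
        return (rec.get("channel"), rec.get("event_id")) in WINDOWS_CLEAR_EVENTS
    if rec.get("source") == "auditd":
        return rec.get("key") == AUDITD_LOG_KEY
    return False

def find_log_clearing(jsonl: str) -> list:
    """Return (host, user, reason, retained) per clearing event, where
    `retained` counts earlier records from that host the SIEM already holds."""
    seen_per_host, hits = {}, []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host = rec["host"]
        if is_log_clearing(rec):
            reason = (f"{rec['channel']} event {rec['event_id']}" if rec["source"] == "windows"
                      else f"auditd key {rec['key']} via {rec.get('syscall')}")
            hits.append((host, rec.get("user"), reason, seen_per_host.get(host, 0)))
        seen_per_host[host] = seen_per_host.get(host, 0) + 1  # the copy the insider cannot erase
    return hits

if __name__ == "__main__":
    for host, user, reason, retained in find_log_clearing(SAMPLE_RECORDS):
        print(f"ALERT {host}: {reason} by {user}; {retained} earlier record(s) retained in SIEM")
```

In a real deployment the same rule would run inside the SIEM on the forwarded stream, so the alert fires from the copy the insider could not touch.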

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.