There’s a Thin Line Between Malicious Insiders and External Attackers


Security in the past followed a castle-and-moat approach. All of an enterprise’s crown jewels were in one spot, so companies erected castles and moats around that location. They would then put guards on the perimeter to prevent outsiders from coming over the bridge.

But the cloud, digital transformation and the pandemic moved digital assets far and wide. Now a thief could be right next to the king’s treasury, and an enterprise would have no idea.

Businesses Now Lack the Visibility They Need to Understand Today’s Threats

If the crown jewels had been within the castle beyond the moat and the guards were watching who was coming and going, the enterprise would know if its walls had been breached. But in today’s IT environment, enterprises don’t have those constructs, so they have lost that visibility.

As a result, companies often fail to realize when bad actors are inside their environments, watching what people are doing and using those details to learn where the crown jewels are.

Security Is No Longer About Keeping the Enemy Beyond the Gate

Clearly, cyberattacks today are no longer just smash-and-grab jobs. Adversaries now know that they can establish footholds to maintain access, monitor to locate the most valuable assets and strike when the time is right. That’s what happened in the Colonial Pipeline ransomware attack. Bad actors laid a trap that enabled them to extract significant revenue – roughly $5 million.

This cautionary tale highlights the need for businesses to change the way they address security. Companies must rethink traditional notions about bad actors and understand that security is not about making distinctions between insiders and outsiders – because they’re all the same.

Attacks Can Originate From Any Endpoint – Even a Device Used By a Company Employee

Any endpoint, whether it’s an employee’s laptop or any other device, could become malicious at any point in time. Bad actors could then use that endpoint to expose a company’s secrets, encrypt an organization’s data and demand an exorbitant ransom to have it decrypted, or bring down critical systems that could put an enterprise’s reputation or even people’s lives at risk.

To avoid such outcomes, organizations need to understand their own systems; get the visibility that they need to look for deviations from patterns; and have the context to recognize which deviations are just variations in how people work and which represent actual, significant risk.

Know Your Data and Users, and Leverage Your Existing Investments

Gaining visibility requires organizations to have the right technology and cybersecurity talent to know the knowns, know the unknowns and get a better handle on the unknown unknowns.

Knowing the knowns starts with defining the things you already know to be predictable. That includes documenting where your critical data lives, who your users are, where they are and what they have access to. Documenting these knowns increases visibility, so anomalies stand out more easily.

To begin to know the unknowns, define the things that you don’t know. For example, you may not know what a general user’s behavior looks like or what websites employees visit. Once you document these things, it’s possible to establish baselines to make these unknowns knowns.

Leveraging Microsoft technologies like Office 365, which is used by more than a million companies worldwide, provides great insight into known knowns and known unknowns. That’s why our team of cybersecurity experts uses Office 365 and other Microsoft tools to understand what is common, what is not and how best to respond to incidents that represent real threats.

Helping mid-market businesses to make sense of what’s happening in their IT environments in this way enables them to make more informed decisions on what to do next – because you can’t make a good decision quickly to contain threats if you have to wade through 500 options.

It is possible to take a similar approach with the unknown unknowns by looking at whether anomalies or security alerts link to a known entity. This helps eliminate some of the noise so you can be confident that something is malicious and can quickly take action to address it.
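The approach described in this section (document where critical data lives and who may access it, baseline what normal user activity looks like, then use that context to decide which deviations are mere variation and which are real risk) can be sketched in code. The following is an added example and not part of the original post or any vendor tooling; the sign-in events, the user directory, the asset inventory, the field names and the severity labels are all constructed for the illustration.

```python
"""Baseline-and-context triage over constructed sign-in events.

Added example, not from the original post. The events, directory and asset
inventory below are constructed so the script runs offline; the field names
and severity labels are assumptions, not any product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Known knowns: where the critical data lives (constructed inventory).
CRITICAL_ASSETS = {"finance-share", "hr-db"}

# Known knowns: who the users are and what they are allowed to reach (constructed).
USER_DIRECTORY = {
    "alice": {"role": "finance", "allowed": {"finance-share", "mail"}},
    "bob": {"role": "engineer", "allowed": {"git", "mail"}},
    "svc-backup": {"role": "service", "allowed": {"finance-share", "hr-db"}},
}


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # 0-23, local time of the sign-in
    country: str     # geolocation of the source address
    resource: str    # what was accessed


# Constructed history used to turn "what does normal look like" into a baseline.
HISTORY = [
    Event("alice", 9, "US", "mail"), Event("alice", 10, "US", "finance-share"),
    Event("alice", 14, "US", "finance-share"), Event("alice", 16, "US", "mail"),
    Event("bob", 8, "US", "git"), Event("bob", 11, "US", "git"),
    Event("bob", 17, "US", "mail"), Event("bob", 20, "US", "git"),
    Event("svc-backup", 2, "US", "finance-share"), Event("svc-backup", 2, "US", "hr-db"),
]


def build_baselines(history):
    """Per-user baseline: countries seen, resources used and the hour window."""
    seen = defaultdict(lambda: {"countries": set(), "resources": set(), "hours": []})
    for e in history:
        b = seen[e.user]
        b["countries"].add(e.country)
        b["resources"].add(e.resource)
        b["hours"].append(e.hour)
    return {
        user: {
            "countries": b["countries"],
            "resources": b["resources"],
            "hour_window": (min(b["hours"]), max(b["hours"])),
        }
        for user, b in seen.items()
    }


def deviations(event, baselines):
    """List the ways an event departs from its user's baseline (empty = normal)."""
    b = baselines.get(event.user)
    if b is None:
        return ["unknown user"]
    found = []
    if event.country not in b["countries"]:
        found.append("new country")
    lo, hi = b["hour_window"]
    if not lo <= event.hour <= hi:
        found.append("outside usual hours")
    if event.resource not in b["resources"]:
        found.append("new resource")
    return found


def triage(event, baselines):
    """Combine a deviation with context to decide whether it matters.

    Returns (severity, reasons), severity being 'ignore', 'review' or 'investigate'.
    """
    devs = deviations(event, baselines)
    if not devs:
        return "ignore", []
    entry = USER_DIRECTORY.get(event.user)
    if entry is None:
        # An anomaly that links to no known entity is the hardest kind to dismiss.
        return "investigate", devs + ["user not in directory"]
    reasons = list(devs)
    # Access beyond what the directory grants is a violation, not a variation.
    if event.resource not in entry["allowed"]:
        reasons.append("resource not permitted for role")
        return "investigate", reasons
    # Service accounts run at odd hours by design; that alone is noise.
    if entry["role"] == "service" and devs == ["outside usual hours"]:
        return "ignore", reasons
    # An unusual sign-in that touches critical data is worth an analyst's time.
    if event.resource in CRITICAL_ASSETS:
        return "investigate", reasons
    return "review", reasons


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for ev in [Event("alice", 3, "RU", "finance-share"), Event("bob", 22, "US", "git"),
               Event("svc-backup", 3, "US", "hr-db"), Event("mallory", 12, "US", "mail")]:
        print(ev.user, triage(ev, baselines))
```

The point of the `triage` step is the one the text makes: the same deviation ("outside usual hours") is ignored for a backup service account, reviewed for an engineer reaching a non-critical system, and investigated when it links to a critical asset or to no known entity at all. Real baselines would use far more history and richer features than a single hour window, but the shape of the decision stays the same.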

Get the Right Talent and Technology to Establish Repeatable Security Missions

Yet most organizations are stuck in firefighting mode, chasing alerts rather than advancing their security maturity. They lack the talent and technology to establish repeatable cybersecurity missions, execute them around the clock and keep improving on them.

But forward-looking organizations are partnering with managed detection and response (MDR) experts to efficiently detect and remediate threats – wherever or whenever they may arise; protect their data, devices and stakeholders; and increase their business resilience.
