Insider Threat Protection

Published by Macy Sears on August 23, 2021

PeopleSoft Security Strategies

An insider threat is a user with permitted access to an organization’s assets, network, or data who uses their access to cause harm to the organization. An insider threat isn’t always a current employee of the firm. They can be former staff, third-party contractors or vendors, or even stakeholders. Oftentimes, it’s the ones you least expect.

In this post, we’re looking at the impacts of insider threats and breaking down the steps of internal defense plans that help keep your PeopleSoft systems protected.

Types of access controls for insider threat protection

Impacts of Insider Threats

A number of terms describe the people behind an inside job, such as pawn, goof, collaborator, lone wolf, and turncloak. While not all insiders may be alike, their impacts are among the most damaging.

Internal harm to a business can be the result of an intentional or unintentional act. In many cases, a series of contributing factors leads to an insider attack. And while not always the case, most individuals don’t begin working at a company with the intent to take it down. Over time, these users become accustomed to or involved in such behaviors for many reasons:

  • Anger, greed, or revenge
  • Corporate espionage or sabotage 
  • Negligence or normalization of deviant behavior  
  • Financial gain 
  • Human error

60% of all reported data breaches are caused internally. 

A recent study by the Ponemon Institute revealed the number of inside security incidents grew by an alarming 47 percent since 2018. And that’s not all – the average cost of a threat is up too. The report notes a 31 percent increase between 2017 and 2019, going from $8.76 million to $11.45 million.

As the number of cyberattacks continues to climb, insider threat security plans are imperative for protection. Organizations rely on HR as the first line of defense for keeping risk out. However, that alone isn’t enough. IT security teams also play a vital role in protecting the business from harm. It takes a team effort, but the fight against insider threats is possible with a plan of action.

While specific business or system aspects may vary, key actions in defense strategies are grouped into four main categories: 

Four categories of insider threat mitigation plans

Define

The basis of any insider threat protection program begins with understanding and defining the organization’s risk factors. This includes a firm’s assets, personnel, resources, equipment, network, or systems. It requires knowing where the sensitive information lives and determining who should access those files. Additionally, the organization must prioritize the risk levels associated with the classified information. 

PeopleSoft applications are built with layers of information and sensitive data. Knowing what a user can access and which Roles provide the access can be challenging for many administrators. Transparent user security, and viewing menus the way the user sees them in PeopleSoft, makes administration easier. The concept takes the guesswork out of identifying what users can access in PeopleSoft. This provides the foundation for managing PeopleSoft security in Sentinel.

Preventative access controls are deployed to stop unwanted or unauthorized access from occurring. They act as the initial support for preventing internal security incidents.

Enterprise-wide measures for prevention include security cameras, security policies and procedures, and antivirus software. It also involves providing staff members with security awareness training, provided by companies such as InfoSec.  In PeopleSoft, preventative access controls for security include password controls, lockout times, history logs, segregation of duties, and sensitive data access controls.

Deterrent access controls are deployed as the next level of defense. They serve to discourage the violation of security policies based on the fear of being caught or the consequences. 

The certainty of being caught is a stronger deterrent than a punishment. You won’t see many criminals engaging in crime if they know upfront they’ll get caught. 

Deterrent controls are similar to preventative measures, but pick up where a preventative control leaves off. In the example of security cameras, the camera alone has the chance to stop a person from committing a wrongful act. However, when it’s apparent that the camera is recording or directed onto them, the likelihood of engaging in a crime is far lower.

Security for PeopleSoft applications operates in the same context. Deterrent access controls for protecting our systems from insider threats include PII/PCI data tracking, transaction monitoring, and approval notifications for privileged access. Sentinel is delivered with built-in and customizable audit controls to serve as a deterrent against insider threats to your PeopleSoft systems.

Detect & Identify

Risk-based mitigation strategies require a threat detection system for identifying visible, concerning behaviors or actions of potential insider threats. This involves both human and technological aspects for validity.  People serve as sensors, picking up on unusual activities or encounters with their peers and coworkers. Technology activity monitoring aids in discovering actions below the surface.  

Detective access controls are deployed to discover unwanted or unauthorized user activity. Typically these measures are after-the-fact rather than real-time controls.  

Examples of detective controls within an organization include security guards, recording and reviewing camera footage, and incident investigations. In PeopleSoft, detective access controls include reviewing transactional history records, audits, and user access reviews. 

Managers and data owners should know what their users can access in order to mitigate the risk of unauthorized access. Access monitoring with notifications is a simple but effective way to identify users who shouldn’t have access.  Easy-to-read reports of segregation of duties conflicts and users with PII/PCI access can also help pinpoint when someone poses the risk of being a potential threat.

Sentinel privileged access audit report
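
The segregation of duties and PII/PCI access reports described above, sketched as an added example (not Sentinel's or PeopleSoft's own code). It runs the review as SQL in an in-memory SQLite database over constructed rows shaped like PeopleSoft's PSOPRDEFN and PSROLEUSER tables; the role names, the SOD_RULE and SENSITIVE_ROLE policy tables, and defining conflicts at role level are assumptions.

```python
import sqlite3

# Constructed sample rows shaped like PeopleSoft's PSOPRDEFN / PSROLEUSER; all names made up.
USERS = [("ALEE", 0), ("BKIM", 0), ("CDIAZ", 1), ("DROSS", 0)]  # OPRID, ACCTLOCK
ROLE_USERS = [  # ROLEUSER, ROLENAME
    ("ALEE", "EX_ENTER_VOUCHER"), ("ALEE", "EX_APPROVE_PAY"),
    ("BKIM", "EX_ENTER_VOUCHER"), ("BKIM", "EX_VIEW_SSN"),
    ("CDIAZ", "EX_ENTER_VOUCHER"), ("CDIAZ", "EX_APPROVE_PAY"),
    ("DROSS", "EX_MAINT_VENDOR"), ("DROSS", "EX_APPROVE_PAY"),
]
# Hypothetical policy: conflicting role pairs, and roles that expose PII/PCI data.
SOD_RULES = [("EX_ENTER_VOUCHER", "EX_APPROVE_PAY"), ("EX_MAINT_VENDOR", "EX_APPROVE_PAY")]
SENSITIVE_ROLES = [("EX_VIEW_SSN",)]

def open_review_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE PSOPRDEFN (OPRID TEXT PRIMARY KEY, ACCTLOCK INTEGER);
        CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
        CREATE TABLE SOD_RULE (ROLE_A TEXT, ROLE_B TEXT);
        CREATE TABLE SENSITIVE_ROLE (ROLENAME TEXT);""")
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)", ROLE_USERS)
    conn.executemany("INSERT INTO SOD_RULE VALUES (?, ?)", SOD_RULES)
    conn.executemany("INSERT INTO SENSITIVE_ROLE VALUES (?)", SENSITIVE_ROLES)
    return conn

def sod_conflicts(conn):
    """Unlocked users who hold both roles of an SoD rule (locked accounts cannot sign on)."""
    return conn.execute("""
        SELECT DISTINCT a.ROLEUSER, r.ROLE_A, r.ROLE_B
        FROM SOD_RULE r
        JOIN PSROLEUSER a ON a.ROLENAME = r.ROLE_A
        JOIN PSROLEUSER b ON b.ROLENAME = r.ROLE_B AND b.ROLEUSER = a.ROLEUSER
        JOIN PSOPRDEFN u ON u.OPRID = a.ROLEUSER AND u.ACCTLOCK = 0
        ORDER BY a.ROLEUSER, r.ROLE_A""").fetchall()

def sensitive_access(conn):
    """Unlocked users who hold any role flagged as PII/PCI."""
    return conn.execute("""
        SELECT DISTINCT ru.ROLEUSER, ru.ROLENAME
        FROM PSROLEUSER ru
        JOIN SENSITIVE_ROLE s ON s.ROLENAME = ru.ROLENAME
        JOIN PSOPRDEFN u ON u.OPRID = ru.ROLEUSER AND u.ACCTLOCK = 0
        ORDER BY ru.ROLEUSER, ru.ROLENAME""").fetchall()

if __name__ == "__main__":
    db = open_review_db()
    print(sod_conflicts(db), sensitive_access(db))
```

Each returned row names the user and the role or role pair behind the finding, which is what a manager or data owner needs to confirm or revoke the access.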

Assess

When something isn’t quite right, it should trigger the next level of a defense plan – threat assessment. This includes looking into the person of concern’s interests, motives, intentions, and desire to hurt an organization or others. There is no standard practice when it comes to this step, as threat assessments are based on behaviors, not profiles.

When a potential insider threat is discovered, it prompts the need for an initial screening. This allows the organization to decide if the concern is unwarranted, requires a non-emergent threat assessment, or if emergency intervention is necessary. The circumstances and outcome of the situation will drive the actions of the next step. 

Threat assessments should be conducted by an established threat management team consisting of:

  • Existing internal members – CIO/CISO, HR, General Counsel, etc.
  • External resources – Investigator, Medical or Mental Health Counselor (As needed).
  • Trusted sources – Direct reports and staff members.

*Some large enterprises may also require additional support from an insider threat analyst.

Manage

Once an internal threat is detected, proactive management strategies can help turn a harmful outcome into an effective relief. 

Corrective access controls are deployed to restore systems to normal following an unwanted or unauthorized activity. These controls are often very simple and have limited capability to respond to access violations.  

Enterprise corrective controls include alarms or intrusion detection systems. In PeopleSoft security, corrective action measures include locking and removing access for inactive or terminated users. Sentinel automates provisioning and deprovisioning access based on specific job criteria or actions. The capability serves as a further opportunity for a business to reduce risk or likelihood of human error.   

Recovery access controls are deployed to repair or restore resources or functionality after a violation has occurred. These controls are more advanced and provide additional backup when an insider threat has occurred.  

Examples of recovery controls include backups and restores, disaster recovery, fault-tolerant drive systems, server clustering, and database shadowing. Not only do these measures aid in damage repair, but they can prevent further damage from happening.  

Compensating access controls are deployed to satisfy the requirements of a security policy on existing controls. These are commonly known as alternative controls.

Compensating controls are used to satisfy compliance standards, but are typically less desirable than separation of duties. These practices are more prevalent among businesses with small teams. Examples of compensating controls include additional oversight, personnel supervision, and monitoring.  

Directive access controls are deployed to direct, confine, or control the actions of subjects, enforcing compliance with security policies. 

Directive controls include security personnel, tailgating controls, policy notifications, recertifications, and mandatory training for security awareness. 

Access controls for mitigating insider threats are further categorized based on implementation. Controls can be administrative, logical/technical, or serve as physical barriers. The use of security access controls allows an organization to better prepare, detect, and avoid insider threats. For more information on how Sentinel leverages access controls to simplify managing PeopleSoft security, contact our team today.

Sentinel access controls for insider threat protection
