Managing the Outsourcing Security Risks
by Csaba Krasznay, Product Manager of Shell Control Box, Balabit
In a global environment, IT responsibilities are increasingly being outsourced, and outsourcing is proving to be a popular tool for organisations seeking to reduce costs effectively. The number of third-party personnel given long-term access to organisations’ critical systems and sensitive information is growing rapidly, and these third parties are becoming increasingly essential to many businesses and IT operations. They may operate a network infrastructure, maintain a web site, provide email or CRM services, or perform a myriad of other invaluable IT services. Adopting outsourcing as a tool for IT processes invariably involves an organisation trusting an outside party with a variety of sensitive information, be it customer or financial data, which in turn comes with its own risks.
Third parties are beginning to reap the benefits of user monitoring for their own activities within the client network, as this way they can prove what they did and did not do. Having an activity monitoring tool in place enables third parties to increase their transparency, and customers can put more trust in a third-party solution provider when its activities are transparent and they can see in real time who accessed what sensitive data and what is happening in their IT systems.
What are the risks?
Almost all organisations and sectors are faced with the problem of managing security breaches caused by insider threats to vital computer assets. Giving responsibility to external IT contractors could be seen as an even greater security risk, as it can potentially weaken the protection controls and increase the number of third parties having the same privileges and access rights as employees.
Without the appropriate inbuilt protections, a shift to the use of outsourced IT, along with the high rate of worker turnover in outsourcing, can lead to an increase in vulnerability for organisations, ranging from the loss of intellectual property to the possibility of high-value knowledge being transferred to a competitor or other external source. This creates an opportunity for malicious actors with access to sensitive information that can harm the organisation and its reputation.
The common theme of recent, high-profile breaches is that they were carefully planned and went undetected for some time, with the attackers moving freely inside the victim’s IT environment. For example, a former employee at Home Depot who was authorised to have access to computer systems leveraged that access to obtain credit card information from Home Depot tool rental transactions.
Malicious insiders hold an advantage over an external hacker in that a company’s primary security tools are often designed to protect against external threats, not against trusted employees. A malicious insider has the potential to cause huge amounts of damage to an organisation and possesses many advantages over an external attacker. For example, they often have privileged access to facilities and sensitive information, have knowledge of the organisation and how its processes work, and are able to identify the location of valuable assets. Insiders will know how, when and where to attack and how to cover their tracks after the attack, which is precisely why organisations need to recognise the need for IT security measures for privileged users.
How to overcome the security risks of outsourcing
But what measures can enterprises adopt in order to stop their sensitive data from being compromised by these third parties? In order to mitigate this risk, it is necessary to develop stringent safeguards and integrate activity monitoring capabilities when organisations employ outsourcing contractors for their IT responsibilities. Firewalls and standard application protection are not enough to protect against insider threats. When trying to reduce the risk of sensitive data being compromised, adopting a holistic view of IT security can benefit the organisation. One approach that organisations are adopting in order to close the blind spot of traditional security monitoring tools, and to uncover risks that many security tools cannot identify, is to examine users’ behavioural patterns. This is carried out by analysing how we interact with IT systems, which can leave a recognisable fingerprint that can then be detected. Users log into the same applications, do the same things while working and access similar data. These profiles are then ‘learned’ and can be compared in real time to the actual activities of a user to detect irregularities and differences in behaviour. Once the abnormalities are detected, counter actions can be applied to stop an ongoing attack or to investigate the event further.
Malicious insiders have been proven to behave differently compared to normal employees. If an employee who has resigned from the outsourcing company plans to steal company data, real-time user behaviour technologies enable organisations to detect this abnormal activity and alert the relevant security team in real time for further investigation. Detecting deviations from normal behaviour and assigning a risk value helps companies focus their security resources on the most important events and also allows them to replace some controls, yielding greater business efficiency. Adding more tools that restrict users won’t make your company safer; it will just make your employees less productive.
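A minimal sketch of the profile learning and risk scoring described above, as an added example that is not from the original article or from any vendor product. The record fields, feature weights, alert threshold and all session data are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed history of past sessions: (user, target host, application, hour 0-23)
HISTORY = [
    ("contractor_a", "crm-db01", "psql", 9), ("contractor_a", "crm-db01", "psql", 10),
    ("contractor_a", "crm-db01", "psql", 9), ("contractor_a", "crm-db01", "psql", 14),
    ("contractor_a", "crm-web01", "ssh", 10), ("contractor_a", "crm-web01", "ssh", 11),
    ("contractor_a", "crm-db01", "psql", 15), ("contractor_a", "crm-web01", "ssh", 9),
]
WEIGHTS = {"host": 0.4, "app": 0.3, "hour": 0.3}  # assumed feature weights, sum to 1
THRESHOLD = 0.7                                   # assumed alerting threshold

def learn_profiles(history):
    """Learn a per-user baseline: how often each host, app and hour was seen."""
    new = lambda: {"host": Counter(), "app": Counter(), "hour": Counter(), "n": 0}
    profiles = defaultdict(new)
    for user, host, app, hour in history:
        p = profiles[user]
        p["host"][host] += 1
        p["app"][app] += 1
        p["hour"][hour] += 1
        p["n"] += 1
    return profiles

def risk_score(profiles, event):
    """Return 0.0 (fully familiar) to 1.0 (nothing matches the learned profile)."""
    user, host, app, hour = event
    p = profiles.get(user)
    if p is None:
        return 1.0  # no baseline for this account: treat as highest risk
    n = p["n"]
    # Hours are compared with a +/-1 hour tolerance, wrapping around midnight.
    near = sum(p["hour"][(hour + d) % 24] for d in (-1, 0, 1))
    familiarity = {"host": p["host"][host] / n, "app": p["app"][app] / n,
                   "hour": min(1.0, near / n)}
    return round(sum(WEIGHTS[f] * (1.0 - familiarity[f]) for f in WEIGHTS), 2)

def flag_sessions(profiles, events, threshold=THRESHOLD):
    """Return the events whose deviation from the baseline warrants review."""
    return [e for e in events if risk_score(profiles, e) >= threshold]

# Constructed new activity to compare against the learned profiles.
NEW = [
    ("contractor_a", "crm-db01", "psql", 10),     # usual host, app and hour
    ("contractor_a", "crm-db01", "psql", 23),     # usual work, unusual hour
    ("contractor_a", "finance-db02", "scp", 2),   # new host, new app, night
    ("contractor_z", "crm-db01", "psql", 10),     # account with no baseline
]

if __name__ == "__main__":
    profiles = learn_profiles(HISTORY)
    for event in NEW:
        print(event, risk_score(profiles, event))
```

A single unusual attribute, such as the late-night session on a familiar host, raises the score without crossing the threshold; only sessions that deviate on several features, or come from an account with no baseline, are flagged.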
As well as identifying the unusual activities within a system, the reaction to this unusual activity is important when trying to significantly reduce the time a malicious attacker has before any countermeasure is taken. By utilising different machine learning algorithms which work autonomously, organisations are now able to learn about user behaviour quickly and efficiently before it’s too late. In the majority of attack scenarios, the high-impact event is preceded by a ‘reconnaissance phase’. The swiftness of detection and response to this phase is critical to preventing any further high-impact activity from occurring. Likewise, being aware of the normal habits of high-risk users is also valuable.
As outsourcing continues to gain in popularity, the threat of malicious insiders will grow. However, with the right security software in place to monitor the activity of these third parties, it is possible to mitigate the risks of opening up your sensitive data to outside agencies, as well as ensure compliance with regulations requiring the careful monitoring of data access.