Are Your Ex-Employees Insider Threats?

2016 RSA Security Conference in San Francisco

I was intrigued by Session HUM-R03F at the 2016 RSA Security Conference in San Francisco. At first I thought that the HUM session names meant that the conference organizers finally put together a security comedy track that I could kick back and enjoy.  But after reading the session description, I determined that that the topic was not only no laughing matter, but it hit very close to home.

A long time ago, I was a networking engineer for a mainframe vendor and was reading some system logs to diagnose a problem. I saw a lot of remote logins from one particular account coming in late at night so I looked her up so that I could ask her manager what she might be doing. It turned out that not only did she not work at my organization any longer, she had gone to a competitor.

By reading other logs and matching timestamps, I determined that she was downloading source code for the products that she had worked on previously. When I reported this to my manager, he went to HR and got a list of employees that had been terminated over the past few months and asked me to see if their accounts were still active. To a one, they were – and that’s when A) we discovered that IT was not part of the staff termination process; and B) I started my security career.


Times have changed since then (at most organizations anyway), and IT is included in termination notifications so that the laptop and any USB sticks come back and system access can be disabled for terminated employees.

But sending an email to IT may not remove the insider threat of a terminated employee for many reasons:

  1. Lack of centralized access tracking
  2. Access to cloud accounts such as and Google Docs
  3. Access to shared, and thus anonymous, privileged accounts such as root
  4. Company- or employee- initiated termination with notice

The first two issues are easily solved by implementing user-centric role-based tools and single sign on (SSO) while the third can be solved through the use of a privileged account control solution. The fourth issue of an employee who knows that they will be leaving your organization will take a hybrid approach.

Let’s take a look back at session HUM-R03F for some details. This session was presented by Dawn Cappelli, Vice President, Information Risk Management and Susan Schmitt, Senior Vice President, Human Resources, both of Rockwell Automation. Their task was to manage the technical and human aspects of insider threats due to reductions in force, outsourcing, global cultural and communication issues, termination for cause and other disciplinary issues.

Their premise is that the human threat to your organization’s information cannot be mitigated unless your IT and HR teams, people managers, processes, and technical tools are people-focused. The main issue is that while it’s impossible to sift through millions of security events, you can use a risk-based approach to filter out the noise and display only the specific events that can point to a threat.

Is an employee acting out of the ordinary? Do you believe that they might be preparing to trash your systems or data, or are they planning to take something with them when they leave? If they do leave, can you tell if and what they may have taken with them?

In a 2013 whitepaper sponsored by Symantec and researched by The Ponemon Institute (disclosure, I am a Fellow of The Ponemon Institute), half of the 3,317 surveyed individuals in six countries say they have taken information, and 40 percent say that they will use it in their new jobs. A study by the Software Engineering Institute says that 50% of insiders who steal IP do it within 1 month of leaving the company, 70% within 2 months, and over 80% take information within 3 months prior to their departure date.

Like the Ponemon study, the analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders’ actions during a relatively small window of time prior to their departure – if you have the partnerships and tools to do so and you use them before the employee walks out the door.

What can be done?

Many organizations are already running some of these tools, starting with a Security information and event manager (SIEM). But unless you have solutions for identity management, user activity and change monitoring, privileged account management, and data loss prevention (DLP), your SIEM will force you to try to locate a needle in a haystack. Why are these additional products so important?

Identity management enforces real-time identity and access management through policies that do not require human intervention—constant, consistent reconciliation against what role an employee is in and what he or she can access. An access review tool will let you collect then slice and dice user account information based on attributes such as groups, entitlements or high-risk applications. By integrating access review with your identity manager you can automate revocation for a closed-loop approach to user access.

A user activity and change monitoring solution enables your cyber security professionals to detect and respond to potential breaches in real time. This system can provide intelligent alerting of unauthorized configuration changes to systems and applications, or access and changes to critical files, all linked to a specific user account.

Privileged account management locks down named or shared administrator and root accounts and helps customers demonstrate that they are in control over who can access their environment with privileged entitlements. It helps them automatically track who is accessing which account, on which system and at what time. Additionally, intelligent, real-time keystroke or screen video logging will tell you exactly what they did with that account.

One way to protect privileged entitlements is to allow users to “check out” a password from a secure password vault for a specific period of time, then check it back in when they are done with it. Because Micro Focus Privileged Account Manager supports real-time keystroke logging, the session can be automatically terminated and the user’s access revoked if they are caught performing a risky activity, such as accessing restricted data or stopping a service.

Auditors can view recorded keystrokes and if an event requires further analysis, a workflow process escalates the event to the appropriate managers who can take immediate action.

Data loss prevention managers are available with various feature sets. Depending on the solution(s) that you install, a DLP can watch which files are being accessed or to where they are being moved, prevent the attachment of removable media on servers, desktops, and laptops, or can manage or prevent the copying of files to removable media, email, or cloud services.


Your IT and HR teams, people managers, and processes need to be partners. You need to be aware of changes in your employees’ behavior that could signal that they are about to sabotage systems or download confidential information. And while IT can respond to breaches, it cannot be their responsibility to allow or deny access; that should be up to your line of business managers – which means that you need access management tools in place that allow policies to be set by GUI and not by unintelligible strings of technospeak. Those tools better be in place before an employee who wants to harm your organization starts planning their exit.

What is Threat Intelligence?

Avatar photo
Share this post:

Leave a Reply

Your email address will not be published. Required fields are marked *