Sol Cates CSO Vormetric

How to spot the Insider Threat


When the first revelations of former contractor Edward Snowden came out, it was a watershed moment for the debate on privacy and surveillance. For the data security industry, his actions revealed that insider threats remain all too difficult to detect and prevent. Yet, in the two years since the initial disclosures became public, the message that businesses are ill-equipped to deal with a data breach of this nature has yet to sink in. Indeed, we only need to look to the recent Morgan Stanley data breach to see what happens when yet another ‘trusted’ insider goes rogue.

The threat of an insider tampering with data systems has been a constant worry for IT managers over the years: an assortment of employees or associates of an organisation can, either maliciously or accidentally, put data at risk. Privileged users or ‘super-users’, however, invariably complicate matters. While their presence is often essential – performing key tasks like software installation, system configuration, user creation, networking, resource allocation and more – having access to private or sensitive information is not. We know that Snowden did not have to do anything extravagant – like bypassing firewalls or hacking into private databases – rather, the weak access controls in the policy assigned to him gave him ‘unfettered access’ to systems and the data stored within them.
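The distinction drawn above, that an administrator needs to manage a data store but does not need to read what is in it, can be expressed as a file-access policy. The following is an added example, written for this page and not Vormetric's product code: a small default-deny policy evaluator in which operations on a file as an object (backup, copy, move, permission changes) are separated from operations on its content (read, write), and an explicit deny for the sysadmin role on content overrides any allow. The role names, paths and service account are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Two kinds of operation on a protected file: administrative work on the file
# as an object versus access to its cleartext content. Keeping them apart is
# what lets a super-user do their job without seeing sensitive data.
ADMIN_OPS = {"backup", "copy", "move", "chmod", "stat"}
DATA_OPS = {"read", "write"}


@dataclass(frozen=True)
class Rule:
    principals: frozenset  # user names or "role:<name>" tokens
    path_glob: str         # shell-style pattern over the protected path
    ops: frozenset         # subset of ADMIN_OPS | DATA_OPS
    effect: str            # "allow" or "deny"


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    path: str
    op: str


def _matches(rule, req):
    tokens = {req.user} | {f"role:{r}" for r in req.roles}
    return (bool(tokens & rule.principals)
            and fnmatch(req.path, rule.path_glob)
            and req.op in rule.ops)


def evaluate(policy, req):
    """Default-deny evaluation: an operation is allowed only when some allow
    rule matches and no deny rule matches (explicit deny always wins)."""
    if req.op not in ADMIN_OPS | DATA_OPS:
        return "deny"  # unknown operation names are never granted
    decisions = {rule.effect for rule in policy if _matches(rule, req)}
    if "deny" in decisions:
        return "deny"
    if "allow" in decisions:
        return "allow"
    return "deny"


# Constructed policy (hypothetical): the sysadmin role may maintain the
# customer data store but never read or write its cleartext; only the billing
# service account may read it. Everyone else falls through to default deny.
POLICY = (
    Rule(frozenset({"role:sysadmin"}), "/data/customer/*", frozenset(ADMIN_OPS), "allow"),
    Rule(frozenset({"role:sysadmin"}), "/data/customer/*", frozenset(DATA_OPS), "deny"),
    Rule(frozenset({"svc_billing"}), "/data/customer/*", frozenset({"read"}), "allow"),
)


if __name__ == "__main__":
    root = Request("root", frozenset({"sysadmin"}), "/data/customer/accounts.db", "backup")
    print("root backup:", evaluate(POLICY, root))                      # allow
    print("root read:", evaluate(POLICY, root.__class__("root", root.roles, root.path, "read")))  # deny
```

A real enforcement point would sit below the application (for example at the file system or volume layer) so that the administrator's operating-system privileges cannot bypass it; the evaluator here only shows the decision logic.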

Unfortunately, our research confirms that the insider threat landscape is becoming more difficult to deal with as the range of miscreants moves beyond just the risk posed by employees and privileged IT staff. The advent and success of Advanced Persistent Threats (APTs) has led to a worrying spate of breaches in which the privileged user accounts of an organisation are compromised by malicious outsiders. Having hijacked the legitimate credentials needed to gain access, an attacker can carry out illegitimate activities that cause operational harm and steal data while remaining undetected for a long period of time. An uncomfortable secret of contemporary system and network management is that this twofold type of misconduct is very difficult to identify and track, since sophisticated hackers wielding the credentials of powerful administrators can create and delete multiple accounts, and even modify security event logs.

Further complicating the situation is that many business partners, suppliers, and contractors are often granted inappropriate access rights, and third-party service providers are being endowed with excessive admin privileges. Unless properly controlled, all of these groups have the opportunity to reach inside corporate networks and steal unprotected data. Encouragingly, however, when respondents to the 2015 edition of our annual research into the Insider Threat, carried out by Ovum and Harris Poll, were asked who poses the biggest internal threat to corporate data, it appeared that awareness is growing, albeit not as quickly as one would hope: 55 percent of business respondents globally said ‘privileged users’, 46 percent said ‘contractors and service providers’, and ‘business partners’ came in at 43 percent.

An interesting point to note is that the research shows UK insider threat concerns are far higher than those expressed by our European neighbour Germany. And, although less worried than the UK (or US) about data breaches, Germany had the highest rate of past data breaches – 27 percent – in the region. Interestingly, though spared the level of public exposure that follows a US data breach, 40 percent of UK companies revealed they had fallen victim to a significant data breach or failed a compliance audit in the last year. As a result, 50 percent of UK organisations confirmed that they were looking to increase spending on security and data protection in the year ahead.

When considering IT security spend to counter the risk posed by insiders, a burgeoning issue for businesses is the continued growth of cloud and big data use across enterprise operations. We know that the direction of travel for new applications is predominantly towards choosing a cloud-based alternative rather than upgrading previous-generation on-premise options. Equally, big data strategies are increasingly being introduced to gather analytical intelligence from previously untapped sources. Concerns arise, of course, not only because the data volumes involved grow and become increasingly distributed, but also because there is a general lack of control over origins and provenance, and over establishing who is responsible for governance.

While news about the malicious hacking trade and the actions of elusive cyber-criminals continues to grab headlines, it is high time businesses took heed of the insider threat and put the necessary data protection measures in place to control and monitor the actions of their most powerful users. Encryption technology allied to strong access controls and key management is needed for all important data sources. Further, coupling a data-centric solution with a data monitoring or intelligence gathering capability can be essential to identifying unusual data usage and access patterns that may indicate a problem. While accepting that there continue to be concerns from IT and business users about the performance impact of data protection solutions, the requirement to keep company data safe – and thus reputation intact – must be the overriding factor.
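The "unusual data usage and access patterns" mentioned above are only detectable if normal usage has been recorded first. The following is an added example, not part of the original article or any Vormetric product: it builds a per-user baseline from a window of file-access records (which data sources each user touches and their busiest hour of reads), then flags three kinds of deviation in later records: a read from a data source the user has never touched, a burst of reads well above the user's baseline rate, and activity from a principal with no baseline at all. The log format, user names, paths and timestamps are constructed for illustration; a real deployment would read the access events emitted by its own file-access or database audit agent.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not from any real system). Hypothetical format:
# "<iso timestamp> <user> <operation> <path>", one access event per line.
LOG = """\
2015-03-02T09:14:05 alice read /data/hr/payroll.csv
2015-03-02T10:02:11 alice read /data/hr/benefits.csv
2015-03-03T09:30:44 alice read /data/hr/payroll.csv
2015-03-03T11:12:09 bob read /data/eng/specs.pdf
2015-03-03T14:45:00 bob read /data/eng/roadmap.docx
2015-03-04T09:01:02 alice read /data/hr/payroll.csv
2015-03-04T09:01:03 alice read /data/hr/benefits.csv
2015-03-04T09:01:04 alice read /data/hr/reviews.xlsx
2015-03-04T09:01:05 alice read /data/hr/payroll.csv
2015-03-04T09:02:06 alice read /data/customer/accounts.db
2015-03-04T10:15:00 bob read /data/eng/specs.pdf
2015-03-04T23:40:10 svc_backup read /data/customer/accounts.db
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Yield (timestamp, user, op, path) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, op, path = m.groups()
            yield datetime.fromisoformat(ts), user, op, path


def prefix(path, depth=2):
    """Reduce a path to its data-source prefix: "/data/hr/x.csv" -> "/data/hr"."""
    return "/".join(path.split("/")[:depth + 1])


def build_baseline(events):
    """Per user: the set of data sources read and the peak reads in any one hour."""
    seen = defaultdict(set)
    per_hour = defaultdict(Counter)
    for ts, user, op, path in events:
        if op == "read":
            seen[user].add(prefix(path))
            per_hour[user][ts.strftime("%Y-%m-%dT%H")] += 1
    return {u: {"prefixes": seen[u],
                "max_reads_per_hour": max(per_hour[u].values())} for u in seen}


def find_anomalies(text, cutoff_iso, spike_factor=3, min_reads=4):
    """Records before the cutoff form the baseline; records at or after it are
    checked. Returns a list of (user, reason, detail) alerts."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = list(parse(text))
    baseline = build_baseline(e for e in events if e[0] < cutoff)
    alerts = []
    hourly = defaultdict(Counter)
    for ts, user, op, path in events:
        if ts < cutoff or op != "read":
            continue
        b = baseline.get(user)
        if b is None:
            # A principal with no history cannot be judged "normal"; surface it.
            alerts.append((user, "no baseline", path))
            continue
        p = prefix(path)
        if p not in b["prefixes"]:
            alerts.append((user, "new data source", p))
        hour = ts.strftime("%Y-%m-%dT%H")
        hourly[user][hour] += 1
        # Fire once, at the moment the hourly count crosses the threshold.
        threshold = max(min_reads, spike_factor * b["max_reads_per_hour"])
        if hourly[user][hour] == threshold:
            alerts.append((user, "volume spike", hour))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(LOG, "2015-03-04"):
        print(alert)
```

Run against the constructed records with the baseline ending on 4 March, the detector reports alice's burst of HR reads, her first-ever read from the customer data store, and the backup account that has no history in the window. The last of these is deliberately a judgement call for an analyst: a legitimate service account with no baseline looks the same as a newly created account, which is exactly the ambiguity the article warns about when administrators can create accounts at will.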

by Sol Cates, CSO, Vormetric.

About Vormetric


Security-conscious enterprises and government agencies turn to Vormetric for protection against both insider threats and the new breed of cyber threats, such as Advanced Persistent Threat (APT) attacks – across their physical, virtual and cloud environments.
The best way to protect what matters is to take a data-centric security approach: implementing access policies with fine-grained controls, deploying advanced encryption, key management and vaulting technologies to lock down critical data, and continuously gathering security intelligence to identify emerging issues in real time.
