The Danger Within: Protecting Data From The Insider Threat
Michael Crouse, director of insider threat strategies at Raytheon, shares the results of the 2014 Ponemon Insider Threat and Privileged User Survey.
Until recently, external hackers were grabbing headlines as often as they were stealing information. But data leaks that originated from inside organizations, known as insider breaches, were rarely mentioned.
Headlines like “Nearly 200 Million Records Compromised in Q1” or “South Korean Data Breach Linked to an Insider” indicate that much more attention is being paid to the internal threat. Unsettlingly, these reports barely scratch the surface of the actual number of “inside jobs” of both the malicious and unintentional varieties — from the theft and distribution of sensitive data by a system administrator to a malware-infected PDF mistakenly downloaded at work.
Malicious or unintentional, all insider breaches hurt companies. They can damage a firm’s reputation, market advantage and bottom line, sometimes costing millions of dollars. Despite the increased awareness about the severity of the insider threat risk, a Raytheon-commissioned Ponemon survey of 693 information technology professionals indicated only 40 percent of IT budgets include funding to prevent it.
If insider threat is so well-known and damaging, why aren’t more organizations addressing the issue? One reason is that IT security budgets are largely focused on defending against external threats. While those types of attacks are greater in number, insider breaches are often far more damaging.
In fact, many outside threats depend on insider access. Forty-seven percent of respondents said it’s likely that malicious insiders use social engineering or other measures to obtain someone’s access credentials — an increase of 21 percent when compared with a similar survey from 2011. In addition, 45 percent say it’s likely that social engineers from outside the organization will target privileged users to obtain their access credentials. This underscores that an “insider” isn’t always physically based within an organization and that privileged users are truly the focus when we talk about insider threats.
Who are privileged users, and what is the “privileged user threat”?
A privileged user is an employee with a high level of access to company data and/or the power to make changes to the company’s network. Companies give users privileged access because their jobs require access to source code, file systems and other assets that allow them to upgrade systems or make technical changes. According to The CERT Guide to Insider Threats, privileged users are employed throughout nearly every company.
A privileged user’s greater system access exposes more of their company’s sensitive data, such as financial records, customer credit card records or confidential product information. Even if they’re not technically given access to this type of data, they can often bypass measures implemented to regulate non-privileged users and access the information anyway. Another scenario involves the abuse of temporary access privileges.
To address this risk, the amount of funding dedicated to insider threat prevention should match or exceed the amount of awareness indicated by the survey results. A simple first step companies can take is to tighten privileged user access controls. But even after the strictest of access control policies are implemented, privileged users with the ability and access to do damage – intentionally or unintentionally – will still exist within every organization.
To further mitigate the risk, it’s critical that organizations address the insider threat problem with a planned, layered approach to data defense. A critical element of any data security suite is an endpoint monitoring tool that analyzes user behavior to determine the context of how users are interacting with the network and to gauge their intent. Survey respondents said the two biggest challenges companies face when addressing insider threats are having enough contextual information provided by security tools (69 percent) and security tools that yield too many false positives (56 percent). Endpoint monitoring and auditing tools provide visibility and context.
The Ponemon survey also indicated that companies often have difficulty knowing when an action taken by an insider is truly a threat. This means that monitoring human behavior is especially important with privileged users because they know how to cover their tracks.
However, automated tools, including video replay and other deterrent capabilities, make it harder to escape notice. If privileged users know they’re being monitored, they’re less likely to behave badly. Gartner predicts that by 2018, 80 percent of endpoint protection platforms will include user activity monitoring and forensic capabilities, up from less than 5 percent in 2013.
The Core of the Privileged User Problem
At the core of the privileged user problem is this dichotomy: Privileged users’ additional access means they are simultaneously a company’s strongest line of security enforcement and its biggest security risk. Put another way, if privileged users want to do bad things, their elevated access to the company network – and all the information it contains – makes it easier to accomplish their goal.
Even a well-intentioned privileged user poses high risks. When a system administrator or network engineer with elevated access clicks on a malicious link or downloads an infected file, company-wide damage is far more likely to occur than if an employee without elevated access does the same thing.
The privileged user threat shows no signs of diminishing, in large part because economic pressures have forced companies to accomplish more with smaller staffs. Stressed-out, over-tasked employees generally pay less attention to protecting their elevated network access privileges.
To keep their data, their reputation and their finances properly secured, organizational leaders must address every issue outlined above by recognizing their most serious data security threat may be sitting in an office across the hall or answering calls in a cubicle downstairs.
Last Updated: 05/05/2015