Despite the endless drumbeat of data breach headlines, insiders — not outsiders — are the greatest concern to organizations. To take the pulse of IT security professionals on this threat, our company conducted a survey at this year’s RSA Conference which revealed that 72% of the 650 international respondents canvassed feel vulnerable to attacks from insiders.
Interestingly, those canvassed ranked user errors (39%) and malicious insiders (35%) as more worrisome than account compromise (26%) by external attackers. Adding salt to their wounds, nearly half of respondents said they can’t detect insider threats before data has left their companies.
The breach at Wipro earlier this year is a powerful reminder that account compromise attacks are essentially insider threats. In the case of Wipro, the Indian IT outsourcing and consulting giant, employee user account credentials were stolen in phishing attacks, allowing the fraudsters to look like insiders and to target the company’s downstream customers.
As the Wipro example illustrates, IT supply chains are popular targets because they have many vulnerabilities. Contractors, vendors and partners pose some of the greatest risks.
For convenience, companies often grant third parties privileged remote access to accomplish their work. Often, this access is forgotten and not deprovisioned once the work has concluded, leaving businesses vulnerable to attacks. These remote access pathways are often insecure, untracked and can be taken over by attackers.
Conventional remote connectivity methods, such as VPNs, lack granular access controls and can be exploited via stolen credentials and session hijacking.
The 2018 Ponemon Institute survey found that 59% of companies have suffered a breach caused by one of their vendors.
If you are concerned about inside security threats at your company, here’s what to be aware of and how you can better protect your organization.
Employees As A Security Risk
Despite the threat of account compromise attacks, leaders should understand that disgruntled or departing employees remain a security risk.
These employees can exfiltrate confidential data for financial gain or retaliation for some perceived wrong such as being passed over for a promotion.
Unfortunately, security information and event management (SIEM), data loss prevention (DLP), and other rules-based security products can only detect known threats, while insider attacks represent unknown threats.
While external attackers must first penetrate the network before finding the information they seek (while remaining undetected), malicious insiders already know where all the valuable data is and how to access it.
To protect against insider threats, organizations should implement the following best practices:
- Create specific policies, procedures and access rights for each employee role
- Establish user training about the dangers of phishing and the importance of not opening untrusted links and attachments, etc.
- Implement multi-factor authentication (MFA) on critical systems, applications and transactions
- Remove administrator rights on desktops
- Segment the network
While most of these techniques are fairly well known, it’s surprisingly common for many large enterprises to overlook these security best practices. Furthermore, insider threats are not always carried out by people within the organization. They can also occur when an employee’s credentials are shared or compromised. Once a legitimate user’s access is hijacked by an attacker, the intruder can remain undetected for long periods of time. To minimize the risk, organizations should provide unique credentials for every critical account on the network and continuously update those credentials.
In addition to these best practices, new approaches that use security analytics to profile normal human and entity/device behaviors are demonstrating the ability to detect insider threats that elude traditional security products. These types of solutions use machine learning to profile normal behaviors and then apply algorithms and statistical analysis to detect meaningful anomalies that may be associated with sabotage, data theft or misuse of access privileges.
To better understand behavior analytics, consider the previous privileged account compromise example. The moment the hijacked account is used to log in, security analytics would flag the activity as anomalous because the legitimate user never logged in from that location, and the IP address of the device has never been seen before. The session would be monitored. If the attacker, now logged in as a legitimate user, attempts to send spear phishing emails to customers, an alert would be created and sent to the security team in real time.
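To make the baseline-and-anomaly idea from the two paragraphs above concrete, here is a small Python illustration written for this article; it is not code from the article, from Gurucul, or from any product. It assumes a simple event schema (login events carry an IP and country, mail events carry a count of external recipients), constructed sample history for one privileged user, and illustrative weights and an alert threshold chosen for the example. A login from a never-seen IP and country is scored as anomalous on its own, and a burst of external mail far above the user's historical pattern is scored separately, so both steps of the scenario produce an alert.

```python
"""Toy user-behavior baseline: learn 'normal' per user, then score new events.

Illustrative example only (not a product's algorithm). Event schema, weights
and threshold are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Illustrative risk weights per indicator and the score at which we alert.
WEIGHTS = {"new_ip": 30, "new_country": 40, "mail_burst": 60}
ALERT_THRESHOLD = 60


@dataclass
class Profile:
    """Per-user baseline learned from historical events."""
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    external_recipients: list = field(default_factory=list)


def build_profiles(events):
    """Learn each user's normal login sources and external-mail volume."""
    profiles = defaultdict(Profile)
    for ev in events:
        p = profiles[ev["user"]]
        if ev["event"] == "login":
            p.ips.add(ev["ip"])
            p.countries.add(ev["country"])
        elif ev["event"] == "mail":
            p.external_recipients.append(ev["external_recipients"])
    return profiles


def anomalies(profile, ev):
    """Return the indicator names this event triggers against the baseline."""
    found = []
    if ev["event"] == "login":
        if ev["ip"] not in profile.ips:
            found.append("new_ip")
        if ev["country"] not in profile.countries:
            found.append("new_country")
    elif ev["event"] == "mail":
        hist = profile.external_recipients
        n = ev["external_recipients"]
        if hist:
            # Flag only a clear outlier: beyond mean + 3 std dev and above
            # anything previously seen (guards against tiny, tight histories).
            if n > mean(hist) + 3 * pstdev(hist) and n > max(hist):
                found.append("mail_burst")
        elif n > 0:
            found.append("mail_burst")  # user has never sent external mail
    return found


def detect(history, new_events):
    """Score each new event against its user's baseline; return alerts.

    Users with no history get an empty Profile, so their first login is
    treated as anomalous by design (no baseline exists yet).
    """
    profiles = build_profiles(history)
    alerts = []
    for ev in new_events:
        found = anomalies(profiles[ev["user"]], ev)
        score = sum(WEIGHTS[a] for a in found)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "event": ev["event"],
                           "score": score, "reasons": found})
    return alerts


# Constructed sample data (not real logs): a privileged user's normal history.
HISTORY = [
    {"user": "jsmith", "event": "login", "ip": "10.20.1.15", "country": "US"},
    {"user": "jsmith", "event": "login", "ip": "10.20.1.15", "country": "US"},
    {"user": "jsmith", "event": "login", "ip": "10.20.1.22", "country": "US"},
    {"user": "jsmith", "event": "mail", "external_recipients": 2},
    {"user": "jsmith", "event": "mail", "external_recipients": 1},
    {"user": "jsmith", "event": "mail", "external_recipients": 3},
    {"user": "jsmith", "event": "mail", "external_recipients": 2},
]

# Constructed new activity: a login from a never-seen address and country,
# routine mail, a normal login, then a mass mailing to external addresses.
NEW_EVENTS = [
    {"user": "jsmith", "event": "login", "ip": "198.51.100.7", "country": "RO"},
    {"user": "jsmith", "event": "mail", "external_recipients": 3},
    {"user": "jsmith", "event": "login", "ip": "10.20.1.15", "country": "US"},
    {"user": "jsmith", "event": "mail", "external_recipients": 40},
]

if __name__ == "__main__":
    for alert in detect(HISTORY, NEW_EVENTS):
        print(alert)
```

Running the script prints two alerts: one for the login (score 70, reasons new_ip and new_country) and one for the 40-recipient mailing (score 60, reason mail_burst); the routine mail and the login from a known address score zero. A real deployment would learn baselines over far more dimensions (time of day, device, resources touched, peer-group behavior) and would tune weights from observed false-positive rates rather than fixing them by hand.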
Behavior analytics can help address another major challenge in detecting insider threats, namely digital transformation initiatives that involve hybrid (on-premises and cloud) environments.
This architecture extends the attack surface and can create new, potentially bigger issues. For example, in the recent Capital One breach, a former Amazon employee accessed data belonging to the credit card company that was stored on an Amazon Web Services server. Without proper security controls and monitoring in cloud infrastructures, digital transformation projects are vulnerable to the same threats as their traditional data center brethren.
To put the scale of digital transformation initiatives and threats into perspective, 90% of companies will move to a hybrid cloud infrastructure by 2020, according to a forecast by research firm Gartner.
In my experience helping large health care, financial services and information technology organizations implement security analytics systems that monitor user behavior, I’ve found this approach can span and protect new hybrid cloud environments. This global view makes it possible to detect unusual activity, like the attacker in the Capital One data breach who accessed a server and downloaded millions of records.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.