The Verizon Data Breach Investigation Report "Snapshot" on intellectual property theft, released today, made one thing clear: There is no one-size-fits-all approach to securing valuable data from threats.
To know if a trusted user is a threat, you need to be able to separate suspicious or malicious behavior from normal behavior.
research director, Enterprise Management Associates
Many attacks and breaches are incidents of opportunity (an insecure Web server is spotted, and therefore infiltrated), according to the Verizon RISK Team. However, the Verizon Data Breach Investigation Report (DBIR) Snapshot on Intellectual Property theft (.pdf) found that when it comes to IP theft, the attacks are often much more targeted. "The fact that it is usually a different kind of threat agent -- those looking for highly sensitive information to be used for a specific purpose, as opposed to those only looking for a quick cash out -- also changes the game," the report said.
One could assume such attackers would be much more motivated, and perhaps a little sneakier than the opportunistic attacker. While 87% of threat agents by percent of breaches involving intellectual property theft involve external attackers, 46% are from internal agents, according to the report. The reason these numbers tally higher than 100%? In many cases insiders are working with external attackers in some way.
What the data did show is that while insiders may be involved in fewer IP theft incidents, they can't be ignored by security and risk management teams. According to the Verizon report, end users counted for about two-thirds of IP theft, followed then by financial staff, executives and finally system administrators.
These insiders pose a unique threat because they often are permitted to access the very data they're stealing, said Scott Crawford, a research director at market research firm Enterprise Management Associates. In this interview, Crawford shares some insight into what enterprises are doing to mitigate the insider risk. Previously, Crawford worked as the first information security officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization (CTBTO), an organization that represented more than 150 nations.
What are ways enterprises should consider monitoring for insider threats?
Scott Crawford: To know if a trusted user is a threat, you need to be able to separate suspicious or malicious behavior from normal behavior. To do that, you need to understand what 'normal' activity is. The ability to determine norms and identify suspicious anomalies already exists in technologies such as fraud detection and prevention in retail banking, for example.
Other technologies that attempt to monitor suspicious activities include SIEM [security information and event monitoring] and investigative platforms such as EMC/RSA NetWitness, Solera Networks and AccessData SilentRunner, as well as technologies from data leak prevention to identity management, particularly those IAM [identity and access management] technologies focused on role and privilege definition and management. When access privileges are reviewed, those that fall outside norms for certain roles may be flagged as exceptions and should be reviewed for consistency with organizational policy.
What are traits that should be looked for, potential keys of insider wrong doing or intent?
Crawford: The red flags, in terms of access privileges, include: conflicts of interests, violations of separations of duties, or unexplained exceptions to access privileges. In the cases of Jerome Kerviel (Societe Generale 'rogue trader') and Nick Leeson (Barings Bank rogue trader), for example, inadequate oversight was a factor. Kerviel also apparently retained back office privileges while working in a front office trading role, which enabled him to bypass controls on trade oversight. Those two cases, however, beg an even larger question: Why weren't these traders better overseen? Could it be that if their employers thought they were making money, they didn't want to trifle with success?
Intellectual property protection
Verizon DBIR analysis finds intellectual property theft takes years to detect
Verizon DBIR: Identify insider threat warning signs, safeguard IP
Thus, corporate governance also plays a role.
Another aspect of insider risk is when the privileges of a trusted insider are abused by a malicious outsider. This is one area where the ability to detect activity outside the norm for a given role could be particularly useful -- when an insider's privileges are exploited by an external attacker to gain access to sensitive internal data, for example.
There are other areas where a lack of insight or control is also a factor that should also be raised as a red flag. Roger Duronio was a UBS IT admin who took advantage of his administrative privileges to attack his employer. Shared or poorly managed administrative accounts may expose IT to far too much additional risk without the ability to constrain privileged access more granularly. When privileges are shared, it may be difficult to correlate suspicious administrative activity to a specific user. Lack of adequate control over administrative privilege generally may be a factor. In the case of San Francisco's FiberWAN administrator Terry Childs, the city had no way to recover administrative access when Childs decided to withhold the administrative password in protest of the city's attempts to manage that system contrary to his wishes.
Are there ways to filter a percentage of people who could turn bad during the hiring process?
Crawford: Background checks can reveal data that could be meaningful, but it may not always. The increased availability of personal and social data may reveal even more, but its use is controversial. Organizations would be better served to consider where the actions of employees with access to sensitive resources are trusted more than verified.
With data becoming more distributed, does this make it harder to identify employees/partners doing things they shouldn't?
Crawford: Perhaps, but at the same time, organizations are becoming increasingly aware of today's capabilities of data analytics, and the innovative ways in which they are being applied. Organizations already don't make enough (or good enough) use of the data they already collect. As the interest in data analytics continues to advance, organizations may well begin to discover how they can do a better job-- and not just against insider threats -- with an even wider range of data than they make use of today.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.