Insider Security Threats
Insider threats have been on the rise in recent years, and this vulnerability should be a primary concern for companies of all sizes.
Great talking to Christy Wyatt, CEO of Dtex Systems to get her insights on the current state of proactive security. Prior to becoming the CEO of Dtex, she was the CEO of Good Technology and oversaw the 2015 acquisition by Blackberry.
How is your company involved in security?
We help businesses understand what their users are doing so they can pinpoint user behavior anomalies and proactively address breaches. Our Advanced User Behavior Intelligence platform combines endpoint visibility with analytics to proactively see and understand user behavior. The lightweight, scalable collector provides complete visibility into everything users do on their work devices - on and off the corporate network - without compromising employee privacy. The analytics engine quickly establishes baseline user patterns and provides actionable, contextual alerts when anomalies are found. We help organizations eliminate insider threats, protect against outside infiltrators, and find gaps in their existing security initiatives.
What do you see as the most important elements of data security?
One of the most important elements of data security is the human element. Employees can be huge assets in building a culture of data responsibility, transparency, and accountability, but they also pose a threat. Whether it is from malicious intent, negligence or compromised credentials, people are the common root cause in 90 percent of total security incidents that result in data breaches. Understanding what users are doing with corporate data has become a critical part of proactive security practices.
As companies naturally shift to securing data through user behavior intelligence and analytics, the balance of security and employee privacy will be an increasingly important element of data security as well. This is why we mask the information collected from endpoints. This provides enterprises with visibility into user behavior on and off the corporate network while protecting employees’ privacy, complying with even the strictest privacy protection laws.
How is the cybersecurity threat landscape changing?
The enterprise security perimeter is evaporating. Over the past few years, we’ve seen a fundamental change in how people and businesses use technology. Distributed enterprises, remote workforces, and bring-your-own-device policies continue to contribute to the blurring of security perimeters. Gartner analysts predict that by 2018, 25 percent of corporate data will completely bypass perimeter security and flow directly from mobile devices to the cloud.
Also, the prevalence of cloud services such as Dropbox and Google Drive provides organizations with much-welcomed increases in productivity and efficiency while streamlining workflows. However, these tools are not inherently secure and pose major vulnerability risks because the default account settings often do not provide sufficient protection for files saved in the cloud. The URLs established to share and access the files can be indexed by search engines, allowing them to be found in the public domain by external parties through a simple online search. Sixty-four percent of companies we assessed in the last year found publicly accessible corporate information out on the web.
These changes in the way people work and interact with data are forcing CISOs to approach security differently. Security executives are increasingly finding that user-driven solutions like the use of personal mobile devices and implementing cloud services present a major barrier to traditional data breach prevention and response strategies. Perimeter-based security approaches simply aren’t adequate anymore because technology is moving quickly and users are becoming savvier. Enterprises can no longer count on restricting employees with lock-and-block techniques. In a world where the user cannot be contained, the ability to gain visibility into user behavior at the endpoint, while respecting user privacy, is critical to securing the enterprise.
What are some real-world problems being solved by securing data?
The following are some real-world security issues that were addressed through increased visibility into user behavior on corporate endpoints:
At a large telecommunications company, a marketing employee was using a highly abnormal number of hacking tools while also doing a number of “how-to” searches about bypassing security. Over time, this employee had installed these high-risk applications and was using them to attempt low-level hacking attacks on websites, but the company was alerted to this behavior. It was revealed that the websites the employee hacked belonged to a company that was undergoing a merger with a telecom enterprise, opening the company up to legal and financial risks. By having visibility into the employee’s anomalous actions, he was stopped and both companies involved communicated to address the incident before any real damage had been inflicted.
At a multinational company, an employee would open a personal email account in Chrome’s Incognito Mode - an obvious attempt to cover his tracks - and use these accounts to illegally sell company property. By having visibility into the endpoint itself, the company was able to track this activity regardless of whether the devices were connected to a corporate or personal network. After being alerted to this activity, the company opened an investigation and collected evidence against the employee that was used in legal prosecution.
An employee who was leaving a financial institution on good terms was found to have transferred personal and corporate data onto an external drive from the laptop that was provided by the company. Because the company had visibility into this behavior, the employee was brought back to the premises to remove the corporate data from his drive.
A company that needed strong physical security was in the process of moving to a new location. It was discovered that their architectural and security plans were publicly accessible on a cloud storage website through the contractors that they were working with. The physical security designs of this new location were so important that if they were compromised, the plans would have to be completely re-architected. Early detection of this incident led the security team to verify that the plans had not been accessed and allowed them to mitigate the problem before a breach occurred, saving the company untold time and money.
What are some common issues you see affecting the security landscape?
Security bypasses and increased user savviness: employees attempting to bypass security are the first indication of data theft or other risky and destructive behavior. This includes the use of vulnerability testing or hacking tools such as Metasploit, anonymous web browsers such as Tor, and anonymous VPN programs. Such tools are becoming increasingly common among everyday users. In 95 percent of our assessments, companies have discovered staff researching, installing, or executing security or vulnerability testing tools.
Increased user productivity also increases data exposure: today’s modern businesses rely more than ever on the cloud due to the increase in virtual offices and remote team members, making it easier for employees to unknowingly expose sensitive corporate data. Cloud services offer a lot in the way of efficiency and productivity gains but many users are not mindful of the security implications that these services may pose if used without security in mind. Sensitive data is frequently available via the public web – mostly because users share information in insecure ways. Companies are struggling with protecting their data, especially off the corporate network, while empowering employees to get their jobs done efficiently.
Leavers and Joiners: most employers already know that employees are riskiest when they’re about to leave the company. Everyone has heard the stories of product managers who steal proprietary plans, engineers who sneak out valuable code, or salespeople who poach critical client lists. Our own assessments have shown that more than half of organizations had this problem. While leaving employees are a pervasive security risk, it’s also important not to forget about joiners – new hires joining your organization. Oftentimes, no one gives new hires a second glance. However, it is surprisingly common that new hires bring stolen data into a new organization. In addition to the questionable morality issues of this behavior, it’s legally risky. We’ve seen companies harshly burned for having stolen data in their network and exposed to serious legal action.
Compromised users: a common issue is the use of personal email accounts on corporate devices. Eighty-seven percent of our assessments revealed personal email use on corporate endpoints. By using third-party email clients, employees open up new entry points for hackers, allowing an easy and direct route onto an organization’s network and a prime target for credential theft.
Do you have any concerns regarding the current state of security?
Spending on cyber security is expected to top $1 trillion from 2017 to 2021. Yet, companies are still facing crippling data breaches due to sensitive data leakage and exfiltration. Why are we seeing this rise in data breaches despite increased investment? The answer lies with company insiders. The insider threat is on the rise and should be a primary concern for companies of all sizes, but solving insider threat requires a new approach.
We have found a majority of security vulnerabilities can be traced back to insiders and their behaviors. Sixty-eight percent of insider breaches stem from employees and contractors who are negligent and not aware or do not care that they are compromising the safety of their organizations. The vast majority of today’s security risks are simply innocent mistakes. Twenty-two percent of insider incidents are the result of malicious insiders who continue to find new ways to steal data or put sensitive data at risk in order to intentionally harm an organization. Another 10 percent of insider breaches are the result of outside infiltrators taking advantage of vulnerable insiders to gain access to company data.
Today, many security teams focus solely on finding and stopping the specific malicious event itself – the specific act where a user steals data, commits sabotage or engages in another malicious or prohibited activity. From there, security teams have to build signatures and indicators of compromise based on that event. However, this method falls short when it comes to stopping unusual or never-before-seen attacks or even stopping an attack before it happens. In almost every case, it is easier to detect the suspicious activity leading up to an attack than it is to detect the attack itself. Security bypass is a common example. We have stopped hundreds of potential attacks by flagging users attempting to circumvent security – an extremely common first-step to data theft. Security teams need to get visibility into user behavior in order to proactively eliminate insider security threats.
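The interview describes the approach in prose only: baseline what each user normally does on the endpoint, then alert on the leading indicators (security-bypass tools, personal webmail in a private browser window, unusual writes to removable media) rather than on the theft itself. The following is an added example written for this article, not Dtex's product code or any real telemetry: it runs that logic over a handful of constructed endpoint events. The process names in BYPASS_TOOLS, the webmail hostnames, the 5x spike factor, and the event schema are all assumptions chosen for illustration.

```python
"""Baseline-and-anomaly scoring over constructed endpoint telemetry (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Indicators the interview names (Metasploit, Tor, anonymous VPNs, personal
# webmail in a private window). The concrete process names and hostnames are
# assumptions made for this example, not a vendor's signature list.
BYPASS_TOOLS = {"msfconsole", "tor", "nmap", "openvpn"}
PERSONAL_WEBMAIL = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}
USB_SPIKE_FACTOR = 5  # flag a removable-media write this many times above the user's max


@dataclass
class Baseline:
    procs: Counter = field(default_factory=Counter)  # process name -> exec count
    usb_max: int = 0                                 # largest single removable write seen


def build_baselines(history):
    """Learn per-user normal behaviour from a historical window of events."""
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev["user"]]
        if ev["type"] == "process":
            b.procs[ev["name"].lower()] += 1
        elif ev["type"] == "usb_write":
            b.usb_max = max(b.usb_max, ev["bytes"])
    return baselines


def score_event(ev, baselines):
    """Return (severity, reason) findings for one event, or [] if it looks normal."""
    b = baselines.get(ev["user"]) or Baseline()  # unknown user -> empty baseline
    findings = []
    if ev["type"] == "process":
        name = ev["name"].lower()
        if name in BYPASS_TOOLS:
            findings.append(("high", f"security-bypass tool executed: {name}"))
        elif name not in b.procs:
            findings.append(("low", f"process never seen for this user: {name}"))
    elif ev["type"] == "usb_write":
        if b.usb_max == 0:
            findings.append(("medium", "first removable-media write for this user"))
        elif ev["bytes"] > USB_SPIKE_FACTOR * b.usb_max:
            findings.append(("high", f"removable-media write of {ev['bytes']} bytes exceeds "
                                     f"{USB_SPIKE_FACTOR}x baseline max of {b.usb_max} bytes"))
    elif ev["type"] == "browser":
        if ev.get("incognito") and ev["host"] in PERSONAL_WEBMAIL:
            findings.append(("medium", f"personal webmail in private window: {ev['host']}"))
    return findings


def detect(events, baselines):
    """Score a stream of events and return alerts ordered by timestamp."""
    alerts = []
    for ev in events:
        for severity, reason in score_event(ev, baselines):
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "severity": severity, "reason": reason})
    return sorted(alerts, key=lambda a: a["ts"])


# Constructed sample telemetry: HISTORY is the window used for baselining,
# TODAY is the window scored against it. Users and values are invented.
HISTORY = [
    {"ts": "2017-03-01T09:00", "user": "alice", "type": "process", "name": "outlook.exe"},
    {"ts": "2017-03-01T09:05", "user": "alice", "type": "process", "name": "excel.exe"},
    {"ts": "2017-03-02T10:00", "user": "alice", "type": "usb_write", "bytes": 2_000_000},
    {"ts": "2017-03-01T09:10", "user": "bob", "type": "process", "name": "chrome.exe"},
    {"ts": "2017-03-01T09:12", "user": "bob", "type": "browser",
     "host": "intranet.example", "incognito": False},
]
TODAY = [
    {"ts": "2017-03-10T08:55", "user": "alice", "type": "process", "name": "excel.exe"},
    {"ts": "2017-03-10T09:02", "user": "alice", "type": "process", "name": "msfconsole"},
    {"ts": "2017-03-10T17:40", "user": "alice", "type": "usb_write", "bytes": 40_000_000},
    {"ts": "2017-03-10T11:20", "user": "bob", "type": "browser",
     "host": "mail.google.com", "incognito": True},
    {"ts": "2017-03-10T12:00", "user": "bob", "type": "process", "name": "7zip.exe"},
    {"ts": "2017-03-10T12:30", "user": "carol", "type": "usb_write", "bytes": 500_000},
]

if __name__ == "__main__":
    for a in detect(TODAY, build_baselines(HISTORY)):
        print(f"{a['ts']} {a['user']:6} {a['severity']:6} {a['reason']}")
```

Running it produces five alerts: alice's Metasploit launch and her 40 MB removable write (20x her baseline) as high, bob's Gmail session in a private window and carol's first-ever USB write as medium, and bob's first use of 7zip.exe as low. Alice's routine Excel launch is silent because it is in her baseline. The point the interview makes is visible in the ordering: the bypass tool fires at 09:02, hours before the large copy at 17:40, so an analyst has the leading indicator before the exfiltration.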
What's the future for security from your point of view? Where do the greatest opportunities lie?
The technological world is evolving rapidly so preventing user threats will never be easy or straightforward – there is no single bulletproof solution. Despite spending millions on traditional security measures such as intrusion detection and advanced firewalls, enterprises still have blind spots in their protection, and they still fall victim to breaches and data theft.
Executives must engage in consistent and open communication with their IT and security teams about adding new technologies to the organization’s security infrastructure. Doing this means taking a forward-looking approach to monitoring and detecting security vulnerabilities. Executives often go to security teams for one of two reasons: a major data breach has occurred, or changes need to be made that impact the bottom line of the organization. Rarely is it a discussion about detection and prevention of security risks. Since prevention is key to hardening the modern enterprises’ porous perimeter, executives and IT security teams need to have these conversations early on. They need to be proactive instead of reactive. By having these discussions and implementing early detection systems, company executives and IT security teams can have peace of mind that they will jointly stop sensitive data and IP from leaving the organization’s network.
Opinions expressed by DZone contributors are their own.