Tag Archives: insider threats

Insider Threats: A CISO’s Guide

pencils in a line and a red pencil higher

According to the recent Verizon DBIR, insiders are complicit in 28% of data breaches in 2017. Broken down by vertical, insiders are responsible for 54% of data breaches in the Healthcare industry and 34% in the Public Administration. Hacking (48%) and malware (30%) were the top 2 tactics used to steal data, while human error (17%) and privilege misuse (12%) made the cut as well.

insider threat statistic

What does it all mean? Insiders have capabilities and privileges that can be abused by either themselves or bad actors to steal important data – making a CISO’s job to identify and build a defense against all of those attack vectors even more complicated.

What is an Insider Threat?

An insider threat is a security incident that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner or board member.

Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources should be considered a potential insider threat.

Types of Insider Threats

So who are the possible actors in an insider threat?

First, we have the Turncloak: This is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials, but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents over to a competitor upon resignation.

Next, we have the Pawn: This is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad guy: whether it’s a lost laptop or mistakenly emailing a sensitive document to the wrong person.

Finally, we have the Impostor: Whereas the Turncloak is a legitimate insider gone rogue, the Imposter is really an outsider who has acquired an insider’s credentials. They’re on your network posing as a legitimate employee. Their goal is to find the biggest treasure trove of information to which their “host” has access and exfiltrate it without being noticed.

Common Behavioral Indicators of an Insider Threat

How do you identify an insider threat? There are common behaviors that suggest an insider threat – whether digitally or in person. These indicators are important for CISO’s, security officers, and their teams to monitor, track, and analyze in order to identify potential insider threats.

behavioral indicators of an insider threat

Digital Warning Signs 

  • Downloading or accessing substantial amounts of data
  • Accessing sensitive data not associated with their job function
  • Accessing data that is outside of their behavioral profile
  • Multiple requests for access to resources not associated with their job function
  • Using unauthorized storage devices (e.g., USB drives or floppy disks)
  • Network crawling and searches for sensitive data
  • Data hoarding, copying files from sensitive folders
  • Emailing sensitive data outside the organization

Human Warning Signs 

  • Attempts to bypass security
  • Frequently in the office during off hours
  • Displays disgruntled behavior toward co-workers
  • Violation of corporate policies
  • Discussions of resigning or new opportunities

While the human behavioral warnings can be an indication of potential issues, having digital forensics and analytics is one of the most powerful ways to protect against insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.

Fighting Insider Threats

A data breach of 10 million records costs an organization around $3 million – and as the old adage says, “an ounce of prevention is worth a pound of cure”.

Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all 3 and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.

The key to account for and remediate insider threats is to have the right approach – and the right solutions in place to detect and protect against insider threats.

Steps for an Insider Threat Defense Plan:

  1. Monitor files, emails, and activity on your core data sources
  2. Identify and discover where your sensitive files live
  3. Determine who has access to that data and who should have access to that data
  4. Implement and maintain a least privilege model through your infrastructure
    1. Eliminate Global Access Group
    2. Put data owners in charge of managing permissions for their data and expire temporary access quickly
  5. Apply security analytics to alert on abnormal behaviors including:
    1. Attempts to access sensitive data that isn’t part of normal job function
    2. Attempts to gain access permissions to sensitive data outside of normal processes
    3. Increased file activity in sensitive folders
    4. Attempts to change system logs or delete large volumes of data
    5. Large amounts of data emailed out of the company, outside of normal job function
  6. Socialize and train your employees to adapt a data security mindset

It’s equally important to have a response plan in place in order to respond to a potential data breach:

  1. Identify threat and take action
    1. Disable and/or logout the user when suspicious activity or behavior is detected
    2. Determine what users and files have been affected
  2. Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
  3. Remediate
    1. Restore deleted data if necessary
    2. Remove any additional access rights used by the insider
    3. Scan and remove any malware used during the attack
    4. Re-enable any circumvented security measures
  4. Investigate and perform forensics on the security incident
  5. Alert Compliance and Regulatory Agencies as needed

The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior.

The Varonis Data Security Platform identifies who has access to your data, classifies your sensitive data, alerts your teams to potential threats, and helps maintain a least privilege model. With the proper resources, CISO/CIO can gain visibility of highest risk users and gather the intelligence needed to avoid insider threats.

Is Your Biggest Security Threat Already Inside Your Organization?

Are insiders compromising your security

The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus in outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: attacks of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

Insider threats cybersecurity

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

[Infographic] From Bad Report Cards to Insider Data Theft

[Infographic] From Bad Report Cards to Insider Data Theft

We’ve all read the news recently about employees and contractors selling internal customer data records or stealing corporate intellectual property. But insiders breaking bad have been with us as long as we’ve had computers and disgruntled humans who understand IT systems.

You may not know it, but academic researchers have also been studying the psychological insides of insiders.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has an entire group devoted to insider threats. Based on looking at real cases, these academics have come up with, to our minds, a very convincing model of what drives insiders.

In short, it’s their belief that the root causes lie beyond just a raise or promotion denied, but rather in earlier traumas, likely starting in childhood.

For instance, it is thought that children who, during a famous psych experiment, immediately ate the marshmallow (instead of waiting for two marshmallows) had issues with parental and other authority figures that would later show up through impulsive behaviors. Or perhaps for a certain kind of child, not getting into the genius program for advanced 4-year-olds can have devastating consequences later!

We’ve turned the complex CERT multi-stage insider model into this more accessible infographic. Check out the original CERT paper (or read our incredibly informative series) to learn more.

 

Reality Leah Winner and the Age of Insider Threats

Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the rule of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of it’s most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document which contained tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of invisible micro dots on the page, so they could trace it to a specific printer and date. That narrowed it down to six users, one of which had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.

Want to learn more about insider threats and techniques to mitigation them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.

The Enemy Within: A Free Security Training Course by Troy Hunt

The Enemy Within: A Free Security Training Course by Troy Hunt

It takes a very long time to discover a threat on your network according to the Verizon DBIR:

breach-discovery

Which is mind-boggling given the most devastating breaches often start with an insider—either an employee or an attacker that gets inside using an insider’s credentials. Target, OPM, Panama Papers, Wikileaks. The list goes on and on.

The truth is that many organizations are behind the curve when it comes to understanding and defending against insider threats.

So when we were tossing around topic ideas with Troy, it quickly became clear what our next video course should focus on.

I’m happy to announce the third course in our free, CPE-eligible security training series—The Enemy Within: Understanding Insider Threats.



Get all the videos now



What’s inside?

The course is broken into 8 video modules totaling over an hour worth of entertaining material covering where insider threats originate from, how they exfiltrate data, and how to stop them.

More free content

While you’re at it, grab the previous two courses in the series:

About Troy

Troy is a Microsoft Regional Director, most Valuable Professional and top-rated international speaker on online security, regularly delivering the number one rated talk at events across the globe. He’s also the author of 26 online Pluralsight courses which frequently feature at the top of the charts. Troy’s site, HaveIBeenPwned.com, is one of the world’s most popular data breach verification sites.

[Podcast] Attorney and Data Scientist Bennett Borden, Part II: Find Insider...

[Podcast] Attorney and Data Scientist Bennett Borden, Part II: Find Insider Threats

This article is part of the series "[Podcast] Attorney and Data Scientist Bennett Borden". Check out the rest:

 

Leave a review for our podcast & we'll send you a pack of infosec cards.


In this second podcast, Bennett continues where he left off last time. Borden describes his work on developing algorithms to find insider threats based on analyzing content and metadata.

Interesting Deloitte Research on Insider Threats

Interesting Deloitte Research on Insider Threats

We’re excited that Deloitte, the international auditing and consulting firm, has been raising the alarms on insider threats. They have some content in the CIO section of the Wall Street Journal that’s worth your time.

Take a look at this infographic they put together based on their own research. There are two key data points to note in the graphic: 92% of insider threat cases were preceded by a negative work event, and 51% of employees involved in insider threat had a history of IT security violations.

The infographic also lists some of the common precursors that disgruntled employees will start to exhibit before the actual incident. These include expense report abuse, change in job performance, and most interestingly (for us), unusual email activity and access level abuses.

Thank you Deloitte for bringing this to the attention of our corporate elite.

In the Varonis IOS blog, we’ve also been pointing out some of the interesting behavior patterns of insiders. We know from Carnegie Mellon’s CERT research, for example, that insiders will rehearse their data heist and probe defenses.

Of course, this means that if you have a baseline of their online behaviors, you can use UBA technology to spot their trial runs and then stop them before they go further.

Deloitte’s Adnan Amjad and Michael Gelles have some great advice on how to set up an insider threat program. Stakeholder buy-in, training, and auditing are part of their 9 point threat mitigation program.

Their program also includes behavior analysis and analytics. Amjad and Gelles note insiders exhibit observable behaviors that can be detected once you “build baselines of normal behavior to help identify anomalies”.

Amjad and Gelles, by the way, cite the aforementioned CMU CERT studies in supporting their behavior monitoring recommendations.

We approve!

Overall, it’s great to see that some of the very encouraging research and positive prognosis about insider threats is getting more attention: it’s a problem that can be directly addressed and mitigated.

Varonis CEO Comments on Panama Papers Leak

Varonis CEO Comments on Panama Papers Leak

The Panama Papers doxing attack has been one of those watershed moments in cyber security. It can be argued that it’s a far more serious indication of what’s wrong with our cyber defenses than the Sony document incident. After all, the attackers were able to access extraordinarily sensitive information on banking transaction for a class of people who paid for “bullet proof” privacy.

Varonis CEO Yaki Faitelson’s recent Xconomy article points out that we’re going to see more of these C-level attacks. He cites a recent PwC report that sees a rising trend in cybercrime and other studies have noticed a lack of security awareness on the part of CEOs and other high-level execs.

It’s a deadly combination.

Faitelson notes if you were spying on a company, the CEO’s mailbox would be “a pretty fantastic place to see what was going on”. Email accounts are poorly secured, and executive email accounts are typically configured to allow access by assistants and others.

A phishing campaign targeting anyone in the C-suite could get them the access rights they need to steal the ‘keys to the kingdom’!

Leaking 2.6 Terabytes is likely an inside job

Mossack Fonseca’s official statement described their breach as an unauthorized leak, but they insinuated an outside attack was to blame. Faitelson provides a different perspective: it’s unlikely, he says, that 2.6 terabytes of data being extracted over the Internet goes unnoticed.

He uses an analogy to describe the likelihood of that possibility: “Pulling that much data by mining an e-mail server over the Internet is like using a straw to draw down a lake.”

A more likely scenario is that an unauthorized insider had access to the data.

In short, Yaki tells we’re not going to be able to stop these attacks, but we can at least detect them while they’re in progress and prevent the damage from being too great.

Read the whole article. It makes a powerful case for the Varonis way of looking at security.

Varonis Keeps Union Bank’s Data Safe from Insider Threats and External At...

Varonis Keeps Union Bank’s Data Safe from Insider Threats and External Attacks

Today we’re excited to share another interesting customer success story out of the UK. Union Bank UK PLC needed better visibility into the different types of sensitive data its employees were storing and accessing across its file systems. Regulatory requirements necessitated that the bank’s IT department regularly audit and report on who was accessing sensitive data, when and where, but they had no way of doing so efficiently. Also, with malware and ransomware on the rise, the bank needed a solution that could quickly alert the IT staff to unusual file access behavior such as rapid encryption of files stored on its servers.

The search led Union Bank’s IT team to our DatAdvantage and DatAlert solutions. Union Bank’s IT team is now alerted in real-time to any breach of its file systems, and they’re able to put control over file access in the hands of data owners, eliminating much of the burden previously placed on their team. They are also able to keep an eye on access privileges and ensure that no one is getting access to data that they do not need.

  • DatAdvantage makes it easy to see and report on who can access, and who does access data in the bank’s Windows, Exchange, and Active Directory environments by tracking and monitoring file activity.
  • Union Bank can intelligently identify who owns which data, and can alert on unusual activity through DatAlert, which uses user behavior analytics to spot insider threats like abusive administrators, ransomware, compromised accounts, and rogue employees.
  • Keeping files secure when employees leave the company was another important capability identified by Union Bank. Varonis allows the bank to monitor and baseline employees’ access profiles and detect if files are unusually accessed prior to their departure.

David Pennant, an IT Manager at Union Bank told us, “Before Varonis we had no real view of what was happening on the file servers or changes happening on a day-to-day basis. We can’t afford to spend a large amount of time sifting through logs – we need to stay focused on day-to-day tasks and therefore needed a more efficient approach. It was obvious straight away that Varonis could give us the automated, efficient approach we were looking for. Thanks to Varonis, IT now has better insight into the bank’s data, and that of course reduces security risk, which is something which you can’t always put a price on.”

Varonis Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.  Learn more here.

Varonis is Now Integrated with IBM Storwize V7000 Storage Systems

Varonis is Now Integrated with IBM Storwize V7000 Storage Systems

We’re excited to announce yet another technology integration today – our Metadata Framework is now interoperable with IBM Storwize V7000 version 1.6 storage systems. The integration will provide IBM Storwize users insight, intelligence and control over their information that Varonis solutions bring to thousands of organizations around the world.

It’s critical for organizations to go beyond perimeter protection and understand the relationships between users and data. The integration of the Varonis Metadata Platform with IBM Storwize brings two leading technology platforms together to help organizations of all sizes manage and protect their rapidly growing volumes of unstructured data from insider threats.

The market-leading file analysis, audit and protection capabilities of Varonis DatAdvantage can prevent many of the data breaches that are happening with such frequency. The ability of Varonis DatAlert to provide real-time alerts can detect potential security breaches before they cause major damage, and the Varonis Data Classification Framework discovers sensitive content and its possible exposure, then helps you lock it down.

In the related press release we issued today, Eric Herzog, Vice President Marketing IBM Storage Systems at IBM, said, “Our clients store some of their most valuable and sensitive data on IBM Storwize, so the ability to monitor who has access to which files and when they actually access that data is critical. The Storwize V7000 Unified and Storwize V7000 systems provide the latest storage technologies for unlocking the business value of stored data. Together with the Varonis solutions, they provide valuable, complementary capabilities designed to give our clients peace of mind. The Storwize family supports the massive volumes of data created by today’s demanding applications. Together with Varonis, we can provide best-of-breed efficiency, ease of use and dependability for organizations of all sizes looking to glean insights and monitor their unstructured data.”

To learn more visit https://www.varonis.com/.

Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s ...

Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s Security Intelligence Platform

Today we’re happy to announce the interoperability of our DatAdvantage and DatAlert solutions with the LogRhythm Security Intelligence Platform.

With the new interoperability, customers can combine critical security insight from LogRhythm with Varonis intelligence about file systems and unstructured data – the type of data they typically have the most of and know the least about. Varonis and LogRhythm can help organizations proactively spot signs insider threats before they end up in the news because of a data breach.

How does it work?

Varonis can automatically send alerts from Varonis DatAdvantage and DatAlert into LogRhythm Security Intelligence Platform and thereby increase the speed and accuracy with which customers are able to identify, prioritize and investigate unusual user behavior surrounding unstructured data. Anomalous activity spotted by Varonis analytics includes unusual access to sensitive and stale data, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and integration with LogRhythm is as simple as configuring an IP address.

Click here to learn more.