Tag Archives: insider threats

[Infographic] From Bad Report Cards to Insider Data Theft

We’ve all read the news recently about employees and contractors selling internal customer data records or stealing corporate intellectual property. But insiders breaking bad have been with us as long as we’ve had computers and disgruntled humans who understand IT systems.

You may not know it, but academic researchers have also been studying the psychological insides of insiders.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has an entire group devoted to insider threats. Based on looking at real cases, these academics have come up with, to our minds, a very convincing model of what drives insiders.

In short, it’s their belief that the root causes lie not just in a denied raise or promotion, but in earlier traumas, likely starting in childhood.

For instance, it is thought that children who, during a famous psych experiment, immediately ate the marshmallow (instead of waiting for two marshmallows) had issues with parental and other authority figures that would later show up through impulsive behaviors. Or perhaps for a certain kind of child, not getting into the genius program for advanced 4-year-olds can have devastating consequences later!

We’ve turned the complex CERT multi-stage insider model into this more accessible infographic. Check out the original CERT paper (or read our incredibly informative series) to learn more.


Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been an employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the principle of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of its most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.
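As an added illustration (not code from this post or from Varonis), here is the kind of exposure check that finding implies: walk an ACL export, resolve nested groups, and report which classified-sensitive files end up reachable by everyone. The group names, paths and classification results are constructed sample data, and the set of “global” groups is an assumption for the example.

```python
"""Exposure check: which classified-sensitive files are open to every employee?

Added example for this post; it is not Varonis code and not from the original
article. The ACL entries, group nesting and classification results are
constructed sample data (a real run would export them from the file server and
directory, e.g. with icacls/Get-Acl and Get-ADGroupMember).
"""
from collections import defaultdict

# Principals that effectively mean "everyone" (assumption: these are the global
# groups that matter in this environment).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed group nesting: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "Finance-RW": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob"},
    "Share-Readers": {"Domain Users"},   # nests a global group: effectively everyone
    "Legal-RW": {"carol"},
}

# Constructed ACL export: path -> [(principal, rights), ...]
ACLS = {
    r"\\fs01\finance\q3-forecast.xlsx": [("Finance-RW", "Modify")],
    r"\\fs01\public\holiday-schedule.docx": [("Everyone", "Read")],
    r"\\fs01\finance\customer-ssn-export.csv": [("Share-Readers", "Read"),
                                               ("Finance-RW", "Modify")],
    r"\\fs01\legal\merger-memo.docx": [("Legal-RW", "Modify")],
}

# Constructed classifier output: files holding regulated or secret content.
SENSITIVE = {
    r"\\fs01\finance\q3-forecast.xlsx",
    r"\\fs01\finance\customer-ssn-export.csv",
    r"\\fs01\legal\merger-memo.docx",
}


def expands_to_global(principal, group_members=GROUP_MEMBERS, _seen=None):
    """True if the principal is a global group or transitively contains one."""
    if principal in GLOBAL_GROUPS:
        return True
    seen = set() if _seen is None else _seen
    if principal in seen:            # guard against circular group nesting
        return False
    seen.add(principal)
    return any(expands_to_global(member, group_members, seen)
               for member in group_members.get(principal, ()))


def open_sensitive_files(acls=ACLS, sensitive=SENSITIVE):
    """Map each sensitive file that a global group can reach to the ACL
    principals granting that reach. A public but harmless file is not a
    finding; a file that is sensitive *and* open to everyone is."""
    findings = defaultdict(list)
    for path, entries in acls.items():
        if path not in sensitive:
            continue
        for principal, _rights in entries:
            if expands_to_global(principal):
                findings[path].append(principal)
    return dict(findings)


if __name__ == "__main__":
    for path, via in open_sensitive_files().items():
        print("OPEN TO EVERYONE:", path, "via", ", ".join(via))
```

The nested-group resolution is the part people skip: the SSN export above never names Everyone directly, yet a reader group that contains Domain Users makes it open to the whole company all the same.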

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.
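An added example of the access-pattern check described above; it is not code from the post or from Varonis. It builds each user’s baseline (the folders they touched during a history window), then flags later access to a classified-sensitive folder the user had never worked in. The audit lines, folder classification and user names are constructed for the example.

```python
"""Need-to-know check: sensitive data touched outside a user's own baseline.

Added example for this post, not code from the original or from Varonis. The
audit trail and the sensitive-folder list are constructed; user names are
placeholders. A real deployment would read the file server's audit log and the
classifier's output instead.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed classifier output: folders whose contents are sensitive.
SENSITIVE_FOLDERS = {r"\\fs01\analysis", r"\\fs01\hr"}

# Constructed audit trail (UNC paths, ISO timestamps). analyst1 normally works
# only in contract-reports; analyst2 works in analysis as a matter of course.
AUDIT_LOG = r"""
timestamp,user,path,operation
2017-04-03T09:12:00,analyst1,\\fs01\contract-reports\weekly.docx,read
2017-04-10T09:15:00,analyst1,\\fs01\contract-reports\weekly.docx,read
2017-04-18T14:02:00,analyst1,\\fs01\contract-reports\timesheets.xlsx,write
2017-04-20T10:00:00,analyst2,\\fs01\analysis\infra-report.pdf,read
2017-05-01T11:00:00,analyst1,\\fs01\contract-reports\weekly.docx,read
2017-05-09T06:20:00,analyst1,\\fs01\analysis\infra-report.pdf,read
2017-05-09T06:25:00,analyst1,\\fs01\analysis\infra-report.pdf,print
2017-05-09T08:00:00,analyst2,\\fs01\analysis\infra-report.pdf,read
""".strip()

# Everything before this date is treated as "normal" history for each user.
CUTOFF = datetime(2017, 5, 8)


def parse_log(text):
    """Parse the CSV audit trail and derive the containing folder of each path."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["folder"] = row["path"].rsplit("\\", 1)[0]
        events.append(row)
    return events


def build_baselines(events, cutoff):
    """Per-user set of folders the user touched before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["timestamp"] < cutoff:
            baseline[e["user"]].add(e["folder"])
    return baseline


def need_to_know_alerts(events, cutoff, sensitive=SENSITIVE_FOLDERS):
    """Flag post-cutoff access to a sensitive folder that is absent from the
    user's baseline. Whether the ACL permitted the access is irrelevant here:
    permission and need-to-know are not the same thing."""
    baseline = build_baselines(events, cutoff)
    alerts = []
    for e in events:
        if e["timestamp"] < cutoff or e["folder"] not in sensitive:
            continue
        if e["folder"] not in baseline[e["user"]]:
            alerts.append((e["user"], e["timestamp"].isoformat(),
                           e["path"], e["operation"]))
    return alerts


if __name__ == "__main__":
    for alert in need_to_know_alerts(parse_log(AUDIT_LOG), CUTOFF):
        print("NEED-TO-KNOW ALERT:", *alert)
```

Run against the sample, analyst2’s read of the report is quiet because that folder is part of their history, while analyst1’s read and print of the same file both fire, even though the ACL allowed both. A print event on a sensitive document is worth weighting higher than a read, since it is the first step of the exfiltration path described in this story.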

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document that still carried tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of the nearly invisible yellow tracking dots that many color laser printers add to every page, which encode the printer’s serial number and the date and time of the job. That narrowed it down to six users, one of whom had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Knowing the printer and date alone would not have been enough; correlated with email behavior, though, it pointed conclusively at Winner.
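The correlation described here, as an added example rather than anything from the post or from the actual investigation: a printer serial and timestamp (standing in for what tracking-dot decoding would yield; both values are made up) narrow the print-server log to a handful of users, the mail-gateway log gives everyone who exchanged mail with the outlet’s domain, and the intersection is the lead. Both logs, the domain and the five-minute tolerance are constructed for the example.

```python
"""Correlating two weak signals (print-job window and email contacts) into a
single suspect. Added example for this post; not from the original article or
from Varonis. The printer serial and timestamp stand in for what tracking-dot
decoding would yield, and both logs are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed: what decoding the page's tracking dots would hand the investigator.
DOT_PRINTER_SERIAL = "PRN-000123"
DOT_PRINT_TIME = datetime(2017, 5, 9, 6, 20)

# Constructed print-server log: timestamp,printer_serial,user,document
PRINT_LOG = """\
2017-05-09T06:05:00,PRN-000123,user1,budget.xlsx
2017-05-09T06:18:00,PRN-000123,user2,report.pdf
2017-05-09T06:19:00,PRN-000123,user7,report.pdf
2017-05-09T06:20:00,PRN-000999,user6,report.pdf
2017-05-09T06:21:00,PRN-000123,user3,report.pdf
2017-05-09T06:22:00,PRN-000123,user4,memo.docx
2017-05-09T06:23:00,PRN-000123,user8,report.pdf
2017-05-09T06:24:00,PRN-000123,user9,report.pdf
2017-05-09T06:45:00,PRN-000123,user5,report.pdf
"""

# Constructed mail-gateway log: timestamp,user,peer_domain,direction
EMAIL_LOG = """\
2017-03-30T12:00:00,user3,news-outlet.example,sent
2017-04-02T09:30:00,user1,vendor.example,sent
2017-04-10T15:00:00,user6,news-outlet.example,sent
2017-04-11T08:15:00,user2,partner.example,received
"""

OUTLET_DOMAIN = "news-outlet.example"   # placeholder for the outlet's domain


def users_printing_on(print_log, serial, when, tolerance=timedelta(minutes=5)):
    """Users with a job on the given printer within +/- tolerance of the dot
    timestamp. The window is an assumption: the dots give minute resolution at
    best and print-server clocks are never exactly in sync with the printer."""
    users = set()
    for line in print_log.splitlines():
        ts, printer, user, _doc = line.split(",")
        if printer == serial and abs(datetime.fromisoformat(ts) - when) <= tolerance:
            users.add(user)
    return users


def users_who_contacted(email_log, domain):
    """Users with any mail exchanged with the domain, in either direction."""
    return {line.split(",")[1] for line in email_log.splitlines()
            if line.split(",")[2] == domain}


def correlate(print_log=PRINT_LOG, email_log=EMAIL_LOG, serial=DOT_PRINTER_SERIAL,
              when=DOT_PRINT_TIME, domain=OUTLET_DOMAIN):
    """Return (printed_in_window, contacted_outlet, intersection)."""
    printed = users_printing_on(print_log, serial, when)
    contacted = users_who_contacted(email_log, domain)
    return printed, contacted, printed & contacted


if __name__ == "__main__":
    printed, contacted, suspects = correlate()
    print("printed in window:", sorted(printed))
    print("contacted outlet: ", sorted(contacted))
    print("both:             ", sorted(suspects))
```

Neither source alone gets there: the print window yields six people, and the mail log yields two, one of whom (user6) never touched that printer. Only the join is conclusive, which is the general lesson for insider investigations: keep the print, file-access and mail audit trails in a form that can be joined on user and time.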

Want to learn more about insider threats and techniques to mitigate them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free.

If you want to get a handle on insider threats within your organization, Varonis can help.

The Enemy Within: A Free Security Training Course by Troy Hunt

According to the Verizon DBIR, it takes a very long time to discover a threat on your network. That is mind-boggling given that the most devastating breaches often start with an insider, either an employee or an attacker who gets inside using an insider’s credentials. Target, OPM, Panama Papers, Wikileaks. The list goes on and on.

The truth is that many organizations are behind the curve when it comes to understanding and defending against insider threats.

So when we were tossing around topic ideas with Troy, it quickly became clear what our next video course should focus on.

I’m happy to announce the third course in our free, CPE-eligible security training series—The Enemy Within: Understanding Insider Threats.

What’s inside?

The course is broken into 8 video modules totaling over an hour worth of entertaining material covering where insider threats originate from, how they exfiltrate data, and how to stop them.

More free content

While you’re at it, grab the previous two courses in the series:

About Troy

Troy is a Microsoft Regional Director, Most Valuable Professional (MVP) and top-rated international speaker on online security, regularly delivering the number one rated talk at events across the globe. He’s also the author of 26 online Pluralsight courses which frequently feature at the top of the charts. Troy’s site, HaveIBeenPwned.com, is one of the world’s most popular data breach verification sites.

[Podcast] Attorney and Data Scientist Bennett Borden, Part II: Find Insider Threats

This article is part of the series "[Podcast] Attorney and Data Scientist Bennett Borden".

In this second podcast, Bennett Borden picks up where he left off last time, describing his work on developing algorithms to find insider threats by analyzing content and metadata.

Interesting Deloitte Research on Insider Threats

We’re excited that Deloitte, the international auditing and consulting firm, has been raising the alarms on insider threats. They have some content in the CIO section of the Wall Street Journal that’s worth your time.

Take a look at this infographic they put together based on their own research. There are two key data points to note in the graphic: 92% of insider threat cases were preceded by a negative work event, and 51% of employees involved in insider threat had a history of IT security violations.

The infographic also lists some of the common precursors that disgruntled employees will start to exhibit before the actual incident. These include expense report abuse, change in job performance, and most interestingly (for us), unusual email activity and access level abuses.

Thank you Deloitte for bringing this to the attention of our corporate elite.

In the Varonis Inside Out Security blog, we’ve also been pointing out some of the interesting behavior patterns of insiders. We know from Carnegie Mellon’s CERT research, for example, that insiders will rehearse their data heist and probe defenses.

Of course, this means that if you have a baseline of their online behaviors, you can use UBA technology to spot their trial runs and then stop them before they go further.
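An added example of the baseline-then-spot-the-rehearsal idea, not code from Deloitte, CERT or Varonis. It treats two things as proxies for probing, the number of distinct folders a user touches per day and the number of access-denied events they generate, and flags a day where either climbs well above that user’s own history. The proxies and the thresholding rule are assumptions of the example, and the activity is constructed.

```python
"""Spotting 'trial runs': a user whose daily access breadth or access-denied
count jumps well above their own baseline. Added example for this post; not
from the original article, from Deloitte or CERT, or from Varonis. Events are
constructed; the choice of breadth and denied-access as proxies for probing is
an assumption of this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: (day, user, folder, outcome). ops1 touches 3-4
# folders a day with the odd denial, then on 05-09 walks 15 folders and is
# denied nine times. ops2 is steady throughout.
EVENTS = []


def _day(day, user, n_folders, denied=0):
    """Helper that fabricates one day of sample activity for a user."""
    for i in range(n_folders):
        EVENTS.append((day, user, "share%02d" % i, "allowed"))
    for i in range(denied):
        EVENTS.append((day, user, "restricted%02d" % i, "denied"))


BASELINE_DAYS = ["2017-05-01", "2017-05-02", "2017-05-03", "2017-05-04", "2017-05-05"]
for day, n, d in zip(BASELINE_DAYS, [3, 4, 3, 3, 4], [0, 1, 0, 0, 0]):
    _day(day, "ops1", n, d)
for day, n in zip(BASELINE_DAYS, [3, 3, 4, 3, 3]):
    _day(day, "ops2", n)
_day("2017-05-09", "ops1", 15, denied=9)
_day("2017-05-09", "ops2", 4)


def daily_metrics(events):
    """{(user, day): {'breadth': distinct folders touched, 'denied': denials}}"""
    folders = defaultdict(set)
    denied = defaultdict(int)
    for day, user, folder, outcome in events:
        key = (user, day)
        if outcome == "denied":
            denied[key] += 1
        else:
            folders[key].add(folder)
    keys = set(folders) | set(denied)
    return {k: {"breadth": len(folders[k]), "denied": denied[k]} for k in keys}


def probing_alerts(events, baseline_days=BASELINE_DAYS, k=3.0, sigma_floor=1.0):
    """Flag (user, day, metric) where a non-baseline day exceeds the user's own
    mean + k*sigma. sigma is floored so a perfectly flat baseline still gives a
    usable threshold instead of firing on any change at all."""
    metrics = daily_metrics(events)
    alerts = []
    for user in sorted({u for u, _ in metrics}):
        for metric in ("breadth", "denied"):
            history = [metrics.get((user, d), {metric: 0})[metric] for d in baseline_days]
            threshold = mean(history) + k * max(pstdev(history), sigma_floor)
            for (u, day), m in sorted(metrics.items()):
                if u == user and day not in baseline_days and m[metric] > threshold:
                    alerts.append((user, day, metric, m[metric], round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for alert in probing_alerts(EVENTS):
        print("PROBING?", *alert)
```

The comparison is always against the user’s own history, not a company-wide average; a sysadmin legitimately touching 40 folders a day would otherwise drown out an analyst who suddenly goes from four to fifteen. A burst of access-denied events is the cheaper of the two signals to collect and, in practice, the more telling one: it is exactly what probing defenses looks like in a log.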

Deloitte’s Adnan Amjad and Michael Gelles have some great advice on how to set up an insider threat program. Stakeholder buy-in, training, and auditing are part of their nine-point threat mitigation program.

Their program also includes behavior analysis and analytics. Amjad and Gelles note insiders exhibit observable behaviors that can be detected once you “build baselines of normal behavior to help identify anomalies”.

Amjad and Gelles, by the way, cite the aforementioned CMU CERT studies in supporting their behavior monitoring recommendations.

We approve!

Overall, it’s great to see this encouraging research, and its positive prognosis, getting more attention: insider threats are a problem that can be directly addressed and mitigated.

Varonis CEO Comments on Panama Papers Leak

The Panama Papers doxing attack has been one of those watershed moments in cyber security. It can be argued that it’s a far more serious indication of what’s wrong with our cyber defenses than the Sony document incident. After all, the attackers were able to access extraordinarily sensitive information on banking transactions for a class of people who paid for “bullet proof” privacy.

Varonis CEO Yaki Faitelson’s recent Xconomy article points out that we’re going to see more of these C-level attacks. He cites a recent PwC report that sees a rising trend in cybercrime, and other studies that have noted a lack of security awareness on the part of CEOs and other high-level execs.

It’s a deadly combination.

Faitelson notes if you were spying on a company, the CEO’s mailbox would be “a pretty fantastic place to see what was going on”. Email accounts are poorly secured, and executive email accounts are typically configured to allow access by assistants and others.

A phishing campaign targeting anyone in the C-suite could get them the access rights they need to steal the ‘keys to the kingdom’!

Leaking 2.6 Terabytes is likely an inside job

Mossack Fonseca’s official statement described their breach as an unauthorized leak, but they insinuated an outside attack was to blame. Faitelson provides a different perspective: it’s unlikely, he says, that 2.6 terabytes of data being extracted over the Internet goes unnoticed.

He uses an analogy to describe the likelihood of that possibility: “Pulling that much data by mining an e-mail server over the Internet is like using a straw to draw down a lake.”

A more likely scenario is that an insider with access to the data was behind the leak.

In short, Yaki’s point is that we’re not going to be able to stop these attacks, but we can at least detect them while they’re in progress and prevent the damage from being too great.

Read the whole article. It makes a powerful case for the Varonis way of looking at security.

Varonis Keeps Union Bank’s Data Safe from Insider Threats and External Attacks

Today we’re excited to share another interesting customer success story out of the UK. Union Bank UK PLC needed better visibility into the different types of sensitive data its employees were storing and accessing across its file systems. Regulatory requirements necessitated that the bank’s IT department regularly audit and report on who was accessing sensitive data, when and where, but they had no way of doing so efficiently. Also, with malware and ransomware on the rise, the bank needed a solution that could quickly alert the IT staff to unusual file access behavior such as rapid encryption of files stored on its servers.

The search led Union Bank’s IT team to our DatAdvantage and DatAlert solutions. Union Bank’s IT team is now alerted in real time to any breach of its file systems, and they’re able to put control over file access in the hands of data owners, eliminating much of the burden previously placed on their team. They are also able to keep an eye on access privileges and ensure that no one is getting access to data that they do not need.

  • DatAdvantage makes it easy to see and report on who can access, and who does access data in the bank’s Windows, Exchange, and Active Directory environments by tracking and monitoring file activity.
  • Union Bank can intelligently identify who owns which data, and can alert on unusual activity through DatAlert, which uses user behavior analytics to spot insider threats like abusive administrators, ransomware, compromised accounts, and rogue employees.
  • Keeping files secure when employees leave the company was another important capability identified by Union Bank. Varonis allows the bank to monitor and baseline employees’ access profiles and detect if files are unusually accessed prior to their departure.

David Pennant, an IT Manager at Union Bank told us, “Before Varonis we had no real view of what was happening on the file servers or changes happening on a day-to-day basis. We can’t afford to spend a large amount of time sifting through logs – we need to stay focused on day-to-day tasks and therefore needed a more efficient approach. It was obvious straight away that Varonis could give us the automated, efficient approach we were looking for. Thanks to Varonis, IT now has better insight into the bank’s data, and that of course reduces security risk, which is something which you can’t always put a price on.”

Varonis Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.  Learn more here.

Varonis is Now Integrated with IBM Storwize V7000 Storage Systems

We’re excited to announce yet another technology integration today – our Metadata Framework is now interoperable with IBM Storwize V7000 version 1.6 storage systems. The integration gives IBM Storwize users the insight, intelligence and control over their information that Varonis solutions bring to thousands of organizations around the world.

It’s critical for organizations to go beyond perimeter protection and understand the relationships between users and data. The integration of the Varonis Metadata Platform with IBM Storwize brings two leading technology platforms together to help organizations of all sizes manage and protect their rapidly growing volumes of unstructured data from insider threats.

The market-leading file analysis, audit and protection capabilities of Varonis DatAdvantage can prevent many of the data breaches that are happening with such frequency. The ability of Varonis DatAlert to provide real-time alerts can detect potential security breaches before they cause major damage, and the Varonis Data Classification Framework discovers sensitive content and its possible exposure, then helps you lock it down.

In the related press release we issued today, Eric Herzog, Vice President Marketing IBM Storage Systems at IBM, said, “Our clients store some of their most valuable and sensitive data on IBM Storwize, so the ability to monitor who has access to which files and when they actually access that data is critical. The Storwize V7000 Unified and Storwize V7000 systems provide the latest storage technologies for unlocking the business value of stored data. Together with the Varonis solutions, they provide valuable, complementary capabilities designed to give our clients peace of mind. The Storwize family supports the massive volumes of data created by today’s demanding applications. Together with Varonis, we can provide best-of-breed efficiency, ease of use and dependability for organizations of all sizes looking to glean insights and monitor their unstructured data.”

To learn more visit https://www.varonis.com/.

Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s Security Intelligence Platform

Today we’re happy to announce the interoperability of our DatAdvantage and DatAlert solutions with the LogRhythm Security Intelligence Platform.

With the new interoperability, customers can combine critical security insight from LogRhythm with Varonis intelligence about file systems and unstructured data – the type of data they typically have the most of and know the least about. Varonis and LogRhythm can help organizations proactively spot signs of insider threats before they end up in the news because of a data breach.

How does it work?

Varonis can automatically send alerts from Varonis DatAdvantage and DatAlert into LogRhythm Security Intelligence Platform and thereby increase the speed and accuracy with which customers are able to identify, prioritize and investigate unusual user behavior surrounding unstructured data. Anomalous activity spotted by Varonis analytics includes unusual access to sensitive and stale data, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and integration with LogRhythm is as simple as configuring an IP address.

Click here to learn more.

Come See Us at RSA Conference

Below is a quick overview of some of the things Varonis has on tap for RSA Conference next week in San Francisco (February 29 – March 4). You’ll find us at booth #3126 in the Moscone Center’s North Hall.

But first …

  • Pre-Gaming RSA: Join us this Thursday, February 25th for our first “Inside-Out Security Show” on YouTube. We’ll be discussing current infosec events and sharing a list of speakers we’re excited to see at RSA.

And then at the show …

  • Meet with Varonis Experts: We’ll share best practices on how to utilize Varonis software solutions for a wide range of use cases, including data protection, file analysis, identity management, UBA threat modeling, archiving and migration, file synchronization and mobile data accessibility.
  • Live Demos: At the conference, we’ll demo all of our solutions including the latest Metadata Framework 6.2.5 and advanced user behavior analytics (UBA) threat models found in our DatAdvantage and DatAlert solutions for monitoring unstructured data — the largest, most valuable and most sensitive type of data and therefore the target of most cyberattacks. (Both were announced in beta availability in late 2015.) The newest capabilities represent the most advanced analytics and predictive threat modeling available to help organizations stop breaches that are caused by undetected insider access.
  • Speaking Session: “How do you spot the insider threat?”
  • I’m scheduled to present in the South Expo Hall on Tuesday, March 1st, at 3:30 p.m. PT. My presentation, “How do you spot the insider threat?” will discuss how, with user behavior analytics, managers can pinpoint when an employee is accessing data outside of their normal work habits, either maliciously or as a victim of credential theft.  Spotting these abnormal trends can warn organizations when their company data is vulnerable.
  • Happy Hour – Wednesday March 2: Relax after a day of sessions and walking the trade show floor by joining us from 6:30-8:30pm PST at the iconic View Lounge atop the San Francisco Marriott Marquis, 780 Mission St, San Francisco, CA. We will have raffle prizes and a photo booth, and the most awe inspiring views the city has to offer!

We look forward to seeing you in San Francisco!

Five Insights from the Biggest Insider Data Breaches Around the World

Earlier this year, Andy blogged on Carnegie Mellon University’s Computer Emergency Response Team (CMU CERT) research on insider attacks: specifically their motivation, means and opportunity, and what we can do to prevent them. To quickly review, insiders know that information is an asset. They often have access to the data, know where the data is stored, and have context as to why it’s important. Then a trigger event happens—“you missed your quotas this quarter”—and they steal it!

The CERT sample was small, so I became curious how their model and data aligned with recent insider threat data breaches. I searched for insider data breaches that occurred within the past two years and narrowed the results to “catastrophic” and “severe” cases (ones with one million to over 100 million records breached).

A quick glance at the search results reminded me that data breaches happen globally and affect all verticals – healthcare, finance, education, government, etc. These recent incidents also support many aspects of the CMU research.

But here’s a pattern in my own quick research that’s worth noting: insiders can quickly and anonymously sell bulk PII to a well-established black market. In other words, it’s easier than ever to monetize the data.

Here are five insights I learned from my own research:

1. Who are the insiders?

These stealthy insiders are former employees, current employees and unscrupulous contractors. What’s most alarming is that it takes only one individual, or a couple of people, to steal anywhere from a few records to over 100 million.

2. What did they steal?

These insiders took trade secrets, customer data, financial data, credit card numbers, government-issued ID card numbers, sensitive patient and organizational data.

And what do these insiders do with the data after it’s stolen? In hopes of financial gain, one sold it to various online data brokers, who then sold it to other data brokers. Some teamed up to extort their former employers. Another insider wanted to move back to his home country, stealing company data with the intention of taking it to a competitor.

These insiders exploited vulnerabilities, abused their credentials, or simply emailed stolen data from their work email.

3. When does the breach happen?

It can happen at any time. One took over the course of a year and a half. Another had regular access to personal information of customers from around the country and took the data intermittently.

4. Where is the stolen data stored?

Insiders downloaded valuable data they knew was important to the company and copied it onto an external drive. Afterwards, some enlisted family members to hold the devices. Others simply sent it to their personal email accounts.

5. Why do insiders get away with it?

Because employees and contractors think they can. This is one of the most important points of the CMU research! When employees see that the employer doesn’t view their data as valuable and worth protecting, they’ll draw their own conclusion—“no one cares if I copy this customer database.” One even wrote to management to admit that he stole company data while he was an employee.

Even though it was reported that some insiders weren’t authorized to use the data and that the data wasn’t necessary to their work, they did have access to the data. In fact, all insiders had access to the data.

Paging all CEOs, CTOs, CIOs, CISOs, and security experts: monitor employee access and use UBA to alert on anomalous behavior!

Insider threat data breaches are very real. They’re expensive—PwC says they’re more costly than outside attacks—and in the case of IT sabotage or public exposure of internal records, the attack can be catastrophic, destroying reputations and disrupting operations.

Need a refresher on data security best practices for insider threats? The CMU CERT research team came up with these top five tips.