April 7, 2015

Threats From Within: Insider Attacks

IP Protection

Many current security tools (e.g., encryption, network defense and signature-based products) are focused on preventing outsiders from gaining access to sensitive internal file systems and databases. However, defending organizations from insider attacks is a growing concern. In a recent study, the Insider Threat Report from Vormetric, 89% of global senior business managers and IT professionals polled felt that their organizations were now more at risk from an insider attack; 34% felt very or extremely vulnerable.

This report found that the most dangerous insiders are those who have privileged access, followed by contractors and business partners, as shown in the figure below.  

Figure 1: The percentage of insiders by user group who pose the largest risk to an organization.

Recent major security breaches involving government assets, retail chain records, a film studio, and health records underscore the findings of this report. Recently, Edward Snowden obtained administrative passwords from co-workers at the NSA; and misused or stolen user credentials were responsible for major data breaches at the NSA, Target, Home Depot, Sony and Anthem. In the Anthem case, hackers were able to steal the credentials of five different technical employees during their attack and access records of up to 80 million account holders.

Delays in Detecting Security Breaches Prove Costly

According to a recent study by FireEye, a cybersecurity firm, it takes on average 229 days for an organization to detect a data breach. In two-thirds of the known cases, organizations learn about a breach from a third party rather than discovering it themselves.

Additionally, some security professionals believe that most data breaches are slow to be discovered because the attacks rarely cause external disruption to services. Organizations simply can't know what they don't know. Alternatively, firms may be inundated with too many security alerts and may not react quickly enough because disparate teams are using many different security tools. Many of the tools require time-consuming manual correlation of critical data, and may not be correctly tuned or pre-configured to accurately identify the most recent critical security threats.

For example, a recent major data breach compromised 40 million credit/debit cards and resulted in hundreds of millions of dollars in damages. In that case, the retail company was alerted to the intrusion by a malware detection system, but the response was likely unnecessarily delayed because its other security tools failed to detect the intrusion.

To address this insider threat problem, organizations first need high-resolution, early visibility into who is accessing critical IP in an anomalous manner, and when and how they are doing so. Being able to overcome 'security alert noise' and accurately identify high-risk threats is also necessary.