Insider threats are tricky. Most security solutions are designed primarily to keep the bad guys out, so addressing attacks that originate inside your organisation demands a new mindset and different technology.
There’s no doubt that insider threats are an issue. In a study of over 5,000 organisations around the world, Kaspersky Lab and B2B International found that over 50% of businesses believe that their employees are their biggest IT security weakness. 28% had lost sensitive information and 25% payment information because of irresponsible employees.
The challenge is real, but difficult to pin down, understand and address. In this article, we explore three things to know about insider threats – and what to do about them.
1. Insiders Leave a Trail
As your employees use data, they leave a trail behind them: the data they have accessed, how much of it, when they accessed it, the devices they used, and more. This information can be used to paint a picture of each employee’s normal data use. Much as credit card companies profile their customers’ spending habits to spot fraud, a baseline of each employee’s data usage makes the signs of misuse stand out: a sudden sweep through a share the user has never touched, or a volume of access far above that user’s own norm. The baseline is only as good as the audit trail beneath it, so the first question to ask is which of your systems actually record who touched what.
2. Access Control is Often Out of Control
Risk assessments repeatedly find that around 20% of folders are accessible to every employee, and often to contractors too, usually by mistake rather than by design. It is not just low-risk data, either: almost half of all organisations have at least 1,000 sensitive files open to all insiders. A rogue user needs no exploit to steal such data; mapping a drive is enough. And because no attack is needed, the careless mishandling of just one of those files can be as damaging as deliberate theft.
3. Data Goes Stale
Data tends to hang around long after it has ceased to be useful: over 70% of data on live systems has not been touched in months. As well as consuming storage without adding measurable value, stale data adds significantly to risk: every forgotten file is one more that an insider or a compromised account can read, copy or encrypt, while nobody is watching it closely enough to notice. It should be archived, automatically, to more secure, lower cost, long term storage.
These three issues are key to understanding and addressing insider threats.
Detection and Response
Effective data usage profiling is central to insider threat detection and response, and it depends on collecting, automatically and continuously, information about how users interact with data across a wide range of platforms. Some platforms expose adequate auditing through their APIs; others do not, and wherever auditing is missing the profile has a blind spot in which an insider can operate unnoticed.
The scope of such data is broad: Active Directory events such as logons and group membership changes, file system permissions and access control lists, telemetry from DNS servers, web proxies and VPN concentrators, and the sensitive content classified within the files themselves.
Working with this information, a data usage profile can be built for each user and used to highlight possible attacks, even triggering predetermined automated responses when meaningful deviations from the norm are detected. Thresholds matter here: an automated response that fires on ordinary month-end activity will be switched off within weeks, so deviations should be measured against each user’s own baseline rather than a single global rule.
Where the deviation looks like ransomware or a similar fast-moving attack, the compromised account should be disabled immediately, limiting the number of files it can reach before anyone has even read the alert. A comprehensive log audit and query system then lets IT establish quickly which files were touched and what needs restoring.
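The following Python is added here as a worked example of the mechanics the two paragraphs above describe; it is not code from the original article or from Varonis. It builds a per-user baseline from file-access audit records, scores one day against that baseline, and decides a response that disables the account only for the ransomware-like pattern, leaving slower anomalies to an analyst. The audit line format, user names, share paths, the thresholds (a z-score of 3; 30 writes or renames within 60 seconds) and the three response labels are all constructed assumptions, not any product’s defaults.

```python
"""Per-user data-usage baselines from file-access audit records, scored daily for deviations,
with an automated response decision. Added example, not Varonis code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str  # "read", "write" or "rename" (constructed vocabulary)
    path: str    # UNC path of the file touched


def parse_events(lines):
    """Constructed line format: '<ISO timestamp> <user> <action> <UNC path>'."""
    events = []
    for line in lines:
        ts, user, action, path = line.split(" ", 3)
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, path))
    return events


def share_of(path):
    # \\server\share\dir\file.ext -> \\server\share
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]).lower()


def build_profiles(events):
    """Baseline per user: mean/stdev of distinct files touched per day, plus the shares used."""
    per_day = defaultdict(lambda: defaultdict(set))
    shares = defaultdict(set)
    for e in events:
        per_day[e.user][e.ts.date()].add(e.path.lower())
        shares[e.user].add(share_of(e.path))
    profiles = {}
    for user, days in per_day.items():
        counts = [len(files) for files in days.values()]
        profiles[user] = {"mean": mean(counts), "stdev": pstdev(counts), "shares": shares[user]}
    return profiles


def score_day(profile, day_events, z_threshold=3.0, burst_n=30, burst_window_s=60):
    """Compare one day of a user's activity with their own baseline; return alert tags."""
    alerts = []
    distinct = {e.path.lower() for e in day_events}
    spread = max(profile["stdev"], 1.0)  # floor so a perfectly flat baseline cannot divide by zero
    z = (len(distinct) - profile["mean"]) / spread
    if z > z_threshold:
        alerts.append(f"volume z={z:.1f}")
    new_shares = {share_of(e.path) for e in day_events} - profile["shares"]
    if new_shares:
        alerts.append("new_share " + ",".join(sorted(new_shares)))
    # Ransomware-like: many writes/renames inside one sliding time window (two-pointer scan).
    muts = sorted(e.ts for e in day_events if e.action in ("write", "rename"))
    lo = 0
    for hi in range(len(muts)):
        while (muts[hi] - muts[lo]).total_seconds() > burst_window_s:
            lo += 1
        if hi - lo + 1 >= burst_n:
            alerts.append("mutation_burst")
            break
    return alerts


def decide_response(alerts):
    """Cut the session for the fast-moving pattern; leave slower anomalies to an analyst."""
    if "mutation_burst" in alerts:
        return "disable_account"
    if alerts:
        return "notify_analyst"
    return "none"


def run(lines, test_day=date(2024, 3, 15)):
    """Profile every day before test_day, then score test_day for each user with a baseline."""
    events = parse_events(lines)
    profiles = build_profiles([e for e in events if e.ts.date() < test_day])
    results = {}
    for user, profile in profiles.items():
        todays = [e for e in events if e.user == user and e.ts.date() == test_day]
        alerts = score_day(profile, todays)
        results[user] = (alerts, decide_response(alerts))
    return results


def constructed_log():
    """14 quiet baseline days for two users, then one day under test. Entirely made up."""
    lines = []
    for d in range(1, 15):
        for i in range(5 if d % 2 else 7):  # alice alternates 5/7 files a day: mean 6, stdev 1
            lines.append(f"2024-03-{d:02d}T09:{i:02d}:00 alice read \\\\fs01\\finance\\ledger{d}_{i}.xlsx")
        for i in range(3):                  # bob: a flat 3 files a day
            lines.append(f"2024-03-{d:02d}T10:{i:02d}:00 bob read \\\\fs01\\finance\\memo{d}_{i}.docx")
    for i in range(40):                     # alice sweeps an HR share she has never used
        lines.append(f"2024-03-15T19:{i:02d}:00 alice read \\\\fs01\\hr\\salary_{i}.xlsx")
    for i in range(60):                     # bob renames 60 files inside one minute
        lines.append(f"2024-03-15T11:00:{i:02d} bob rename \\\\fs01\\finance\\memo{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for user, (alerts, action) in run(constructed_log()).items():
        print(f"{user}: {action} {alerts}")
```

Running it, alice’s sweep of an unfamiliar share produces volume and new-share alerts and a notify_analyst decision, while bob’s minute of renames trips the burst detector and a disable_account decision. Two limits are worth noting: a user with no baseline days is skipped (in practice you would fall back to a peer-group profile), and the burst rule looks only at the audited file operations, so it catches ransomware on monitored shares and nothing on unmonitored ones.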
Unduly broad access permissions are usually granted through global groups such as Everyone, Authenticated Users or Domain Users, through misconfigured permissions, or through excessive group memberships. By analysing activity, file system permissions, and user and group relationships together, such excessive permissions can be identified, and the users who genuinely rely on them can be separated from the many who merely could have used them. Reduced access configurations should be tested in a sandbox or other development environment, and checked against recorded activity, before they are applied to live systems, so that nobody who needs the data loses it.
The ability to safely and automatically remove global access groups from entire shares or servers matters because it limits the damage a rogue user can inflict before anyone notices.
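As an added example, not code from the article or from Varonis, the Python below carries out the analysis the previous two paragraphs describe. It finds folders where a global group holds an ACE, counts the classified files beneath them, works out from recorded activity which users actually relied on that global access, and proposes a named group holding exactly those users so the global entry can be removed. It then re-checks the proposed ACL against the same activity, the sandbox test, and reports anyone who would lose access. The ACL entries, group memberships, classified-file list, access events, the R/RW rights shorthand and the ACL_<folder>_R group naming convention are all constructed assumptions; deny ACEs and share-level permissions are deliberately outside this simplified model.

```python
"""Find folders open to global groups, measure the exposure beneath them, and plan a
least-privilege replacement that keeps every user who actually used the data.
Added example, not Varonis code; every input below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Principals that make a folder reachable by every insider. BUILTIN\Users contains
# Domain Users on a domain-joined server, so a bare "Users" counts as global too.
GLOBAL_GROUPS = {"everyone", "authenticated users", "domain users", "users"}


@dataclass(frozen=True)
class Ace:
    folder: str     # folder the entry is set on, e.g. \\fs01\finance
    principal: str  # user or group in DOMAIN\Name form
    rights: str     # "R" or "RW": constructed shorthand for the NTFS access mask


def is_global(principal):
    return principal.lower().split("\\")[-1] in GLOBAL_GROUPS


def under(path, folder):
    # The trailing separator stops \\fs01\finance from matching \\fs01\finance2.
    return path.lower().startswith(folder.lower() + "\\")


def covered(user, aces, memberships):
    """Does the user keep access via an allow ACE, directly or through a group?
    Deny ACEs and share-level permissions are ignored in this simplified model."""
    groups = memberships.get(user, set())
    return any(a.principal == user or a.principal in groups for a in aces)


def plan_remediation(acl, classified, events, memberships):
    """One plan per folder that carries a global ACE."""
    by_folder = defaultdict(list)
    for a in acl:
        by_folder[a.folder].append(a)
    plans = []
    for folder, aces in sorted(by_folder.items()):
        global_aces = [a for a in aces if is_global(a.principal)]
        if not global_aces:
            continue
        remaining = [a for a in aces if not is_global(a.principal)]
        observed = {user for user, path in events if under(path, folder)}
        # Users whose only route to the data was the global group must be re-homed.
        losers = sorted(u for u in observed if not covered(u, remaining, memberships))
        leaf = folder.rsplit("\\", 1)[-1]
        plans.append({
            "folder": folder,
            "remove": [a.principal for a in global_aces],
            "sensitive_files": sum(1 for f in classified if under(f, folder)),
            "new_group": f"CORP\\ACL_{leaf}_R" if losers else None,  # naming convention assumed
            "members": losers,
            "review": not observed,  # nobody used it in the window: confirm with the data owner
        })
    return plans


def apply_plan(acl, plans, memberships):
    """Return (acl, memberships) with global ACEs dropped and replacement groups added."""
    drop = {(p["folder"], g) for p in plans for g in p["remove"]}
    new_acl = [a for a in acl if (a.folder, a.principal) not in drop]
    new_mem = {u: set(g) for u, g in memberships.items()}
    for p in plans:
        if p["new_group"]:
            new_acl.append(Ace(p["folder"], p["new_group"], "R"))
            for u in p["members"]:
                new_mem.setdefault(u, set()).add(p["new_group"])
    return new_acl, new_mem


def users_losing_access(acl, memberships, events):
    """Sandbox check: every user with recorded activity under a folder must still be covered."""
    by_folder = defaultdict(list)
    for a in acl:
        by_folder[a.folder].append(a)
    return {(user, folder) for folder, aces in by_folder.items()
            for user, path in events
            if under(path, folder) and not covered(user, aces, memberships)}


# Constructed inputs: an ACL dump, a classifier's list of sensitive files, AD memberships,
# and (user, path) pairs from 90 days of file-access auditing.
ACL = [
    Ace("\\\\fs01\\finance", "CORP\\Finance-Team", "RW"),
    Ace("\\\\fs01\\finance", "CORP\\Domain Users", "R"),              # the mistake
    Ace("\\\\fs01\\finance\\payroll", "CORP\\HR-Team", "RW"),
    Ace("\\\\fs01\\finance\\payroll", "Everyone", "R"),                # another one
    Ace("\\\\fs01\\eng", "CORP\\Engineering", "RW"),
    Ace("\\\\fs01\\legacy", "NT AUTHORITY\\Authenticated Users", "R"),
]
CLASSIFIED = ["\\\\fs01\\finance\\q1_forecast.xlsx",
              "\\\\fs01\\finance\\payroll\\salaries_2024.xlsx",
              "\\\\fs01\\eng\\design.pdf"]
MEMBERSHIPS = {
    "CORP\\alice": {"CORP\\Finance-Team", "CORP\\Domain Users"},
    "CORP\\bob": {"CORP\\Engineering", "CORP\\Domain Users"},
    "CORP\\carol": {"CORP\\HR-Team", "CORP\\Domain Users"},
    "CORP\\dave": {"CORP\\Domain Users"},                              # contractor
}
EVENTS = [("CORP\\alice", "\\\\fs01\\finance\\q1_forecast.xlsx"),
          ("CORP\\carol", "\\\\fs01\\finance\\payroll\\salaries_2024.xlsx"),
          ("CORP\\dave", "\\\\fs01\\finance\\vendors.xlsx"),
          ("CORP\\bob", "\\\\fs01\\eng\\design.pdf")]

if __name__ == "__main__":
    plans = plan_remediation(ACL, CLASSIFIED, EVENTS, MEMBERSHIPS)
    for p in plans:
        print(p)
    print("would lose access:", users_losing_access(*apply_plan(ACL, plans, MEMBERSHIPS), EVENTS))
```

With these inputs the finance root needs a replacement group for carol and dave, whose only route in was Domain Users; the payroll subfolder just loses its Everyone entry because carol is already covered by HR-Team; and the legacy folder, open to all but untouched for the whole window, is flagged for the owner to confirm before its global entry goes. The point of the final check is that it is driven by what users did, not by what they were entitled to: it is the sandbox step from the text expressed as data.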
Automating data clean-up means sensitive stale data can be locked down and quarantined, then archived with access restricted, while data with no business value is simply deleted.
Data meeting predetermined sensitivity and relevance criteria should be moved or deleted automatically, with permissions translated correctly across data stores and domains, so that the archive does not quietly become a fresh copy of the exposure it was meant to remove. The smaller the live estate, the less an insider can reach, wilfully or accidentally.
Is Your Data Safe?
Data security and insider threat detection solutions bring together sophisticated information gathering, leading-edge permissions management technology and powerful analytics to deliver rapid attack detection, optimised access control and data-driven policy enforcement to protect against insider threats.
“Is our data safe?” is among the more important questions for IT to ask, especially when considering insider threats. To find out more download the white paper, 3 Ways Varonis Helps You Fight Insider Threats.