Inside Verizon's Insider Threat DataVerizon Business' latest Data Breach Investigations Report shows insiders as a growing threat -- but increase comes from a selective data set
For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent, while attacks with an external hacker dropped to 70 percent. Incidents involving data theft from the outside still account for the majority of attacks -- with insiders catching up.
The driving factor behind the increase in insider attacks was not the economic downturn -- an oft-argued opinion -- but rather the inclusion of a new data set in Verizon's database, says Alex Hutton, principal of research and intelligence for Verizon Business. The U.S. Secret Service joined much of its caseload data to Verizon's database, adding a large number of incidents where the victim had a better idea of the identity of the attacker and believed the person could be prosecuted. Both factors tend to favor incidents with an insider component. "With the Secret Service [cases], we got exposed to a whole new set of data," Hutton says of the report.
Overall, Verizon still sees external attackers as the major threat, however. When an outsider steals data, he absconds with a massive number of records. In 2009, breaches caused by outside criminals accounted for about 139 million stolen records, while insiders accounted for only 2.6 million records. "A record that has been exposed is 70 times more likely to have been exposed by an external source than in internal source," Hutton says.
Verizon doesn't refute the threat of insiders -- just the assertion that insiders pose the greatest risk. Companies should have defenses that work against insiders, outsiders, and partners, Hutton says. Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers.
"We are not dismissing the insider threat at all," he says. "We are asking people to prioritize their records. If you are the CIO and in charge of security, you should certainly have controls."
Typically, executives, network administrators, and finance staff are the most problematic insiders: They tend to have higher privileges within the company and are less likely to be subject to oversight. While Verizon's report found that half of all IT security incidents were caused by regular workers, privileged employees usually are the ones to target the company's most sensitive data. In many cases, those breaches are not considered IT security issues.
Software developers are another class of privileged employee who companies have not typically scrutinized. At the recent Defcon hacking convention, security firm Fortify Software touted a specialized ruleset for its code-analysis product that aims to catch malicious code inserted into programs by developers. "Developers have access to a lot of sensitive information in the company," says Matias Madou, principal security researcher for Fortify.
In 2008, a financial firm readying a round of layoff for its internal developers approached Fortify for a way to make sure unwelcome surprises were not left behind, Madou says. So Fortify started working on an add-on ruleset that catches time-sensitive destructive code as well as backdoors. "There is a lot of malicious code put in by insiders," he says. "Some of these pieces of code can be dormant for a long time."
Verizon's report ranks software developers as the sixth biggest insider threat (lower than the help-desk staff), with only 3 percent of incidents involving a developer.
One lesson learned from the Verizon report: Check your logs. According to the report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to discover breaches in five percent of cases. "We have little doubt ... that if the organizations we've studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher," Verizon stated in the report.
Finding evidence of an attack is easier when you know there has been a breach, but Verizon points to three flags in log files that indicate an attack has happened: a large increase in logged data, entries in the log that are abnormally long, or an abrupt decrease in log data. Rather than searching for exact signatures in the logs -- the proverbial needle in a haystack -- look for the major characteristics, the company advises.
"It cannot be a pleasant experience to learn that the six months of log data you've been collecting contained all the necessary indicators of a breach," Verizon says in the report, adding, "the value of monitoring -- perhaps we should say 'mining' -- logs cannot be overstated. The signs are there. We just need to get better at recognizing them."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.