11:51 AM

Insider Threats Get More Difficult To Detect

User diversity and growth in network activity including cloud services are among reasons it's getting harder to guard against insider data breaches, says Fortune 1000 survey.

-- 27% say advanced persistent threats complicate detection and prevention of insider threats. There's the sense that insiders are also using sophisticated attack techniques that emulate "normal" behavior.

As a consequence, nearly half (46%) of the IT pros surveyed say they think their organization is vulnerable to a variety of insider attack methods, including: abuse of privileged employee access rights, theft of devices containing sensitive data, and abuse of access rights by non-privileged employees or contractors.

The risk that system administrators and other employees might abuse their access privileges, however, has gained wider senior management attention. Nearly half (45%) of those surveyed say that the Snowden affair has changed their organization's perspective on insider threats either substantially or somewhat.

The biggest threat, say 51% of survey respondents, is likely to come from non-technical employees with legitimate access to sensitive data and IT assets, followed by third-party contractors (48%); IT administrators (34%); business partners, customers or suppliers (24%); IT service providers (24%); or other IT employees or executives.

What can enterprises do? One tip comes from the NSA's director, Gen. Keith Alexander. After the Snowden leak, the NSA instituted "a two-person rule," requiring two authorized individuals to be present whenever specific kinds of information are to be transferred onto removable media. Enterprises also need to assess what data is most important, where it's located and how it's protected, said Sol Cates, Vormetric's chief security officer. "You can slice and dice who has privileges, but not enough goes into what they can do with those privileges" or the data they're handling, he said.

To further reduce the risk of insider threats, enterprises need to:

-- Limit the data IT administrators can access to only the data they need to do their jobs.

-- Use data encryption technology.

-- Continually monitor access to sensitive data for signs of abuse.

-- Implement automated alerts when suspicious/malicious behavior is suspected.

The challenge, Cates concedes, is that as the volume of data and activity continues to grow, it's not easy to distinguish malicious behavior from the norm. The goal, he says, is to remove people from the equation and automate data access so that the infrastructure is essentially "blind" to the data.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Andre Gironda
Andre Gironda,
User Rank: Apprentice
10/15/2013 | 7:03:49 PM
re: Insider Threats Get More Difficult To Detect
Dear Editor,

Great article and comment -- allow to please speak to both.

In your article, only one vendor is mentioned, Vormetric, a classic data security company. However, data security is not the correct control against insider threats using any information security management model, principle, or control set. The gap that exists is primarily due to 3 factors:

First is application security -- the Intranets of yesteryear require the same application security controls as everything "outside the firewalls". Second is threat intelligence -- Vormetric will not help if you are facing AVT (Advanced Volatile Threats, an APT that uses strictly in-memory techniques). Lastly, you must have enough staff to handle and respond to incidents at scale. If you want big data for your cyber security programs, you best use your best data to know when to hire, how many, what specific attributes/skills you need pre-/post- COE, and how you're going to be able to hire and train them in time to respond to all of your incidents (including insider threats) at scale.

The insightful comment you gave coincides with my last point -- that identity and authentication/authorization access controls should be modernized and integrated with people. Google, who has used big data to optimize their ID/AuthN systems, will be adding Universal 2-Factor (U2F) to defend their business and assets come January 2014. This is a bold move away from the hokey biometric systems we're seeing in the media. Google, clearly knowledgeable about technologically-advanced insider threats against sensitive operations, does employ role compartmentalization with separation/rotation of duties.
User Rank: Apprentice
9/27/2013 | 9:39:19 PM
re: Insider Threats Get More Difficult To Detect
NSA's decision to go to "two-man rule" in handling sensitive data, following Edward Snowden incident, may give a new spin to the notion of two-factor authentication.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio