The insider threat is well understood: countless surveys have shown that it poses almost as big a risk to enterprise data security as external attackers do.
A report from Dtex this week offers a slightly different look at the problem by highlighting some of the clues that organizations should be looking for to detect and stop insiders engaged in malicious or negligent behaviors.
The Dtex report is based on an analysis of risk assessments conducted across a sample of its customer base. A stunning 95% of those assessments found employees engaged in activities designed to bypass security and web-browsing restrictions at their organizations.
Examples included the use of anonymizing browsers such as Tor, anonymous VPN services, and penetration-testing tools such as Metasploit. The use of anonymous VPN services within organizations in fact doubled between 2015 and 2016, according to Dtex.
Dtex says the data from its customer assessments shows overwhelmingly that the use of such tools and services by employees is almost always a precursor to data theft or other malicious behavior. “Enterprises usually don’t expect to find such a high volume of employees actively trying to bypass security controls,” says Rajan Koo, senior vice president of customer engineering at Dtex.
Employees using private VPNs and Tor on an enterprise network are typically trying to hide their actions and do something that will not be detected by the organization’s security controls, he says. “Security bypass is the first step towards data theft or other destructive behavior,” Koo says.
For example, if a user threat assessment uncovers an employee running Tor Browser on the network, administrators should treat that as a red flag that the employee is engaging in prohibited or even potentially illegal behavior. Similarly, an employee who spends hours researching ways to get around security systems is very likely trying to evade their own organization’s controls.
“When an employee spends time researching how to bypass security controls, we often find that they are trying to exfiltrate data without being blocked by their DLP or without raising any flags on the network,” Koo says. Or they could be trying to save time by using their favorite tools that are being blocked by corporate security, he says.
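The signals described above (Tor and Metasploit on an endpoint, anonymizer traffic at the proxy, repeated searches for ways around DLP or filtering) are straightforward to turn into a triage rule. The script below is an added example, not code from the Dtex report or its product: it runs simple indicator matching over two constructed logs. The log format, the proxy's `category=anonymizer` label, the usernames and the hosts are all assumptions made for the example; the query-keyword regex is a starting point, not a definitive list. As Koo notes, a hit can also be someone using a favourite blocked tool, so the output is a list of users to look at, not a verdict.

```python
"""Flag security-bypass indicators in endpoint process and web-proxy logs.

Added example; the log lines below are constructed, not taken from any report.
"""
import re
from collections import defaultdict

# Constructed endpoint process-start log (key=value after a timestamp).
PROCESS_LOG = """\
2016-11-01T09:02:11 host=ws-17 user=alice image=C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\firefox.exe
2016-11-01T09:05:40 host=ws-17 user=alice image=C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe
2016-11-01T10:12:03 host=ws-22 user=bob image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
2016-11-01T11:30:55 host=ws-31 user=carol image=/opt/metasploit-framework/bin/msfconsole
"""

# Constructed web-proxy log; 'category' is assumed to come from the proxy's URL classifier.
PROXY_LOG = """\
2016-11-01T09:03:00 user=alice dst=check.torproject.org category=anonymizer
2016-11-01T09:40:12 user=bob dst=www.google.com/search?q=how+to+bypass+dlp+email+attachment category=search
2016-11-01T09:41:30 user=bob dst=www.google.com/search?q=evade+proxy+filtering category=search
2016-11-01T12:00:00 user=dave dst=vpn.anon-example.net category=anonymizer
2016-11-01T12:05:00 user=erin dst=mail.corp.example.com category=business
"""

# key=value pairs; the lazy value match stops at the next " key=" so paths with spaces survive.
KV = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')

# Process-image patterns for tools the report calls out (assumed names/paths).
TOOL_PATTERNS = {
    'tor': re.compile(r'(?i)\btor\.exe$|tor browser'),
    'metasploit': re.compile(r'(?i)msfconsole|metasploit'),
}

# Search queries that pair an evasion verb with a control name.
BYPASS_QUERY = re.compile(
    r'(?i)(bypass|evade|circumvent|get\+around).*(dlp|proxy|filter|firewall|security)'
)


def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(' ')
    fields = dict(KV.findall(rest))
    fields['ts'] = ts
    return fields


def find_bypass_indicators(process_log, proxy_log, min_query_hits=2):
    """Return {user: sorted list of indicator names} for users with any hit."""
    findings = defaultdict(set)
    query_hits = defaultdict(int)

    for line in process_log.splitlines():
        f = parse(line)
        for name, pat in TOOL_PATTERNS.items():
            if pat.search(f.get('image', '')):
                findings[f['user']].add(f'process:{name}')

    for line in proxy_log.splitlines():
        f = parse(line)
        if f.get('category') == 'anonymizer':
            findings[f['user']].add('proxy:anonymizer')
        if BYPASS_QUERY.search(f.get('dst', '')):
            query_hits[f['user']] += 1

    # One evasion search is noise; a pattern of them is the signal the report describes.
    for user, n in query_hits.items():
        if n >= min_query_hits:
            findings[user].add('research:bypass-controls')

    return {user: sorted(hits) for user, hits in findings.items()}


if __name__ == '__main__':
    for user, hits in find_bypass_indicators(PROCESS_LOG, PROXY_LOG).items():
        print(f'{user}: {", ".join(hits)}')
```

Run against real logs, the `category=anonymizer` check does most of the work and depends entirely on the proxy vendor's URL classification being current; the process-image patterns catch the default Tor Browser layout but not a renamed binary, so treat a miss as no evidence rather than as a clean bill.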
Organizations should also not ignore the use of personal email accounts such as Gmail and Yahoo on corporate endpoint devices, Dtex noted in its report. About 87% of the companies whose data Dtex analyzed reported employees using personal web-based email on corporate devices, even though many of them had explicit measures in place to block such use.
While the use of personal email by itself is not a red flag, organizations should not ignore the fact that personal email can be used to enable data theft, the report noted.
Ordinary emails, file attachments, and calendar entries are some of the more obvious channels an employee with malicious intent can use to move data out. Users can also simply stash corporate data in email drafts, which webmail providers store on their own servers, and retrieve it from any other device without ever sending a message or leaving an obvious trail, Dtex said.
More than half of the companies in the Dtex report also encountered potential data theft issues from people who were about to leave the organization. Leavers, for instance, tend to show higher than normal file aggregation activity in the two weeks before their scheduled departure. The kind of data at risk from such activity includes proprietary plans, client lists, and even intellectual property.
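The leaver pattern above is a baseline-and-window comparison: per user, what does a normal day look like, and does the fortnight before the departure date look different? The script below is an added example, not Dtex's own analytic. It builds a constructed daily file-access feed for three users, takes departure dates from an assumed HR feed, and flags a leaver whose pre-departure window is both several standard deviations and at least twice the baseline mean. The daily event count stands in for whatever "file aggregation" measure a real deployment has (distinct files touched, bytes copied to removable media, and so on); the users, dates and thresholds are assumptions.

```python
"""Flag departing users whose file activity spikes before their leave date.

Added example with constructed data; not code from the Dtex report.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Assumed HR feed: user -> scheduled last day.
DEPARTURES = {'alice': date(2016, 11, 30), 'bob': date(2016, 11, 30)}


def make_events():
    """Constructed (day, user, files_accessed) rows, weekdays only.

    alice: steady ~27/day, then 120/day from 16 Nov (a leaver who aggregates).
    bob:   steady ~33/day throughout (a leaver who does not).
    carol: steady ~41/day with one isolated spike; not leaving.
    """
    events = []
    day = date(2016, 10, 1)
    while day < date(2016, 11, 30):
        if day.weekday() < 5:
            events.append((day, 'alice', 120 if day >= date(2016, 11, 16) else 25 + day.day % 5))
            events.append((day, 'bob', 30 + day.day % 7))
            events.append((day, 'carol', 200 if day == date(2016, 11, 18) else 40 + day.day % 3))
        day += timedelta(days=1)
    return events


def flag_leavers(events, departures, window_days=14, z_threshold=3.0, min_ratio=2.0,
                 min_baseline_days=10):
    """Return {user: stats} for leavers whose pre-departure window exceeds baseline.

    Baseline = all activity before the window; window = the window_days before
    the leave date. Both a z-score and a ratio test are required so that a user
    with a very flat baseline is not flagged for a trivial increase.
    """
    per_user = defaultdict(list)
    for day, user, count in events:
        per_user[user].append((day, count))

    alerts = {}
    for user, leave_date in departures.items():
        window_start = leave_date - timedelta(days=window_days)
        baseline = [n for d, n in per_user[user] if d < window_start]
        window = [n for d, n in per_user[user] if window_start <= d < leave_date]
        if len(baseline) < min_baseline_days or not window:
            continue  # not enough history to say what normal looks like
        mu, sigma = mean(baseline), pstdev(baseline)
        w = mean(window)
        z = (w - mu) / sigma if sigma else float('inf')
        ratio = w / mu if mu else float('inf')
        if z >= z_threshold and ratio >= min_ratio:
            alerts[user] = {
                'baseline_mean': round(mu, 1),
                'window_mean': round(w, 1),
                'ratio': round(ratio, 2),
                'window_start': window_start.isoformat(),
            }
    return alerts


if __name__ == '__main__':
    for user, stats in flag_leavers(make_events(), DEPARTURES).items():
        print(user, stats)
```

Two things worth keeping from this design: the window is anchored on the HR departure date rather than on "today", so the check can run daily from the moment notice is given, and the baseline is the user's own history, not a fleet-wide average, which is what makes a quiet user's sudden bulk access visible. Carol's one-day spike is deliberately not caught here; a single-day anomaly is a different rule.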
Dtex’s analysis also confirmed what numerous other surveys have shown: malicious insiders are far from the only insider threat. Fifty-nine percent of the organizations in the report, for instance, reported that employees put them at risk through inappropriate Internet usage, such as viewing pornography or gambling at work.
“Insider breaches are a growing threat to virtually all organizations including mainframe users,” says John Crossno, product manager of Compuware’s security solutions group, which recently released a tool designed to mitigate the threat.
The increasing number of incidents in which employees fall prey to phishing and other social engineering attacks and hand over valid user credentials to attackers has made even otherwise secure mainframe environments vulnerable, he says. He points to the massive data breach at the U.S. Office of Personnel Management in 2015 as one example of how attackers gain access to critical mainframe systems by acquiring the valid credentials to do it.
In the mainframe environment, “enterprises have traditionally relied on insufficient methods to identify threats including disparate logs and [system-level] data gathered by security products to piece together user behavior,” he says. What is needed, he says, is a much more comprehensive approach to monitoring and analyzing mainframe application user behavior in order to detect insider breaches.
“The best way to detect threats before they cause damage is by collecting and analyzing data from various sources which provide a baseline for behaviors and stressors most closely linked to insider threats,” says Thomas Read, vice president of security analytics at Haystax Technology, in recent comments to Dark Reading.
Organizations often focus their insider threat mitigation efforts on the endpoint but do little to understand how likely an individual insider is to go rogue, or to cause a data breach through lack of training, Read says.
“Harold Martin – the contractor for the NSA found with stolen classified files – had a history of bad behaviors that were never flagged by insider threat controls,” he says as one example. “He also had access to the information as part of his job, and walked off the NSA site with the files. Network controls never would have detected this.”