Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/6/2017
10:30 AM
Tom Thomassen
Tom Thomassen
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Rise in Insider Threats Drives Shift to Training, Data-Level Security

As the value and volume of data grows, perimeter security is not enough to battle internal or external threats.

Data breaches continue to devastate organizations, and the threat from insiders — whether malicious or accidental — continues to grow as the value and volume of data expands at near breakneck speed.

The latest research from Verizon showed that internal actors contributed to 25% of data breaches, and other research has shown insider threats to be on the rise, with more than half of cybersecurity professionals reporting growth in insider threats over last year, according to Crowd Research Partners' 2017 Threat Monitoring, Detection and Response report (registration required). 

None of this is surprising. Enterprises are accumulating ever-more data for business intelligence. They're sharing more data with partners, suppliers, customers, and cloud providers, and they're linking more data to more applications, mobile and otherwise. This activity is the lifeblood of a robust economy and expanding Internet of Things ecosystem, but it also creates more opportunities for increasingly sophisticated cyber attacks and security breaches.

Not Just an Inside Job
With an insider threat, the culprit is already inside the network. Securing the perimeter around the network — which has long been the focus for enterprise security — does not do the job against this kind of a threat, whether it is malicious or unintentional. Nor is focusing on securing the perimeter the best strategy against many external threats. That's because data-smart companies want to be able to safely give partners, suppliers, and customers access to their networks in order to increase business opportunities.

As a result of this shift, security needs to rest with the data itself, not just at the network level. The move to the cloud elevates the need for data-level protection. To reduce the risk of insider threats, companies and organizations need to focus on three areas:

Hurdle 1: The Data
Connected enterprises need and want approved partners inside their networks, but they don't want everybody to have access to all data. As a result, database technologies today offer flexible and granular access controls to ensure that employees only have the privileges necessary to do their jobs — and nothing else. For instance, someone in Human Resources may be allowed to access work-related salary information but not personal information such as an employee's home address.

Other types of database security measures also can act directly on data. Encryption technologies require people to have encryption keys to unlock data. Redaction enables companies to hide sensitive data, but share other, related data. For instance, if a patient is enrolled in a clinical trial, data about how that patient reacts to a drug can be shared, but the patient's personal identified information is not. 

All of these tools improve data-level security. But for enterprises to really wring business intelligence out of their data, they also need to trust their data. This requires good data governance: knowing where data came from, when, how and if it was changed, and by whom. With security at the data level, inside actors face another hurdle.

Hurdle 2: Awareness Training
Employee negligence remains the number one cause of most insider security events, concluded CSO's 2017 U.S. State of Cybercrime survey. All told, 28% of insider security incidents were unintentional or accidental, 18% were intentional, and 8% resulted from theft of insider credentials, according to the survey. In healthcare, the 2017 KPMG Cyber Healthcare & Life Sciences Survey of 100 senior executives reported that a full 55% of organizations have seen employees fall prey to phishing scams. All of this points to a need for better education.

Companies vary in how and how often they train, but the key factor is that employees need to buy into the idea that security is important. Educate them on the value of company data, on different types of data, what's shareable and what's not, and why access controls are critical. Remind employees that downed networks and lost data affect business reputations, which may hinder future opportunities. Anyone can relate to the pain and cost of having their identity stolen. A company is similarly vulnerable.

Hurdle 3: Executive Buy-in
Executives set the tone for how important something really is to a particular organization. Are executives investing in security and training? Do they talk about security with employees and with board members? Despite the importance of data security in healthcare, KMPG's survey found that more than one-third of healthcare organizations don't even have a CISO, and 6 in 10 boards see cyber-risks as an IT problem as opposed to an issue that has a universal impact.

Hurdle 4: The Promise of Big Data
In the past, security detection was limited to looking for patterns in network-centric data. Now, we have data on servers and in databases, all of which can be monitored and audited to provide a richer set of detection opportunities.  Metadata — data about data, such as data origin, quality, owner, geolocation — creates new opportunities for security anomaly detection. Combine all that data with big data compute power and you have another tool to detect breaches or, better yet, stop them before they get that far.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Tom Thomassen is a senior staff engineer of security at MarkLogic. He is responsible for helping identify and implement secure development practices into the company engineering process, educating the team on security best practices, monitoring and responding to changes in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/9/2017 | 3:08:24 PM
Human Resource
The rules of an HR department share in this --- and some departments interface badly with the IT sector.  In a position I left in July of this year, i still had access to email (potentially everything) for about 2 weeks.  The insider threat is very real when it comes to terminated employees, who find any number of reasons to take whatever they can before being walked out of the door.  And HR policies can be awful.  When someone is fired or let go, RULES should come into effect RIGHT THEN AND THERE.  Inventory clean up, preservation of data, legal hold, and elimination of login and access rights WITHIN 30 MIN if possible.  
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
10/10/2017 | 7:19:25 AM
Strong end-to-end data life cycle encryption
A complicating issue that you briefly touch upon is about data ownership. When partners share data, how do you maintain control? Or if you are part of a system of systems, like e.g. a smart city application, where you provide data "upwards" in the system hierarchy, but you still want to control it so that it doesn't leak to your competitors "sideways"? Or you want to have different pricing on specific data elements depending on usage and users in this ecosystem of systems?

I strongly believe in encryption as the mechanism that needs to be fully implemented, as you point out. A good granular and distributed encryption model that can handle the complicated key sharing needed can also solve many of the other issues I mention.
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.