New York City has had more than its share of winter this year (not to slight this winter’s weather endurance contest winner – Boston). Despite school closings and transportation delays, the snowy winter does have its bright spots. There is nothing quite like seeing the city freshly blanketed with clean, unspoiled snow. My daughter loves the snow because “it covers up all the garbage.” She’s right, but nothing remains pristine for long in New York City. Soon residents churn the white snow into a gray, slushy mess, and the garbage beneath pokes through.
Speaking of gray, slushy messes full of garbage, how’s your network doing? Has your clean, shiny, unsullied infrastructure become a dark, shadowy world of orphaned files, nasty binaries, and data-siphoning ghouls? Just as New Yorkers quickly spoil their winter wonderland, users drag every network into blight and decay when they connect to it – and through it to the outside world. Ultimately, it comes down to the users. As they go, so goes network security.
Company after company has seen its network compromised by a seemingly endless barrage of attacks from, well, anywhere. Media reports on state-sponsored attackers and foreign criminal masterminds have drawn corporate attention outward. The security industry has responded with a dizzying array of tools and technology designed to keep the bad guys out. “Next-generation” firewalls, antivirus protection “on steroids,” and “advanced threat detection” capabilities have proliferated, helping create a $70 billion information security market.
Bruce Schneier, information security expert and occasional industry provocateur, has bluntly stated, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Yes! To be fair, today’s unprecedented array of tools empowers network defenders, but without strategic focus, sound processes, and informed people, the gap between the defenders and the attackers will remain.
And make no mistake – the attackers are winning and expanding their lead despite huge investments by defenders. While current and former employees cause 66% of security incidents, maybe as victims of phishing attacks or through slightly careless internet usage, an estimated 90% of security spend focuses on perimeter protection.
We’re looking out when we should be looking in.
Almost all attacks involve compromised credentials, and 84% of attacks for financial gain are “non-technical.” The attacks slip past millions of dollars of technical and physical protection mechanisms. If attackers want access to a computer system, they just ask for it with a cleverly crafted spear phishing email.
The good news is that the “human layer” has received little attention and security investment recently, leaving lots of room for improvement and an orchard full of the proverbial low-hanging fruit.
Certainly malicious insiders are dangerous. A trusted insider with authorized access is well positioned to steal, destroy, or expose sensitive data. Many companies have been burned by disgruntled IT staff or pilfered by departing sales staff. Malicious insiders are hard to detect. “Signs” that someone is going rogue could be “signs” of an overachiever: working long hours, accessing the network remotely, or taking an interest in other areas of the company. However, SIEM technology and content-aware DLP systems successfully leverage big-data analytics to tackle this problem. For companies ready to shift some resources from the castle walls to the interior, the return can be substantial.
But it ain’t easy.
The malicious insider is generally not the greatest threat at the human layer. Often, the loyal, well-intended but careless or uninformed insider somehow, unwittingly, aids the enemy. Maybe it’s the “road warrior” who stores business data on personal devices and cloud platforms, connects using “free WiFi” pretty much anywhere, and circumvents security controls to “maximize efficiency.” We have all seen it – and many of us have (gulp) done it.
[Learn more from Jason about insider threats and building a culture of security at his Interop session in Las Vegas on Friday, May 1.]
Or how about the imperious executive who wants 360-degree access to everything 24/7, gets the latest gizmos recommended by “tech whisperers,” blows off two-factor authentication, browbeats the help desk for policy exceptions, and auto-forwards corporate email to a personal webmail account.
Let’s not forget your vendors. Many companies rely on contract language, vendor reps and warranties, and insurance coverage for protection from attacks by vendors or third parties. Unfortunately, those measures can’t prevent the reputational damage, data loss, or other financial harm stemming from a significant breach. Moreover, when vendors connect to your network, it’s on you to restrict access and monitor activity appropriately.
And the list goes on.
Now hold on. Take a deep breath. Before you lock down your network and install 24/7 video surveillance cameras, think practically. First off, most users will help you if you educate and empower them appropriately – they want to protect your business as much as you do. Second, some incredibly powerful tools are available to support your insider risk management program.
Any protection measure that impedes value creation should be carefully considered against its likely return. The last thing a company should create is a “police state” that monitors every digital step or unduly punishes well-intended employees for a simple mistake. Start with the basics, like acceptable use policies, email and web filtering, encryption and password policies, two-factor authentication, and remote access policies. A realistic, executive-sponsored, business-centric security awareness program (as opposed to a mandatory, 15-minute canned video for new employees!) can tremendously reduce insider risks. And the same SIEM, DLP, and behavioral analytic technologies that detect malicious insiders can help identify risky behavior by trusted users.
There is no “easy button.” IT resources alone cannot accomplish the hard work of creating reasonable, effective policies and implementing behavioral analytic tools. However, with committed key business stakeholders, an organization can dramatically improve security.
Along with warmer weather and melting snow (you may have to wait another month or so, Boston), spring brings the perfect opportunity for user engagement. Along with a sensible dose of technology, you can plant seeds of cultural change to protect your company in today’s cyber risk environment. You have a choice: your users can remain your biggest vulnerability, or you can transform them into your most sophisticated security devices.