A new report from Verizon offers an insightful view into one of the most overlooked areas of the security landscape: the insider threat.
The Insider Threat Report, produced by Verizon’s Threat Research Advisory Center, uses statistics and learnings from recent Data Breach Incident Reports (DBIRs) to illuminate how the insider threat fits into the larger cyber-threat landscape.
The report provides readers with a comprehensive characterization of insider threat actors and actions, underscoring the ease with which insiders can navigate internal controls, and compromise and exfiltrate data at a breakneck pace—while, by contrast, detection can take years.
As with its Data Breach Incident Reports, Verizon is able to draw on lessons learned from hundreds of investigations conducted by their internal forensics teams. The combination of an extensive data set and eye-opening, real-world examples brings the insider threat to life on the page.
As a career security professional with more than 20 years of experience delivering and leading IT security in fast-paced environments, here are my five key takeaways from the report.
1. Why Detection Must Supersede Prevention
The Insider Threat Report shines a spotlight on one of the biggest weaknesses of many cyber security programs: threat detection. Today, there seems to be a lot of focus on prevention strategies. While prevention should be part of an effective and holistic security and response program, too many organizations lack a solid foundation of best practices that enable security teams to defend them. Here’s how I think of it: while prevention is ideal, detection is a must. Metaphorically speaking, you should go for an annual physical, but if you suddenly find yourself very sick, the most important thing is access to effective treatment.
To get more specific about what that defense should look like, the report states that, “Insider threat detection tools are often signature-based. These techniques (such as watch list IP addresses, hash signatures, specific strings in packets, etc.) are useful, but may be analogous to reading yesterday’s news. Consider supplementing them with behavioral anomaly detection methods.”
We recommend focusing not on data classification schemes, logs, and signatures, but instead on user and data activity. The former will always lag behind the rapid pace of data creation and movement, while the latter will give you a direct window into specific actions that actually indicate an insider threat (for example, the unsanctioned use of removable media devices).
2. Time to Detection: The Scariest Insider Threat Stat
Verizon points out that, while insider threats can happen at break-neck speed due to access and privilege, the time from incident to discovery can be glacial. The report states that, “External attackers can compromise systems in hours or even minutes, while it can take months or more for organizations to detect intrusions. Since insiders have fewer barriers to overcome and compromises don’t require circumventing controls, the time-to-compromise and time-to-exfiltrate metrics for insider threat actions are grim.” The majority of insider threat incidents are discovered months or years after the fact.
Again, these trends reflect a need to focus more acutely on user activity within the walls of an enterprise. Using an insider threat detection platform that focuses on anomalous user activity will greatly improve the odds that an enterprise is able to discover, investigate, and respond to an incident in a timely fashion, instead of finding out about it the hard way and far too late.
3. Who’s On First… And Second… And Third
The insider threat problem doesn’t discriminate by industry, and none are immune. However, it can be a bit surprising which ones make it into the top spots.
The report shows that, “When we examine the combination of sensitive internal data (Internal), intellectual property (Secrets), and classified information for the previous five DBIRs (2014- 2018), we see vast diversity in industry representation.”
The top five industries with the highest percentages of insider and privilege misuse over a one to five-year period are:
- Professional, Scientific and Technical Services
- Public Administration
- Mining, Quarrying, and Oil and Gas Extraction
- Financial Insurance
Some types of data are inherently more “monetizable” than others (including payment card or banking details). But trade secrets, intellectual property, and other forms of sensitive data can be just as appealing to insiders looking to misuse their privilege.
This data is a good reminder that, just because an enterprise isn’t in financial services doesn’t mean it can’t or won’t be a target for a data breach. All the more reason to have an effective strategy in place to quickly and accurately identify unusual activity that involves sensitive data—of any sort.
4. Categorizing the Insider Threat
Phishing and social engineering scams take up many of the incident headlines on a day-to-day basis. There is something about the shadowy, external “bad guy” that seems to grab our imaginations. But what about the employee or vendor that is trusted with access to confidential or sensitive data and uses this privilege to either intentionally or accidentally disrupt the business? Whether this means making unauthorized changes to a database or simply deleting data and wreaking internal havoc by affecting the integrity of critical data, insider threats come in a wide variety of guises.
It is particularly interesting to note that the Insider Threat Report breaks these out into five different categories:
- The Careless Worker
- The Inside Agent
- The Disgruntled Employee
- The Malicious Insider
- The Feckless Third Party
I would argue that there is often overlap between some of these categories, and fundamentally the most important distinction is between malice and negligence. Why? Well, that difference will have a major impact on how an organization responds to an insider threat. A careless worker may just need a reminder of the rules. A feckless third party who made a mistake may need to be reprimanded, or perhaps fired. But an inside agent, stealing information on behalf of outsiders, will require a full investigation and unassailable proof of the wrongdoing.
Having an insider threat detection and response platform in your arsenal that can quickly produce the context required to differentiate between accident and malice (and provide airtight proof) is key to taking the right actions before, during, and after an insider threat incident.
5. Why Regular Joe Might Be the Biggest Threat
It’s no longer system administrators or other IT employees who pose the biggest risk of an insider threat incident. In today’s business ecosystem, every end user has access to at least some sensitive data and can inadvertently or maliciously cause data loss or other forms of business disruption. As the report puts it, “Regular users have access to sensitive and monetizable data and are behind most internal data breaches.” (Emphasis ours.)
This reality underscores the importance of implementing a user activity monitoring platform that does not discriminate by level of privilege, but rather looks for patterns and builds context quickly using easily searchable metadata that works to paint the full picture of an incident.
What to Do, What to Do
Many will read the Verizon report and think, “Data Loss Prevention (DLP) is the answer.” However, many of the statistics and observations in the report highlight the reasons why user and data activity monitoring is far more effective.
DLPs tend not to provide the level of visibility required to identify and understand insider threat incidents. In general, DLP platforms, if (and it’s a big if) properly calibrated, can classify data and prevent access and exfiltration based on the data classification parameters. However, they can’t provide the visibility and context around user and data activity necessary to understand an incident. Who was behind it, really? Was it malicious or accidental? Did data leave the organization? How? Where did it go? DLP also comes with a substantial technical cost and can impact availability and uptime, which can have a negative impact on operations.
The Verizon report covers several aspects of security hygiene and best practices—from onboarding and offboarding tactics to training to tooling. We agree that a fully comprehensive insider threat program is necessary, one that hones in on user and data activity to provide full context before, during, and after an incident. Only with this level of holistic visibility will an organization be able to properly defend itself against the all-too-common insider threat.
Check out the full Verizon Insider Threat report here.
Other thoughts? Observations? Tweet us @Proofpoint!
Subscribe to the Proofpoint Blog