WikiLeaks recently began a new series of leaks on the United States Central Intelligence Agency, codenamed Vault 7. It is the largest ever publication of confidential 
documents on the CIA—and, according to WikiLeaks, “eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.”
WikiLeaks tweeted the leak, and claims the information came from a network inside the CIA’s Center for Cyber Intelligence in Langley, Virginia. Thus surfacing yet another case of insider threat within the U.S. Government.
Questions abound in the aftermath of the leak of alleged CIA hacking and surveillance program information, the most critical of which may be: who gave the classified program information to WikiLeaks? And how was this data exfiltrated?
As Time Magazine points out, WikiLeaks didn't say “whether the files were removed by a rogue employee or whether the theft involved hacking a federal contractor working for the CIA or perhaps breaking into a staging server where such information might have been temporarily stored.” So, while the source has not yet been disclosed, it’s likely an insider was involved in this unprecedented breach. And, while nobody knows exactly how classified documents were exfiltrated in the case of Vault 7, a full investigation will very likely take place.
In the meanwhile, security teams may be wondering what they can do to protect their organization from the damage caused by insider threats–especially when government agencies that are supposed to be among the most secure in the world have been breached.
Below are tangible steps enterprises can take to reduce the risk associated with insiders – including how a user behavior monitoring and analytics solution like Proofpoint ITM can help provide irrefutable evidence to apprehend insiders who have gone rogue.
Know who accesses documents (and when) with user activity monitoring.
Internal privileged users and external vendors and consultants (who typically access internal systems from remote locations) hold the “keys to the kingdom.” These are the people with the greatest potential to cause data breaches, configuration faults or other system damage, whether intentionally or inadvertently. It is critical for the organization to be aware of exactly what these privileged users and third party organizations are doing inside the network, both during and after their activities.
Here’s how Proofpoint ITM helps prevent insider threat with user activity monitoring and analytics:
- Proofpoint ITM generates rich metadata encompassing all actions performed by users on Windows, Mac, Unix and Linux servers in all applications and systems, with no gaps.
- Proofpoint ITM features custom-defined activity alerts can inform administrators, in real time, whenever suspicious activity is occurring.
- Proofpoint ITM proprietary keyword-based activity search makes it easy to discover exactly who did what, for faster and easier after-the-fact forensics investigations.
- Proofpoint ITM can record all user actions and configuration changes made to server settings, network hardware and other devices. Native integration with IT ticketing systems allows administrators to click a link within any ticket record to immediately access video recordings and textual activity logs of all sessions related to a ticket.
- Proofpoint ITM activity logs can be integrated into log management, SIEM and NMS systems for user activity analytics in those systems.
Know who is sending large amount of data and when it is happening by monitoring data exfiltration points.
Common exfiltration points include sending large print jobs to the printer, sending documents to personal email, chat, USB drive, DropBox, and other similar cloud apps capable of handling large amounts of data.
Here’s how Proofpoint ITM monitors vulnerable data exfiltration points:
- When documents are copied to a USB device, Proofpoint ITM alerts security teams about the action and allows them to quickly investigate what was copied to the device with rich metadata and video-like playback.
- When documents are sent to the printer, Proofpoint ITM alerts security teams that a user printed an unusually large volume of data. Subsequently, teams can quickly investigate what was printed by watching a video replay of the incident.
- When data is uploaded to a cloud storage application like DropBox, WeTransfer, Pastebin, or Google Drive, it can be difficult to track with ordinary log files. Proofpoint ITM alerts administrators about the event and security teams can quickly review what was uploaded by watching a video replay of the event.
- To gain access to this kind of classified information in the first place, it might point to other personnel or nefarious outsiders being involved. This kind of collusion can be identified—even after the fact—with Proofpoint ITM’s records.
Integrate Security Tools for Better Visibility
When there are too many security tools in place, the security team may have challenges identifying which alerts to follow. Proofpoint makes wading through the noise easier by bringing other security tools to life.
Teams can work within the dashboards of other security tools like: Splunk, Arcsight, IBM QRadar, CA Access Control, Citrix XenApp® and Citrix XenDesktop®, Lieberman Software, Tibco LogLogic, RSA enVision and ServiceNow IT ticketing system, so they don’t have to switch between applications.
The Vault 7 leak is just the latest in a series of data breach
es over the past 3 years, concentrated on the US intelligence sector. The insider threats in these cases include employees of the CIA, FBI and the NSA, plus their contractors, such as Booz Allen Hamilton.
While questions about the source of data breaches swirl, and insider threat remains at the front and center of news headlines, cybersecurity teams in every type of organization are interested in two things; the detection and elimination of insider threat.
With Proofpoint ITM's user activity monitoring and analytics solution, security teams can quickly detect and investigate data breaches. Large print jobs from computers, USB data exfiltration, Cloud Drive uploads, sending data to personal email addresses, or sending files via Instant Messenger no longer have to be investigated by combing through event logs. With just the simple push of a playback button, the monitoring of these exfiltration points is so much easier and investigations can occur that much more quickly.
Are you ready to protect your organization’s data and reputation from Insider Threats? Start today with your free 15-day trial of Proofpoint ITM to see what you've been missing. Or, request a demo with one of our experts to learn more.
Subscribe to the Proofpoint Blog