Fireside chat with Amichai part 2: Solving the insider threat, looking beyond machine learning
In the previous blog, Amichai laid the foundation for today’s biggest threat to enterprise data – insider threats. In this discussion, he discusses the missing pieces that are needed to tackle threats from within.
Q: What is the right approach to detecting and containing insider threats?
Organizations need to have a handle on three things to detect data breaches:
- Who is accessing my data and what data was accessed?
- Is that access okay?
- How do I respond quickly?
Going deeper into the attribution factor, knowing who is accessing your data is a critical piece of the trifecta. It’s not only about collecting login information and access violations to your data, but going deeper into the details of file and table level access of databases to get a complete picture. One has to understand the timing, the agent behind the data access, and the tools involved.
The second thing here is very important: is the data access okay? Is it based on a legitimate business activity? This is a very grey area for CIO/CISOs because they often do not know what it is they are missing. Understanding normal data access and building a solid baseline is essential for a robust solution. Too much logging results in the signal getting lost in the noise. The ability to discern between abnormal, but admissible, behavior and truly malicious behavior requires knowledge of users and how they access enterprise data.
Reaction time on the detection of a breach is the final piece. Security teams today are inundated with thousands of logs from disparate security solutions, making it near impossible to find the truly worrisome incidents. The ideal solution needs to drown out the noise and help security teams focus on the truly abnormal and suspicious activity. The distinction between compromised, careless or malicious is also required to set the right priority to the incidents.
Q: Now that we are aware of better detection, how should one contain the insider threat?
The main line of defense must be around your data. These are the only assets you can control. It may not be a physical location—it could be in the cloud. There are endless possibilities for the ways a hacker or bad actor can get in, so you can’t try to control it all.
The right approach to managing the insider threat problem starts with protecting against inappropriate access to all of your data repositories–databases, file servers and cloud applications.
Q: What is Imperva CounterBreach? And how is Imperva uniquely positioned?
CounterBreach helps organizations detect compromised, careless and malicious users that are putting the organization’s data at risk—doing this requires an expert understanding of data and how it is accessed.
I want to re-emphasize my previous comment “This goes beyond just ‘knowing’ that a user logged into, or tried to log into, a database server. It gets to the details of knowing what actual data records a given user accesses or attempts to access.”
CounterBreach takes a layered approach by applying both a positive security model and a negative security model. We have applied machine learning—the positive security model—to create a powerful engine that builds a baseline of what typical user data access looks like, and then detects critical deviations from that baseline. Crucial deviations take into account not just the amount of data accessed; we also consider the sensitivity of the data involved and the method used to retrieve data.
For the negative security model, we have included deception mechanisms that quickly identify bad behavior and bad actors. Combining these two methods is the secret behind the success of CounterBreach.
Imperva is in a unique position to detect data breaches. We have the most experience with data access as compared to others in the market because we have been focused exclusively on data for over 12 years. SecureSphere data and web application protection solutions have been market leaders for over a decade.
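As an added illustration of the positive security model described above (example code written for this page, not CounterBreach’s or Imperva’s algorithm): a per-user baseline of typical data access is built from constructed sample records, and a new access is scored by volume deviation, table sensitivity and retrieval method. The user names, table names, method labels and sensitivity weights are assumptions.

```python
from collections import defaultdict

# Constructed sample records of "normal" database activity: (user, table, rows_returned, access_method)
BASELINE_LOG = [
    ("alice", "orders", 120, "crm_app"),
    ("alice", "orders", 95, "crm_app"),
    ("alice", "orders", 140, "crm_app"),
    ("bob", "customers_pii", 3, "support_app"),
    ("bob", "customers_pii", 5, "support_app"),
    ("bob", "customers_pii", 2, "support_app"),
]

# Hypothetical sensitivity weights; in practice these come from data classification.
SENSITIVITY = {"orders": 1.0, "customers_pii": 3.0}


def build_baseline(log):
    """Per (user, table): average rows returned per query and the set of access methods seen."""
    rows = defaultdict(list)
    methods = defaultdict(set)
    for user, table, n, method in log:
        rows[(user, table)].append(n)
        methods[(user, table)].add(method)
    return {k: {"avg_rows": sum(v) / len(v), "methods": methods[k]} for k, v in rows.items()}


def score_access(baseline, user, table, rows, method):
    """Score one access: volume relative to baseline, weighted by sensitivity and doubled for an unusual tool."""
    reasons = []
    sens = SENSITIVITY.get(table, 1.0)
    profile = baseline.get((user, table))
    if profile is None:
        # No history at all: treat every row as unexpected and the tool as unusual.
        reasons.append("first time this user touched this table")
        volume_ratio, method_factor = float(rows), 2.0
    else:
        volume_ratio, method_factor = rows / profile["avg_rows"], 1.0
        if volume_ratio >= 10:
            reasons.append(f"volume {volume_ratio:.0f}x above baseline")
        if method not in profile["methods"]:
            reasons.append(f"unusual access method {method!r}")
            method_factor = 2.0
    return round(volume_ratio * sens * method_factor, 1), reasons


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for evt in [("alice", "orders", 130, "crm_app"), ("bob", "customers_pii", 5000, "sqlplus")]:
        print(evt, score_access(base, *evt))
```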
Q: Final thought on insider threats?
With the vast majority of data breaches resulting from insiders that have legitimate access to your data, companies need to look for solutions that focus on protecting exactly what matters most: the sensitive and valuable data assets within the organization.
The next set of discussions will focus on the product and research teams who developed and validated CounterBreach. More information about CounterBreach is available here.