What I Think Gartner’s Approach to Insider Threats is Missing


A recent report by Gartner analysts Anton Chuvakin and Eric Heidt called “Understanding Insider Threats” (May 2016) defines insider threats “as individuals who were deliberate in their theft, misuse or destruction of data or systems.”

Gartner limited its analysis to only deliberately malicious insiders. The paper is a good read. However, I’d like to take (friendly) issue with generally limiting the definition of an insider threat to deliberately malicious insiders.

About two years ago, we at Imperva decided to take on the challenge of insider threats and think through what our products could do to help solve the problem. From a product point of view, the ultimate result (so far) was our recently announced Imperva CounterBreach product line. But along the way we did a lot of research and customer trials. We then packaged that work into a research report (anonymized, of course) titled Insiders: The Threat is Already Within.

Our research findings revealed that any full accounting of the insider threat needed to include not only the malicious insider, but also what we call the careless and compromised insiders.

An example of a careless insider anomaly we saw involved a DBA who used a service account to access a sensitive database. This is a serious breach waiting to happen. First, service accounts carry high privileges that cannot be managed, meaning anyone using such an account can access anything they like. Second, the actual identity of the user behind operations performed through a service account cannot be established, so there is little traceability or accountability for those actions. That DBA could take whatever data they want and sell it to the highest bidder. So disregarding careless insiders means ignoring an imminent and potentially very damaging event.

An example of the compromised insider comes from a case Imperva discovered in which we observed multiple failed login attempts. It involved a user who usually accessed a specific database but tried to log in to a different database they had never connected to before, using three different DB accounts. The user finally succeeded in logging into the database using a service account that happened to exist on that machine. In fact, that user was a hacker using a compromised insider’s credentials and enumerating the network. This case illustrates the significant risk your hard-working employees pose once infected by malware that lets external hackers stroll around your corporate systems, trying to break into data sources, steal data and even infect other users. Without identifying compromised insiders, this compromise would likely have continued unnoticed indefinitely.
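The two anomalies above (a human identity operating a sensitive database through a shared service account, and failed logins across several accounts against a database the user has never used, ending in a success via a service account) can both be expressed as rules over database login audit events. The following is an added illustration written for this post, not Imperva or CounterBreach code; the event fields, the inventory of service accounts and sensitive databases, the "three accounts" threshold and the sample events are all constructed assumptions.

```python
"""Baseline-and-rule detection over constructed database login audit events.

Added illustration, not Imperva code. Event fields, thresholds and the
inventories of service accounts and sensitive databases are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int         # event order (constructed; a timestamp in a real feed)
    user: str       # human identity behind the session, e.g. the endpoint login
    db: str         # database targeted
    account: str    # database account presented at login
    success: bool


# Constructed inventory for the example; a real deployment would load these.
SERVICE_ACCOUNTS = {"svc_reporting", "svc_backup"}
SENSITIVE_DBS = {"payroll", "customers"}


def build_baseline(history):
    """Map each user to the set of databases they have successfully used before."""
    baseline = defaultdict(set)
    for e in history:
        if e.success:
            baseline[e.user].add(e.db)
    return dict(baseline)


def detect_careless(events):
    """Careless-insider pattern: a known human identity working on a sensitive
    database through a shared service account, so the actions cannot be tied
    back to that person."""
    return [
        ("careless_service_account", e.user, e.db, e.account)
        for e in sorted(events, key=lambda e: e.ts)
        if e.success and e.account in SERVICE_ACCOUNTS and e.db in SENSITIVE_DBS
    ]


def detect_compromised(events, baseline, min_accounts=3):
    """Compromised-insider pattern: failures against a database the user has
    never accessed, spread across several distinct accounts, followed by a
    success through a service account."""
    per_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_target[(e.user, e.db)].append(e)

    alerts = []
    for (user, db), evs in per_target.items():
        if db in baseline.get(user, set()):
            continue  # a database this user normally touches; not this pattern
        accounts_tried = {e.account for e in evs}
        failures_seen = False
        for e in evs:
            if not e.success:
                failures_seen = True
            elif (failures_seen and e.account in SERVICE_ACCOUNTS
                  and len(accounts_tried) >= min_accounts):
                alerts.append(("compromised_credential_enumeration",
                               user, db, sorted(accounts_tried)))
                break
    return alerts


# Constructed sample data: a stretch of normal activity, then one day's events.
HISTORY = [
    LoginEvent(t, "alice", "orders", "alice", True) for t in range(0, 700, 100)
] + [
    LoginEvent(t, "bob", "payroll", "bob", True) for t in range(50, 750, 100)
]

TODAY = [
    # DBA bob reaches the sensitive payroll DB via a shared service account
    LoginEvent(1000, "bob", "payroll", "svc_reporting", True),
    # alice's identity probes a DB she has never used, then gets in via a service account
    LoginEvent(1100, "alice", "inventory", "alice", False),
    LoginEvent(1101, "alice", "inventory", "admin", False),
    LoginEvent(1102, "alice", "inventory", "sa", False),
    LoginEvent(1103, "alice", "inventory", "svc_backup", True),
    # ordinary activity that must not alert
    LoginEvent(1200, "alice", "orders", "alice", True),
]


def run(history=HISTORY, today=TODAY):
    """Build the per-user baseline from history and evaluate both rules on today's events."""
    baseline = build_baseline(history)
    return detect_careless(today) + detect_compromised(today, baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules depend on knowing the human identity behind each session, which is exactly what a shared service account erases; that is why the careless rule keys on the service account itself rather than on any per-user privilege, and why the compromised rule compares against a baseline of databases the identity has actually used rather than against what the account is permitted to reach.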

A focus on the malicious insider, while ignoring the potential damage from the careless and the compromised insider, misses a significant part of the risk we’ve seen from insiders. My suggestion to the industry experts who focus on the narrower definition of insider threats is to widen their definition to include the careless and compromised insiders, who pose just as much of a threat, if not more.