Carrie McDaniel, lead on our newly announced Imperva CounterBreach product line, and I had the privilege of talking to our dynamic CTO/Co-founder Amichai Shulman on the topic of data breaches in the context of insider threats. Amichai has decades of experience dealing with data access and data security and should need no introduction! We have captured his thoughts and vision on the topic of threats from within to shed some light on the ballooning problem badly in need of an efficient solution.
Q: What are insider threats, and why are they difficult to uncover?
Data breaches occur at the intersection of users and data. Internal users and endpoints need to have legitimate access to data, which makes it very challenging for organizations to discern between normal and suspicious access. Insiders can do more damage than external attackers – they have the right access and vast opportunity. We group insider threats into compromised, careless and malicious users. Careless users who circumvent enterprise guidelines and policies to reduce workload are the ones that increase the attack surface disproportionately.
To sum it up: the problem starts with the fact that you HAVE to trust insiders. At the same time that you trust them, you need to monitor their access to sensitive and valuable data, so that you can find out when that trust is breached or abused by bad actors on the inside. Trust, but verify.
Q: How are insiders increasing the attack surface?
What organizations fail to realize is that the attack surface available to insiders is much larger than the technical perimeter of their network. This fact exposes your organization to more risk than ever before. If you, for example, look at the number of interaction points between the endpoints of an enterprise network and the Internet and compare that to the number of employees you see the magnitude of the problem. Now, if you see the employee interaction across personal and office email, file shares and cloud storage, the many social networks like FaceBook, Twitter, Whatsapp, Snapchat and Linkedin from many mobile devices and endpoints, the picture becomes clear.
It is a lot easier for threat actors to penetrate the attack surface through users and applications vs. the fortified network.
Q: What is the end game for hackers and malicious insiders?
The target is always the same whether you’re dealing with internal or external threats – hackers and bad actors inside the organization are after data. Enterprise data being the sought after prize is the one thing you can be absolutely sure.
Q: Why are current controls are not working?
We know that current controls are not working because we see that insiders are causing the largest data breaches to date. This creates far-reaching consequences. Employee Training has been proven ineffective. For example, JP Morgan Chase performed a test post-breach on phishing effectiveness. They found that 20% of their employees were tricked by the phony email.
Organizations do not have the safeguards in place to identify risks and threats that involve insiders. Also, current solutions fail because they are designed to detect malware and tools that hackers use. They are absolutely not focused on the target of the attack: “your data”. You cannot isolate just the compromised insider or the malicious insider or just the careless insider—you need a solution for the whole problem.
Q: Who should be worried? Is it only about Fortune 500 companies?
It is important for organizations to know that insider threats are not a state sponsored issue. This is not a problem reserved for Fortune 500 organizations that are being specifically targeted—it concerns everyone.
Lately, we have seen a lot of criminal activity, and it may have started with larger companies, but now it’s affecting even smaller ones. These are campaigns against individual enterprises. Everyone is a target.
Why? Because attackers are after data, and that can be found everywhere—no matter your size or industry. The threat may even be worse for smaller companies since they may not be able to recover given their limited assets.
Stay tuned for the part two of the fireside chat where Amichai discusses the right approach to solving insider threats. Take a look at the following blogs for more information on the serious consequences and innovative approaches to the issue.