A briefing on what we know now on Insider Threats!


Although external data breach threats are extremely mysterious and alluring to organizations, the number one threat to businesses still comes from insiders. A recent episode of Mr. Robot reflected the same notion: people inside your organization’s firewall often pose the biggest threats to your business. The reason is that they have access to sensitive data, and poor communication between departments and a lack of awareness often lead to a pitfall.

Recent reports from Haystax Technology and the annual Data Breach Incident Report (DBIR) from Verizon throw some light on insider attacks. Though the two studies tried to highlight the issue through two different lenses, they eventually arrived at a consensus that insider threats are now the biggest concern to businesses.

The Haystax report was completely based on the responses from more than 500 members of the Information Security Community on LinkedIn and Crowd Research Partners.

On the other hand, the Verizon report was based on 10,489 real-life incidents, with 172 established data breaches. Haystax reports that 74% of respondents who participated in the survey feel that businesses are vulnerable to insider attacks. Among them, 54% say that insider attacks have increased since last year.

The Verizon survey differs a bit from what is said above. It says that insider abuse has ebbed slightly, as the latest numbers suggest that data breaches committed by insiders came down in 2016 from 2015.

Thus, when we weigh perception (Haystax) against reality (the Verizon report), it is evident that the problem is believed to be getting worse, without any evidence to back it up.

The other area of disagreement between the two studies is the ‘most vulnerable’ part of the enterprise. Haystax claims that 57% of endpoints are vulnerable with mobile at 36% and cloud at 20%. The survey discovered that customer data is most vulnerable to insider threats standing at 63%, with corporate financial at 55% and intellectual property at 54%.

The Verizon investigation carried out in 2016 says that it has almost zero evidence that mobile and cloud can be seen as attack vectors in organizations. The survey also confirmed that insider threats took longer to be discovered between 2014 and 2015. This was because bank employees, who provided critical data in the past, are now taking longer to discover the facts about data breaches.

The difference between industry verticals is also a cause for concern. On this, Haystax offers a different viewpoint: its findings say that detection and recovery time has improved steadily. But this may be more a perception among employees than documented evidence.

However, the two reports reach a consensus on the means, methods, and motivation of insider threats.

Means, i.e. who is committing these insider attacks: The Haystax report says that 67% of respondents agreed that insiders have credentials to access the network. Among these, 60% agree that managers pose the biggest threat. Contractors, traditionally considered a source of attacks, stand at 57%, and regular employees at 51%.

The DBIR report prepared by Verizon in 2016 reports the same. It says that admins represent 14%, while one-third were end users who needed access to data as a part of their daily job activity.

The method employed for data breaches: The Haystax survey reports that the means of exfiltration increased by 53% due to the usage of webmail and Dropbox, both of which are customized by corporate IT policies. Here the policy doesn’t include behavior monitoring, such as asking why a transaction took one minute in Oklahoma City whereas the same transaction took 2 minutes in Dubai. 49% of the respondents said that they rely on server logs, which are not real time and not very granular.

The other reason cited by Haystax for insider attacks is a lack of collaboration between departments, as over 48% of respondents voted for this reason.

Verizon has a different perspective on the methodology employed in insider attacks. It cites hardware such as USB sticks and skimmers as the most common insider threats to organizations.

Motivation: Both Haystax and Verizon reach a single conclusion on this point, namely that most insider threats are financially motivated. In the Haystax survey, 55 percent of respondents cited monetization of sensitive data as vital. Only 42 percent cited sabotage, with 38 percent citing espionage. The Verizon report also put financial motivation in first position in its threat rankings, from 34% of investigated incidents. Espionage stood in second position with 25% of votes, and grudge claimed the third spot with 25% of votes.

Now, with all the info available, here comes the big point. How to deal with the problem of insider threats? Haystax recommends behavior monitoring for dealing with the situation.

It recommends single-screen data sharing environments so that IT managers can have a clear view of what’s going on. Haystax also recommends an aggregated screen to display what risks are occurring organization-wide. Verizon concurs with Haystax and specifically suggests that one should focus on a person's level of access, irrespective of the job title they hold.

Overall, after going through the two surveys, we can conclude that the reports compiled by Verizon and Haystax can both help the industry understand the facts about insider threats. And until innovative technology and solutions are available, the problem is likely to persist.

Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
