A recent news story brought to mind that what we traditionally think of as insider risks is not the whole story. Coverage in the Wall Street Journal of indictments in the works for two employees who stole source code for a trading system, together with recent coverage of Advanced Persistent Threats (APTs), prompted this thought.
Traditionally, the materials people considered at risk from insider threats were those that were financially related, those that had to be protected for compliance purposes (legally and by industry regulatory bodies), or the “rocket science” – the kind of IP that defense contractors and government agencies hold in key parts of their organizations.
There are two areas where we all need to think about expanding this list of data at risk.
· The first is around APTs. Since APTs universally compromise insider credentials to steal data, in most ways their operations on systems and networks look just like those of a malicious insider.
· The second is the types of information we consider critical IP. That list also needs to be expanded based on the type of organization you are and what you find valuable enough to protect. Manufacturers, for instance, have not traditionally protected plans, formulas and production processes – but these are often key targets these days. In the case of the Wall Street Journal article, it was source code at a trading company. Yet organizations don’t typically put the same kinds of protections around these kinds of assets.
How do you protect against this expanded list of insider threats? Traditional perimeter defenses won’t stop them. This year’s Mandiant report shows that organizations that were breached had up-to-date firewall, anti-virus and network defenses. And this year’s Verizon report gives a 95% chance of a click-through on 15 spear phishing attempts. Only your most security-sensitive employees are going to be immune to these kinds of attacks.
The solution is first to expand your list of what needs protection. Evaluate your organization’s operation and what is really critical to protect in order to preserve it. Then put protection around the data you’ve identified to exclude unauthorized use, and watch authorized users for changes in their patterns of access.
The protection from unauthorized access must allow system maintenance and administration to continue to work, or your whole operation is at risk of grinding to a halt on implementation. Access pattern information should be easily compatible with major Security Information and Event Management (SIEM) solutions like HP ArcSight, Splunk, LogLogic and other SIEM systems. This makes possible analysis that yields information in two areas. The first is unauthorized attempts that didn’t succeed, indicating that a malicious insider or a compromised account is attempting to acquire your data. The second is changes in access patterns by authorized users – unusual access patterns may indicate the same thing: that these authorized users have been compromised or are trying to steal information.
It’s worth mentioning that here at Vormetric we’re thinking about the security of our customers’ sensitive information every minute of every day. It’s the focus of our organization and our core area of expertise. Our solutions are designed to protect data from insiders no matter what their level of access, by denying access to data to unauthorized users and tracking the access patterns of authorized users. Our solutions are scalable and enterprise ready, deploy quickly, and protect without changes to your business or operations.
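The two analyses described above, as an added example that is not Vormetric's or any SIEM vendor's code: it runs over constructed file-access audit records (the `<timestamp> <user> <path> <ALLOW|DENY>` format, the user names and the paths are all invented for illustration) and flags, first, accounts with repeated denied attempts and, second, authorized users whose successful accesses drift from their own baseline in paths touched or hours of activity.

```python
# Added example, not Vormetric's code: the two SIEM-side checks the post describes, over
# constructed audit records of the form <ISO timestamp> <user> <path> <ALLOW|DENY>.
from collections import defaultdict
from datetime import datetime

# Constructed sample data: a quiet baseline period, then the window being analysed.
BASELINE_LOG = """\
2013-03-04T09:12:01 alice /srv/trading/src/engine.c ALLOW
2013-03-04T10:40:22 alice /srv/trading/src/risk.c ALLOW
2013-03-05T14:15:44 bob /srv/finance/q1.xlsx ALLOW"""
DETECT_LOG = """\
2013-03-11T09:05:00 alice /srv/trading/src/engine.c ALLOW
2013-03-11T02:14:07 bob /srv/trading/src/engine.c DENY
2013-03-11T02:14:09 bob /srv/trading/src/risk.c DENY
2013-03-11T02:14:12 bob /srv/trading/src/orders.c DENY
2013-03-11T23:30:00 alice /srv/trading/src/orders.c ALLOW
2013-03-11T23:31:10 alice /srv/trading/src/fix_gateway.c ALLOW"""

def parse(log):
    """Each line -> (timestamp, user, path, result)."""
    return [(datetime.fromisoformat(f[0]), f[1], f[2], f[3])
            for f in (line.split() for line in log.splitlines())]

def denied_attempts(records, threshold=3):
    """Check 1: accounts with >= threshold DENY events, i.e. repeated failed attempts
    on data the account has no rights to (malicious insider or compromised account)."""
    counts = defaultdict(int)
    for _, user, _, result in records:
        if result == "DENY":
            counts[user] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

def build_profile(records):
    """Per user: (set of paths, set of hours-of-day) seen in successful accesses."""
    prof = defaultdict(lambda: (set(), set()))
    for ts, user, path, result in records:
        if result == "ALLOW":
            prof[user][0].add(path)
            prof[user][1].add(ts.hour)
    return prof

def pattern_changes(baseline, records, new_path_threshold=2):
    """Check 2: authorized users whose current accesses deviate from their own
    baseline: several never-seen paths, or activity at a never-seen hour.
    A user absent from the baseline (new account) has every access counted as new."""
    current, out = build_profile(records), {}
    for user, (paths, hours) in current.items():
        base_paths, base_hours = baseline.get(user, (set(), set()))
        new_paths, new_hours = paths - base_paths, hours - base_hours
        if len(new_paths) >= new_path_threshold or new_hours:
            out[user] = {"new_paths": sorted(new_paths), "new_hours": sorted(new_hours)}
    return out
```

Note that bob never appears in the second check: his attempts were all denied, so he surfaces only through the first one, while alice's late-night reads of files she has never touched show up as a pattern change even though every access was permitted.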