It may not be obvious, but there’s a common thread through the endless procession of data breach disclosures, and it’s the Insider Threat.
Insider threats are no longer limited to traditional insiders with access to special information within a company (a classic is the accountant who walks off with all the cash); the category now includes privileged users of all types, and the compromise of accounts to gain access to sensitive data.
Take a look at a couple of recent cases – in Korea, where 40% of the credit cards in the country were compromised at the central credit bureau, it was an insider who surreptitiously made off with the data. What about Target? Well, the attackers entered by compromising accounts at a supplier that had access to the network, and leveraged that to steal the privileged account information that allowed them to compromise both the point of sale terminals and the back end repositories that held emails and other detailed customer information. And then there is Edward Snowden – who used his connections and privileged user status to compromise additional credentials and walk away with a hoard of information whose depths we are still discovering.
And the dimensions expand with new technologies – cloud/SaaS, mobile and big data all contribute. With cloud/SaaS there are new problems with who has access to data, what the security infrastructure of the cloud provider is, who has physical access to the hardware, new privileged user roles for cloud admins, storage admins and others, as well as the potential that a compromised account belonging to another customer sharing the same hardware or databases could open additional threat vectors. Mobile is its own problem: controlling secure access from these devices to the back end data that thieves are after, in a way that doesn’t kill the productivity gains organizations hope to get from them. And Big Data … a real two-edged sword. There are few security controls built into big data environments, and the large amount of data that resides within them makes it a near certainty that private and sensitive information will be present. This creates additional risks. At the same time, when used for security purposes, big data can be part of the solution. In this mode the big data environment is used to correlate information from infrastructure monitoring, data access, networks, identity management and a large set of other sources to identify patterns that can represent a threat. Keep in mind that this isn’t “easy” – you need people with the right skills for data analysis and handling as well as experts in security, as these are not “off-the-shelf” solutions.
So what are the solutions that can help with these problems? First, make protecting sensitive data the focus.
Perimeter defenses are necessary, but can no longer keep attacks out. Nor will traditional interior network defenses ensure that a malicious insider cannot make off with your data. Add core defenses directly around data repositories and locations in your network, with the aim of ensuring that only authorized users have access to your data and that you understand their usage patterns. To accomplish access control that only allows those with a “need to know” to reach the information, encryption of this data combined with access control is a necessary minimum. Implementations should not require changes to current operations, but should exclude privileged system users (network administrators, cloud administrators, storage administrators, etc.) from seeing the information while still allowing them to perform system backups and other administrative tasks. If properly implemented, these users should never see un-encrypted information (cleartext).
At this point, you’ve limited data access to those with a “need to know”, and excluded all others. Now you need to watch what those who are authorized to access the information do … to ensure that they are not compromised, and to avoid a “Snowden” scenario. This requires collecting logs of data access to establish typical usage patterns and to identify when unauthorized users attempt access. Doing this consistently requires combining data access information from many sources, and requires a Security Information and Event Management (SIEM) system or a Big Data for Security implementation. It’s a fair amount of work, but the results are critical. This is what will enable you to catch an attack in progress – anomalous access patterns will be highlighted, possibly compromised accounts identified, and your organization can decide what to do about the threat. Once identified, you even have the option of “poisoning” the data they are mining, and that could become really interesting.
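To make the two preceding recommendations concrete (a need-to-know policy that keeps system administrators away from cleartext, and baselining data-access logs to surface anomalous use), here is an added example that is not the author’s or Vormetric’s code; the user names, repository names and the key=value log format are assumptions, and the log lines are constructed.

```python
# Constructed policy (hypothetical names): who has a need to know for each repository.
NEED_TO_KNOW = {"customer_db": {"alice", "bob", "dave"}, "hr_files": {"carol"}}
# Privileged system users: may move ciphertext for backups, never read cleartext.
SYSTEM_ADMINS = {"storadm", "netadm"}

def decide(user, repo, op):
    """Policy check: 'cleartext', 'ciphertext' (backup only) or 'deny'."""
    if user in SYSTEM_ADMINS:
        return "ciphertext" if op == "backup" else "deny"
    return "cleartext" if user in NEED_TO_KNOW.get(repo, set()) else "deny"

def parse(line):
    """Turn a constructed 'timestamp key=value ...' log line into a dict."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    return {**ev, "ts": ts, "rows": int(ev["rows"])}

def build_baseline(lines):
    """Learn each user's mean rows per read event from historical log lines."""
    per_user = {}
    for ev in map(parse, lines):
        if ev["op"] == "read":
            per_user.setdefault(ev["user"], []).append(ev["rows"])
    return {u: sum(v) / len(v) for u, v in per_user.items()}

def find_anomalies(baseline, lines, factor=5):
    """Flag policy denials, readers with no history, and reads far above baseline."""
    alerts = []
    for ev in map(parse, lines):
        if decide(ev["user"], ev["repo"], ev["op"]) == "deny":
            alerts.append((ev["ts"], ev["user"], "policy-deny"))
        elif ev["op"] == "read":
            base = baseline.get(ev["user"])
            if base is None:
                alerts.append((ev["ts"], ev["user"], "no-baseline"))
            elif ev["rows"] > factor * base:
                alerts.append((ev["ts"], ev["user"], "volume-spike"))
    return alerts

# Constructed sample logs: a normal history, then one day to inspect.
HISTORY = [
    "2014-02-03T09:12 user=alice repo=customer_db op=read rows=120",
    "2014-02-04T11:40 user=bob repo=customer_db op=read rows=200",
]
TODAY = [
    "2014-02-10T09:30 user=alice repo=customer_db op=read rows=90",
    "2014-02-10T23:55 user=bob repo=customer_db op=read rows=50000",
    "2014-02-10T03:10 user=storadm repo=customer_db op=read rows=10",
    "2014-02-10T14:00 user=dave repo=customer_db op=read rows=5",
]
```

Running `find_anomalies(build_baseline(HISTORY), TODAY)` leaves alice’s normal read alone and flags bob’s bulk read, the storage admin’s cleartext read attempt, and dave, an authorized reader with no usage history yet.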
Lastly, over time organizations have built up a complex web of solutions to address security problems, including those around data. Multiple solutions result in multiple infrastructure sets, multiple contracts to manage, multiple resource drains, multiple implementation problems and more. Look for solutions that can address as many of your needs as possible with a common platform, to keep costs and resource requirements to a minimum.
Insider threats are not an easy problem today … Look to hear more in upcoming survey results from Vormetric later this week.