Thales Blog

The Spending Gap – APTs And Insider Threats For Government

April 15, 2014

Our latest Vormetric Insider Threat Report has just been released. This edition focuses on Europe, and an earlier version in September of last year detailed responses from the US. Today I’m taking a deeper look at the combined government data from both the US and European government respondents, at a level of detail you won’t see elsewhere.

One point before I get to the results – Insider Threats aren’t just traditional insiders, the people with access to sensitive data in the course of accounting, financial, engineering or other work. The definition also needs to include privileged users, the people who have access to systems and infrastructure in order to manage and maintain them. And last, it also has to include the compromise of these accounts by APTs and other advanced attacks. Privileged users especially are prime targets, as their access typically gives them the ability to see all kinds of data.

The biggest finding for the entire combined set of Government responses? A real gap in funding that’s going to lead to hard choices for organizations:

  • 52% are planning to increase funding to offset the threat
  • But only 6% feel secure.

Let’s think about that for a moment. There’s a huge gap here – 42% of organizations don’t plan to increase spending to offset the threat, but are nevertheless very much at risk in their own eyes. This is going to mean that agencies and other organizations will have to look closely at where their security dollar is being spent, and how effective that spend is. Most government organizations have invested heavily over time in firewalls, network monitoring, IPS/IDS, endpoint security and even data loss prevention – but the fact is that these technologies have proven ineffective against APT-style attacks and even knowledgeable malicious insiders. These are definitely tools that have a place in a layered security strategy, but when it comes to protecting data they are the equivalent of a house in a bad neighborhood that puts out a security patrol sign and never signs up for the service.

Organizations without the dollars to increase security spend, but with a real need to protect against APTs and other insider threats, are going to have to make hard decisions about where the money they do have needs to be invested, and that investment strategy will need to change. Moreover, the acquisition process will need to be agile enough to let emerging technologies be implemented without a lengthy approval process, so that advanced protection can actually be added to the security stack.

What’s proven to work for protecting data is encryption + access control + security intelligence. Encryption + access control locks down the data so that unauthorized users can’t see it. These are important elements of the NIST 800-53 control framework, which Vormetric supports from several aspects. This is the base-level control needed to protect against the vast majority of privileged-user-related threats to data. Security intelligence feeds SIEM and Big Data for Security implementations with access-pattern information about the data, which allows alerting on anomalies in both attempted and successful accesses. It can even check whether the security staff themselves are following standard access patterns, to detect compromises there as well. At Vormetric we do this well, but no matter which solutions are selected, this combination is sorely needed to reduce organizations’ threat profiles and cut the cadence of lost intellectual property, government secrets and citizen private information.
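As an added illustration of the "security intelligence" idea above (example code written for this post, not Vormetric's product), the script below builds a per-user access baseline from constructed file-access audit records and then flags three anomaly types in a later batch: a privileged user reading data outside their baseline, a user touching a directory they have never used, and repeated denied attempts. The record layout and the role names are assumptions for the example.

```python
from collections import defaultdict

# Constructed audit records: (user, role, action, path, result). These are
# sample values for the example, not data from the report.
BASELINE = [
    ("alice", "employee", "read", "/data/finance/q1.xlsx", "allow"),
    ("alice", "employee", "write", "/data/finance/q1.xlsx", "allow"),
    ("bob", "privileged", "backup", "/data/finance/q1.xlsx", "allow"),
    ("bob", "privileged", "read", "/etc/fstab", "allow"),
]
OBSERVED = [
    ("alice", "employee", "read", "/data/finance/q2.xlsx", "allow"),
    ("bob", "privileged", "backup", "/data/finance/q2.xlsx", "allow"),
    ("bob", "privileged", "read", "/data/finance/payroll.csv", "allow"),
    ("carol", "contractor", "read", "/data/hr/salaries.csv", "deny"),
    ("carol", "contractor", "read", "/data/hr/reviews.docx", "deny"),
    ("carol", "contractor", "read", "/data/hr/payroll.csv", "deny"),
    ("alice", "employee", "read", "/data/hr/salaries.csv", "allow"),
]

def build_profile(records):
    """Map each user to the (action, directory) pairs seen succeeding in the baseline."""
    profile = defaultdict(set)
    for user, _role, action, path, result in records:
        if result == "allow":
            profile[user].add((action, path.rsplit("/", 1)[0]))
    return profile

def detect_anomalies(records, profile, denied_threshold=3):
    """Return (alert_type, user, path) tuples, in the order the records arrive."""
    alerts, denied = [], defaultdict(int)
    for user, role, action, path, result in records:
        key = (action, path.rsplit("/", 1)[0])
        if result == "deny":
            denied[user] += 1
            if denied[user] == denied_threshold:  # alert once, at the threshold
                alerts.append(("repeated_denials", user, path))
            continue
        if key in profile.get(user, set()):
            continue  # matches an established pattern for this user
        # A privileged account reading content it has never needed is the
        # pattern worth triaging first: compromised credentials or misuse.
        if role == "privileged" and action == "read":
            alerts.append(("privileged_read_outside_baseline", user, path))
        else:
            alerts.append(("new_access_pattern", user, path))
    return alerts

def run_example():
    return detect_anomalies(OBSERVED, build_profile(BASELINE))
```

In a real deployment the baseline would be learned over a sliding window and the alerts shipped to the SIEM; the routing logic is the same.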

Other key findings for Government included:

  • For people-related risks, Government employees were the top concern at 50%, followed by third-party contractors at 44% and privileged technical users at 40%
  • Cloud usage is another top concern (especially in European Government organizations), with 60% concerned about the potential for unauthorized access to data, and 57% concerned about lack of visibility into cloud security
  • And very few felt safe from abuse of compromised credentials as a result of a cyber attack (4%) or from abuse of privileged user access rights (7%)

The good news is that people and organizations are aware of the threats posed, and many are making plans to act. Let’s hope that action comes sooner rather than later.

-- Wayne Lewandowski, @Wayne42675