There’s never been a shortage of risk that organizations face from insiders gone bad: those incidents where insiders steal information from their employers, clients, partners and government agencies.
Many times, malicious insiders seek monetary gain. They’ll steal information such as account information or login credentials that they can sell to criminals that operate on the Dark Web. Or, they may be carrying out an act of political activism or whistleblowing, such as exposing the deeds of an organization perceived to be doing wrong. And sometimes, insiders act out just because they feel disgruntled in the face of perceived mistreatment from their employer, or they want a jumpstart in their role with their next employer. Insiders also have been known to take product plans, source code, customer contacts and other trade secrets.
It’s clear that the threat from insiders is rising. It shouldn’t be; enterprises should be well aware of, and well defended against, such risks.
The Changing Insider Threat
Insider risk used to consist of things like a ream of paper walking out the door, as was the case with the Pentagon Papers. Today, however, as a result of the exponential amount of data digitization and portability over the past few decades, the risk of data theft has grown considerably.
We’re all familiar with the latest stories. Recently, three insiders at McAfee were sued for allegedly stealing company secrets before going to a competitor. We see these types of incidents way too often. But we shouldn’t.
There are plenty of insider-threat best practices that enterprises know they should be following. Organizations do know that they should be protecting their essential assets. They know that they need an insider-threat program. And they know they should provide security awareness training and enforce their security policies. They know they should be doing all of these things. They just don’t, at least not consistently. But here’s a secret: Even if they did, it’s not enough.
I’m not going to argue that you shouldn’t follow these best practices. You certainly should. But most of this advice is focused on securing the network, looking at hiring practices and monitoring applications. That’s all well and good, and it’s essential to security. In fact, it contributes to many facets of a strong security program. But there’s one chokepoint that needs much more focus, and it’s far too often overlooked.
That’s the data.
Organizations need to pay much closer attention to their data. They need to know with certainty where it resides, who can access it and where it moves. When it comes to insider threats, organizations need to get to the point where they know what attributes of the threat they need to be looking for. In many cases, organizations can be looking right at the information they need to see to spot nefarious insider behavior. However, despite it being right there, with so much data moving and so much noise relative to informative signal, what needs to be seen gets lost.
Focus on Value Density
Many organizations make the mistake of judging the value of data by its size. Yet the value of data often has nothing to do with file size. What do I mean? Imagine that someone steals 10 gigabytes of high-definition marketing video of the corporate campus. This video may or may not (probably not) be highly confidential. However, 10 kilobytes of code at a software company, or a small Word document with a coveted recipe at a baked-goods company, are both examples of small files holding very valuable data. It doesn’t matter whether the data is big or small, because the density of value in the data is disproportionately high relative to its size.
This concept throws off a lot of companies. If you work in an architectural firm, then it’s design diagrams and renderings you may want to protect. In an engineering firm, it’s CAD files. Law firms want to protect legal filings and depositions. Of course, human resource data, financial data, customer and prospect lists are always proprietary. But this type of data tends to be stored in structured places and is easier to protect than unstructured data. Lawyers and architects need to share and discuss their work product; thus, it’s often unstructured data in files residing outside databases and applications and stored on file shares and cloud storage.
Of course, both structured and unstructured data need to be protected, but how one safeguards each, and the complexity of doing so, differ. When intellectual property lives in small bits and bytes, it gets tough to spot data of high value.
Succeeding requires very close monitoring of data with a focus on what data is moving, when and where. And the monitoring needs to span the whole organization and all data types. One really can’t tell from the size of a file whether it is valuable or not.
As the McAfee case shows, insiders who allegedly went bad used everyday work tools, such as USB drives, email and cloud storage services, to steal information. These employees could very well have been acting within established expectations for handling this data. That’s why it’s impossible to write policies that will find and block everything every trusted employee may do. This is why you need to be able to closely monitor activity across all data, so that events like this don’t happen.
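To make the value-density point concrete, here is an added example (not code from the article or from Code42) that triages file-movement events by the sensitivity of what moved and the channel it moved over, rather than by byte count. The log lines, the classification labels, the channel weights and the alert thresholds are all constructed assumptions for illustration; a real deployment would take labels from its own classification step and tune the weights to its environment.

```python
"""Triage file-movement events by value density instead of file size.

Added illustration only; the labels, weights and thresholds are assumptions.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List

# Constructed sample of file-movement telemetry (not real data). Fields:
# timestamp, user, path, bytes moved, egress channel, classification label.
SAMPLE_LOG = """\
ts,user,path,bytes,channel,label
2019-03-01T09:12:04Z,alice,/marketing/campus_tour_4k.mp4,10737418240,cloud,public
2019-03-01T09:40:33Z,bob,/src/pricing_engine/core.py,10240,usb,trade_secret
2019-03-01T10:05:17Z,carol,/rd/recipes/signature_blend.docx,28672,email,trade_secret
2019-03-01T10:30:00Z,dave,/hr/handbook_2019.pdf,2097152,file_share,internal
2019-03-01T11:15:42Z,bob,/src/pricing_engine/tests/test_core.py,4096,file_share,confidential
"""

# Assumed sensitivity scale for classification labels (hypothetical values).
SENSITIVITY: Dict[str, int] = {
    "public": 0,
    "internal": 1,
    "confidential": 3,
    "trade_secret": 5,
}

# Assumed extra weight per egress channel: the everyday tools the article
# names (USB, email, cloud) carry more risk than an internal file share.
CHANNEL_WEIGHT: Dict[str, int] = {
    "usb": 2,
    "email": 1,
    "cloud": 1,
    "file_share": 0,
}


@dataclass
class MoveEvent:
    ts: str
    user: str
    path: str
    size_bytes: int
    channel: str
    label: str


def parse_events(log_text: str) -> List[MoveEvent]:
    """Parse the CSV telemetry into MoveEvent records."""
    reader = csv.DictReader(StringIO(log_text))
    return [
        MoveEvent(
            ts=row["ts"],
            user=row["user"],
            path=row["path"],
            size_bytes=int(row["bytes"]),
            channel=row["channel"],
            label=row["label"],
        )
        for row in reader
    ]


def value_score(event: MoveEvent) -> int:
    """Risk score from what moved and where it went; file size is ignored.

    Unknown labels or channels default to the most cautious weight so a gap
    in classification does not silently score as harmless.
    """
    sensitivity = SENSITIVITY.get(event.label, max(SENSITIVITY.values()))
    channel = CHANNEL_WEIGHT.get(event.channel, max(CHANNEL_WEIGHT.values()))
    return sensitivity * (1 + channel)


def size_based_alerts(events: List[MoveEvent], min_bytes: int = 1 << 30) -> List[str]:
    """The naive rule: alert when a large volume of data moves (>= 1 GiB)."""
    return [e.path for e in events if e.size_bytes >= min_bytes]


def value_based_alerts(events: List[MoveEvent], min_score: int = 4) -> List[str]:
    """Alert on value density: small files can score far above big ones."""
    return [e.path for e in events if value_score(e) >= min_score]


def score_by_user(events: List[MoveEvent]) -> Dict[str, int]:
    """Aggregate value scores per user to spot a pattern across many moves."""
    totals: Dict[str, int] = {}
    for e in events:
        totals[e.user] = totals.get(e.user, 0) + value_score(e)
    return totals


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("size-based alerts :", size_based_alerts(evs))
    print("value-based alerts:", value_based_alerts(evs))
    print("per-user scores   :", score_by_user(evs))
```

Run on the constructed sample, the size rule alerts only on the 10 GB marketing video, while the value-density rule alerts on the 10 KB source file leaving over USB and the recipe document leaving by email, and ignores the video entirely. The per-user aggregate is there because a single low-scoring move by the same person, repeated, is often the pattern worth a second look.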
This risk from insiders is only going to rise in the months and years ahead, and the speed at which data is created and disseminated isn’t going to slow down. It’s only going to accelerate, which means enterprises’ ability to monitor and protect data must keep pace. Enterprises have the tools, and the established best practices they know they should follow, to effectively manage the insider threat. The question remains: Will they?
Rob Juncker is senior vice president of research and development and operations at Code42.