Risk

4/1/2015
10:30 AM
Jason Straight
Commentary
Spring Cleaning In The SOC: Focus On the Inside Threat

Along with warmer weather and melting snow, spring brings the perfect opportunity for user engagement. Here's how to transform insiders into your most sophisticated security device.

New York City has had more than its share of winter this year (not to slight this winter’s weather endurance contest winner – Boston). Despite school closings and transportation delays, the snowy winter does have its bright spots. There is nothing quite like seeing the city freshly blanketed with clean, unspoiled snow. My daughter loves the snow because “it covers up all the garbage.” She’s right, but nothing remains pristine for long in New York City. Soon residents churn the white snow into a gray, slushy mess, and the garbage beneath pokes through.

Speaking of gray, slushy messes full of garbage, how’s your network doing? Has your clean, shiny, unsullied infrastructure become a dark, shadowy world of orphaned files, nasty binaries, and data-siphoning ghouls? Just as New Yorkers quickly spoil their winter wonderland, users drag every network into blight and decay when they connect to it – and through it to the outside world. Ultimately, it comes down to the users. As they go, so goes network security.

Company after company has seen its network compromised by a seemingly endless barrage of attacks from, well, anywhere. Media reports on state-sponsored attackers and foreign criminal masterminds have drawn corporate attention outward. The security industry has responded with a dizzying array of tools and technology designed to keep the bad guys out. “Next-generation” firewalls, antivirus protection “on steroids,” and “advanced threat detection” capabilities have proliferated, helping create a $70 billion information security market.

Bruce Schneier, information security expert and occasional industry provocateur, has bluntly stated, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Yes! To be fair, today’s unprecedented array of tools empowers network defenders, but without strategic focus, sound processes, and informed people, the gap between the defenders and the attackers will remain.

And make no mistake – the attackers are winning and expanding their lead despite huge investments by defenders. While current and former employees cause 66% of security incidents, maybe as victims of phishing attacks or through slightly careless internet usage, an estimated 90% of security spend focuses on perimeter protection.

We’re looking out when we should be looking in.
Almost all attacks involve compromised credentials, and 84% of attacks for financial gain are “non-technical.” The attacks slip past millions of dollars of technical and physical protection mechanisms. If attackers want access to a computer system, they just ask for it with a cleverly crafted spear phishing email.

Really.

The good news is that the “human layer” has received little attention and security investment recently, leaving lots of room for improvement and an orchard full of the proverbial low-hanging fruit.

Certainly malicious insiders are dangerous. A trusted insider with authorized access is well positioned to steal, destroy, or expose sensitive data. Many companies have been burned by disgruntled IT staff or pilfered by departing sales staff. Malicious insiders are hard to detect. “Signs” that someone is going rogue could be “signs” of an overachiever: working long hours, accessing the network remotely, or taking an interest in other areas of the company. SIEM technology and content-aware DLP systems that apply analytics to access and data-movement patterns can help here, but only when those ambiguous signals are correlated (the off-hours remote login that is followed by bulk data movement, not the off-hours login by itself). For companies ready to shift some resources from the castle walls to the interior, the return can be substantial.

But it ain’t easy.

The malicious insider is generally not the greatest threat at the human layer. Often, the loyal, well-intended but careless or uninformed insider somehow, unwittingly, aids the enemy. Maybe it’s the “road warrior” who stores business data on personal devices and cloud platforms, connects using “free WiFi” pretty much anywhere, and circumvents security controls to “maximize efficiency.” We have all seen it – and many of us have (gulp) done it.

[Learn more from Jason about insider threats and building a culture of security at his Interop session in Las Vegas on Friday, May 1.]

Or how about the imperious executive who wants 360-degree access to everything 24/7, gets the latest gizmos recommended by “tech whisperers,” blows off two-factor authentication, browbeats the help desk for policy exceptions, and auto-forwards corporate email to a personal webmail account.

Let’s not forget your vendors. Many companies rely on contract language, vendor reps and warranties, and insurance coverage for protection from attacks by vendors or third parties. Unfortunately, none of that prevents the reputational damage, data loss, or other financial harm stemming from a significant breach; at best it shifts some of the cost after the fact. Moreover, when vendors connect to your network, it’s on you to restrict access and monitor activity appropriately.

And the list goes on.

Now hold on. Take a deep breath. Before you lock down your network and install 24/7 video surveillance cameras, think practically. First off, most users will help you if you educate and empower them appropriately – they want to protect your business as much as you do. Second, some incredibly powerful tools are available to support your insider risk management program.

Any protection measure that impedes value creation should be carefully considered against its likely return. The last thing a company should create is a “police state” that monitors every digital step or unduly punishes well-intended employees for a simple mistake. Start with the basics, like acceptable use policies, email and web filtering, encryption and password policies, two-factor authentication, and remote access policies. A realistic, executive-sponsored, business-centric security awareness program (as opposed to a mandatory, 15-minute canned video for new employees!) can tremendously reduce insider risks. And the same SIEM, DLP, and behavioral analytic technologies that detect malicious insiders can help identify risky behavior by trusted users.
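What the SIEM, DLP, and behavioral-analytics piece of that program looks like in miniature, as an added example (not code from the article, from UnitedLex, or from any particular product): a small Python triage routine that walks a handful of constructed audit events and raises findings for the behaviors described above, namely auto-forward rules pointed at personal webmail, remote access that skipped two-factor authentication, bulk data movement by a vendor account, and off-hours access that is treated as suspicious only when it is followed by bulk egress. The event format, the corporate domain list, the vendor account list, the hours, the threshold and every account name are assumptions made for the example.

```python
"""Insider-risk triage over constructed audit events.

Added example, not code from the article or from UnitedLex. It applies the
article's own signals (external auto-forward rules, remote access without a
second factor, vendor activity, and off-hours access that is only suspicious
when paired with bulk data movement) to a few made-up events. The event
shape, domain lists, thresholds, and account names are all assumptions.
"""
from datetime import datetime

CORP_DOMAINS = {"example.com"}        # assumption: the company's own mail domains
VENDOR_ACCOUNTS = {"vendor5"}         # assumption: third-party accounts on the network
BUSINESS_HOURS = range(7, 20)         # assumption: 07:00-19:59 is a normal login hour
EGRESS_THRESHOLD_MB = 500             # assumption: tune per role and data class

# Constructed sample events (not real logs). 'ts' is local time, ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2015-04-01T09:12:00", "user": "exec1", "type": "mail_rule",
     "action": "forward", "to": "exec1@webmail.example.net"},
    {"ts": "2015-04-01T09:15:00", "user": "analyst2", "type": "mail_rule",
     "action": "forward", "to": "team-alias@example.com"},
    {"ts": "2015-04-01T03:02:00", "user": "dev3", "type": "remote_login",
     "mfa": False, "src": "203.0.113.10"},
    {"ts": "2015-04-01T03:10:00", "user": "dev3", "type": "egress",
     "mb": 1200, "dest": "files.example.org"},
    {"ts": "2015-04-01T02:45:00", "user": "ops4", "type": "remote_login",
     "mfa": True, "src": "198.51.100.7"},          # the night-owl overachiever
    {"ts": "2015-04-01T11:00:00", "user": "vendor5", "type": "remote_login",
     "mfa": True, "src": "192.0.2.20"},
    {"ts": "2015-04-01T11:30:00", "user": "vendor5", "type": "egress",
     "mb": 900, "dest": "sync.example.org"},
]


def mail_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_forward_findings(events):
    """Auto-forward rules whose target lies outside the corporate domains."""
    return [(e["user"], "external_auto_forward", e["to"])
            for e in events
            if e["type"] == "mail_rule" and e.get("action") == "forward"
            and mail_domain(e["to"]) not in CORP_DOMAINS]


def weak_remote_access_findings(events):
    """Remote logins that got through without a second factor."""
    return [(e["user"], "remote_login_without_mfa", e["src"])
            for e in events
            if e["type"] == "remote_login" and not e.get("mfa", False)]


def egress_findings(events):
    """Bulk data movement, flagged only in combination with another signal.

    An off-hours login on its own is not a finding (that is the overachiever
    problem); an off-hours login followed by bulk egress on the same day is.
    Vendor accounts are held to the threshold at any hour.
    """
    off_hours = set()
    for e in events:
        if e["type"] == "remote_login":
            when = datetime.fromisoformat(e["ts"])
            if when.hour not in BUSINESS_HOURS:
                off_hours.add((e["user"], when.date()))
    out = []
    for e in events:
        if e["type"] != "egress" or e["mb"] < EGRESS_THRESHOLD_MB:
            continue
        detail = f"{e['mb']}MB to {e['dest']}"
        day = datetime.fromisoformat(e["ts"]).date()
        if e["user"] in VENDOR_ACCOUNTS:
            out.append((e["user"], "vendor_bulk_egress", detail))
        elif (e["user"], day) in off_hours:
            out.append((e["user"], "off_hours_bulk_egress", detail))
    return out


def triage(events):
    """All findings as (user, rule, detail) tuples, sorted for stable review."""
    return sorted(external_forward_findings(events)
                  + weak_remote_access_findings(events)
                  + egress_findings(events))


def flagged_users(events):
    """The set of accounts that produced at least one finding."""
    return {user for user, _, _ in triage(events)}


if __name__ == "__main__":
    for user, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{user:10} {rule:26} {detail}")
```

Run against the sample, this flags exec1 (forward to personal webmail), dev3 (no second factor, then bulk egress after a 3 a.m. login) and vendor5 (bulk egress by a third-party account), and stays quiet about ops4, whose only "sign" is working at 2:45 a.m. The point of the correlation step is exactly the one the article makes: a lone late-night login is as likely to be an overachiever as a thief, so the alert should fire on the combination, and the threshold and hours need tuning per role before anyone is woken up over them.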

There is no “easy button.” IT resources alone cannot accomplish the hard work of creating reasonable, effective policies and implementing behavioral analytic tools. However, with committed key business stakeholders, an organization can dramatically improve security.

Along with warmer weather and melting snow (you may have to wait another month or so, Boston), spring brings the perfect opportunity for user engagement. Along with a sensible dose of technology, you can plant seeds of cultural change to protect your company in today’s cyber risk environment. You have a choice: your users can remain your biggest vulnerability, or you can transform them into your most sophisticated security devices.


Jason Straight<http://www.unitedlex.com/about-us/jason-straight.php> is the Senior Vice President and Chief Privacy Officer at UnitedLex<http://www.unitedlex.com/>. He has more than a decade of experience assisting clients in managing information security risks, ...
Comments
François Amigorena,
User Rank: Author
4/2/2015 | 6:26:28 AM
2015 could be the year for tackling insider threat

Great article Jason. Agree there is a lot that organizations can do now to help mitigate the risk from the insider threat. The good news from our latest report is that over a third of US professionals are planning to launch an insider threat program this year. They are also planning a combination of tactics with the majority including technology (66%) and organization-wide security training and awareness (57%) in their plans. 2015 could well be the year for tackling the insider threat!
