Data Security Has Become Job Security

The urgency to stop inside attacks has come to a head. Over the weekend, Sage, which provides accounting software to enterprises, announced that “there has been some unauthorized access using an internal login to the data of a small number of our U.K. customers.” But The Guardian reports, via a source, that this data breach at Sage, one of the UK’s largest tech companies, may have actually compromised “the personal details of the employees of about 280 British companies.”

Reports are already attributing the attack to an insider, even though the investigation has barely started. This raises an important question, one that Anton Chuvakin, Research VP at Gartner’s GTP Security and Risk Management group, discussed in a recent blog: What is an “Insider Threat” and what is the “Threat Inside”?

Anton writes: “THREATS INSIDE—drive spending on UBA / UEBA, traffic analysis (NTA), SIEM, deception, lots of other tools, etc. A BIG DEAL! INSIDER THREAT—drive almost no spending (as per our research, <10% of security budget). For a small number of organizations, this is a big deal too. For most others, this is a ‘meh!’ issue.”

Whether this comes from trusting employees too much or a fear of playing big brother, most companies spend little on insider threat detection. The 2016 Verizon Data Breach Report showed that outside attackers frequently succeed by penetrating perimeter defenses and then operating as a “threat inside” the network. East-West threat detection is becoming a big priority.

So maybe this becomes a “kill two birds with one stone” opportunity?

A targeted attack that has broken inside and an insider attack have a lot in common: the attacker must locate the data they want, access it, move it to a location from which it can be taken out, and find ways to hide the theft. Detecting either attack means looking in the right places for the right indicators of compromise (IOCs). Account compromises are often first detected in directories’ authentication data.

Both insider threats and account compromises leave indicators in the access logs of servers, file shares, and applications. They also leave data reconnaissance and data staging IOCs in the logs of repositories. Depending on your industry, these could be product lifecycle management (PLM) systems, Source Code Management (SCM) systems, Electronic Medical Record/Processing (EMR) systems, SharePoint, client record systems, and Point of Sale (POS) systems. Attacks that started outside your organization will attempt to move data to weakly defended servers or cloud environments, which insider attacks often use as their endpoint too. So consider capturing activity data from those systems as well.

When you are hunting across data sources, or using a UBA/UEBA product to automatically detect anomalies inside the network, make sure that the data sources you are collecting include the log files from the systems where your sensitive data is stored. Make sure that the threat-detection or analytics engine you are using can track and measure authentication and access log data from directories like AD, and can also look for data-level access, movement, and storage events captured in network traffic and in the log files of repositories, enterprise applications, and file-share servers.
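As an added illustration of the correlation described above (not code from the original post, Sage, or any UBA product), the following script joins directory authentication events, repository reads, and file-share copies by account and raises the reconnaissance, staging, and off-hours-authentication indicators. The event format, thresholds, and the list of approved destinations are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified event records covering the three source types the
# post names: directory auth (AD), repository reads (SCM/EMR/SharePoint) and
# file-share copies. Not any real product's log format.
EVENTS = [
    {"ts": "2016-08-15T09:02", "user": "alice", "system": "AD", "action": "auth"},
    {"ts": "2016-08-15T09:05", "user": "alice", "system": "SharePoint", "action": "read"},
    {"ts": "2016-08-15T09:40", "user": "alice", "system": "fileshare", "action": "copy",
     "bytes": 4_000_000, "dest": "fs-finance"},
    {"ts": "2016-08-15T02:10", "user": "bob", "system": "AD", "action": "auth"},
    {"ts": "2016-08-15T02:12", "user": "bob", "system": "SCM", "action": "read"},
    {"ts": "2016-08-15T02:13", "user": "bob", "system": "EMR", "action": "read"},
    {"ts": "2016-08-15T02:15", "user": "bob", "system": "SharePoint", "action": "read"},
    {"ts": "2016-08-15T02:30", "user": "bob", "system": "fileshare", "action": "copy",
     "bytes": 2_500_000_000, "dest": "cloud-bucket"},
]

APPROVED_DESTS = {"fs-finance", "fs-engineering"}  # assumed sanctioned stores
RECON_SYSTEMS = 3              # distinct repositories read by one account
STAGING_BYTES = 1_000_000_000  # bytes copied to a non-approved destination
BUSINESS_HOURS = range(7, 20)  # assumed normal working hours


def indicators_for_user(user_events):
    """Return the set of IOC names raised by a single account's events."""
    found = set()
    # Reconnaissance: one account touching many different data repositories.
    systems_read = {e["system"] for e in user_events if e["action"] == "read"}
    if len(systems_read) >= RECON_SYSTEMS:
        found.add("recon")
    # Staging: large volume moved to a server or cloud store that is not approved.
    staged = sum(e.get("bytes", 0) for e in user_events
                 if e["action"] == "copy" and e.get("dest") not in APPROVED_DESTS)
    if staged >= STAGING_BYTES:
        found.add("staging")
    # Directory auth outside business hours supports the account-compromise angle.
    for e in user_events:
        if e["action"] == "auth" and datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            found.add("off_hours_auth")
    return found


def score_accounts(events):
    """Group events by account and evaluate each account's indicators."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {user: indicators_for_user(evs) for user, evs in by_user.items()}
```

Running `score_accounts(EVENTS)` flags only the account that both read across several repositories and copied a large volume to an unapproved destination; the ordinary user raises nothing.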

From a risk-management point of view, you can mitigate both the insider-threat risk and the threat-inside risk with the same technology and program, increasing security efficiency. I am sure the security team at Sage wishes they had. One final note: If you do extend your inside-threat detection program to cover both, make sure you define separate incident-response processes for each type of threat. When insider attacks are detected, privacy issues may be a concern, and groups like HR and Legal also come into play.