Insider attacks are on the rise – a cyber strategy focused on protecting the perimeter is futile.
Employees are now the perimeter and they’re always on the move; remote working opens organisations up to increased risks surrounding their data.
What does the Insider Threat look like?
2. Background
Jonny Tennyson
Head of Customer Success
• Spun out of Napier University Edinburgh by current CEO & Founder Dr Jamie Graves in 2011
• Multiple awards for Cyber Innovation, Best Product, Best StartUp
• Global customers – ZoneFox Headquarters in Edinburgh
• Startup to scale - 3 people to 30+
• Growth driven by innovation and differentiation
• Customers in Finance, Retail, Legal, Technology, Manufacturing
3. Who are we?
ZoneFox is an award winning market leader in User Behaviour Analytics, providing critical insights around data-flow that you need to secure against the Insider Threat.
A few of our reference customers…
4. Cyber Security - traditional methods
Intrusion Detection
Perimeter Protection
Anti Virus
Firewalls
Application Whitelisting
Network Packet Inspection
Encryption
Next Generation Anti Virus
Log aggregation & SIEM
6. Why such a risk in business today?
People working from home “a threat to Cyber Security” charities warned
Neil Sinclair, London Digital Security Centre
7. So what is Insider Threat?
• People – asset and a liability
• Accidental, malicious, careless, collusion
• Causes - lack of training, lack of controls, lack of visibility, easy to bypass controls
10. Sandra the Spy
• Financial Pressures
• Personal Matters that may lead to blackmail
• Disgruntled – Show of defiance
11. Careless Caroline
• Ignorant of Security Policy
• Not been Trained
• Under Pressure
• Trying to get her job done
• Victim of Phishing/Social Engineering
12. The Insider Threat - Your top-performing team…..
• “Did I just accidentally send that customer list to someone?”
• “I’ve just been offered a job with our biggest competitor”
• “I’m really annoyed that I didn’t get that promotion”
• “My account has been compromised”
13. Relevance to the Enterprise
Job titles that didn’t really exist 3 years ago;
• Head of Insider Threat Deloitte
• Insider Threat Consultant EY
• Insider Cyber Risk Assessor Barclays
• Insider Threat Analyst BAE Systems
• Director of Insider Threat GE
• Head of Investigation & Insider Threat Worldpay
• VP of Insider Threat Citizens Bank
• Insider Risk Manager Lloyds BG
• Head of Data – Insider Risk HSBC
Source - LinkedIn, Sept 2018
14. Telecom giant accuses employee of data theft - May 2016
“Company insiders are behind 1 in every 4 data breaches” The Register, April 2018
15. Analyze. Detect. Protect.
Conclusion
• People / Employees are the perimeter
• Partners are the perimeter
• Supply chain is the perimeter
• Is there really a perimeter?
Good morning, and thank you in advance for your attention over the next 15 minutes.
We are ZoneFox, and today I’ve been asked to talk about the perimeter within the modern business, and whether it actually exists.
Some Background first - ZoneFox was started out of Napier University in Edinburgh in 2011 and we shipped our first product to customers in 2013. We’ve won multiple awards since.
Our growth curve has been incredible during that time and we consider ourselves now to be exiting the start up phase and truly entering the scale up phase. Our initial investment has gone into R&D and now we are using that investment to market and sell ZoneFox on a global basis. We’ve had a strong emphasis on the UK market to start, but we have some fantastic clients in the US and we’ll be using that to grow other markets in 2019.
ZoneFox is an award winning market leader in User Behaviour Analytics, providing critical insights around data-flow that you need to secure against the insider threat.
Below we have a number of publicly available reference clients that we work with. There are many verticals here, as you can see but these are companies with a familiar and very common challenge. Namely; Protection of their IP, their Brand Value and Reputation, Compliance, and more.
Lots of recognisable names here - Rockstar North, who use our solution to protect the Grand Theft Auto game series, Pinsent Masons - a very well-known UK based international law firm. And some very well known Retail clients; such as Pret a Manger, and the Central England Co-operative group.
On to the topic itself. This is what IT Security has looked like for the last 20-25 years. It’s the traditional Castle and Moat model. We have some very valid and necessary technologies here - [Name a few,] Simply put - exterior security, wrapped around everything you want to keep safe, with a secured entry in and out.
It’s not an ineffective approach by any means, we’ve been doing this for so long for a reason; but today we let so many people inside this perimeter; family, friends - external partners and suppliers. Our focus on keeping the bad people out over the last two decades or more has taken us away from looking - and I mean really looking - at the threats that already exist inside the castle, and who has keys to the drawbridge.
It’s no longer about blocking everything - it’s about getting an understanding of what’s going on inside your business.
It’s time to do something different.
This is an old slide but very pertinent, I think this sums up the secure perimeter approach quite well!
You can build up your layered security - adding more and more layers until you have a layered wedding cake of a perimeter - but you’re still going to miss the key threats already within.
So why is this such a risk in business today?
Home working is becoming more and more common for a proportion of the week, in fact recently some of the largest financial institutions have downsized their real estate footprint to take account of this. The Head of Estates & Property at a large Bank recently told us that “if every employee turned up to the office one morning, we would have a huge problem” and I’ve spoken to employees at two other similarly sized organisations who say the same thing, and have enforced work-from-home days for their employees.
The leader of the TUC stated only last week that, with the introduction of AI technologies, our jobs are easier to do, and that a 4 day working week is a reality in the UK very soon. Now I know; that’s an exciting prospect but that’s not my point - I’m just as excited as you are. But it highlights a very real and growing risk and this is one that is already prevalent across many organisations.
It’s true to say that people are our biggest asset. We are told this all the time. But, people make mistakes and people don’t always act as we expect them to, hence they are also one of our biggest weaknesses.
We see this all the time and there are a few common themes of Insider Threat that can be identified.
Let’s take a look at these now. First up…
There comes a time in almost everyone’s career where they decide that a change is necessary.
If they can’t change positions within their organization, they often leave for pastures new.
Everyone wants to be able to provide value in their next role, but they may do it in different ways. In the case of Quittin’ Quentin, he decided to take customer data with him to provide great value to his new employer. When it comes to dealing with employee exits, be mindful of those who have access to:
Dave was a bright employee who was promoted quite quickly. He thought he was helping the company by bringing to light a vulnerability in the company’s software, but since there was no real-world exploit, the management team decided to accept the risk for now and push forward. Dave’s advice was not heeded, although he thought he was really on to something. He tried several times to sway public opinion, and in the end his anger pushed him over the edge, causing him to resort to destroying a software release to prove a point.
A point to note - some of the reasons that employees become disgruntled - and remember, these issues are from the employee’s perspective so can be difficult to spot:
Forced into being a bad actor.
Sandra the Spy’s situation is not unique. Many employees are in positions where they don’t make enough money. This isn’t necessarily an opinion, but a result of life choices.
Sometimes parents need to care for their kids, but don’t feel that they make enough money to do so. Sometimes a couple would like to get married or put a down payment on a house, but money is perpetually tight.
On occasion, a competing entity with few morals may take advantage, presenting an offer that the potential spy can’t (or feels they can’t) refuse, turning them to their side. Corporate spies don’t always have to be turned, mind you, they may also be planted in your organization early on by a competitor or a nation state to await further instruction. Fortunately, corporate espionage is not a ubiquitous threat to all organizations in all lines of business, but it’s always a possibility if your business revolves around intellectual property.
A project manager, working 100MPH, under huge pressure, trying to please everyone.
[Important point to note here] Caroline is definitely not a malicious actor. There is no motivation to steal, destroy, or otherwise harm her organization’s data.
Unfortunately, Careless Caroline is an all too common character in today’s organization. Whether it’s leaving a workstation unlocked, leaving passwords on sticky notes, allowing strangers to tailgate when she swipes into the office, or clicking on malicious links without first understanding who sent the link or why, Careless Carolines everywhere are letting the bad guys in regularly. Even if they don’t mean to.
Few technical controls can actually help stem this tide; if you want to help Careless Caroline be more careful in her day-to-day dealings, education – and monitoring - is key.
So…here’s your team. Your team is the best team in the world.
They’re all trustworthy and you have no need to doubt any of them.
Until they come to leave you to join your biggest competitor. Still feel so confident about their trustworthiness?
What projects have they been working on?
What data did they have access to?
Do you think that they could have stolen anything over the past few months?
How do you know?
We recently worked with a Formula 1 team who was concerned that key designs were at risk of theft from within. Now, Formula 1 is a sport where this is rife, as it’s such a technically driven, expensive, competitive sport. Needless to say, they were right to be concerned.
After working with them for a short period of time, we discovered that an employee who was preparing to leave, had managed to gain access to their design files on the team’s car. And guess what they did next?
They transferred the lot onto removable media. We find this same story replicated across just about every customer we work with – it’s time to rethink the perimeter.
Some recent analysis conducted last week, have a look at the names of the companies on the right hand side and these ‘new genre’ job titles. This is a growing job area and it’s fair to say very few of these titles didn’t exist a few years ago?
A bit like a ‘GDPR manager’ – there you go, had to get GDPR into the presentation at some point
Here we have further emphasis by recent publications and news articles that the old perimeter protection methodologies are dated.
Tesla particularly damaging and again, extremely public.
An “Oil and Gas customer” of ZoneFox’s - recently found 3D CAD designs going to Russia - they have no customers or partners in Russia. Industrial sabotage, caught in the act.
If there is a perimeter – it’s people, employees. It’s partners. It’s our supply chain. BA was only the other week, they discovered where their perimeter really is, it was the same as Ticketmaster’s - and they’re potentially facing a £500M class-action suit as a result.
These are not small names. So, is there really a perimeter? Thank you so much for listening, I hope this has provoked a thought or two and I look forward to speaking to you throughout today.