2. Insider Threat
§ The insider is anyone who has been authorized to access internal systems. They originate on internal systems or are permitted special access across the perimeter (e.g. remote access)
§ The insider threat is not new; however, technology can allow greater access, at a distance, to sensitive data, with potentially less effort and less accountability
§ The threat exists for insiders to exploit their authorized access, and to attack or misuse information systems
3. Defining The Problem
§ Intentional: Economic or Malicious motivations
§ Hacking and Malware
§ Security Avoidance: Rules not aligned with business objectives
§ Mistakes: Insiders try to follow rules
§ Ignorance: Insiders don’t know rules
4. Economic Factors
§ Economic factors may motivate individuals to do things they otherwise wouldn’t do
§ The economy is just one example of external factors that may drive up incidents
§ The economy may reduce security budgets, which may lead to weakened security controls and measures
§ Companies that empower their employees and keep them informed may have fewer data breaches
5. Global, Legal & Cultural Factors
§ Many gaps in security practices are exposed when a company expands into new markets/countries
§ Data must be managed according to the laws of the country in which it resides
§ Not all cultures have the same standards when dealing with intellectual property
§ The reality of how data is treated in different countries and by different cultures may necessitate new controls and measures
6. Data Breaches
§ According to the Verizon 2009 Data Breach Investigations Report, 285 million records were compromised in 2008.
§ All industries suffer from data breaches, although threat vectors may vary significantly
§ The growth of financial services companies, and advances in technology, put larger sets of personal data at risk
§ Historical data shows external hacking, malware or theft (e.g. data tape or laptop) accounts for approximately 80% of data breaches, while the insider threat remains around 20%
§ In 2008, nearly all records were compromised from online sources
§ Approximately 30% of data breaches implicated business partners
Source: Verizon 2009 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
7. Protecting The Data
§ Proactive vs. Reactive Responses
§ Learn from Past Incidents
§ Encryption
§ Access Controls & Monitoring
§ Segmentation
§ Education
8. Process Improvements
§ People
  § Pay attention to employee morale, work closely with HR
  § Provide security awareness & education that is targeted and measured
§ Processes
  § Implement processes for managing employee privileges as their role changes
  § Review rights quarterly or annually
  § Keep concise security policies updated and published for easy access
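The two process bullets above (re-provisioning privileges when a role changes, and reviewing rights on a fixed cycle) can be turned into a repeatable check. The following is an added example, not code from the deck or from any product it names: it assumes a role baseline (the privileges each role is entitled to), a constructed entitlement inventory with the date of each user's last rights review, and a 90-day review period. A role change re-provisions from the new baseline instead of adding to what the user already holds, and the review flags both privilege creep and overdue reviews.

```python
from datetime import date, timedelta

# Constructed role baseline: privileges each role is entitled to (example data, not from the deck).
ROLE_BASELINE = {
    "accounts_payable": {"erp_ap_read", "erp_ap_post"},
    "help_desk": {"ad_password_reset", "ticketing_agent"},
    "hr_analyst": {"hris_read"},
}

# Constructed entitlement inventory. "bob" moved from accounts payable to the help desk
# but kept a posting privilege from the old role, which is the privilege-creep case.
USERS = [
    {"user": "alice", "role": "accounts_payable",
     "privs": {"erp_ap_read", "erp_ap_post"}, "last_review": date(2009, 9, 1)},
    {"user": "bob", "role": "help_desk",
     "privs": {"ad_password_reset", "ticketing_agent", "erp_ap_post"}, "last_review": date(2009, 2, 15)},
    {"user": "carol", "role": "hr_analyst",
     "privs": {"hris_read"}, "last_review": date(2009, 3, 30)},
]

REVIEW_PERIOD = timedelta(days=90)  # quarterly review cycle (assumption)


def excess_privileges(entry):
    """Privileges held beyond the baseline for the user's current role."""
    return entry["privs"] - ROLE_BASELINE.get(entry["role"], set())


def review_overdue(entry, today, period=REVIEW_PERIOD):
    """True when the last rights review is older than the review period."""
    return today - entry["last_review"] > period


def apply_role_change(entry, new_role):
    """Re-provision from the new role's baseline; never carry old privileges forward."""
    return {**entry, "role": new_role, "privs": set(ROLE_BASELINE[new_role])}


def run_access_review(users, today, period=REVIEW_PERIOD):
    """Return findings as (user, finding_type, detail) tuples for the review owner."""
    findings = []
    for entry in users:
        extra = excess_privileges(entry)
        if extra:
            findings.append((entry["user"], "excess_privilege", sorted(extra)))
        if review_overdue(entry, today, period):
            overdue_days = (today - entry["last_review"]).days
            findings.append((entry["user"], "review_overdue", overdue_days))
    return findings


if __name__ == "__main__":
    for finding in run_access_review(USERS, date(2009, 10, 1)):
        print(finding)
```

Running the review with a constructed "today" of 2009-10-01 reports bob's leftover `erp_ap_post` privilege and two reviews older than a quarter; feeding the same inventory into the review after every role change keeps the excess-privilege list empty, which is the point of re-provisioning rather than accumulating rights.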
9. Technology
§ You can’t eliminate all risk, so you need to identify tools that will best address the insider threat based on past incidents at your company
§ Risk management helps identify where security dollars are best spent
§ Protecting data at rest and in motion is important, and this works best if you can identify the data you want to protect up front
§ Most tools exist to keep honest people honest
10. Survey of Tools
§ Data Loss Prevention
§ Identity Management
§ Centralized Security Logging/Reporting
§ Security Event Management
§ Web Authentication
§ Intrusion Detection/Prevention Systems
§ Network Access Controls
§ Encryption
11. The Security Budget
§ As the economy and other factors drive up the threat, the security budget needs to be maintained
§ Security dollars should be spent where they can have the greatest impact
§ Significant results can be had by starting with simple, low-cost solutions that target “low-hanging fruit”
§ Remember the principle of security in depth
12. Measuring Success
§ Develop consistent and meaningful metrics for measuring the efficacy of your security controls
§ Develop executive dashboards and favor tools that provide real-time access to data and reporting
§ Review security processes periodically to ensure they are achieving stated goals, as legal, cultural and corporate requirements may change
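To make the metrics bullets concrete, the following is an added example, not code from the deck: it computes a small set of control-efficacy metrics from constructed records (role changes with the date their old access was revoked, and incidents with occurrence and detection dates) and compares them against stated goals so a dashboard can show which processes are missing their targets. The record fields, the metric names and the goal thresholds are all assumptions.

```python
from datetime import date
from statistics import mean

# Constructed role-change records: when the role changed and when the old access was
# actually revoked (None means the revocation is still open).
ROLE_CHANGES = [
    {"user": "bob", "changed": date(2009, 6, 1), "revoked": date(2009, 6, 3)},
    {"user": "dave", "changed": date(2009, 7, 10), "revoked": date(2009, 8, 20)},
    {"user": "erin", "changed": date(2009, 9, 5), "revoked": None},
]

# Constructed incident records with the source attributed during investigation.
INCIDENTS = [
    {"id": "INC-1", "occurred": date(2009, 3, 2), "detected": date(2009, 3, 4), "source": "insider"},
    {"id": "INC-2", "occurred": date(2009, 4, 10), "detected": date(2009, 4, 25), "source": "external"},
    {"id": "INC-3", "occurred": date(2009, 6, 1), "detected": date(2009, 6, 2), "source": "external"},
    {"id": "INC-4", "occurred": date(2009, 8, 14), "detected": date(2009, 8, 29), "source": "insider"},
]

# Stated goals (assumed): every metric here is "lower is better".
GOALS = {"mean_days_to_revoke": 7, "mean_days_to_detect": 10, "open_revocations": 0}


def control_metrics(role_changes, incidents):
    """Compute the dashboard metrics from the raw records."""
    closed = [(r["revoked"] - r["changed"]).days for r in role_changes if r["revoked"] is not None]
    detect = [(i["detected"] - i["occurred"]).days for i in incidents]
    insider = sum(1 for i in incidents if i["source"] == "insider")
    return {
        # Mean days between a role change and revocation of the old access.
        "mean_days_to_revoke": mean(closed) if closed else 0.0,
        # Role changes whose old access has not yet been revoked.
        "open_revocations": sum(1 for r in role_changes if r["revoked"] is None),
        # Mean days between an incident occurring and its detection.
        "mean_days_to_detect": mean(detect) if detect else 0.0,
        # Share of incidents attributed to insiders.
        "insider_share": insider / len(incidents) if incidents else 0.0,
    }


def missed_goals(metrics, goals):
    """Names of metrics that exceed their stated goal, for the periodic process review."""
    return sorted(name for name, limit in goals.items() if metrics[name] > limit)


if __name__ == "__main__":
    m = control_metrics(ROLE_CHANGES, INCIDENTS)
    for name, value in m.items():
        print(f"{name}: {value}")
    print("missed goals:", missed_goals(m, GOALS))
```

With the constructed records the revocation process misses its goal on both measures (a 21.5-day mean and one open revocation) while detection is within target, which is the kind of signal the periodic review exists to surface; wiring the same functions to real role-change and incident feeds is what turns them into a live dashboard.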
13. Conclusion
§ While the insider threat has always existed, technology magnifies the problem
§ It is too late to react when a data breach makes your company front-page news; be proactive
§ Detecting insider attacks requires layered solutions that leverage people, processes and tools
§ Don’t undervalue the impact of user education
§ The most expensive solution is not always the best solution!