The Inside Job: Preventing Cyber Security Threats from Inside the Enterprise

“Is our data secure? Where are we vulnerable? What are you doing to keep us OUT of the headlines?”

Every CIO is being asked these questions by their Board of Directors on a consistent basis, even more so in the last twenty four months. More often than not, the intent behind this question is simply, “Are we protected from hackers?” While a comforting answer might be to describe how high and wide the perimeter wall is around your enterprise castle, such a wall does not protect you from the dangers that lie within. Shockingly, internal dangers account for greater risk than outside hackers breaching the network.

Many of the headline-making breaches in recent history are the result of an “inside job.” Take Ashley Madison, for instance. Andrew McAfee recently reported evidence that their infamous breach was the direct result of a “lone female” inside the parent company¹, Avid Life Media. And they are not alone. Within the last year, both DuPont² and P&G³ have filed suits against former employees for theft of trade secrets. Collectively, these trade secrets are essential to sustain more than $25 Billion in annual sales within the related segments for the respective companies.

In a report released by the Identity Theft Resource Center (ITRC) on breach statistics⁴ in 2014, the research notes that of the 760 reported breaches in the year, 37% were the result of insider threats (defined as “Insider Theft,” “Employee Negligence,” and “Subcontractors”). A lesser, 30% of breaches were the result of outside hacking.

Insider threats can be broken down into 3 main areas:

• Malice.
  Like the cases of P&G and DuPont, this is when an insider knowingly misappropriates sensitive corporate information.
• Negligence.
  This is when a breach is the result of a mistake by an employee. For example, an employee accidently sends sensitive information to an unauthorized party, an assistant maintains a scratch pad of executive passwords, or an employee clicks on nefarious links on the internet.
• Ruse.
  Better known as social engineering or phishing, this is when employees are victims of intentional deception. Social engineering is a hacking technique that prays upon users sensibilities in order to gain credentials that give them access to a network. For example, an employee receives an e-mail from what looks like corporate IT asking to verify network credentials.

Preventing threats from within requires initiative across the spectrum of people, process and technology. Many firms rely heavily on policy as a primary measure of defense for insider threats. Policies are necessary, but they do not constitute adequate threat protection. Baseline measures to protect the enterprise include robust and persistent employee awareness programs, documented policies, virus and malware detection, and spam filters. However, these actions are merely proper hygiene. It is unfortunate to note that 34% of enterprises report that they have experienced an insider breach⁵ despite having good hygiene in place.

Insider threats are difficult to detect because doing so requires the ability to differentiate user behaviors. This challenge of detecting good and evil in this realm is quickly becoming the bastion of artificial intelligence (AI). AI is emerging as the technology with sufficient dynamics to counteract this equally dynamic threat.

Several new entrants with AI footing have entered the security space in the categories of data loss prevention and end-point protection. These firms are using patterns, analytics, and AI to identify and react to potential insider threats. A few interesting firms emerging in this space include:

• Cylance (www.cylance.com)
  Cylance applies artificial intelligence, algorithmic science, and machine learning to cybersecurity. Using a predictive analysis process, Cylance identifies what is safe and what is a threat, not just what is in a blacklist or whitelist.
• harvest.ai (www.harvest.ai)
  harvest.ai searches for changes in user behavior, key business systems, and applications caused by cyber-attacks. harvest.ai has applied AI-based algorithms to learn the business value of critical documents across an organization and can detect and stop data breaches from targeted attacks and insider threats before data is stolen.
• Bitglass (www.bitglass.com)
  Bitglass Breach Discovery analyzes outbound flows through firewalls to identify high-risk activities indicating breach or exfiltration, allowing you to remediate issues quickly before any real damage occurs.
• Exambeam (www.exabeam.com)
  Exabeam is a user behavior analytics solution that leverages existing log data to quickly detect advanced attacks and accelerate incident response. Exabeam automates the work of security analysts by resolving individual security events and behavior anomalies into a complete attack chain.

Insider threats can be detrimental to the success of your enterprise. Take action now. Protect your perimeter from the outside-in AND the inside-out. Below are three steps that should be essential to your cyber security protection roadmap.

• Exercise proper hygiene. Deploy up-to-date end-point management, user access management, OS patches, virus and malware detection, spam filtering, and critical data governance.
• Create security esprit de corps. This is a marketing challenge. Every employee should know the do’s and don’ts, and feel a sense of pride in protecting company information.
• Deploy behavior-based detection. Technologies utilizing AI and pattern matching to detect changes in user behaviors will help uncover and prevent threats from within.

The ‘inside job’ can come in many forms. What’s important is that your enterprise security program encompass good hygiene, good marketing, and new technologies to keep your critical data locked safe inside your high and wide perimeter. Keep the hackers OUT and contain the threats from within.

To learn more about Wavestone US’ services, visit https://www.wavestone.us/capabilities/.

⁴ Identity Theft Resource Center (ITRC), 2014. The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed.