2019 Insider Threat Intelligence Report - Dtex Systems · 2020. 11. 30.

Post on 01-Feb-2021

  • 2019 insider threat INTELLIGENCE REPORT

  • DTEX SYSTEMS 2019 insider threat INTELLIGENCE REPORT 3

    in·sid·er (noun): any employee, contractor, vendor or partner that has access to

    SUMMARY

    A vast majority (93%) of CIOs are now spending up to half

    challenges they’re facing —

    geography, or industry — is the insider threat, which now costs businesses an average of

    * SOURCE: Logicalis Global CIO Survey 2018-2019 | ** SOURCE: 2018 Cost of Insider Threats Report

    We categorize insider threats

    the enterprise, and are

    NEGLIGENT: 64%; COMPROMISED: 13%; MALICIOUS: 23%

    a rapidly changing threat landscape — has created a reality that is anything but

    * SOURCE: 2018 Cost of Insider Threats Report

    ACKNOWLEDGING THE HUMAN ELEMENT

    LEVERAGING THE POWER OF ENTERPRISE USER INTELLIGENCE

    What exactly is responsible for the shades of grey? Most notably, it is the presence of the

    of malicious or careless behavior, or an outsider compromising an insider, each and every insider threat faced has one thing in common: they are

    intent or type, all of them increase enterprise

    This overwhelming presence of the human element has also accelerated the need to acknowledge the fact that every human has

    In the context of security, this means that what is deemed suspicious behavior for one person may not represent risky behavior for another

    This is where we hope our data, and this annual

    collected from risk assessments conducted across Dtex’s diverse customer base in 2018,

    key trends in insider behavior and provide a

    key

    PUBLICLY EXPOSED DATA

    PORTABLE APPS

    RISK OF DATA LOSS AND PERSONAL EMAIL USAGE

    All assessments found instances of high-risk data transfer via USB

    98% of assessments found customer proprietary

    accessible on the web —

    HIGHLIGHTS

    Key takeaways from this year’s report include:

    100%

    98%

    74%

    97% FLIGHT RISK ACTIVITY

    97% of assessments found instances of employees

    behavior — a sharp increase

    95% SECURITY BYPASS

    95% of assessments found

    circumvent corporate security policies —

    USERS

    Security

    95% of assessments detected instances where employees were using anonymous and private browsing to circumvent security controls, a notable jump from 60 percent last year.

    This year, Dtex analysts noted a spike in security controls — using private and incognito web browsing modes, TOR browsers and non-

    policy and is consistently used to engage in

    behaviors include researching and downloading

    employees spread across the globe found that users were repeatedly able to visit high-risk websites that were supposedly being blocked

    URLs, they were also not able to provide any data on how users were able to bypass them and

    trail, it was discovered that the users were simply

    didn’t have safeguards built in to deter such

    a group of developers who were able to use heightened local privileges — innately given

    by Dtex showed that these developers had

    to bypass the network proxy and then enabled the script to consistently kill the endpoint agent

    SPOTLIGHT ON THE KILL SWITCH

    High-Risk

    85% which include hacking tools, network tools, and other generally risky programs that are of the tools designed to be an asset to IT and security teams are now actually being used against them — enabling users to exploit gaps in

    of assessments

    saw insiders using

    tools — up from 72

    percent last year.

    Most commonly used high-risk

    nmap

    SPOTLIGHT ON PORTABLE APPLICATIONS

    74 percent

    High-Risk Data Transfer

    100% Dtex analysts found instances of high-risk data personal webmail accounts or unencrypted

    While all of these avenues represent a threat to data security, our data shows that most malicious data transfers are now happening

    the fact that the cloud no longer represents a

    of assessments found

    data being transferred

    unencrypted USBs.

    SPOTLIGHT ON THE HEAD IN THE CLOUD

    Dtex assessment data shows most malicious data transfers happen via the Internet.

    While cloud security is clearly and

    avenues used for high-risk data transfer: removable storage devices and unencrypted

    ubiquitous and widely used, security policies have largely failed to keep up and protect

    these types of transfers from occurring,

    They quickly discovered that a user had transferred nearly 50GB of data from a network

    be taken in remedy, which included monitoring the user’s residence and forcibly retrieving the

    In one all-too-common example seen by our analysts, a Dtex alert was

    working on it were explicitly instructed not to move, copy, or share these

    In this year’s assessments, analysts noted

    year-over-year spike — 59 percent — across all categories whether malicious, negligent, or

    Dtex analysts being conducted on corporate endpoints include:

    • Making edits to resumes and researching

    • Researching ‘how to resign from job’ and

    97% of assessments recorded

    employees displaying

    from 38 percent last year.

    While much of this can be deemed ‘in poor taste’ versus ‘sinister,’ it is consistently shown

    proof point can be taken from our previous

    of their company’s high-value data (their ‘crown

    discovered that the user had recently applied for

    security risks associated with contracted or

    contracted employees may be a necessary and

    projects and high turnover rates mean that

    consistent and comprehensive visibility into the

    — even if they are granted privileged access,

    SPOTLIGHT ON CONTRACTORS

    ACCORDING TO A RECENT NPR POLL:

    1 in 5 jobs in the US is held by a

    DTEX INVESTIGATION REPORT:

    For leading wealth management company and Dtex customer AMP, based in Australia and

    played a key role in helping to detect illegal data

    AMP contractor,

    clear behavior audit trail was established and

    user behavior can neutralize insider threats and successfully stop malicious actors before it’s too

    Zheng arrested

    All assessments conducted this year found

    users leveraging admin privileges to bypass

    programs, downloading pirated media, or

    what’s equally concerning is the lack of visibility

    over the privileged insiders with access to

    SPOTLIGHT ON THE PRIVILEGED BLIND SPOT

    Despite being highly concerned, a large number of security and risk professionals don’t actually

    Our own experience, along with industry data, tells us that this oversight is amplifying their insider

    48% 43% BUT... of security professionals

    expect privileged access

    abuse to increase this year.

    monitor users with privileged

    * SOURCE: The 2018 Study on the State of Data Access Governance

    GUIDANCE:

    Catching

    Enterprise User Intelligence is the ability to

    and stopping malicious user behavior, enabling

    This is where the importance of understanding

    to catching a user in this stage is to keep an eye

    When they’re ready to act, users aggregate the targeted data and will likely demonstrate unusual

    where the user actually takes the data out of the

    In our assessments conducted over the last year, Dtex analysts consistently found the most

    cover their tracks, such as security bypass or

    very common in malicious incidents and much easier to spot compared to other steps in the

    Case in point: the majority of high-risk data

    by our analysts were conducted via Internet

    In summary? The key is knowing what to look for, and having the right tools in place to be able

    INSIDER THREAT KILL CHAIN

    RECONNAISSANCE → CIRCUMVENTION → AGGREGATION → OBFUSCATION → EXFILTRATION

    USERS

    shades of grey

    This very challenge is responsible for a large majority of the negligent user behavior that Dtex

    is driven by the desire to cut corners or do

    secure tools and resources needed to accomplish

    starts out as carelessness or ignorance can

    as users understand where boundaries can be

    It’s important to acknowledge here that establishing intent is not black-or-white, as this is an area where the human element — and the associated shades of grey — certainly comes into

    own unique needs, goals, and circumstances, it is nearly impossible to clearly label each and every

    And while the behavior categories below are

    always

    Dtex analysts see most instances of negligent behavior prompted by the goal of temporarily

    This includes downloading what have been deemed

    example looks something like this: an employee

    Unlock PDF, allowing them to open the document

    From there, they can download and use a PDF

    report, nearly three in four assessments this year (74 percent) saw the use of these kinds of high-risk

    But, the act of bypassing security and using high-

    accessible and readily available, it has become easier

    due to budget and resource constraints — actually

    engage in risky security behavior and subsequently

    48% vs. 15% 54% The number of employees that are

    external USB use… and the number that actually ask for permission.

    The number of employees

    technologies were in place to prevent or detect the

    data onto USB drives.

    Dtex analysts found corporate data exposed and publicly available on the internet in 98 percent — or nearly all — of assessments

    type of data our analysts found online include:

    • engine videos

    • ‘Client Only’

    • Company banking spreadsheets, including expense reports

    • Financial data related to expenses, pensions, and loan reimbursements

    File-sharing services

    most commonly found to

    be

    Dropbox

    Google Drive

    Sharepoint

    improperly such that it is exposed and easily

    indicators include the unauthorized employee use of cloud services (or a failure to make

    The blurred lines between the personal and the corporate have also made data leakage via

    use enterprise cloud storage services for their

    sync-and-share service like Dropbox or Box, or

    an employee’s personal devices and personal

    syncing with their work devices — is only

    This is a 20% increase from last year.

    96% Percentage of

    using cloud to store at least some data

    4.8 Number of clouds an

    on average

    77%

    98%

    * SOURCE: The 2018 State of the Cloud Survey

    SPOTLIGHT ON

    Industry reports show that nearly two-thirds of all data breaches (63 percent)

    these documents found themselves unaware that a third party — with whom they had no

    underscores the cold reality that while it may be the third party who is directly responsible

    Dtex’s widespread discovery of publicly accessible data also

    tends to be hit hardest — with an average cost of an insider incident spiking

    * SOURCE: The 2018 Cost of Insider Threats Survey

    important that personal email usage

    of the dangers associated with users accessing personal email accounts on corporate endpoints, such as increased

    an employee accessing a personal Gmail account

    versus a corporate Gmail account, it becomes nearly impossible to understand whether an

    Dtex customers, however, are able to use

    what accounts are being used for business

    internal documents when using their secondary,

    100% of assessments saw employees using personal, web-based email on company endpoints — up from 91 percent last year.

    Dtex analysts found pirated media on cloud storage, removable storage, and local storage — and found that users were going to great lengths to transfer and obfuscate pirated media between

    year, our assessments discovered users sharing and transferring pirated media with each other via USB drives

    endpoints certainly puts an

    to be harboring pirated media on the

    governing bodies are paying much

    understanding of how to spot piracy

    European Commission even published

    Watch List,’ with the goal of ‘naming and shaming’ any non-EU website

    81% of assessments this year found pirated

    — up from 65 percent last year.

    by more than 83 percent year over year — with the

    internet usage

    Inappropriate Internet usage on corporate devices and endpoints

    rather than outright malicious behavior, we’ve consistently seen

    goes undetected — and without consequence — can escalate to other

    employees to websites that are likely to expose them, and their corporate

    website then led to malicious content being downloaded without the consent

    of assessments saw inappropriate Internet usage — such as pornography, gaming, and gambling.

    This year, analysts noted an upward trend in online gaming, with users increasingly storing games on corporate devices — whether in

    The dangers of online gaming made headlines

    supported release from a prominent game

    commands to install, uninstall, or change the

    these games… including corporate laptops

    76%

    Technology can help

    behavior, but it is

    company culture, processes, and people

    GUIDANCE:

    At Dtex, we’ve said it once and will say it many

    truth is that the user is likely not thinking about

    insiders’ assistance and empower them with the

    ‘building trusted insiders.’

    For one, there needs to be a mechanism in place that enables the ability to see, detect and

    make it possible to not only understand when an employee makes a mistake, but also educate

    This is where the power of teachable moments

    into user behavior, it becomes possible to

    available or reminders to stay within security

    it occurs not only minimizes insider-related incidents and associated costs, but also prevents

    It is by teaching — rather than just punishing or blocking — that it becomes possible to truly

    trusted insiders.

    70%

    CREDENTIALS

    SPOTLIGHT ON PERSONAL ACCOUNT ACCESS

    SPOTLIGHT ON PRIVILEGED CREDENTIAL THEFT

    Accessing personal accounts on corporate

    percent of this year’s assessments found users

    While phishing emails can — and do — make it

    they have successfully compromised that user

    control over the corporate device being used to

    under the radar and hide their tracks as they

    industry, this year’s assessments

    security professionals try to protect and keep

    are going to end up compromised and on the

    increasingly stored in the cloud, this area of risk

    responsible for more than $68 million

    new malware strains, but also taking advantage

    And when mistakes do happen, they can

    Email is the common

    vector used in phishing or

    —2018 Data Breach

    ONLY 35% OF ORGANIZATIONS HAVE COMPLETE VISIBILITY INTO WHICH INSIDERS HAVE BEEN GRANTED PRIVILEGED ACCESS.

    AND ONLY 37% OF ORGANIZATIONS HAVE COMPLETE VISIBILITY INTO USER ACTIVITY TIED TO PRIVILEGED USER ACCOUNTS.

    2018 Privileged Access Threat Report

    any hope of catching them requires a comprehensive

    understanding of what represents normal behavior for

    Here are a few indicators that Dtex analysts use

    When a user is

    example, in the middle of the night — that’s a

    of their chosen accounts, in order to increase

    “lives” on the network and then download and

    Unusual use of hacking or lateral movement

    want to move laterally throughout the network,

    will do this by using hacking or lateral movement

    GUIDANCE:

    It takes an average of 73 days to contain an insider-related incident.

    SOURCE: 2018 Cost of Insider Threats Report

    landscape of insider threat vendors to navigate, many that are fraught false

    comprehensive insider threat defense — one that is just as advanced as the

    TECHNOLOGIES

    the presence of the human element … and the most

    need not only for technologies that deliver visibility

    As this report has shown, threats can come

    know how systems are being accessed, how data is

    has to be driven by technologies that understand behavioral context, know when events are normal

    Insights need to be available

    quickly re-tuned without going through a laborious,

    It’s no longer enough to only protect a

    quickly deployed and managed, scale across vast

    Security doesn’t need to come at the

    threats can be detected without exposing users’

    that allow collected data to be anonymized and

    APPROACH

    threats requires that we acknowledge that every

    understanding users as individuals with unique

    trend that Dtex analysts saw echoed throughout

    As we’ve shown, the greatest security risks are

    shortcuts, or simply trying to do their jobs more

    to come at the expense of users or the rest of the

    majority of American employees will support and accept monitoring that is conducted for security

    approaches, and making the right tools and resources

    while enabling their greatest assets — their users — to

  • The 2019 Insider Threat Intelligence Report data was drawn from the User Threat Assessments

    spanned a wide variety of countries and industries, and ranged in size from midsize businesses to

    Get your User Threat Assessment

    Phone: +1 (408) 418–3786

    [Charts: breakdown of the assessed organizations; recoverable segment labels: EMEA, APAC, LEGAL, SERVICES]

    1–100: 20%; 101–500: 25%; 501–1000: 5%; 1001–5000: 10%; 5001–10,000: 20%; 10,001+: 20%