2019 insider threat intelligence report - dtex systems · 2020. 11. 30.
2019 Insider Threat Intelligence Report
-
DTEX SYSTEMS 2019 insider threat INTELLIGENCE REPORT 3
in·sid·er (noun): any employee, contractor, vendor or partner that has access to
SUMMARY
A vast majority (93%) of CIOs are now spending up to half
challenges they’re facing —
geography, or industry — is the insider threat, which now cost businesses an average of
* SOURCE: Logicalis Global CIO Survey 2018-2019 | ** SOURCE: 2018 Cost of Insider Threats Report
NEGLIGENT COMPROMISED
We categorize insider threats
MALICIOUS
23%
the enterprise, and are
64% 13%
a rapidly changing threat landscape — has created a reality that is anything but
* SOURCE: 2018 Cost of Insider Threats Report
ACKNOWLEDGING THE HUMAN ELEMENT
LEVERAGING THE POWER OF ENTERPRISE USER INTELLIGENCE
What exactly is responsible for the shades of grey? Most notably, it is the presence of the
of malicious or careless behavior, or an outsider compromising an insider, each and every insider threat faced has one thing in common: they are
intent or type, all of them increase enterprise
This overwhelming presence of the human element has also accelerated the need to acknowledge the fact that every human has
In the context of security, this means that what is deemed suspicious behavior for one person may not represent risky behavior for another
This is where we hope our data, and this annual
collected from risk assessments conducted across Dtex’s diverse customer base in 2018,
key trends in insider behavior and provide a
key
PUBLICLY EXPOSED DATA
PORTABLE APPS
RISK OF DATA LOSS AND PERSONAL EMAIL USAGE
All assessments found instances of high-risk data transfer via USB
98% of assessments found customer proprietary
accessible on the web —
HIGHLIGHTS
Key takeaways from this year’s report include:
100%
98%
74%
97% FLIGHT RISK ACTIVITY
97% of assessments found instances of employees
behavior — a sharp increase
95% of assessments found
circumvent corporate security policies —
95% SECURITY BYPASS
USERS
USERS |
Security
This year, Dtex analysts noted a spike in security controls — using private and incognito web browsing modes, TOR browsers and non-
policy and is consistently used to engage in
behaviors include researching and downloading
95% of assessments detected instances where employees were using anonymous and private browsing to circumvent security controls, a notable jump from 60 percent last year.
employees spread across the globe found that users were repeatedly able to visit high-risk websites that were supposedly being blocked
URLs, they were also not able to provide any data on how users were able to bypass them and
trail, it was discovered that the users were simply
didn’t have safeguards built in to deter such
a group of developers who were able to use heightened local privileges — innately given
by Dtex showed that these developers had
to bypass the network proxy and then enabled the script to consistently kill the endpoint agent
SPOTLIGHT ON THE KILL SWITCH
High-Risk
which include hacking tools, network tools, and other generally risky programs that are of the tools designed to be an asset to IT and security teams are now actually being used against them — enabling users to exploit gaps in
85% of assessments
saw insiders using
tools — up from 72 percent last year.
Most commonly used high-risk
nmap
SPOTLIGHT ON PORTABLE APPLICATIONS
74 percent
High-Risk Data Transfer
Dtex analysts found instances of high-risk data personal webmail accounts or unencrypted
While all of these avenues represent a threat to data security, our data shows that most malicious data transfers are now happening
the fact that the cloud no longer represents a
100% of assessments found
data being transferred
unencrypted USBs.
SPOTLIGHT ON THE HEAD IN THE CLOUD
Dtex assessment data shows most malicious data transfers happen via the Internet.
While cloud security is clearly and
avenues used for high-risk data transfer: removable storage devices and unencrypted
ubiquitous and widely used, security policies have largely failed to keep up and protect
these types of transfers from occurring,
They quickly discovered that a user had transferred nearly 50GB of data from a network
be taken in remedy, which included monitoring the user’s residence and forcibly retrieving the
In one all-too-common example seen by our analysts, a Dtex alert was
working on it were explicitly instructed not to move, copy, or share these
In this year’s assessments, analysts noted
year-over-year spike — 59 percent — across all categories whether malicious, negligent, or
Dtex analysts being conducted on corporate endpoints include:
• Making edits to resumes and researching
• Researching ‘how to resign from job’ and
97% of assessments recorded
employees displaying
from 38 percent last year.
While much of this can be deemed ‘in poor taste’ versus ‘sinister,’ it is consistently shown
proof point can be taken from our previous
of their company’s high-value data (their ‘crown
discovered that the user had recently applied for
security risks associated with contracted or
contracted employees may be a necessary and
projects and high turnover rates mean that
consistent and comprehensive visibility into the
— even if they are granted privileged access,
SPOTLIGHT ON CONTRACTORS
ACCORDING TO A RECENT NPR POLL:
1 in 5 jobs in the US is held by a
DTEX INVESTIGATION REPORT:
For leading wealth management company and Dtex customer AMP, based in Australia and
played a key role in helping to detect illegal data
AMP contractor,
clear behavior audit trail was established and
user behavior can neutralize insider threats and successfully stop malicious actors before it’s too
Zheng arrested
All assessments conducted this year found
users leveraging admin privileges to bypass
programs, downloading pirated media, or
what’s equally concerning is the lack of visibility
over the privileged insiders with access to
SPOTLIGHT ON THE PRIVILEGED BLIND SPOT
Despite being highly concerned, a large number of security and risk professionals don’t actually
Our own experience, along with industry data, tells us that this oversight is amplifying their insider
48% 43% BUT... of security professionals
expect privileged access
abuse to increase this year.
monitor users with privileged
* SOURCE: The 2018 Study on the State of Data Access Governance
GUIDANCE:
Catching
Enterprise User Intelligence is the ability to
and stopping malicious user behavior, enabling
This is where the importance of understanding
to catching a user in this stage is to keep an eye
When they’re ready to act, users aggregate the targeted data and will likely demonstrate unusual
where the user actually takes the data out of the
In our assessments conducted over the last year, Dtex analysts consistently found the most
cover their tracks, such as security bypass or
very common in malicious incidents and much easier to spot compared to other steps in the
Case in point: the majority of high-risk data
by our analysts were conducted via Internet
In summary? The key is knowing what to look for, and having the right tools in place to be able
INSIDER THREAT KILL CHAIN
RECONNAISSANCE CIRCUMVENTION AGGREGATION OBFUSCATION EXFILTRATION
USERS
shades of grey
This very challenge is responsible for a large majority of the negligent user behavior that Dtex
is driven by the desire to cut corners or do
secure tools and resources needed to accomplish
starts out as carelessness or ignorance can
as users understand where boundaries can be
It’s important to acknowledge here that establishing intent is not black-or-white, as this is an area where the human element — and the associated shades of grey — certainly comes into
own unique needs, goals, and circumstances, it is nearly impossible to clearly label each and every
And while the behavior categories below are
always
Dtex analysts see most instances of negligent behavior prompted by the goal of temporarily
This includes downloading what have been deemed
example looks something like this: an employee
Unlock PDF, allowing them to open the document
From there, they can download and use a PDF
report, nearly three in four assessments this year (74 percent) saw the use of these kinds of high-risk
But, the act of bypassing security and using high-
accessible and readily available, it has become easier
due to budget and resource constraints — actually
engage in risky security behavior and subsequently
48% vs. 15% 54% The number of employees that are
external USB use… and the number that actually ask for permission.
The number of employees
technologies were in place to prevent or detect the
data onto USB drives.
Dtex analysts found corporate data exposed and publicly available on the internet in 98 percent — or nearly all — of assessments
type of data our analysts found online include:
•
• engine videos
• ‘Client Only’
• Company banking spreadsheets, including expense reports
• Financial data related to expenses, pensions, and loan reimbursements
File-sharing services
most commonly found to
be
Dropbox
Google Drive
Sharepoint
improperly such that it is exposed and easily
indicators include the unauthorized employee use of cloud services (or a failure to make
The blurred lines between the personal and the corporate has also made data leakage via
use enterprise cloud storage services for their
sync-and-share service like Dropbox or Box, or
an employee’s personal devices and personal
syncing with their work devices — is only
This is a 20% increase from last year.
96% Percentage of
using cloud to store at least some data
4.8 Number of clouds an
on average
77%
98%
* SOURCE: The 2018 State of the Cloud Survey
SPOTLIGHT ON
Industry reports show that nearly two-thirds of all data breaches (63 percent)
these documents found themselves unaware that a third party — with whom they had no
underscores the cold reality that while it may be the third party who is directly responsible
Dtex’s widespread discovery of publicly accessible data also
tends to be hit hardest — with an average cost of an insider incident spiking
* SOURCE: The 2018 Cost of Insider Threats Survey
important that personal email usage
of the dangers associated with users accessing personal email accounts on corporate endpoints, such as increased
an employee accessing a personal Gmail account
versus a corporate Gmail account, it becomes nearly impossible to understand whether an
Dtex customers, however, are able to use
what accounts are being used for business
internal documents when using their secondary,
100% of assessments saw employees using personal, web-based email on company endpoints — up from 91 percent last year.
Dtex analysts found pirated media on cloud storage, removable storage, and local storage — and found that users were going to great lengths to transfer and obfuscate pirated media between
year, our assessments discovered users sharing and transferring pirated media with each other via USB drives
endpoints certainly puts an
to be harboring pirated media on the
governing bodies are paying much
understanding of how to spot piracy
European Commission even published
Watch List,’ with the goal of ‘naming and shaming’ any non-EU website
81% of assessments this year found pirated
— up from 65 percent last year.
by more than 83 percent year over year — with the
internet usage
Inappropriate Internet usage on corporate devices and endpoints
rather than outright malicious behavior, we’ve consistently seen
goes undetected — and without consequence — can escalate to other
employees to websites that are likely to expose them, and their corporate
website then led to malicious content being downloaded without the consent
76% of assessments saw inappropriate Internet usage — such as pornography, gaming, and gambling.
This year, analysts noted an upward trend in online gaming, with users increasingly storing games on corporate devices — whether in
The dangers of online gaming made headlines
supported release from a prominent game
commands to install, uninstall, or change the
these games… including corporate laptops
Technology can help
behavior, but it is
company culture, processes, and people
GUIDANCE:
At Dtex, we’ve said it once and will say it many
truth is that the user is likely not thinking about
insiders’ assistance and empower them with the
‘building trusted insiders.’
For one, there needs to be a mechanism in place that enables the ability to see, detect and
make it possible to not only understand when an employee makes a mistake, but also educate
This is where the power of teachable moments
into user behavior, it becomes possible to
available or reminders to stay within security
it occurs not only minimizes insider-related incidents and associated costs, but also prevents
It is by teaching — rather than just punishing or blocking — that it becomes possible to truly
trusted insiders.
70%
CREDENTIALS
SPOTLIGHT ON PERSONAL ACCOUNT ACCESS
SPOTLIGHT ON PRIVILEGED CREDENTIAL THEFT
Accessing personal accounts on corporate
percent of this year’s assessments found users
While phishing emails can — and do — make it
they have successfully compromised that user
control over the corporate device being used to
under the radar and hide their tracks as they
industry, this year’s assessments
security professionals try to protect and keep
are going to end up compromised and on the
increasingly stored in the cloud, this area of risk
responsible for more than $68 million
new malware strains, but also taking advantage
And when mistakes do happen, they can
Email is the common
vector used in phishing or
—2018 Data Breach
ONLY 35% OF ORGANIZATIONS HAVE COMPLETE VISIBILITY INTO WHICH INSIDERS HAVE BEEN GRANTED PRIVILEGED ACCESS.
AND ONLY 37% OF ORGANIZATIONS HAVE COMPLETE VISIBILITY INTO USER ACTIVITY TIED TO PRIVILEGED USER ACCOUNTS.
2018 Privileged Access Threat Report
any hope of catching them requires a comprehensive
understanding at represents normal behavior for
Here are a few indicators that Dtex analysts use
When a user is
example, in the middle of the night — that’s a
of their chosen accounts, in order to increase
“lives” on the network and then download and
Unusual use of hacking or lateral movement
want to move laterally throughout the network,
will do this by using hacking or lateral movement
GUIDANCE:
It takes an average of 73 DAYS to contain an insider-related incident.
SOURCE: 2018 Cost of Insider Threats Report
landscape of insider threat vendors to navigate, many that are fraught false
comprehensive insider threat defense — one that is just as advanced as the
TECHNOLOGIES
the presence of the human element … and the most
need not only for technologies that deliver visibility
As this report has shown, threats can come
know how systems are being accessed, how data is
has to be driven by technologies that understand behavioral context, know when events are normal
Insights needs to be available
quickly re-tuned without going through a laborious,
It’s no longer enough to only protect a
quickly deployed and managed, scale across vast
Security doesn’t need to come at the
threats can be detected without exposing users’
that allow collected data to be anonymized and
APPROACH
threats requires that we acknowledge that every
understanding users as individuals with unique
trend that Dtex analysts saw echoed throughout
As we’ve shown, the greatest security risks are
shortcuts, or simply trying to do their jobs more
to come at the expense of users or the rest of the
majority of American employees will support and accept monitoring that is conducted for security
approaches, and making the right tools and resources
while enabling their greatest assets — their users — to
-
The 2019 Insider Threat Intelligence Report data was drawn from the User Threat Assessments
spanned a wide variety of countries and industries, and ranged in size from midsize businesses to
20% 60% EMEA
35%
15% 10% LEGAL
10%
SERVICES
15%
15%
1–100: 20%
101–500: 25%
501–1000: 5%
1001–5000: 10%
5001–10,000: 20%
10,001+: 20%
20% APAC