White Paper

The Insider Threat
How Privileged Users Put Critical Data at Risk

Vormetric, Inc.
2545 N. 1st Street, San Jose, CA 95131
United States: 888.267.3732
United Kingdom: +44.118.949.7711
South Korea: +82.2.2190.3830
[email protected]
www.vormetric.com


Executive Overview

In the summer of 2013, the conviction and sentencing of an Army Private brought to a close an espionage trial involving the greatest leak of sensitive information in US history. The database breach in the WikiLeaks case led President Obama to sign an executive order intended to address the insider threat. Among other things, it created an inter-agency task force and urged federal employees to observe their coworkers and flag questionable behavior or circumstances.

Eight months into the program, federal prosecutors charged a system administrator, a former employee of a defense contractor, with espionage for disclosing details of a top-secret NSA anti-terrorist surveillance program.

The implications of this incident go beyond the risk of trusted employees going rogue. It raises the question of how even the formidable resources of the US government have not prevented insiders from accessing data that was never intended for their use.

With insider-related fraud up 43% in 2012, traditional security approaches are clearly not working. Data loss prevention (DLP) systems, Internet monitoring tools and other controls are failing to stop a growing number of data breaches linked to insiders.

And the costs of these breaches can be staggering. They include everything from legal and remediation expenditures to soft costs such as damage to agency reputation or corporate brand from exposing customer, consumer or citizen confidential information or private data. What's more, every business is a target of some kind of threat. According to the Verizon 2013 Data Breach Investigations Report, espionage attacks in particular are no longer confined to government agencies, military departments and defense contractors, but also hit manufacturing companies as well as IT and professional organizations. Most of these attacks target intellectual property, trade secrets and technical resources with the goal of furthering the attackers' national and economic interests.

Part of the problem stems from the fact that privileged users, such as root and system administrators, hold the keys to the kingdom. In essence, their passwords and other credentials bring unchecked access to all data in the environment. And by no means does a breach require a privileged user with ill intent. Security professionals have witnessed an alarming rise in advanced persistent threats (APTs) and other malware that seek to gain access to sensitive data by "becoming" the insider. According to the Verizon report, a remarkable 76% of network intrusions involved weak or stolen credentials.

Additionally, many agencies in the public sector have focused on external threats (e.g., rogue states and criminal gangs) while ignoring employees and contractors. Essentially, they don't attempt to protect against the insider threat until they are compromised, because they don't believe insiders are the problem.

"If you don't have vigorous security oversight, you tend to fall into the trap like a lot of organizations do, that we will not have a problem and everything will work out fine."

— Robert Bigman, former CIA CISO


This white paper discusses the growing insider risks. It also covers how organizations become breached, whether by internal users through malicious or benign actions or by external threats that acquire the credentials of trusted insiders. It touches on how organizations can limit privileged users' access to data so that, in either case, sensitive information does not leave the organization in an unencrypted state. Finally, it shows how organizations can implement technologies that protect data by decrypting only at the point of use and setting rules on who can see unencrypted data.

When the Outsider Becomes the Insider

Not all insider threats come from inside the organization. Various security industry studies have reported what most IT professionals are facing in the trenches every day: an alarming increase in both the number and sophistication of attacks. Many of these, from APTs to a new breed of phishing schemes, look to steal data or compromise networks by pirating the credentials of privileged insiders.

So-called Phishing 2.0, which some in the industry loosely refer to as spear phishing, is particularly insidious. Most IT professionals have discounted the risks of phishing, assuming that their users, especially those with access to important data, have enough awareness not to fall for cheap fakes of company emails and websites. However, well-financed and highly motivated attackers now use reconnaissance to target specific individuals or groups of individuals. For example, cyber criminals, nation states or hacktivists may gather information from company websites or social media to custom-tailor the attacks with personalized details designed to elicit trust from the intended victim. They use other advanced techniques as well: putting up and taking down phishing sites too quickly for detection, obfuscating URLs, and creating slick, branded emails and bogus websites that effectively masquerade as the genuine article. The result? In 2012, six of 10 companies* fell victim to phishing attacks.

These and other types of targeted attacks are not limited to stealing data. Some intend to cause harm or achieve a military advantage. According to a new Department of Homeland Security report, the energy sector is reporting a huge increase in the number of attempted cyber attacks during 2013. The report mentions an "emerging cyber threat actor" involved in intrusions into both the energy and manufacturing sectors.

Since nation-states around the world have recognized the advantage of infiltrating the energy infrastructure of potential adversaries, this represents an alarming risk of insider attack. If attackers could obtain the credentials of privileged insiders, and escalate those credentials, they could gain access to critical systems and disrupt them or, in the extreme case, take down the entire grid.

He clicked on what?

One false click is all it takes for an unwitting user to fall victim to today's advanced phishing attacks. With no ill intent, your users could compromise their credentials or allow an APT onto your network.


Or, an attacker could leave behind an APT that slowly and stealthily steals information, or sleeps and activates when needed. These advanced threats also enable attackers to steal the credentials of trusted insiders, giving them access to the network and systems. When you consider that, on average, advanced attacks remain on the network for 243 days before being detected, the national security threat becomes readily apparent.

For example, the authors of the most recent Mandiant report believe a unit of the People's Liberation Army controls a major APT group. They not only track the operators to their base in China but also cite evidence that the APT is controlled by actual people behind a keyboard and that it has systematically stolen hundreds of terabytes of data from at least 141 organizations (http://intelreport.mandiant.com/?gclid=CLjsn9nryLgCFWyCQgodgF8AJA).

Clearly, for the type of confidential information that attackers such as these want, stealing it and then attempting to break strong encryption is not practical. They would rather obtain the credentials and passwords of insiders, thereby gaining access to unencrypted data on backend systems or in transit.

It doesn't require a malicious or complicit insider for these attacks to succeed. The culprits can range from employees circumventing security policies to human error (which includes taking the bait in a phishing scheme). Traditional network and endpoint security solutions typically fail to stop these new threats. For example, today's widely deployed signature-based endpoint security products typically do not stop zero-day threats, either because a signature is not yet available or because it has not been downloaded. In fact, research shows that 100% of organizations suffering insider breaches had up-to-date AV in place.

The Risk of Trusted Users Having Uncontrolled Access

Many businesses and government agencies have focused on external threats while ignoring employees and contractors. However, in the public sector, for example, recent data from Federal Computer Week (FCW) shows that 37% of threats come from employees or contractors of government agencies.

These organizations are often surprised to find that the fox was guarding the hen house. The majority of IP theft is committed by current male employees averaging about 37 years of age who serve in trusted positions such as engineers or scientists, managers and programmers. Privileged users, especially systems, domain or network administrators, are a special concern because of the complete access to systems and their associated data that typically comes with these roles. Misuse of privileged access can cause serious security breaches through human error, malicious intent, or by enabling an external threat to use insider privileges. Losses can include classified information, user private data, and intellectual property.

243: the number of days an advanced attack goes unnoticed.
– Mandiant 2013 Threat Report

100% of breaches had perimeter security in place.
– Mandiant 2013 Threat Report

"I've been a systems engineer, systems administrator … When you're in positions of privileged access like a systems administrator for the intelligence community, you're exposed to a lot more information on a broader scale than the average employee."

— Edward Snowden, former infrastructure analyst at the NSA, June 2013


Despite the many attempts to mitigate the impact of insider breaches, they have stubbornly refused to subside. Not surprisingly, according to the FCW research, concern about insider threats is widespread among agency executives. The source of these worries runs the gamut from exposure of sensitive information to system sabotage to lack of forensics.

[Figure: FCW survey of agency executives]

Statement                                                              Agree strongly   Agree somewhat
We are deeply concerned that privileged user access (Root, Sysadmin,   24%              40%
etc.) presents a high-risk target to be compromised
Most of our internal IT security threats are innocent mistakes         20%              39%
without malicious intent

Insider-threat concern                    Share of respondents
Exposure of sensitive data                66%
Theft of data or intellectual property    62%
Trusted/privileged user abuse             61%
Advanced Persistent Threats (APT)         54%
Introduction of malware                   54%
System sabotage                           45%
Lack of forensics                         43%
Compromised user accounts                 31%


Cloud and Virtualization Expand Insider Risks

Increasing use of virtualization environments as well as public, private and hybrid clouds also adds to insider risks. Beyond the potential insider threats already found in traditional enterprise data centers, new roles for virtualization, cloud and storage administrators are now added. Organizations pursue these environments because of the game-changing flexibility, economic benefits and new business opportunities they enable, but each new solution adds to the number and type of privileged users and other insiders who may be able to access sensitive data. Even physical access to the machines housing your critical data changes. Within a traditional data center, access is completely under your control, whereas in a cloud environment you may not even know the physical location of your data.

Big Data, Big Risk

The trend to larger data sets stems from the additional information that is now derivable from analysis of large sets of related data, as compared to traditional siloed smaller data sets. These correlations allow government agencies or businesses to spot trends that would not otherwise be apparent. While this analysis of so-called Big Data revolutionizes everything from spotting consumer trends to fighting crime, it also compounds the security risks and compliance challenges.

Imagine, for example, a thief who robs gas stations. For any one gas station, the risk is limited to losing the money in the cash register or the on-premises safe. Now picture the risk involved in a single robbery of the bank vault where all the gas stations in a small city deposit their cash. Clearly Big Data makes a big difference.

Also, in the first example it is the counterperson, a relatively low-level employee, who presents the most risk as an insider. At the bank, it might be a bank manager or regional manager who could cause the most damage. Conversely, with Big Data it is not the C-level person but a relatively low-level employee, the system administrator, who has full access to the large data set and yet has no good reason to use that data. In an era of large cloud-based applications and other Big Data trends involving third parties, organizations need to consider how to protect against unrestricted access by root and system administrators.

Mitigating the Insider Threat: A real-world analogy

Now, let's extrapolate the bank analogy to insider risks broadly in government agencies, public institutions and enterprises. Suppose you need to store some valuables, so you decide to check out two banks in your neighborhood.

The first bank has a shiny vault with a big lock. When the manager opens the vault, you see valuables stuffed in the empty spaces where safe deposit boxes would normally be. There is a maintenance man dusting off jewelry and other valuables. A surveillance camera installed inside the vault is not powered on. When a customer arrives, a bank employee puts the customer's items in a basket, and then walks across the lobby with the basket's contents in full view of the other customers.

You leave bank one somewhat dumbfounded and walk down the street to the second bank. It too has a shiny vault with a big lock. Inside the vault each customer has a safe deposit box. Video surveillance watches 24x7 both inside and outside the vault. There is a maintenance man inside the vault changing a light, but he had to pass a biometric scan to get in. So even if someone had learned the combination and dressed as a maintenance man, that person would have been denied access. When a customer comes to access a safe deposit box, a bank employee slides the box out still locked and carries it to a cubicle where the customer opens it in privacy using his or her own key.


At which bank would you feel comfortable leaving your valuables? For agencies and enterprises, becoming more like the second bank, i.e., mitigating the insider threat, requires a data-centric approach to protecting sensitive information.

Implement Data-Centric Security: Firewall your data

The only way to effectively thwart the insider threat is by firewalling your data: encrypting data in storage, setting up rules that determine who and what can see the data, capturing for analysis all information about data access (and data access attempts), and integrating these capabilities with the rest of your security and IT infrastructure. This data-centric approach to security can enable privileged users to do their jobs (maintaining systems, adding accounts, performing backups, installing applications) without having access to any protected data.

Data-centric security also reduces your attack surface from both malicious insiders and compromised accounts. This involves implementing policy-based control of access to sensitive information, wherever it resides, to prevent access to data by unauthorized users and processes. In addition to reducing the attack surface by combining policy-based access controls with encryption, policies also need to map back to your existing identity management solutions (Active Directory, eDirectory, etc.) and work seamlessly with any multi-factor authentication solutions already in place. This capability lets you further reduce risk by isolating management of data security to specific groups, domains or tenants within your infrastructure. As a result, unauthorized users and processes will not be permitted to see the source data. An effective data-centric solution should also raise alerts on unauthorized attempts at access. And it should record and analyze access by authorized users, looking for patterns that may indicate an account has been compromised.

A data-centric solution further needs to put the controls and protections directly around the target, your data. This means putting protections around OS and file system data, data within databases and other repositories, and data that resides in backups and disaster recovery locations as well. Wherever critical data lives is where you need the protection.

Ultimately, the goal of data-centric security is to reduce the risks from privileged users as well as to meet compliance and specific legal requirements for data protection. The tasks performed by privileged users to maintain, repair and initiate systems meet real enterprise needs. You cannot eliminate these functions or the roles that perform them. Instead, you need a method of enabling these users to perform their tasks while removing their ability to view private and confidential data. Additionally, when a user or system has a legitimate need to access this sensitive data, you need to make the information available while still identifying anomalous usage patterns, which may indicate that the account was compromised.

Data-centric security should also function in a transparent way that does not break your existing business and operational processes. This means enabling critical system processes to continue without exposing data. For instance, at the file system and volume level, the metadata and file system structure should be visible to administrators and backup programs, but where encryption with access control is part of the solution, data should never be decrypted for these accounts and processes. This allows them to operate without risk to data. At the same time, processes and users that legitimately require access (such as a database process reading a database table file) should receive unencrypted data.

Performance is also critical. The solution should not cause noticeable degradation in response times or SLAs.
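The transparency point above, that root and the backup tool keep working while only the database process ever sees plaintext, is easier to reason about with a concrete model. The Go program below is an added example written for this page; it is not code from the white paper or from Vormetric's product. It holds each protected file as AES-256-GCM ciphertext, evaluates a first-match policy on the requesting OS account and calling binary, returns plaintext, ciphertext or a refusal accordingly, and records every attempt for the SIEM. The account names, binary paths, file paths and policy rules are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Request is one attempt by a process, running as an OS account, on a protected path.
type Request struct{ User, Process, Path, Op string }

// Rule is one policy line; "*" matches anything. Effect is "permit" (decrypt),
// "permit-ciphertext" (allow the read but return ciphertext: root, backup, storage admins) or "deny".
type Rule struct{ User, Process, PathPrefix, Op, Effect string }

// AccessEvent is what goes to the SIEM: every attempt, whatever the outcome.
type AccessEvent struct{ User, Process, Path, Op, Effect string }

// DataFirewall keeps each file as nonce||AES-256-GCM ciphertext in store.
type DataFirewall struct {
	aead  cipher.AEAD
	rules []Rule
	store map[string][]byte
	Log   []AccessEvent
}

func NewDataFirewall(key []byte, rules []Rule) (*DataFirewall, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &DataFirewall{aead: aead, rules: rules, store: map[string][]byte{}}, err
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// Evaluate applies the first matching rule and logs the attempt. No match is a
// deny, so an account nobody wrote a rule for never sees plaintext by accident.
func (fw *DataFirewall) Evaluate(r Request) string {
	effect := "deny"
	for _, rule := range fw.rules {
		if match(rule.User, r.User) && match(rule.Process, r.Process) &&
			match(rule.Op, r.Op) && strings.HasPrefix(r.Path, rule.PathPrefix) {
			effect = rule.Effect
			break
		}
	}
	fw.Log = append(fw.Log, AccessEvent{r.User, r.Process, r.Path, r.Op, effect})
	return effect
}

// Write accepts plaintext only from "permit" callers and seals it under a fresh nonce,
// binding the path as associated data so a ciphertext copied over another file fails to decrypt.
func (fw *DataFirewall) Write(r Request, plaintext []byte) error {
	if fw.Evaluate(r) != "permit" {
		return fmt.Errorf("write denied for %s via %s", r.User, r.Process)
	}
	nonce := make([]byte, fw.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	fw.store[r.Path] = fw.aead.Seal(append([]byte{}, nonce...), nonce, plaintext, []byte(r.Path))
	return nil
}

// Read returns plaintext for "permit", the stored bytes unchanged for "permit-ciphertext"
// (so backups and copies keep working), or an error.
func (fw *DataFirewall) Read(r Request) ([]byte, error) {
	blob, ok := fw.store[r.Path]
	if !ok {
		return nil, errors.New("no such file")
	}
	switch fw.Evaluate(r) {
	case "permit":
		n := fw.aead.NonceSize()
		return fw.aead.Open(nil, blob[:n], blob[n:], []byte(r.Path))
	case "permit-ciphertext":
		return append([]byte{}, blob...), nil
	}
	return nil, fmt.Errorf("read denied for %s via %s", r.User, r.Process)
}

// Policy is constructed for the example: only the database binary, running as its
// service account, gets plaintext; backup and root get ciphertext; nobody else anything.
var Policy = []Rule{
	{"oracle", "/u01/app/oracle/bin/oracle", "/data/db/", "*", "permit"},
	{"backup", "/usr/bin/rsync", "/data/", "read", "permit-ciphertext"},
	{"root", "*", "/", "read", "permit-ciphertext"},
}

func main() {
	key := make([]byte, 32) // would come from the key manager, never sit beside the data
	rand.Read(key)
	fw, _ := NewDataFirewall(key, Policy)
	_ = fw.Write(Request{"oracle", "/u01/app/oracle/bin/oracle", "/data/db/customers.dbf", "write"}, []byte("John Smith 401 Main Street Apt 2076"))
	ct, _ := fw.Read(Request{"root", "/usr/bin/cat", "/data/db/customers.dbf", "read"})
	fmt.Printf("root got %d bytes of ciphertext; access log: %+v\n", len(ct), fw.Log)
}
```

Run as is, the program writes a customer record as the database service account and reads it back as root: root gets the whole file, so copies and backups still work, but only as ciphert​ext. The detail worth noticing is the default. A request that matches no rule is denied and still logged, so a new account or a new binary never obtains plaintext until someone writes a rule for it, and a rule keyed on the calling binary as well as the account is what stops root from simply switching to the service account with a shell. A real agent enforces this in the kernel's file-system path rather than in a user-space map, and fetches the key from a separate key manager.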


So how do you Firewall your Data?

Putting a firewall around your data requires high-performance encryption along with access controls and visibility into access to your protected data and to your security management environment. This requires:

Access Policies and Privileged User Control – Granular, policy-based access controls that restrict access to encrypted data and are linked to identity and access management, so that data is decrypted only for authorized users and processes.

Encryption and Key Management – The first requirement is to lock down data using strong industry-standard algorithms, with centrally managed encryption and key management that enables compliance, is transparent to processes, applications and users, and is easy to manage and implement.

Security Intelligence – Information about all access attempts to protected data, and to your security management infrastructure, provides high-value security intelligence that can be fed to a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.

Automation – To roll out quickly and integrate with existing infrastructure, APIs and interfaces should provide programmatic access for policy management, deployment and monitoring. The ability to adjust policy dynamically based on real-time threat analysis should also be present.

Multi-tenancy – For managed service providers, outsourcers, cloud providers and others that support external customers with their offerings, the ability to secure data easily, and to let customers control encryption keys and encryption policies within co-mingled multi-tenant environments, is a basic requirement. Enterprises that require strong isolation between business units have the same needs.
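The Security Intelligence requirement above, and the earlier point that changing access patterns of legitimately permitted accounts are themselves a signal, can be made concrete. The Go program below is an added example written for this page, not part of the white paper or of any product. It reads a constructed JSON access log of the kind a data firewall would ship to a SIEM, builds a per-account baseline from a day believed to be clean, and then flags three patterns in the next day: repeated denied attempts, plaintext obtained through a binary the account never used before, and an account touching far more distinct files than its own history supports. The account names, paths, thresholds and log format are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of the data firewall's JSON access log (a format constructed for this example).
type Event struct {
	At     time.Time `json:"at"`
	User   string    `json:"user"`
	Proc   string    `json:"proc"`
	Path   string    `json:"path"`
	Effect string    `json:"effect"` // permit, permit-ciphertext or deny
}

// Profile summarises one account over a window: binaries that obtained plaintext,
// distinct files reached, and how often policy refused it.
type Profile struct {
	Procs  map[string]bool
	Files  map[string]bool
	Denies int
}

func Profiles(events []Event) map[string]*Profile {
	out := map[string]*Profile{}
	for _, e := range events {
		p := out[e.User]
		if p == nil {
			p = &Profile{Procs: map[string]bool{}, Files: map[string]bool{}}
			out[e.User] = p
		}
		if e.Effect == "deny" {
			p.Denies++
			continue
		}
		if e.Effect == "permit" {
			p.Procs[e.Proc] = true
		}
		p.Files[e.Path] = true // permit or permit-ciphertext: the file was reached
	}
	return out
}

// Detect compares the window under review against a baseline from a clean period and
// reports three signs of a compromised or abused account: repeated refusals, plaintext
// obtained through a binary the account never used before (root switching to the
// service account looks like this), and far more files reached than its own history.
func Detect(live, base map[string]*Profile, denyLimit, rateFactor int) []string {
	var alerts []string
	for user, p := range live {
		if p.Denies >= denyLimit {
			alerts = append(alerts, fmt.Sprintf("%s: %d denied access attempts (limit %d)", user, p.Denies, denyLimit))
		}
		b := base[user]
		for proc := range p.Procs {
			if b == nil || !b.Procs[proc] {
				alerts = append(alerts, fmt.Sprintf("%s: plaintext access via %s, never seen in baseline", user, proc))
			}
		}
		if b != nil && len(p.Files) > rateFactor*len(b.Files) {
			alerts = append(alerts, fmt.Sprintf("%s: %d distinct files vs %d in baseline", user, len(p.Files), len(b.Files)))
		}
	}
	sort.Strings(alerts) // deterministic order for the SIEM and for tests
	return alerts
}

// Analyze learns from events stamped before cutoff and scores the rest.
func Analyze(log string, cutoff time.Time, denyLimit, rateFactor int) ([]string, error) {
	var train, live []Event
	dec := json.NewDecoder(strings.NewReader(log))
	for dec.More() {
		var e Event
		if err := dec.Decode(&e); err != nil {
			return nil, err
		}
		if e.At.Before(cutoff) {
			train = append(train, e)
		} else {
			live = append(live, e)
		}
	}
	return Detect(Profiles(live), Profiles(train), denyLimit, rateFactor), nil
}

// SampleLog is constructed: 1 Aug is the clean learning day, 2 Aug the day under review.
const SampleLog = `
{"at":"2013-08-01T09:02:11Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/customers.dbf","effect":"permit"}
{"at":"2013-08-01T09:05:40Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/orders.dbf","effect":"permit"}
{"at":"2013-08-01T09:31:02Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/index01.dbf","effect":"permit"}
{"at":"2013-08-01T23:00:07Z","user":"backup","proc":"/usr/bin/rsync","path":"/data/db/customers.dbf","effect":"permit-ciphertext"}
{"at":"2013-08-02T02:04:18Z","user":"oracle","proc":"/bin/bash","path":"/data/db/customers.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:03Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/orders.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:04Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/index01.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:05Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/index02.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:06Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/users.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:07Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/undo01.dbf","effect":"permit"}
{"at":"2013-08-02T02:05:08Z","user":"oracle","proc":"/u01/app/oracle/bin/oracle","path":"/data/db/temp01.dbf","effect":"permit"}
{"at":"2013-08-02T03:15:30Z","user":"jsmith","proc":"/bin/cat","path":"/data/db/customers.dbf","effect":"deny"}
{"at":"2013-08-02T03:16:20Z","user":"jsmith","proc":"/bin/bash","path":"/data/db/customers.dbf","effect":"deny"}
`

func main() {
	alerts, _ := Analyze(SampleLog, time.Date(2013, 8, 2, 0, 0, 0, 0, time.UTC), 2, 2)
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

On the sample the program raises three alerts: jsmith is refused twice, the oracle service account obtained plaintext through /bin/bash (a binary absent from its baseline, which is what a privileged user switching to the service account looks like at the file system), and that account reached seven distinct files against a baseline of three. Two design choices matter more than the thresholds. Denied attempts are counted per account rather than discarded, because a policy refusal is the earliest evidence that a credential is being used by someone who does not know what it is allowed to touch, and permit-ciphertext events count toward file volume, because a backup account suddenly sweeping the whole data set is worth a look even though it never saw plaintext.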

Vormetric meets these needs

The data-centric Vormetric security solution provides all the capabilities and attributes required to protect against insider threats by firewalling your data. In addition to providing industry-leading key management and high-performance encryption, it is:

Transparent – No changes are required to business processes, applications or user data access. Privileged users and those without data access rights never see protected information; data is decrypted only for the accounts and circumstances defined by policy. This allows systems management and other tasks to continue without risk to data.

Strong – With policy-driven enforcement of access to encrypted data, industry-standard AES-256 encryption, the ability to prevent privileged users from seeing unencrypted data (while still being able to perform their jobs), and the intelligence to tell whether privileged users are masquerading as a user that has permitted access, the solution provides the strength to protect file system and volume data in depth.

Efficient – Vormetric Encryption is a high-performance, low-overhead solution that leverages the AES-NI hardware encryption instructions built into Intel x86 processors. The result is minimal change to response times for operational processes.

Easy to Deploy – Deployments take days to weeks, not weeks to months, across physical systems, cloud, Big Data and virtualized environments, and are easy to manage and easy to understand.


Summary/Recommendations

The success of IT professionals in protecting the perimeter has spawned a new generation of attackers, from organized gangs to nation states, that are out to get the credentials of your privileged users and to exploit the carelessness of insiders to infiltrate your network with APTs and other malware.

In addition, recent high-profile incidents have emphasized the danger of relatively low-level employees and contractors going rogue and stealing critical data for financial gain, industrial espionage, or political motivations.

Traditional perimeter and endpoint defenses do not address this threat; you must make sure data within your network perimeter is secure. Insiders, or outsiders masquerading as insiders using stolen credentials, must not be able to access critical data in an unencrypted state either on systems or in transit. Insiders have required roles in maintaining and managing your infrastructure, and they must be able to perform their jobs without risk to data. You must also closely monitor the actions of accounts and applications with legitimate data access needs, as unusual access patterns can indicate that these accounts and applications have been compromised. Consolidation of data in the cloud adds further complications, with expanded privileged user roles for cloud providers and changes to physical access that can create additional risk if data access is not properly controlled and managed. Big Data scenarios add further to the potential risks, as the exponentially larger data sets can create a security and compliance nightmare without the right protections.

How do you provide this protection for your organization? It is critical to narrow the attack surface by taking a data-centric approach to security, by firewalling your data. With a data firewall, even if insiders gain access to systems and networks, they cannot see the data in an unencrypted state, but can continue to do their jobs. Likewise, APTs and other threats that use trusted insiders' credentials to gain privileged access are thwarted from stealing sensitive information. With a data firewall, you'll know quickly if an account is compromised, as it attempts unauthorized access or as its access patterns to protected information change. You'll even be able to see attacks against the security management infrastructure for your sensitive data, as they too are reported.

"With commercial tools, such as Vormetric, you can actually give certain people certain access without root-level privileges. You can encrypt your data in storage to set up roles of who actually gets to see the data. The admins can do their jobs, and they don't get access to any data files."

— Robert Bigman, former CIA CISO, GovInfoSecurity, June 21, 2013

[Figure: the data firewall. Approved processes and users (the database, the application, the end user) pass through the FS agent and volume agent that sit on the file systems and volume managers, and see the record "John Smith 401 Main Street Apt 2076". Privileged users (root, DB, SA) reaching the same storage see only ciphertext ("*&^$ !@#)( ~|" +_)? $%~:>>"). Every access attempt is allowed or blocked by policy and the data encrypted or decrypted accordingly. The Vormetric Data Security Management Environment holds the access and encryption policies, links management and users to an LDAP server, feeds access logs to SIEM systems as security intelligence, and provides automation for policy integration, deployment and management.]


Considering the changes to the threat landscape, with attacks that can stay on your network for months or even years, using compromised accounts to mine your most critical data assets, as well as the enlarged risks from your own privileged users to your key IP and legally protected information, the time to implement a data-centric solution for protecting critical data assets is now.

About Vormetric

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1200 customers, including 17 of the Fortune 25 and many of the world's most security-conscious government organizations, to meet compliance requirements and protect what matters, their sensitive data, from both internal and external threats. The company's scalable solution suite protects any file, any database and any application, anywhere it resides, with a high-performance, market-leading data firewall that incorporates application-transparent encryption, privileged user access controls, automation and security intelligence.

Copyright © 2013 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric.
