Blog

Tag: encrypt sensitive data

The Best Defense Against Insider Threats

One of the most critical skills information security groups have is the ability to proactively find threats in their environment – a process known as hunting.  Great hunting is the combination of deep knowledge about your environment with the ability to understand the details of changes that take place in real time.  Knowledge is the greatest advantage information security professionals have when determining the best defense against an adversary.

Attackers must have extensive knowledge about your infrastructure to find weak spots to exploit.  You have an advantage by knowing what the normal patterns of behavior are for your users and systems.

Look at the activity patterns in your typical office.  People come into work at about the same time every day and access the same resources.  Deviations from these patterns do not always indicate malicious intent, but they are worth investigating.  For instance, if a contractor in Legal is opening a lot of sensitive documents on her laptop and she typically only opens a few per day, someone should investigate further.  This is the crux of hunting: combining knowledge about your environment with observations of current activity to help determine when something is wrong.

Hunting is the process of sifting through these behaviors and identifying which ones are suspicious and which ones are malicious.  Let’s take the previous example and look into it further.  The contractor’s manager may have asked her to review a lot of sensitive documents for analysis because the company is involved in an acquisition.  A quick phone call to the Legal department may reveal this and you can conclude this activity is legitimate.  If no one is aware of this activity, you may have uncovered malicious activity.

Printing is another great example that many companies overlook.  Depending on the department, users may print a certain number of documents every day.  If someone in Finance, for example, starts printing 5 times his normal volume, this is an anomaly worth investigating.  Again, it may be legitimate, but it may be that someone is stealing a lot of sensitive information.

A lot of things happen on your networks and you need to focus on what is important.  Users access a lot of sensitive data every day to do their jobs.  This may include intellectual property, personally identifiable information (PII) and sensitive financial data.  Encrypting it and controlling access to this information is one way to protect it, but you also need to understand how users use it.  Since users need legitimate access to sensitive information, you must understand their normal usage patterns.  If you see anomalies, like access attempts from strange locations, maybe someone clicked on a link in a phishing email and some malicious person is exfiltrating a lot of sensitive information.  Once you identify suspicious behavior, you need to determine whether it’s malicious or not.

Protect your most sensitive data and understand normal usage patterns so you can determine anomalies.  Once detected, you can take action to help stop an insider attack before it causes damage.

Photo credit Vince

Fasoo would have stopped the leak of CIA documents

WikiLeaks recently obtained and released thousands of sensitive documents showing the Central Intelligence Agency’s (CIA) arsenal of hacking tools, malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

Unfortunately, this is not a Shakespearean play, but a real-life data breach that will have huge consequences for the security of the US government.  This information supposedly came from a secure location inside the CIA and raises a lot of questions about cybersecurity.  If an agency that should be focused on security can have this problem, what other problems may lurk in other parts of the government?

Like other major data breaches, this has raised familiar concerns about insider threats, the importance of a robust breach detection and response capability, and protecting the most sensitive information inside your organization.  I’m sure the CIA has implemented basic security hygiene, but clearly they didn’t protect the data itself from malicious or unintentional exposure.

How did someone gain access to a supposedly super-secure network deep inside the CIA’s Center for Cyber Intelligence facility?  I don’t believe it was an external hack, but more likely a trusted insider or at least the help of someone inside the CIA.

The issue is that many people have and need legitimate access to numerous enterprise systems and sensitive data to do their jobs.  Organizations need to know what sensitive data they have, where it is, who has access to it and how it’s used in their own environment and in external environments.  It’s also important to understand what normal levels of data access are, so you can identify anomalies.  If an analyst in the CIA normally views 10 sensitive documents a day, but all of a sudden is viewing 100, there may be an issue.
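A minimal version of the baseline-versus-anomaly check both posts describe (the Legal contractor opening far more documents than usual, the Finance user printing several times his normal volume, the analyst jumping from 10 documents a day to 100), written as an added example rather than code from the posts or from Fasoo. The audit-line format, the user names and the daily counts are constructed; the 5x factor is the one the first post uses for printing.

```python
from collections import defaultdict
from statistics import median

def constructed_log():
    """Constructed audit trail in an assumed '<date> <user> <action> <resource>' format.
    contractor1 normally opens a few documents a day, then opens 40 on 2017-03-10;
    finance1 prints a steady half-dozen a day (no anomaly)."""
    daily = {
        ("contractor1", "open"): {"2017-03-06": 3, "2017-03-07": 2, "2017-03-08": 4,
                                  "2017-03-09": 3, "2017-03-10": 40},
        ("finance1", "print"):   {"2017-03-06": 6, "2017-03-07": 5, "2017-03-08": 7,
                                  "2017-03-09": 6, "2017-03-10": 7},
    }
    lines = []
    for (user, action), days in daily.items():
        for day, n in days.items():
            lines += [f"{day} {user} {action} doc-{i}" for i in range(n)]
    return lines

def daily_counts(lines):
    """Aggregate raw audit lines into {(user, action): {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        date, user, action, _resource = line.split(maxsplit=3)
        counts[(user, action)][date] += 1
    return counts

def find_anomalies(lines, target_date, factor=5.0, min_baseline_days=3):
    """Flag (user, action) pairs whose count on target_date is at least `factor`
    times the median of their earlier daily counts. The median is the 'knowledge
    of normal' the hunt relies on; pairs without enough history are skipped
    rather than guessed at. Returns [(user, action, today_count, baseline)]."""
    flagged = []
    for (user, action), per_day in daily_counts(lines).items():
        history = [n for d, n in per_day.items() if d < target_date]  # ISO dates sort as strings
        if len(history) < min_baseline_days:
            continue
        baseline = median(history)
        today = per_day.get(target_date, 0)
        if today >= factor * baseline:
            flagged.append((user, action, today, baseline))
    return flagged

if __name__ == "__main__":
    for user, action, today, baseline in find_anomalies(constructed_log(), "2017-03-10"):
        print(f"investigate: {user} {action} x{today} today, median {baseline}/day before")
```

A hit is a lead for the phone call the first post describes, not a verdict; the Legal department may confirm the activity is legitimate.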

The best way to protect sensitive documents is by encrypting them and providing a way to always monitor and control their access, regardless of their location.  If the CIA had implemented a data-centric approach to protecting this sensitive information, they could have limited file access to specific people and audited that access at all times.  If the documents were stolen or leaked, unauthorized people couldn’t access the information inside the files; they would have a bunch of random bits that would be useless.  If an internal security person determined that privileged insiders shouldn’t have access to specific files, they could immediately remove their access, regardless of where the file is located.

Insider breaches highlight the constant struggle within enterprises to choose between security and productivity.  Implementing solutions to address both effectively is clearly the best approach.
