If You See Something, Say Something
Tim Wilson, @darkreadingtim

This special digital issue on enterprise data leaks focuses on the technology of detecting and stopping insider threats. The technology element is critical to the prevention of data dumps like those perpetrated by the likes of Edward Snowden, but it’s also important to recognize that corporate culture plays a central role in stopping a big breach.

A decade ago, a DuPont research scientist named Gary Min was offered a job by a competitor in the chemical industry. Min decided that he might take a few DuPont files with him to his new job: about $400 million worth of trade secrets. He downloaded them late at night from his office computer. He carried out boxes and boxes of files from his building. In the end, he had to rent a separate apartment because his own place didn’t have room for all his stolen files.

How was Min caught? Through a routine IT audit of file transfers. Someone in IT finally noticed that Min had been downloading tens of thousands of documents to his work computer. Min, who had been with DuPont for 10 years and seldom worked late, had begun staying in his office all through the night, downloading files and making copies. Yet despite his unusual behavior, none of Min’s co-workers spoke up. No one wanted to get involved.

This is why corporate culture plays such an important role in stopping insider threats. In most companies, employees are told that if they see something, they should say something. But not enough companies take this advice seriously.

At most companies, employees want to avoid “ratting” on a fellow employee, and this is understandable. No one wants to be responsible for getting another person in trouble. And if Min had been stealing pencils or watching porn on his computer late at night, a look-the-other-way attitude would be acceptable. We all sometimes look away from what our fellow employees are doing, mostly because we don’t want them ratting on us for our occasional policy breaches.

But what Min was doing was not just out of bounds, it was out of character. He was in the office late, something he had rarely done in 10 years with the company. He was carrying boxes of files out to his car, using the copy machine at odd hours, downloading thousands of files from servers. It seems likely that he was seen doing these things — but never reported. And as a result, DuPont nearly lost $400 million of intellectual property.

Stopping leaks like those created by Min and Snowden will require tighter controls and better technology. But in the end, it also requires the vigilance of co-workers, and the willingness to report behavior that may threaten the safety of your enterprise data. Would your employees have reported Gary Min? The answer to that question may be critical to your defense against insider threats.

Tim Wilson is editor of DarkReading.com. Write to him at timothy.wilson@ubm.com.
December 2013 2
COVER STORY
Stop Data Leaks
The NSA breach showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats.
By Robert Lemos, @roblemos
As a contractor and low-level system administrator, Edward Snowden likely didn’t initially have access to the resources he needed to leak National Security Agency documents to the public. Instead, one theory is that, by convincing colleagues to give him their passwords — and by generating authentication keys that gave him access to NSA computers and servers — Snowden leveraged his relatively low status to explore the data troves inside the NSA.

That’s the conclusion of researchers at certificate management firm Venafi, which has been analyzing publicly released data about the NSA breach since it happened earlier this year. Reuters last month also reported that Snowden convinced colleagues to give him their logins and passwords by saying he needed them for his admin work. Neither the NSA nor Snowden has given details about how the former contractor was able to steal the classified data, but Venafi’s theory is that he “hopped from server to server using this technique, identifying the data that he wanted to exfiltrate,” says Venafi CEO Jeff Hudson. “He then moved the data from server to server, until he got to a point from where he could exfiltrate the information.”
Debate all you want about whether the NSA should have been monitoring American citizens, but no one is arguing the significance of Snowden’s huge data leak. The fallout shows that what makes a breach significant to the victim is not the volume of data stolen, but the importance of the data. Chelsea (formerly Bradley) Manning’s theft and leak of US State Department memos — more than 250,000 — was much larger, but it was the impact of those memos that counted.

And the threat is not unique to government agencies. Large companies — in fact, any business that relies on its intellectual property or trade secrets — could be at risk for a major data leak.

One large financial firm, for example, discovered that an internal developer purposely created code to let a cyber-criminal group in South America steal financial and account data. The developer created a subroutine that sent every new financial record to an email box, disguised as a quality-control measure that was accidentally left in the code, says Bryan Sartin, director of the Verizon RISK team.

“As the system was running and all this data that belonged to customers was siphoning through this database, it sent a copy of the information to him,” Sartin says. “It was incredible. We had to re-create his tracks to find the email inbox and link him to the actual breach.”

Venafi’s Hudson says large companies have an average of 17,000 digital keys tied to authentication — from certificates to SSH encryption keys — and, in many cases, they have few ways to manage the chaos, making them vulnerable to attack. “We want people to wake up and close these open doors,” Hudson says.

Insider-Outsider: Who Cares?

Companies spend the majority of their security resources preparing for attacks from external actors: hacktivists, cyber-criminals, and, in some cases, nation-state spies. About seven out of every eight IT security dollars are spent on perimeter defenses, according to Hewlett-Packard. This approach makes sense on one level: 92% of breaches involve external attackers, while only 14% have an insider component, Verizon’s 2013 Data Breach Investigations Report finds. (Some attacks involved insiders and outsiders, which is why the total figure is greater than 100%.) But three factors suggest companies should focus more on insiders than they do.
First, companies may be underreporting insider attacks, since employees know how to game the network’s defenses to avoid detection, or because malicious employee behavior may be hard to separate from regular behavior. Theft by employees, contractors, and suppliers also often goes unreported, since companies prefer to handle it internally rather than publicize a breach.
Second, not only are insider attacks more common than the stats suggest, they’re also more damaging on average than external attacks. “Insiders know where the dead bodies and crown jewels are,” says Craig Carpenter, senior VP of strategy for AccessData, a maker of e-discovery and computer forensics software. “And in most cases they have trusted access to what they are trying to get at.” And third, looking to stop insider threats is a good strategy for limiting the damage an outsider can do.

External attackers generally need time to hunt down critical information and determine which data is most important. Once they have been in the network for extended periods of time, their behavior starts to look like that of a malicious insider. One sophisticated group of Chinese attackers resided in the average victim’s network for 356 days, nearly a year, before being detected, according to a study of more than 140 attacks attributed to a single group and published in February by incident response firm Mandiant.

[Chart: Company Insiders Are Accounting For Fewer Breaches. In 2013, breaches connected with a person inside a company fell to 14% from a high of 48% in 2009. Series plotted by year: External, Internal, Partner. Data: Verizon’s “2013 Data Breach Investigations Report”]
To catch this type of insider attack, companies need internal visibility and controls that give employees access to the data they need while preventing them from accessing sensitive data that isn’t necessary for their work. Companies that find the right balance have a good chance of detecting potentially malicious insider behavior and, as a bonus, will be more prepared to detect outside attackers, because an outsider’s first action is to compromise an internal system and then compromise valid user credentials. Here are three steps to spot that kind of malicious insider activity, or outsiders attacking like rogue employees.
Step One: Visibility
Companies obviously need to allow workers data and app access to do their jobs, but to detect rogue behavior, they also need detailed knowledge of what those employees are doing. “You have to monitor and sniff all traffic at all endpoints at all times, and you need to flag anomalous behavior and activity,” says AccessData’s Carpenter. “You don’t need to necessarily shut it down, but you need to have a policy that any activities outside these bounds are unacceptable.”
Yeah right, you might be thinking. Getting visibility into user activity across the network in near real time is a massive project for large companies, and few small and midsize businesses have the resources to tackle the problem. But companies can start by tracking a few types of log data to get general visibility across the network. As they identify the most sensitive data, companies can expand their efforts to get focused intelligence on access to that most important information. “Start with more visibility, get eyes across the environment, and then focus on specific areas,” says Chris Petersen, chief technology officer for LogRhythm, a security information and event management provider. Understanding what provides the best insight will take time, “and you don’t want to be sitting on your hands while you are trying to do data discovery.”

Break The Insider’s Kill Chain

Traditionally, companies have designed their security to stop attackers at the perimeter. But security pros have started analyzing threats based on the seven steps attackers need to take before achieving their objective: the cybersecurity “kill chain.”

This technique attempts to pinpoint what attackers might do at each step of an operation and suggests defenses. The seven steps are reconnaissance of the target; creating, delivering, and executing the attack (three steps); establishing control over the compromised machine; communicating with the operator; and pursuing objectives.

Insiders have a distinct advantage in the kill chain. Reconnaissance is a low-risk endeavor since the worker is already gathering intelligence during the workday. The three subsequent steps may not be necessary, as a malicious insider already has access to a machine in the network.

Using kill chain analysis to head off malicious insiders also lets you detect the signs that an authorized user may be doing something beyond his or her authorization. “Companies need to develop indicators of compromise to catch the insider in the kill chain as early as possible,” says Tim Keanini, CTO with Lancope.

— Robert Lemos
Just monitoring network traffic isn’t enough; you also need to know what’s happening on specific devices, contends John Prisco, CEO of Triumfant, a maker of endpoint protection software. Unlike external attackers, internal attackers are most likely using a company-owned machine to conduct the attacks, so having data on what’s happening on those machines can be extremely helpful in detecting anomalous activity. Tracking endpoint use may let you model normal behavior and spot behavior outside the norm that could be malicious.

Protecting and monitoring endpoints becomes more difficult with bring-your-own-device programs. Companies that allow employee-owned devices on the corporate network should limit the data that employees can access on those personal devices, at least until appropriate data loss prevention technology has been deployed to monitor their activity, says Steve Hunt, president of database protection firm DB Networks.
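The approach the Step One sources describe (track a few types of log data, model each user’s normal behavior, flag what falls outside it) is small enough to show in a script. The following is an added example written for this page, not code from the article or from LogRhythm, Triumfant or AccessData. The log record layout, the user names and every log line are constructed; the rules it applies (downloads at an hour never seen in the user’s baseline, or a daily volume more than three standard deviations above the user’s mean) are this example’s own choices, not a vendor’s.

```python
"""Baseline-and-deviation check over file-access logs.

Added example (not code from the article or from any vendor it quotes):
builds a per-user profile of normal working hours and daily download
volume from a training window, then flags later days that fall outside
it.  The log format and every record are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Set

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
BASELINE_END = date(2013, 11, 1)   # events before this date train the profile


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    obj: str


@dataclass
class Profile:
    hours: Set[int]          # hours of day seen during the baseline window
    daily_counts: List[int]  # downloads per active day during the baseline


def parse_line(line: str) -> Event:
    """Record layout (constructed): '<timestamp> <user> <action> <object>'."""
    ts, user, action, obj = line.split(" ", 3)
    return Event(datetime.strptime(ts, TS_FORMAT), user, action, obj)


def build_sample_log() -> List[str]:
    """Constructed sample: two users spend three working weeks downloading a
    modest number of files in office hours, then one of them pulls 400
    documents between 01:00 and 04:00 on a single night."""
    lines = []
    start = date(2013, 10, 7)                      # a Monday
    for day in range(19):                          # Oct 7 .. Oct 25
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for user, count in (("rsmith", 12), ("jdoe", 8)):
            for i in range(count):
                hour, minute = 9 + (i * 7) % 8, (i * 13) % 60   # 09:00-16:59
                lines.append(f"{d.isoformat()}T{hour:02d}:{minute:02d}:00 "
                             f"{user} DOWNLOAD /research/doc-{day}-{i}.pdf")
    night = date(2013, 11, 5)
    for i in range(400):
        hour, minute = 1 + (i * 3) // 400, (i * 7) % 60        # 01:00-03:59
        lines.append(f"{night.isoformat()}T{hour:02d}:{minute:02d}:00 "
                     f"rsmith DOWNLOAD /research/archive-{i}.pdf")
    return lines


def build_profiles(events: List[Event], baseline_end: date) -> Dict[str, Profile]:
    """Normal behaviour per user from DOWNLOAD events before baseline_end."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == "DOWNLOAD" and e.ts.date() < baseline_end:
            hours[e.user].add(e.ts.hour)
            daily[e.user][e.ts.date()] += 1
    return {u: Profile(hours[u], list(daily[u].values())) for u in hours}


def detect(events: List[Event], profiles: Dict[str, Profile],
           baseline_end: date, k: float = 3.0, floor: int = 10) -> List[tuple]:
    """Flag (user, day, reasons) after the baseline when a user downloads at
    hours never seen in their baseline, or more than mean + k*stddev (+floor,
    so a perfectly regular baseline does not flag a single extra file)."""
    per_day = defaultdict(lambda: defaultdict(int))
    new_hours = defaultdict(set)
    for e in events:
        if e.action != "DOWNLOAD" or e.ts.date() < baseline_end:
            continue
        per_day[e.user][e.ts.date()] += 1
        prof = profiles.get(e.user)
        if prof and e.ts.hour not in prof.hours:
            new_hours[(e.user, e.ts.date())].add(e.ts.hour)
    findings = []
    for user, days in per_day.items():
        prof = profiles.get(user)
        for day, count in sorted(days.items()):
            reasons = []
            if prof is None:
                reasons.append("no baseline for this user")
            else:
                threshold = mean(prof.daily_counts) + k * pstdev(prof.daily_counts) + floor
                if count > threshold:
                    reasons.append(f"{count} downloads vs threshold {threshold:.0f}")
                if new_hours.get((user, day)):
                    reasons.append(f"activity at hours {sorted(new_hours[(user, day)])} "
                                   "never seen in baseline")
            if reasons:
                findings.append((user, day.isoformat(), reasons))
    return findings


def run_example() -> List[tuple]:
    events = [parse_line(line) for line in build_sample_log()]
    profiles = build_profiles(events, BASELINE_END)
    return detect(events, profiles, BASELINE_END)


if __name__ == "__main__":
    for user, day, reasons in run_example():
        print(f"{day} {user}: " + "; ".join(reasons))
```

The pattern this flags is the one both articles describe: a user whose volume and working hours change abruptly. A deployment would read the real log source instead of building one, persist the profiles, and tune k and the floor against a week or two of alerts before anyone acts on them; the point of the two separate reasons is that either signal alone is weak, while both on the same day is worth a human look.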
Step Two: Identify Key Data
While visibility can help flag the bad actors, rogue insiders can hide in the noise of day-to-day operations unless a significant analytics software deployment is brought to bear. A more cost-efficient approach is to focus on protecting the data that’s most critical to the business.

If business executives and security managers can come up with a list of the 10 data sets that are most core to the business, the leak prevention effort becomes much more manageable, says Eric Schou, director of product marketing for enterprise security products at Hewlett-Packard. While some companies can easily identify their crown jewels — e.g., source code for software vendors, exploration data for oil and gas firms, or the secret recipe for Coke — other companies may have trouble.

In addition to protecting the data itself — the secret recipe — security teams also should focus on the information that an attacker would need to get access to sensitive data, such as credentials, authentication keys, and privileged accounts. Zeroing in on any activity related to those areas can help a company keep tabs on accounts with the most dangerous permissions. The keys that Snowden theoretically used to jump from machine to machine are a perfect example of such information.
Step Three: Controls
Measuring intent is difficult. Is an employee being malicious, or breaking security policy inadvertently? Is the employee’s account being used by an external attacker? Yet separate from intent, companies must decide what behavior is risky to their business. The best ways to do that are to implement security controls that enforce policies, monitor critical data to detect anomalies, minimize the number of privileged employees, and remove unnecessary rights for workers who don’t need to access sensitive data or applications.

“It’s critical that companies contain information to the smallest group possible,” Hunt says. “Make sure that you have an audit record as well. While that will not protect the data, it will tell you who is accessing it and where it may have gone.”

Minimizing the privileges assigned to a worker might have saved global financial conglomerate UBS billions of dollars. Between 2008 and 2011, Kweku Adoboli, a trader at the firm, bypassed controls intended to separate the trading and approval functions and lost more than $2.3 billion. The bank’s CEO, Oswald Grübel, resigned following the incident, and UK authorities fined the bank nearly $48 million for its lack of adequate controls to stop what amounted to a hack of the trading process.

“The same risk and the same level of scrutiny is applicable, whether you are talking about business applications or business data,” warns Vick Viren Vaishnavi, CEO of Aveksa, a maker of identity and access management tools that was recently acquired by security giant RSA.
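The controls this section lists (enforce policy, minimize privileged users, remove unnecessary rights, keep an audit record) and the separation of trading and approval that failed at UBS can be put together in a few dozen lines. The following is an added example written for this page, not code from the article, Aveksa, DB Networks or any bank; the roles, user names, action names and trades are constructed, and the "unused privileges" review at the end is this example’s own illustration of removing rights a worker never needs.

```python
"""Least privilege, separation of duties, and an audit record.

Added example (not code from the article or from any vendor it quotes).
A small policy engine that grants only the actions a role needs, refuses
to let whoever submitted a trade also approve it, and records every
decision, allowed or denied, in an append-only audit list.  The roles,
users and trades are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Role -> permitted actions (constructed).  A desk head may submit or approve,
# but separation of duties below stops them doing both for the same trade.
ROLE_PERMISSIONS = {
    "trader":    {"trade:submit", "trade:view"},
    "approver":  {"trade:approve", "trade:view"},
    "desk_head": {"trade:submit", "trade:approve", "trade:view"},
    "auditor":   {"trade:view", "audit:read"},
}
USERS = {"tlee": "trader", "mgarcia": "approver", "dchen": "desk_head", "pkhan": "auditor"}


@dataclass
class Trade:
    trade_id: str
    submitted_by: str
    amount: float
    approved_by: Optional[str] = None


@dataclass
class AuditEntry:
    ts: str
    user: str
    action: str
    target: str
    allowed: bool
    reason: str


class PolicyEngine:
    def __init__(self, users: Dict[str, str], role_permissions: Dict[str, set]):
        self.users = users
        self.role_permissions = role_permissions
        self.trades: Dict[str, Trade] = {}
        self.audit: List[AuditEntry] = []   # append-only; never edited or pruned here

    def _record(self, user, action, target, allowed, reason) -> bool:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, action, target, allowed, reason))
        return allowed

    def _permitted(self, user, action) -> bool:
        """Least privilege: only actions granted to the user's role."""
        return action in self.role_permissions.get(self.users.get(user), set())

    def authorize(self, user, action, target="") -> bool:
        """Generic check for actions with no extra rule (view, audit:read)."""
        if not self._permitted(user, action):
            return self._record(user, action, target, False, f"role lacks {action}")
        return self._record(user, action, target, True, "granted by role")

    def submit_trade(self, user, trade_id, amount) -> bool:
        if not self._permitted(user, "trade:submit"):
            return self._record(user, "trade:submit", trade_id, False, "role lacks trade:submit")
        self.trades[trade_id] = Trade(trade_id, user, amount)
        return self._record(user, "trade:submit", trade_id, True, "submitted")

    def approve_trade(self, user, trade_id) -> bool:
        trade = self.trades.get(trade_id)
        if trade is None:
            return self._record(user, "trade:approve", trade_id, False, "unknown trade")
        if not self._permitted(user, "trade:approve"):
            return self._record(user, "trade:approve", trade_id, False, "role lacks trade:approve")
        # Separation of duties: submitter and approver must be different people,
        # however broad the submitter's role is.
        if trade.submitted_by == user:
            return self._record(user, "trade:approve", trade_id, False,
                                "separation of duties: submitter cannot approve own trade")
        trade.approved_by = user
        return self._record(user, "trade:approve", trade_id, True, "approved")

    def access_trail(self, trade_id) -> List[tuple]:
        """Who touched a trade and whether they were allowed: the audit record."""
        return [(e.user, e.action, e.allowed) for e in self.audit if e.target == trade_id]

    def unused_privileges(self) -> Dict[str, List[str]]:
        """Rights held but never successfully exercised in this audit window;
        candidates for removal in a least-privilege review."""
        used = {(e.user, e.action) for e in self.audit if e.allowed}
        return {u: sorted(a for a in self.role_permissions[r] if (u, a) not in used)
                for u, r in self.users.items()}


def run_example() -> PolicyEngine:
    """Constructed scenario exercising all three controls."""
    eng = PolicyEngine(USERS, ROLE_PERMISSIONS)
    eng.submit_trade("tlee", "T1", 2_500_000.0)     # allowed
    eng.approve_trade("tlee", "T1")                 # denied: trader role cannot approve
    eng.approve_trade("mgarcia", "T1")              # allowed
    eng.submit_trade("dchen", "T2", 900_000.0)      # allowed
    eng.approve_trade("dchen", "T2")                # denied: cannot approve own trade
    eng.approve_trade("mgarcia", "T2")              # allowed
    eng.authorize("pkhan", "audit:read", "T2")      # allowed: auditor reviews the trail
    return eng


if __name__ == "__main__":
    eng = run_example()
    for entry in eng.audit:
        print(f"{entry.ts} {entry.user:8} {entry.action:14} {entry.target:3} "
              f"{'ALLOW' if entry.allowed else 'DENY '} {entry.reason}")
    print("trail for T2:", eng.access_trail("T2"))
    print("unused privileges:", eng.unused_privileges())
```

Two design points match Hunt’s advice above. Denials are written to the audit list as well as allows, so the trail for a trade shows the attempt to self-approve, not just the eventual approval; and the audit list is the only input to the unused-privileges review, so rights that are never legitimately used (the desk head’s approve right here) surface on their own rather than waiting for someone to ask.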
Perhaps the most effective control, however, is to encourage employees to police their colleagues. Co-workers are more likely than technical tools to notice strange behavior and catch actions that might not set off other alarms. In Verizon’s 2013 Data Breach Investigations Report, employees reporting suspicious activities ranked as the No. 1 way that companies detected breaches internally.

Companies should educate employees on policies and highlight what suspicious activity looks like. For example, employees who report a phishing email campaign can help the IT group block the messages quickly before less-savvy people click on attachments and allow leaks. In addition, a group outside of the cadre of privileged users and system administrators should also audit those users’ activities. “If you look at some companies, you have the cops watching the cops,” says AccessData’s Carpenter. “You need to be using people outside of IT.”

Insider Attacks Take Longer To Resolve
Average number of days to resolve attack
Malicious insiders: 65.5
Malicious code: 49.8
Web-based attacks: 45.1
Denial-of-service: 19.9
Phishing and social engineering: 14.3
Stolen devices: 10.2
Malware: 6.7
Viruses, worms, and Trojans: 3.0
Botnets: 2.9
Data: Ponemon Institute’s “2013 Cost Of Cyber Crime Study: United States”

Sensitive Corporate Data Takes Hit In Breaches
What types of data were potentially compromised or breached in the past 12 months?
Personally identifiable information (name, address, phone, Social Security number): 22%
Intellectual property: 19%
Other personal data: 13%
Other sensitive corporate data: 12%
Authentication credentials (User IDs and passwords, other forms of credentials): 11%
Website defacement: 10%
Corporate financial data: 6%
Account numbers: 5%
Payment/credit card data: 3%
Don’t know: 8%
Data: Forrester Research’s “Understand The State Of Data Security And Privacy: 2012 To 2013” report on 583 North American and European IT security decision-makers at companies that have had a breach in the past 12 months
Companies that give employees more understanding of malicious behavior, identify the most critical data, and implement controls to protect that data have a much better chance of discovering insider leaks before they do damage. Once companies detect insider activity, such incidents are much easier to investigate and stop. “When we do get an inside job, we always find out who it is,” says Verizon’s Sartin.

But companies frequently miss potential threats because they aren’t monitoring for changes in behavior. “It may be the same IP address or user account that goes from good actor to bad actor, and the question is, ‘When did that happen?’ ” says Tim Keanini, CTO for Lancope, a network security and application monitoring provider. If that change happened on your network today, would you know? Too many companies can’t answer yes to that question.

Robert Lemos is a veteran technology journalist and former research engineer. Write to us at editors@darkreading.com.
Copyright 2013 UBM LLC. All rights reserved.