Stop Data Leaks

darkreading.com, December 2013

The NSA data breach showed that one rogue insider can do massive damage. Is your information safe from internal threats?

By Robert Lemos

Plus: If you see something, say something


DARK DOMINION

If You See Something, Say Something

Tim Wilson, @darkreadingtim

This special digital issue on enterprise data leaks focuses on the technology of detecting and stopping insider threats. The technology element is critical to the prevention of data dumps like those perpetrated by the likes of Edward Snowden, but it’s also important to recognize that corporate culture plays a central role in stopping a big breach.

A decade ago, a DuPont research scientist named Gary Min was offered a job by a competitor in the chemical industry. Min decided that he might take a few DuPont files with him to his new job: about $400 million worth of trade secrets. He downloaded them late at night from his office computer. He carried out boxes and boxes of files from his building. In the end, he had to rent a separate apartment because his own place didn’t have room for all his stolen files.

How was Min caught? Through a routine IT audit of file transfers. Someone in IT finally noticed that Min had been downloading tens of thousands of documents to his work computer. Min, who had been with DuPont for 10 years and seldom worked late, had begun staying in his office all through the night, downloading files and making copies. Yet despite his unusual behavior, none of Min’s co-workers spoke up. No one wanted to get involved.

This is why corporate culture plays such an important role in stopping insider threats. In most companies, employees are told that if they see something, they should say something. But not enough companies take this advice seriously.

At most companies, employees want to avoid “ratting” on a fellow employee, and this is understandable. No one wants to be responsible for getting another person in trouble. And if Min had been stealing pencils or watching porn on his computer late at night, a look-the-other-way attitude would be acceptable. We all sometimes look away from what our fellow employees are doing, mostly because we don’t want them ratting on us for our occasional policy breaches.

But what Min was doing was not just out of bounds, it was out of character. He was in the office late, something he had rarely done in 10 years with the company. He was carrying boxes of files out to his car, using the copy machine at odd hours, downloading thousands of files from servers. It seems likely that he was seen doing these things — but never reported. And as a result, DuPont nearly lost $400 million of intellectual property.

Stopping leaks like those created by Min and Snowden will require tighter controls and better technology. But in the end, it also requires the vigilance of co-workers, and the willingness to report behavior that may threaten the safety of your enterprise data. Would your employees have reported Gary Min? The answer to that question may be critical to your defense against insider threats.

Tim Wilson is editor of DarkReading.com. Write to him at [email protected].

COVER STORY

Stop Data Leaks

The NSA breach showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats.

By Robert Lemos, @roblemos

As a contractor and low-level system administrator, Edward Snowden likely didn’t initially have access to the resources he needed to leak National Security Agency documents to the public. Instead, one theory is that, by convincing colleagues to give him their passwords — and by generating authentication keys that gave him access to NSA computers and servers — Snowden leveraged his relatively low status to explore the data troves inside the NSA.

That’s the conclusion of researchers at certificate management firm Venafi, which has been analyzing publicly released data about the NSA breach since it happened earlier this year. Reuters last month also reported that Snowden convinced colleagues to give him their logins and passwords by saying he needed them for his admin work. Neither the NSA nor Snowden has given details about how the former contractor was able to steal the classified data, but Venafi’s theory is that he “hopped from server to server using this technique, identifying the data that he wanted to exfiltrate,” says Venafi CEO Jeff Hudson. “He then moved the data from server to server, until he got to a point from where he could exfiltrate the information.”

Debate all you want about whether the NSA should have been monitoring American citizens, but no one is arguing the significance of Snowden’s huge data leak. The fallout shows that what makes a breach significant to the victim is not the volume of data stolen, but the importance of the data. Chelsea (formerly Bradley) Manning’s theft and leak of US State Department memos — more than 250,000 — was much larger, but it was the impact of those memos that counted.

And the threat is not unique to government agencies. Large companies — in fact, any business that relies on its intellectual property or trade secrets — could be at risk for a major data leak.

One large financial firm, for example, discovered that an internal developer purposely created code to let a cyber-criminal group in South America steal financial and account data. The developer created a subroutine that sent every new financial record to an email box, disguised as a quality-control measure that was accidentally left in the code, says Bryan Sartin, director of the Verizon RISK team.

“As the system was running and all this data that belonged to customers was siphoning through this database, it sent a copy of the information to him,” Sartin says. “It was incredible. We had to re-create his tracks to find the email inbox and link him to the actual breach.”

Venafi’s Hudson says large companies have an average of 17,000 digital keys tied to authentication — from certificates to SSH encryption keys — and, in many cases, they have few ways to manage the chaos, making them vulnerable to attack. “We want people to wake up and close these open doors,” Hudson says.

Insider-Outsider: Who Cares?

Companies spend the majority of their security resources preparing for attacks from external actors: hacktivists, cyber-criminals, and, in some cases, nation-state spies. About seven out of every eight IT security dollars are spent on perimeter defenses, according to Hewlett-Packard. This approach makes sense on one level: 92% of breaches involve external attackers, while only 14% have an insider component, Verizon’s 2013 Data Breach Investigations Report finds. (Some attacks involved insiders and outsiders, which is why the total figure is greater than 100%.) But three factors suggest companies should focus more on insiders than they do.

First, companies may be underreporting insider attacks, since employees know how to game the network’s defenses to avoid detection, or because malicious employee behavior may be hard to separate from regular behavior. Theft by employees, contractors, and suppliers also often goes unreported, since companies prefer to handle it internally rather than publicize a breach.

Second, not only are insider attacks more common than the stats suggest, they’re also more damaging on average than external attacks. “Insiders know where the dead bodies and crown jewels are,” says Craig Carpenter, senior VP of strategy for AccessData, a maker of e-discovery and computer forensics software. “And in most cases they have trusted access to what they are trying to get at.”

And third, looking to stop insider threats is a good strategy for limiting the damage an outsider can do. External attackers generally need time to hunt down critical information and determine which data is most important. Once they have been in the network for extended periods of time, their behavior starts to look like a malicious insider’s. One sophisticated group of Chinese attackers resided in the average victim’s network for 356 days, nearly a year, before being detected, according to a study of more than 140 attacks attributed to a single group and published in February by incident response firm Mandiant.

To catch this type of insider attack, companies need internal visibility and controls that give employees access to the data they need while preventing them from accessing sensitive data that isn’t necessary for their work. Companies that find the right balance have a good chance of detecting potentially malicious insider behavior and, as a bonus, will be more prepared to detect outside attackers, because an outsider’s first action is to compromise an internal system and then compromise valid user credentials. Here are three steps to spot that kind of malicious insider activity, or outsiders attacking like rogue employees.

[Chart: Company Insiders Are Accounting For Fewer Breaches. Share of breaches involving external / internal / partner actors across five consecutive annual Verizon reports (year labels did not survive extraction): 78% / 39% / 6%; 72% / 48% / 6%; 86% / 12% / 2%; 98% / 4% / 1%; 92% / 14% / 1%. In 2013, breaches connected with a person inside a company fell to 14% from a high of 48% in 2009. Data: Verizon’s “2013 Data Breach Investigations Report”]

Step One: Visibility

Companies obviously need to allow workers data and app access to do their jobs, but to detect rogue behavior, they also need detailed knowledge of what those employees are doing. “You have to monitor and sniff all traffic at all endpoints at all times, and you need to flag anomalous behavior and activity,” says AccessData’s Carpenter. “You don’t need to necessarily shut it down, but you need to have a policy that any activities outside these bounds are unacceptable.”

Yeah right, you might be thinking. Getting visibility into user activity across the network in near real time is a massive project for large companies, and few small and midsize businesses have the resources to tackle the problem. But companies can start by tracking a few types of log data to get general visibility across the network. As they identify the most sensitive data, companies can expand their efforts to get focused intelligence on access to that most important information. “Start with more visibility, get eyes across the environment, and then focus on specific areas,” says Chris Petersen, chief technology officer for LogRhythm, a security information and event management provider. Understanding what provides the best insight will take time, “and you don’t want to be sitting on your hands while you are trying to do data discovery.”

Just monitoring network traffic isn’t enough; you also need to know what’s happening on specific devices, contends John Prisco, CEO of Triumfant, a maker of endpoint protection software. Unlike external attackers, internal attackers are most likely using a company-owned machine to conduct the attacks, so having data on what’s happening on those machines can be extremely helpful in detecting anomalous activity. Tracking endpoint use may let you model normal behavior and spot behavior outside the norm that could be malicious.
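As an added illustration of the "model normal behavior, then flag what falls outside it" approach described in the paragraphs above (example code written for this page, not tooling from the article, AccessData, LogRhythm or Triumfant): the script below builds each user's typical daily download volume and usual working hours from a window of file-access audit logs, then scores a single day against that baseline, much as the IT audit in the DuPont case caught bulk overnight downloads. The log line format, the user names and every event are constructed; the thresholds volume_factor and offhours_share are assumptions a real deployment would tune.

```python
"""
Baseline-and-deviation check over file-access audit logs.
Added example: log format, users and events are constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Assumed log format: ISO timestamp, user, action, document id.
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) doc=(\S+)$")


def parse_log(text):
    """Parse audit lines into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, doc = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "doc": doc})
    return events


def build_baseline(events):
    """Per user: median downloads per active day and the hours they usually work."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for e in events:
        if e["action"] != "download":
            continue
        per_day[e["user"]][e["ts"].date()] += 1
        hours[e["user"]].add(e["ts"].hour)
    return {user: {"median_daily": median(days.values()), "hours": hours[user]}
            for user, days in per_day.items()}


def score_day(day_events, baseline, volume_factor=5, offhours_share=0.5):
    """Return (user, reason) alerts for one day's downloads against the baseline."""
    by_user = defaultdict(list)
    for e in day_events:
        if e["action"] == "download":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        base = baseline.get(user)
        if base is None:
            # A never-seen account pulling documents deserves its own look.
            alerts.append((user, "no baseline for this user"))
            continue
        reasons = []
        if len(evs) > volume_factor * base["median_daily"]:
            reasons.append(f"volume {len(evs)} vs median {base['median_daily']:g}")
        off = sum(1 for e in evs if e["ts"].hour not in base["hours"])
        if off / len(evs) >= offhours_share:
            reasons.append(f"{off}/{len(evs)} downloads outside usual hours")
        if reasons:
            alerts.append((user, "; ".join(reasons)))
    return alerts


def run_review(log_text, review_day):
    """Baseline on everything before review_day (ISO date), then score that day."""
    target = date.fromisoformat(review_day)
    events = parse_log(log_text)
    history = [e for e in events if e["ts"].date() < target]
    today = [e for e in events if e["ts"].date() == target]
    return score_day(today, build_baseline(history))


def constructed_log():
    """Constructed sample: a week of daytime activity for three users, then a
    review day on which one user pulls 40 documents late in the evening."""
    lines = []
    for day in range(4, 9):  # 2013-11-04 .. 2013-11-08, ordinary working days
        for user, n in (("alice", 3), ("bob", 2), ("carol", 4)):
            for i in range(n):
                lines.append(f"2013-11-{day:02d}T{9 + 2 * i:02d}:15:00 "
                             f"user={user} action=download doc=D-{day}-{i}")
    for i in range(3):  # alice has a normal review day
        lines.append(f"2013-11-11T{9 + 2 * i:02d}:15:00 user=alice action=download doc=R-{i}")
    for i in range(40):  # bob downloads 40 documents between 20:00 and 23:59
        lines.append(f"2013-11-11T{20 + i // 10:02d}:{(i * 3) % 60:02d}:00 "
                     f"user=bob action=download doc=X-{i:03d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, why in run_review(constructed_log(), "2013-11-11"):
        print(f"ALERT {user}: {why}")
```

Run as a script it reports one alert, for the constructed user bob. The off-hours test uses the set of hours actually seen in the baseline rather than a fixed nine-to-five window, so night-shift staff do not trip it; the volume test compares against the user's own median rather than a company-wide number, since a researcher and a receptionist have very different normal days.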

Protecting and monitoring endpoints becomes more difficult with bring-your-own-device programs. Companies that allow employee-owned devices on the corporate network should limit the data that employees can access on those personal devices, at least until appropriate data loss prevention technology has been deployed to monitor their activity, says Steve Hunt, president of database protection firm DB Networks.

Break The Insider’s Kill Chain

Traditionally, companies have designed their security to stop attackers at the perimeter. But security pros have started analyzing threats based on the seven steps attackers need to take before achieving their objective: the cyber-security “kill chain.”

This technique attempts to pinpoint what attackers might do at each step of an operation and suggests defenses. The seven steps are reconnaissance of the target; creating, delivering, and executing the attack (three steps); establishing control over the compromised machine; communicating with the operator; and pursuing objectives.

Insiders have a distinct advantage in the kill chain. Reconnaissance is a low-risk endeavor since the worker is already gathering intelligence during the workday. The three subsequent steps may not be necessary, as a malicious insider already has access to a machine in the network.

Using kill chain analysis to head off malicious insiders also lets you detect the signs that an authorized user may be doing something beyond his or her authorization. “Companies need to develop indicators of compromise to catch the insider in the kill chain as early as possible,” says Tim Keanini, CTO with Lancope. — Robert Lemos

Step Two: Identify Key Data

While visibility can help flag the bad actors, rogue insiders can hide in the noise of day-to-day operations unless a significant analytics software deployment is brought to bear. A more cost-efficient approach is to focus on protecting the data that’s most critical to the business.

If business executives and security managers can come up with a list of the 10 data sets that are most core to the business, the leak prevention effort becomes much more manageable, says Eric Schou, director of product marketing for enterprise security products at Hewlett-Packard. While some companies can easily identify their crown jewels — e.g., source code for software vendors, exploration data for oil and gas firms, or the secret recipe for Coke — other companies may have trouble.

In addition to protecting the data itself — the secret recipe — security teams also should focus on the information that an attacker would need to get access to sensitive data, such as credentials, authentication keys, and privileged accounts. Zeroing in on any activity related to those areas can help a company keep tabs on accounts with the most dangerous permissions. The keys that Snowden theoretically used to jump from machine to machine are a perfect example of such information.
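The paragraph above singles out authentication keys as information worth watching, and Venafi's figure of 17,000 keys with "few ways to manage the chaos" says why. As an added example (written for this page, not Venafi's or the article's tooling), here is a small audit of SSH authorized_keys files against a key register: it reports keys that are not registered, keys whose registered owner has left, keys on privileged accounts that carry no from= source restriction, and a single key authorized on several accounts. The register layout, account names and key material are constructed, and the parser handles the real authorized_keys line shape (optional options field, key type, base64 blob, optional comment).

```python
"""
Audit SSH authorized_keys material against a key register.
Added example: register layout, accounts and key blobs are constructed.
"""
import re
from collections import defaultdict

# Matches the key-type/blob/comment tail of an authorized_keys line; anything
# before the match is the options field, which may hold quoted spaces and commas.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)

# Constructed key material (not real keys).
ALICE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAliceExampleKeyMaterial0000000000000000"
BOB_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIBobExampleKeyMaterial00000000000000000"
CI_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCiExampleUnregisteredKeyMaterial00"

# Constructed key register: blob -> owner and status. A real register would be
# keyed by fingerprint; the blob is used here to keep the example self-contained.
INVENTORY = {
    ALICE_KEY: {"owner": "alice", "status": "active"},
    BOB_KEY: {"owner": "bob", "status": "departed"},
}

# Constructed authorized_keys contents per account.
AUTHORIZED_KEYS = {
    "root": (
        f'from="10.0.0.5",command="/usr/local/bin/backup run" ssh-ed25519 {ALICE_KEY} alice@jump\n'
        f"ssh-ed25519 {BOB_KEY} bob@laptop\n"
    ),
    "deploy": (
        "# CI deploy key\n"
        f"ssh-rsa {CI_KEY} ci@builder\n"
        f"ssh-ed25519 {ALICE_KEY} alice@jump\n"
    ),
}
PRIVILEGED = {"root", "deploy"}  # accounts whose keys get the strict checks


def parse_authorized_keys(text):
    """Return one dict per key line; comments and blank lines are skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line; a production audit would report it
        keys.append({
            "options": line[:m.start()].strip(),
            "type": m.group("type"),
            "blob": m.group("blob"),
            "comment": (m.group("comment") or "").strip(),
        })
    return keys


def has_source_restriction(options):
    """True if the options field pins the key to source addresses (from=)."""
    return re.search(r'(^|,)from="', options) is not None


def audit(authorized_keys, inventory, privileged):
    """Return (account, key label, finding) tuples for everything worth a look."""
    findings = []
    seen_on = defaultdict(set)  # blob -> accounts that trust it
    for account, text in authorized_keys.items():
        for k in parse_authorized_keys(text):
            label = k["comment"] or k["blob"][:16]
            seen_on[k["blob"]].add(account)
            entry = inventory.get(k["blob"])
            if entry is None:
                findings.append((account, label, "key not in inventory"))
            elif entry["status"] != "active":
                findings.append((account, label, f"owner {entry['owner']} is {entry['status']}"))
            if account in privileged and not has_source_restriction(k["options"]):
                findings.append((account, label, "privileged account key has no from= restriction"))
    for blob, accounts in seen_on.items():
        if len(accounts) > 1:
            owner = inventory.get(blob, {}).get("owner", "unknown")
            findings.append(("*", owner, "same key authorized on " + ", ".join(sorted(accounts))))
    return findings


if __name__ == "__main__":
    for account, label, finding in audit(AUTHORIZED_KEYS, INVENTORY, PRIVILEGED):
        print(f"{account:8s} {label:12s} {finding}")
```

The departed-owner check is the one that matters most in practice: a leaver's key that stays in root's authorized_keys is exactly the kind of "open door" the article quotes Hudson on, and no amount of network monitoring will show it until it is used.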

Insider Attacks Take Longer To Resolve

Average number of days to resolve an attack, by type:

Malicious insiders                  65.5
Malicious code                      49.8
Web-based attacks                   45.1
Denial-of-service                   19.9
Phishing and social engineering     14.3
Stolen devices                      10.2
Malware                              6.7
Viruses, worms, and Trojans          3.0
Botnets                              2.9

Data: Ponemon Institute’s “2013 Cost Of Cyber Crime Study: United States”

Step Three: Controls

Measuring intent is difficult. Is an employee being malicious, or breaking security policy inadvertently? Is the employee’s account being used by an external attacker? Yet separate from intent, companies must decide what behavior is risky to their business. The best ways to do that are to implement security controls that enforce policies, monitor critical data to detect anomalies, minimize the number of privileged employees, and remove unnecessary rights for workers who don’t need to access sensitive data or applications.

“It’s critical that companies contain information to the smallest group possible,” Hunt says. “Make sure that you have an audit record as well. While that will not protect the data, it will tell you who is accessing it and where it may have gone.”

Minimizing the privileges assigned to a worker might have saved global financial conglomerate UBS billions of dollars. Between 2008 and 2011, Kweku Adoboli, a trader at the firm, bypassed controls intended to separate the trading and approval functions and lost more than $2.3 billion. The bank’s CEO, Oswald Grübel, resigned following the incident, and UK authorities fined the bank nearly $48 million for its lack of adequate controls to stop what amounted to a hack of the trading process.

“The same risk and the same level of scrutiny is applicable, whether you are talking about business applications or business data,” warns Vick Viren Vaishnavi, CEO of Aveksa, a maker of identity and access management tools that was recently acquired by security giant RSA.

Perhaps the most effective control, however, is to encourage employees to police their colleagues. Co-workers are more likely than technical tools to notice strange behavior and catch actions that might not set off other alarms. In Verizon’s 2013 Data Breach Investigations Report, employees reporting suspicious activities ranked as the No. 1 way that companies detected breaches internally.

Companies should educate employees on policies and highlight what suspicious activity looks like. For example, employees who report a phishing email campaign can help the IT group block the messages quickly before less-savvy people click on attachments and allow leaks. In addition, a group outside of the cadre of privileged users and system administrators should also audit those users’ activities. “If you look at some companies, you have the cops watching the cops,” says AccessData’s Carpenter. “You need to be using people outside of IT.”

Companies that give employees more understanding of malicious behavior, identify the most critical data, and implement controls to protect that data have a much better chance of discovering insider leaks before they do damage. Once companies detect insider activity, they’re much easier to investigate and stop. “When we do get an inside job, we always find out who it is,” says Verizon’s Sartin.

But companies frequently miss potential threats because they aren’t monitoring for changes in behavior. “It may be the same IP address or user account that goes from good actor to bad actor, and the question is, ‘When did that happen?’” says Tim Keanini, CTO for Lancope, a network security and application monitoring provider. If that change happened on your network today, would you know? Too many companies can’t answer yes to that question.
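The controls Step Three recommends (enforce policy, minimize privilege, keep an audit record that says who touched what) and the UBS lesson about separating the trading and approval functions fit in a few dozen lines. This is an added example written for this page, not code from the article, UBS or Aveksa; the role names, the Trade record and the audit layout are assumptions. The "dual" user is there to make one point the UBS case turns on: a role check alone would let someone holding both roles approve their own trade, so the desk also refuses approval by the submitter regardless of role, and records the refusal.

```python
"""
Separation-of-duties control with an append-only audit record.
Added example: roles, the Trade record and the audit layout are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed role assignments. Least privilege: traders submit, approvers
# approve, and nobody needs both. "dual" exists to show why a role check
# alone is not a separation-of-duties control.
ROLES = {
    "trader1": {"trader"},
    "trader2": {"trader"},
    "risk1": {"approver"},
    "dual": {"trader", "approver"},
}


@dataclass
class Trade:
    trade_id: str
    submitted_by: str
    notional: float
    approved_by: Optional[str] = None


class TradeDesk:
    def __init__(self, roles):
        self.roles = roles
        self.trades = {}
        # Every decision, allowed or denied, is appended here and never edited:
        # (UTC timestamp, actor, action, trade_id, outcome)
        self.audit = []

    def _record(self, actor, action, trade_id, outcome):
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           actor, action, trade_id, outcome))
        return outcome == "allowed"

    def _has_role(self, user, role):
        return role in self.roles.get(user, set())

    def submit(self, user, trade_id, notional):
        if not self._has_role(user, "trader"):
            return self._record(user, "submit", trade_id, "denied: not a trader")
        if trade_id in self.trades:
            return self._record(user, "submit", trade_id, "denied: duplicate trade id")
        self.trades[trade_id] = Trade(trade_id, user, notional)
        return self._record(user, "submit", trade_id, "allowed")

    def approve(self, user, trade_id):
        trade = self.trades.get(trade_id)
        if trade is None:
            return self._record(user, "approve", trade_id, "denied: unknown trade")
        if not self._has_role(user, "approver"):
            return self._record(user, "approve", trade_id, "denied: not an approver")
        if user == trade.submitted_by:  # separation of duties, independent of roles
            return self._record(user, "approve", trade_id, "denied: submitter cannot approve")
        if trade.approved_by is not None:
            return self._record(user, "approve", trade_id, "denied: already approved")
        trade.approved_by = user
        return self._record(user, "approve", trade_id, "allowed")

    def history(self, trade_id):
        """Who acted on this trade, in order: the 'who is accessing it' record."""
        return [(actor, action, outcome)
                for _, actor, action, tid, outcome in self.audit if tid == trade_id]


if __name__ == "__main__":
    desk = TradeDesk(ROLES)
    desk.submit("trader1", "T-1", 1_000_000.0)
    desk.approve("trader1", "T-1")   # denied: trader role lacks approval right
    desk.approve("risk1", "T-1")     # allowed
    desk.submit("dual", "T-2", 250_000.0)
    desk.approve("dual", "T-2")      # denied: same person submitted it
    for entry in desk.audit:
        print(entry)
```

Denied attempts are recorded alongside allowed ones on purpose: a trader repeatedly trying to approve their own trades is exactly the change in behavior the article says most companies fail to notice, and the audit list is what lets a group outside the privileged users review it.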

Robert Lemos is a veteran technology journalist and former research engineer. Write to us at [email protected].

Sensitive Corporate Data Takes Hit In Breaches

What types of data were potentially compromised or breached in the past 12 months?

Personally identifiable information (name, address, phone, Social Security number)   22%
Intellectual property                                                                 19%
Other personal data                                                                   13%
Other sensitive corporate data                                                        12%
Authentication credentials (user IDs and passwords, other forms of credentials)       11%
Website defacement                                                                    10%
Corporate financial data                                                               6%
Account numbers                                                                        5%
Payment/credit card data                                                               3%
Don’t know                                                                             8%

Data: Forrester Research’s “Understand The State Of Data Security And Privacy: 2012 To 2013” report on 583 North American and European IT security decision-makers at companies that have had a breach in the past 12 months

Copyright 2013 UBM LLC. All rights reserved.