Stop Data Leaks
darkreading.com
DECEMBER 2013
Data Leaks
STOP Data Leaks: The NSA data breach showed that one rogue insider can do massive damage. Is your information safe from internal threats? By Robert Lemos
PLUS: If you see something, say something
This special digital issue on enterprise data leaks focuses on the technology of detecting and stopping insider threats. The technology element is critical to the prevention of data dumps like those perpetrated by the likes of Edward Snowden, but it’s also important to recognize that corporate culture plays a central role in stopping a big breach.
A decade ago, a DuPont research scientist named Gary Min was offered a job by a competitor in the chemical industry. Min decided that he might take a few DuPont files with him to his new job: about $400 million worth of trade secrets. He downloaded them late at night from his office computer. He carried out boxes and boxes of files from his building. In the end, he had to rent a separate apartment because his own place didn’t have room for all his stolen files.
How was Min caught? Through a routine IT audit of file transfers. Someone in IT finally noticed that Min had been downloading tens of thousands of documents to his work computer. Min, who had been with DuPont for 10 years and seldom worked late, had begun staying in his office all through the night, downloading files and making copies. Yet despite his unusual behavior, none of Min’s co-workers spoke up. No one wanted to get involved.
This is why corporate culture plays such an important role in stopping insider threats. In most companies, employees are told that if they see something, they should say something. But not enough companies take this advice seriously.
At most companies, employees want to avoid “ratting” on a fellow employee, and this is understandable. No one wants to be responsible for getting another person in trouble. And if Min had been stealing pencils or watching porn on his computer late at night, a look-the-other-way attitude would be acceptable. We all sometimes look away from what our fellow employees are doing, mostly because we don’t want them ratting on us for our occasional policy breaches.
But what Min was doing was not just out of bounds, it was out of character. He was in the office late, something he had rarely done in 10 years with the company. He was carrying boxes of files out to his car, using the copy machine at odd hours, downloading thousands of files from servers. It seems likely that he was seen doing these things — but never reported. And as a result, DuPont nearly lost $400 million of intellectual property.
Stopping leaks like those created by Min and Snowden will require tighter controls and better technology. But in the end, it also requires the vigilance of co-workers, and the willingness to report behavior that may threaten the safety of your enterprise data. Would your employees have reported Gary Min? The answer to that question may be critical to your defense against insider threats.
Tim Wilson is editor of DarkReading.com. Write to him at [email protected].
DARK DOMINION: If You See Something, Say Something
Tim Wilson, @darkreadingtim
COVER STORY: STOP Data Leaks
By Robert Lemos (@roblemos)
The NSA breach showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats.

As a contractor and low-level system administrator, Edward Snowden likely didn’t initially have access to the resources he needed to leak National Security Agency documents to the public. Instead, one theory is that, by convincing colleagues to give him their passwords — and by generating authentication keys that gave him access to NSA computers and servers — Snowden leveraged his relatively low status to explore the data troves inside the NSA.

That’s the conclusion of researchers at certificate management firm Venafi, which has been analyzing publicly released data about the NSA breach since it happened earlier this year. Reuters last month also reported that Snowden convinced colleagues to give him their logins and passwords by saying he needed them for his admin work. Neither the NSA nor Snowden has given details about how the former contractor was able to steal the classified data, but Venafi’s theory is that he “hopped from server to server using this technique, identifying the data that he wanted to exfiltrate,” says Venafi CEO Jeff Hudson. “He then moved the data from server to server, until he got to a point from where he could exfiltrate the information.”
Debate all you want about whether the NSA should have been monitoring American citizens, but no one is arguing the significance of Snowden’s huge data leak. The fallout shows that what makes a breach significant to the victim is not the volume of data stolen, but the importance of the data. Chelsea (formerly Bradley) Manning’s theft and leak of US State Department memos — more than 250,000 — was much larger, but it was the impact of those memos that counted.
And the threat is not unique to government agencies. Large companies — in fact, any business that relies on its intellectual property or trade secrets — could be at risk for a major data leak.
One large financial firm, for example, discovered that an internal developer purposely created code to let a cyber-criminal group in South America steal financial and account data. The developer created a subroutine that sent every new financial record to an email box, disguised as a quality-control measure that was accidentally left in the code, says Bryan Sartin, director of the Verizon RISK team.
“As the system was running and all this data that belonged to customers was siphoning through this database, it sent a copy of the information to him,” Sartin says. “It was incredible. We had to re-create his tracks to find the email inbox and link him to the actual breach.”
Venafi’s Hudson says large companies have an average of 17,000 digital keys tied to authentication — from certificates to SSH encryption keys — and, in many cases, they have few ways to manage the chaos, making them vulnerable to attack. “We want people to wake up and close these open doors,” Hudson says.
Insider-Outsider: Who Cares?
Companies spend the majority of their security resources preparing for attacks from external actors: hacktivists, cyber-criminals, and, in some cases, nation-state spies. About seven out of every eight IT security dollars are spent on perimeter defenses, according to Hewlett-Packard. This approach makes sense on one level: 92% of breaches involve external attackers, while only 14% have an insider component, Verizon’s 2013 Data Breach Investigations Report finds. (Some attacks involved insiders and outsiders, which is why the total figure is greater than 100%.) But three factors suggest companies should focus more on insiders than they do.
First, companies may be underreporting insider attacks, since employees know how to game the network’s defenses to avoid detection, or because malicious employee behavior may be hard to separate from regular behavior. Theft by employees, contractors, and suppliers also often goes unreported, since companies prefer to handle it internally rather than publicize a breach.
Second, not only are insider attacks more common than the stats suggest, they’re also more damaging on average than external attacks. “Insiders know where the dead bodies and crown jewels are,” says Craig Carpenter, senior VP of strategy for AccessData, a maker of e-discovery and computer forensics software. “And in most cases they have trusted access to what they are trying to get at.”
And third, looking to stop insider threats is a good strategy for limiting the damage an outsider can do.
External attackers generally need time to hunt down critical information and determine which data is most important. Once they have been in the network for extended periods of time, their behavior starts to look like a malicious insider. One sophisticated group of Chinese attackers resided in the average victim’s network for 356 days, nearly a year, before being detected, according to a study of more than 140 attacks attributed to a single group and published in February by incident response firm Mandiant.
To catch this type of insider attack, companies need internal visibility and controls that give employees access to the data they need while preventing them from accessing sensitive data that isn’t necessary for their work. Companies that find the right balance have a good chance of detecting potentially malicious insider behavior and, as a bonus, will be more prepared to detect outside attackers, because an outsider’s first action is to compromise an internal system and then compromise valid user credentials. Here are three steps to spot that kind of malicious insider activity, or outsiders attacking like rogue employees.
[Chart: Company Insiders Are Accounting For Fewer Breaches. Percentage of breaches involving external, internal, and partner actors, by year. In 2013, breaches connected with a person inside a company fell to 14% from a high of 48% in 2009. Data: Verizon’s “2013 Data Breach Investigations Report”]

Step One: Visibility
Companies obviously need to allow workers data and app access to do their jobs, but to detect rogue behavior, they also need detailed knowledge of what those employees are doing. “You have to monitor and sniff all traffic at all endpoints at all times, and you need to flag anomalous behavior and activity,” says AccessData’s Carpenter. “You don’t need to necessarily shut it down, but you need to have a policy that any activities outside these bounds are unacceptable.”
Yeah right, you might be thinking. Getting visibility into user activity across the network in near real time is a massive project for large companies, and few small and midsize businesses have the resources to tackle the problem. But companies can start by tracking a few types of log data to get general visibility across the network. As they identify the most sensitive data, companies can expand their efforts to get focused intelligence on access to that most important information. “Start with more visibility, get eyes across the environment, and then focus on specific areas,” says Chris Petersen, chief technology officer for LogRhythm, a security information and event management provider. Understanding what provides the best insight will take time, “and you don’t want to be sitting on your hands while you are trying to do data discovery.”
Just monitoring network traffic isn’t enough; you also need to know what’s happening on specific devices, contends John Prisco, CEO of Triumfant, a maker of endpoint protection software. Unlike external attackers, internal attackers are most likely using a company-owned machine to conduct the attacks, so having data on what’s happening on those machines can be extremely helpful in detecting anomalous activity. Tracking endpoint use may let you model normal behavior and spot behavior outside the norm that could be malicious.
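As an added example (not code from the article or from any vendor quoted in it), the check below models the kind of file-transfer audit that caught Gary Min: it builds each user’s baseline from that user’s first days of constructed file-copy audit records, then flags later days with unusual volume or copying outside business hours. The log format, user names, business-hours window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit records (not real data): timestamp, user, files copied.
# The "gmin" rows mimic the article: small daytime volumes, then overnight bulk copying.
SAMPLE_LOG = """\
2013-11-04T09:15:00,gmin,12
2013-11-04T14:40:00,gmin,9
2013-11-05T10:02:00,gmin,15
2013-11-06T11:30:00,gmin,8
2013-11-07T16:05:00,gmin,11
2013-11-08T09:50:00,gmin,10
2013-11-11T23:30:00,gmin,2400
2013-11-12T01:10:00,gmin,3100
2013-11-04T10:00:00,asmith,40
2013-11-05T10:00:00,asmith,35
2013-11-06T10:00:00,asmith,52
2013-11-07T10:00:00,asmith,38
2013-11-08T10:00:00,asmith,44
2013-11-11T10:00:00,asmith,47
"""

BUSINESS_HOURS = range(7, 20)  # assumed normal window: 07:00 to 19:59

def parse_log(text):
    """Yield (datetime, user, count) tuples from CSV-style audit lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, count = line.split(",")
            yield datetime.fromisoformat(ts), user, int(count)

def daily_totals(records):
    """Roll records up per user and per day into [total files, off-hours files]."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, user, count in records:
        day = totals[user][ts.date()]
        day[0] += count
        if ts.hour not in BUSINESS_HOURS:
            day[1] += count
    return totals

def find_anomalies(totals, baseline_days=5, z_threshold=3.0):
    """Score each user's later days against that user's own first days.

    A day is flagged when its volume exceeds mean + z*stdev of the baseline
    (stdev floored at 1 so a flat baseline does not flag trivial bumps) and is
    at least double the mean, or when it shows off-hours copying where the
    baseline had none. Returns (user, day, reasons) tuples.
    """
    alerts = []
    for user, days in totals.items():
        ordered = sorted(days.items())
        base = ordered[:baseline_days]
        if len(base) < 2:
            continue  # too little history to model "normal" for this user
        base_totals = [total for _, (total, _) in base]
        mu, sigma = mean(base_totals), pstdev(base_totals)
        base_offhours = sum(off for _, (_, off) in base)
        for day, (total, offhours) in ordered[baseline_days:]:
            reasons = []
            if total > mu + z_threshold * max(sigma, 1.0) and total >= 2 * mu:
                reasons.append(f"volume {total} vs baseline mean {mu:.1f}")
            if offhours > 0 and base_offhours == 0:
                reasons.append(f"{offhours} files copied outside business hours")
            if reasons:
                alerts.append((user, day.isoformat(), reasons))
    return alerts

def run(log_text=SAMPLE_LOG):
    return find_anomalies(daily_totals(parse_log(log_text)))

if __name__ == "__main__":
    for user, day, reasons in run():
        print(f"{day} {user}: {'; '.join(reasons)}")
```

On the sample data only the two overnight days for gmin are flagged, each for both volume and off-hours reasons; asmith’s steady daytime usage never trips either check.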
Protecting and monitoring endpoints becomes more difficult with bring-your-own-device programs. Companies that allow employee-owned devices on the corporate network should limit the data that employees can access on those personal devices, at least until appropriate data loss prevention technology has been deployed to monitor their activity, says Steve Hunt, president of database protection firm DB Networks.

Break The Insider’s Kill Chain
Traditionally, companies have designed their security to stop attackers at the perimeter. But security pros have started analyzing threats based on the seven steps attackers need to take before achieving their objective: the cyber-security “kill chain.”
This technique attempts to pinpoint what attackers might do at each step of an operation and suggests defenses. The seven steps are reconnaissance of the target; creating, delivering, and executing the attack (three steps); establishing control over the compromised machine; communicating with the operator; and pursuing objectives.
Insiders have a distinct advantage in the kill chain. Reconnaissance is a low-risk endeavor since the worker is already gathering intelligence during the workday. The three subsequent steps may not be necessary, as a malicious insider already has access to a machine in the network.
Using kill chain analysis to head off malicious insiders also lets you detect the signs that an authorized user may be doing something beyond his or her authorization. “Companies need to develop indicators of compromise to catch the insider in the kill chain as early as possible,” says Tim Keanini, CTO with Lancope. — Robert Lemos
Step Two: Identify Key Data
While visibility can help flag the bad actors, rogue insiders can hide in the noise of day-to-day operations unless a significant analytics software deployment is brought to bear. A more cost-efficient approach is to focus on protecting the data that’s most critical to the business.
If business executives and security managers can come up with a list of the 10 data sets that are most core to the business, the leak prevention effort becomes much more manageable, says Eric Schou, director of product marketing for enterprise security products at Hewlett-Packard. While some companies can easily identify their crown jewels — e.g., source code for software vendors, exploration data for oil and gas firms, or the secret recipe for Coke — other companies may have trouble.
In addition to protecting the data itself — the secret recipe — security teams also should focus on the information that an attacker would need to get access to sensitive data, such as credentials, authentication keys, and privileged accounts. Zeroing in on any activity related to those areas can help a company keep tabs on accounts with the most dangerous permissions. The keys that Snowden theoretically used to jump from machine to machine are a perfect example of such information.
Step Three: Controls
Measuring intent is difficult. Is an employee being malicious, or breaking security policy inadvertently? Is the employee’s account being used by an external attacker? Yet separate from intent, companies must decide what behavior is risky to their business. The best ways to do that are to implement security controls that enforce policies, monitor critical data to detect anomalies, minimize the number of privileged employees, and remove unnecessary rights for workers who don’t need to access sensitive data or applications.
“It’s critical that companies contain information to the smallest group possible,” Hunt says. “Make sure that you have an audit record as well. While that will not protect the data, it will tell you who is accessing it and where it may have gone.”
Minimizing the privileges assigned to a worker might have saved global financial conglomerate UBS billions of dollars. Between 2008 and 2011, Kweku Adoboli, a trader at the firm, bypassed controls intended to separate the trading and approval functions and lost more than $2.3 billion. The bank’s CEO, Oswald Grübel, resigned following the incident, and UK authorities fined the bank nearly $48 million for its lack of adequate controls to stop what amounted to a hack of the trading process.
“The same risk and the same level of scrutiny is applicable, whether you are talking about business applications or business data,” warns Vick Viren Vaishnavi, CEO of Aveksa, a maker of identity and access management tools that was recently acquired by security giant RSA.
Perhaps the most effective control, however, is to encourage employees to police their colleagues. Co-workers are more likely than technical tools to notice strange behavior and catch actions that might not set off other alarms. In Verizon’s 2013 Data Breach Investigations Report, employees reporting suspicious activities ranked as the No. 1 way that companies detected breaches internally.

Insider Attacks Take Longer To Resolve
Average number of days to resolve attack, by attack type:
Malicious insiders: 65.5
Malicious code: 49.8
Web-based attacks: 45.1
Denial-of-service: 19.9
Phishing and social engineering: 14.3
Stolen devices: 10.2
Malware: 6.7
Viruses, worms, and Trojans: 3.0
Botnets: 2.9
Data: Ponemon Institute’s “2013 Cost Of Cyber Crime Study: United States”
Companies should educate employees on policies and highlight what suspicious activity looks like. For example, employees who report a phishing email campaign can help the IT group block the messages quickly before less-savvy people click on attachments and allow leaks. In addition, a group outside of the cadre of privileged users and system administrators should also audit those users’ activities. “If you look at some companies, you have the cops watching the cops,” says AccessData’s Carpenter. “You need to be using people outside of IT.”
Companies that give employees more understanding of malicious behavior, identify the most critical data, and implement controls to protect that data have a much better chance of discovering insider leaks before they do damage. Once companies detect insider activity, such incidents are much easier to investigate and stop. “When we do get an inside job, we always find out who it is,” says Verizon’s Sartin.
But companies frequently miss potential threats because they aren’t monitoring for changes in behavior. “It may be the same IP address or user account that goes from good actor to bad actor, and the question is, ‘When did that happen?’” says Tim Keanini, CTO for Lancope, a network security and application monitoring provider. If that change happened on your network today, would you know? Too many companies can’t answer yes to that question.
Robert Lemos is a veteran technology journalist and former research engineer. Write to us at [email protected].
Sensitive Corporate Data Takes Hit In Breaches
What types of data were potentially compromised or breached in the past 12 months?
Personally identifiable information (name, address, phone, Social Security number): 22%
Intellectual property: 19%
Other personal data: 13%
Other sensitive corporate data: 12%
Authentication credentials (user IDs and passwords, other forms of credentials): 11%
Website defacement: 10%
Corporate financial data: 6%
Account numbers: 5%
Payment/credit card data: 3%
Don’t know: 8%
Data: Forrester Research’s “Understand The State Of Data Security And Privacy: 2012 To 2013” report on 583 North American and European IT security decision-makers at companies that have had a breach in the past 12 months
Copyright 2013 UBM LLC. All rights reserved.