Last year, Anton Chuvakin wrote “Insider Threat: Does It Matter Now? And How Much?” for his Gartner blog. In it, he quoted the Verizon Data Breach Investigations Report showing that “insiders were involved in 8% of data breaches.” Given that perceived risk of malicious insiders is so low, he asked, does it make sense for organizations to deploy resources against insider threats?
In my opinion, the answer is a resounding “yes.”
The 8% number does indeed seem low, in particular when compared to other recent surveys which attribute much higher numbers to the insider threat:
- CSO Online (2013) – 36%
- Ponemon Institute/Symantec (2012) – 39%
- Celent (2008) – 60%
- Online Trust Alliance (2015) – 29%
- Forrester (2012) – 39%
- Central European University's Center for Media, Data and Society (2014) – 57%
One reason for the discrepancy may be in how each study defines an “insider breach.” Forrester, for example, differentiates malicious insiders (12%) from inadvertent data leaks (27%). Verizon takes a literal approach, and considers only malicious acts.
This is understandable. Most people think of the insider threat as malicious employees, and perhaps expand it to include inadvertent data leaks. If one digs deeper into Verizon’s numbers, however, a third scenario emerges that is identical to the insider threat from a defender’s point of view: an attacker stealing legitimate credentials.
Verizon’s data show that across all breach categories, “Use of stolen credentials” is the number one attack vector (“Threat Action”, in Verizon’s terms). It is used 50% more frequently than phishing attacks, four times as frequently as SQL Injection, and over five times as frequently as Privilege Abuse.
Clearly, this is an issue that deserves our attention.
It also argues in favor of a defense against insider threats. From a defensive standpoint, it doesn’t matter whether the data loss is perpetrated by an external adversary with stolen credentials or by an employee ignoring corporate policy. In either case, we need to protect the data directly, track its use continuously, and block misuse as it happens. We can do so by separating device privileges from data privileges, so that the data remains protected even when an adversary gains access to a device.
Consider the following: an organization believes its financial documents are sensitive and should not be copied to removable storage, attached to emails, or uploaded to cloud storage. The defense for this scenario should alert on and block that activity, whether the “attacker” is malicious or a legitimate user acting carelessly.
Anton’s question was undoubtedly rhetorical; a single solution that can block 8% (or 12%, or 39%) of all attacks has value. The question I suspect he poses is what level of urgency an organization should apply to the issue. When one looks at this from a defender’s view, however, combatting the #1 attack vector should be your #1 priority. “Insider threat protection,” when it takes a data-centric approach, addresses far more threats than simply malicious insiders. The solution is to distinguish legitimate from illegitimate use of the data by any user.
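The data-centric policy described above (alert on and block moving sensitive financial documents to removable storage, email, or cloud storage, regardless of who is at the keyboard) can be written as a small reference-monitor style rule engine. The following is an added illustration, not code from the original post or from any product: the file paths, classification labels, destinations, and event stream are all constructed, and the `evaluate` function is the assumed single chokepoint every data movement passes through. The decision keys only on the data’s classification and destination; the user and device are recorded for the alert but never consulted for allow/deny, which is what makes a careless employee and an attacker with stolen credentials indistinguishable to the control.

```python
"""Data-centric policy check over constructed file-activity events.

Added illustration (not from the original post or any product): a minimal
reference-monitor style rule engine. Data classification, not the identity
or device of the actor, decides whether an action is blocked.
"""
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    FINANCIAL = "financial"  # sensitive: must not leave the organization


class Destination(Enum):
    LOCAL_DISK = "local_disk"
    NETWORK_SHARE = "network_share"
    REMOVABLE = "removable"              # USB stick etc.
    EMAIL_ATTACHMENT = "email_attachment"
    CLOUD_UPLOAD = "cloud_upload"


@dataclass(frozen=True)
class Event:
    user: str
    device: str
    path: str
    destination: Destination


# Hypothetical classification store. In practice this would come from
# tagging or content inspection; paths and labels here are constructed.
CLASSIFICATIONS = {
    "/finance/q3_forecast.xlsx": Classification.FINANCIAL,
    "/finance/board_deck.pptx": Classification.FINANCIAL,
    "/marketing/logo.png": Classification.PUBLIC,
    "/eng/design_notes.md": Classification.INTERNAL,
}

# Policy: destinations each classification may flow to. Anything not
# listed is denied (default deny).
ALLOWED_FLOWS = {
    Classification.PUBLIC: set(Destination),
    Classification.INTERNAL: {Destination.LOCAL_DISK, Destination.NETWORK_SHARE,
                              Destination.EMAIL_ATTACHMENT},
    Classification.FINANCIAL: {Destination.LOCAL_DISK, Destination.NETWORK_SHARE},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    classification: Classification
    reason: str


def classify(path: str) -> Classification:
    # Unknown files are treated as INTERNAL, not PUBLIC, so an untagged
    # file cannot be exfiltrated simply because nobody labelled it.
    return CLASSIFICATIONS.get(path, Classification.INTERNAL)


def evaluate(event: Event) -> Decision:
    """Single chokepoint: every data movement passes through this check.

    event.user and event.device are deliberately NOT used for the
    allow/deny decision; they are only carried into the alert text.
    """
    cls = classify(event.path)
    if event.destination in ALLOWED_FLOWS[cls]:
        return Decision(True, cls, "flow permitted by policy")
    return Decision(False, cls,
                    f"{cls.value} data may not go to {event.destination.value}")


def process(events):
    """Apply the policy to an event stream; return (allowed, blocked_alerts)."""
    allowed, alerts = [], []
    for ev in events:
        d = evaluate(ev)
        if d.allowed:
            allowed.append(ev)
        else:
            alerts.append(f"BLOCK user={ev.user} device={ev.device} "
                          f"path={ev.path} dest={ev.destination.value}: {d.reason}")
    return allowed, alerts


# Constructed sample stream: the same financial file moved by (a) a careless
# employee, (b) someone using that employee's stolen credentials from an
# unfamiliar device, and (c) a routine save to a network share.
SAMPLE_EVENTS = [
    Event("alice", "laptop-17", "/finance/q3_forecast.xlsx", Destination.REMOVABLE),
    Event("alice", "vdi-unknown-42", "/finance/q3_forecast.xlsx", Destination.CLOUD_UPLOAD),
    Event("alice", "laptop-17", "/finance/q3_forecast.xlsx", Destination.NETWORK_SHARE),
    Event("bob", "laptop-03", "/marketing/logo.png", Destination.EMAIL_ATTACHMENT),
    Event("bob", "laptop-03", "/eng/design_notes.md", Destination.CLOUD_UPLOAD),
]

if __name__ == "__main__":
    ok, blocked = process(SAMPLE_EVENTS)
    print(f"{len(ok)} allowed, {len(blocked)} blocked")
    for line in blocked:
        print(line)
```

Running it blocks three of the five events: both attempts to move the financial spreadsheet off the network (removable media and cloud upload) and the internal design notes going to cloud storage, while the network-share save and the public logo attachment pass. Swapping in a different user name or device for the blocked events does not change the outcome, which is the property the post is arguing for: the control sits on the data, not on the login.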
Dan Geer on How to Mitigate the Risk of Insider Threats
Dan Geer explains how to apply the reference monitor concept to mitigate the risks presented by insiders.