Contrary to common perception, the most significant security threats to an organization are so-called insider threats.
Research estimates find these threats responsible for at least 40% -- but potentially all the way up to 75% or more -- of all data breaches.
News coverage of insider threats is relatively limited because a story about a disgruntled employee is not as interesting as a story about a nation-state attacker or a criminal organization. Security professionals, however, need to take the threat of an insider data breach very seriously. Detection capabilities are limited, and the potential impact of an insider breach can be far-reaching.
Means, motive and opportunity
In order to be classified as an insider, an actor must already have some level of legitimate access to a target system and some knowledge about it.
The actor's motives can vary widely. An insider data breach or leak is not always intentional. A poorly designed system change could open the system up to an attack by accident. A user could also place data in a publicly accessible location without intending to.
There could, however, be some darker motives at play. A disgruntled employee or ex-employee could do a lot of damage to their employer with a data breach. Consider a salesperson leaving a business and taking the organization's customer database to their new employer.
In the case of corporate or state-level espionage, the attacker has far more resources available.
Instead of attempting to gain external access to a system, an insider could be placed or persuaded through extortion or a financial incentive to obtain information beneficial to the interested party or to open a backdoor into the system.
Why is this of particular concern with a cloud platform?
One of the main benefits of operating a service within a cloud platform is the virtually unlimited accessibility. Unless specific sources are whitelisted, the services are accessible from anywhere and by anyone with the appropriate credentials. This also exposes the company to an insider data breach.
For instance, an ex-employee whose accounts have not been properly disabled could still access these services over the internet. The same applies to the sales agent who left the business to work for a competitor, or to an ex-systems administrator who created a since-forgotten backdoor account. A stolen account could likewise be used by anyone, without the need for physical network access.
Account lifecycle management is critical for these online services. This is especially important because cloud services are often more business critical and hold much more data. After all, a significant reason to move services to the cloud is the increased availability it provides.
Cloud services often communicate with each other or with local services via an application program interface (API) key. This key is not only used to identify its user, but it is also often used to secure communications, similar to the use of a very complex password. This means API keys should be stored and communicated securely.
It is not always an easy process to change an API key. Quite often, this needs to be done simultaneously on all systems that are using the key in order to avoid temporary outages. This has led to unchanged API keys being used for extended periods of time, sometimes years. A systems administrator could have taken a copy of the key before leaving the business, providing them with full access to the service for as long as the key stays valid. As with password management, API key management is critical to prevent an insider data breach.
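The outage problem described above has a standard remedy: let a service accept two keys for a bounded grace period, so consumers can be updated one at a time, and then hard-expire the old key so any copy taken by a leaver stops working. The following is an added example that is not from the article or any particular vendor; the registry, the 90-day maximum key age and the one-hour grace window are assumptions chosen for illustration. Only SHA-256 digests of keys are stored, so a copied registry does not itself leak usable keys.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed values for the example (not from the article).
DEFAULT_GRACE_SECONDS = 3600        # old and new key are both valid during this overlap window
MAX_KEY_AGE_SECONDS = 90 * 86400    # flag current keys older than 90 days for rotation


def _fingerprint(key: str) -> str:
    """Store only a SHA-256 digest of the key, never the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class KeyRecord:
    digest: str
    issued_at: float
    expires_at: Optional[float] = None   # None means "current key, no expiry scheduled yet"


@dataclass
class ApiKeyRegistry:
    """Per-client registry holding the current key plus, at most, one previous key
    that stays valid until its grace period ends."""
    keys: Dict[str, List[KeyRecord]] = field(default_factory=dict)

    def issue(self, client_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self.keys[client_id] = [KeyRecord(_fingerprint(key), now)]
        return key

    def rotate(self, client_id: str, grace_seconds: int = DEFAULT_GRACE_SECONDS,
               now: Optional[float] = None) -> str:
        """Issue a new key and give the old one a hard expiry instead of revoking it
        immediately, so each consumer can be updated in turn without an outage."""
        now = time.time() if now is None else now
        records = self.keys.get(client_id, [])
        for rec in records:
            if rec.expires_at is None:
                rec.expires_at = now + grace_seconds
        new_key = secrets.token_urlsafe(32)
        # Keep only the most recent, still-valid old key alongside the new one.
        live = [r for r in records if r.expires_at is not None and r.expires_at > now][-1:]
        self.keys[client_id] = live + [KeyRecord(_fingerprint(new_key), now)]
        return new_key

    def verify(self, client_id: str, presented: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        digest = _fingerprint(presented)
        for rec in self.keys.get(client_id, []):
            if rec.expires_at is not None and rec.expires_at <= now:
                continue   # grace period over: a copy taken before rotation no longer works
            if hmac.compare_digest(rec.digest, digest):
                return True
        return False

    def stale_clients(self, max_age_seconds: int = MAX_KEY_AGE_SECONDS,
                      now: Optional[float] = None) -> List[str]:
        """Clients whose current key has not been rotated within max_age_seconds,
        i.e. the 'unchanged for years' keys the article warns about."""
        now = time.time() if now is None else now
        stale = []
        for client_id, records in self.keys.items():
            current = [r for r in records if r.expires_at is None]
            if current and now - current[0].issued_at > max_age_seconds:
                stale.append(client_id)
        return sorted(stale)


if __name__ == "__main__":
    reg = ApiKeyRegistry()
    old = reg.issue("billing-service", now=1000.0)
    new = reg.rotate("billing-service", grace_seconds=600, now=2000.0)
    print("old key accepted during grace window:", reg.verify("billing-service", old, now=2100.0))
    print("old key accepted after grace window:", reg.verify("billing-service", old, now=2700.0))
    print("new key accepted:", reg.verify("billing-service", new, now=2700.0))
```

The `stale_clients` report is the piece to wire into a periodic job: it turns the "nobody has rotated this key since the administrator left" condition into something that is actually reviewed rather than discovered after the fact.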
Insider threat detection is mostly based on abnormal user behavior. Many products are able to monitor and baseline normal user behavior and can alert the company when a user, for instance, downloads a lot of customer data from the company shares or accesses many different systems and databases within a short period of time.
Machine learning has enabled a lot of progress around these anomaly detection systems in recent years. In fact, virtually unlimited amounts of user behavioral factors can be taken into account, such as whether the user is on holiday, logs in from an unusual location, has been online for more than 12 hours, etc. Some vendors, such as Darktrace and Rapid7, have built specialized products in this field, called user behavior analytics.
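To make the baselining idea concrete, here is an added example (not from the article or from any vendor's product) of three simple rules run over constructed access events: a bulk download measured against the user's own historical daily volume, a login from a country never seen for that user, and several distinct systems touched within a short window. The event format, the user names, the 5x volume multiplier and the 30-minute window are assumptions for the example; a real product replaces the fixed multiplier with a learned model, but the structure of "baseline from history, then score today's activity against it" is the same.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed sample events, not real logs: (timestamp, user, system, bytes_downloaded, country)
EVENTS = [
    ("2024-03-01T09:10:00", "alice", "crm", 2_000_000, "NL"),
    ("2024-03-02T10:05:00", "alice", "crm", 1_500_000, "NL"),
    ("2024-03-03T11:00:00", "alice", "fileshare", 2_500_000, "NL"),
    ("2024-03-04T09:30:00", "alice", "crm", 1_800_000, "NL"),
    # Last day: large export of the customer database, at night, from a new country,
    # followed by a sweep across systems the user does not normally touch.
    ("2024-03-05T02:00:00", "alice", "crm", 90_000_000, "RO"),
    ("2024-03-05T02:05:00", "alice", "hr-db", 500_000, "RO"),
    ("2024-03-05T02:08:00", "alice", "finance-db", 300_000, "RO"),
    ("2024-03-05T02:12:00", "alice", "fileshare", 12_000_000, "RO"),
    ("2024-03-01T09:00:00", "bob", "fileshare", 3_000_000, "NL"),
    ("2024-03-05T09:00:00", "bob", "fileshare", 3_200_000, "NL"),
]

# Thresholds are assumptions for the example.
VOLUME_MULTIPLIER = 5                 # alert when a day's volume exceeds 5x the baseline daily volume
SYSTEM_WINDOW = timedelta(minutes=30)
SYSTEM_THRESHOLD = 3                  # alert when >= 3 distinct systems are touched inside the window


def _parsed(events):
    rows = [(datetime.fromisoformat(ts), user, system, nbytes, country)
            for ts, user, system, nbytes, country in events]
    return sorted(rows)


def baseline(events, user: str, day: str) -> Tuple[float, Set[str]]:
    """Mean bytes per active day and the set of countries seen for `user`,
    computed only from events strictly before `day`."""
    cutoff = datetime.fromisoformat(day)
    per_day = defaultdict(int)
    countries: Set[str] = set()
    for ts, u, _system, nbytes, country in _parsed(events):
        if u == user and ts < cutoff:
            per_day[ts.date()] += nbytes
            countries.add(country)
    if not per_day:
        return 0.0, countries
    return sum(per_day.values()) / len(per_day), countries


def detect(events, day: str) -> List[Tuple[str, str]]:
    """Return sorted (user, rule) alerts for activity on `day` that deviates from each user's baseline."""
    start = datetime.fromisoformat(day)
    end = start + timedelta(days=1)
    today = defaultdict(list)
    for row in _parsed(events):
        if start <= row[0] < end:
            today[row[1]].append(row)

    alerts = []
    for user, rows in today.items():
        mean_daily, countries = baseline(events, user, day)
        # Rule 1: bulk download relative to the user's own history, not a global threshold.
        volume = sum(r[3] for r in rows)
        if mean_daily and volume > VOLUME_MULTIPLIER * mean_daily:
            alerts.append((user, "bulk_download"))
        # Rule 2: access from a country never seen for this user.
        new_countries = {r[4] for r in rows} - countries
        if countries and new_countries:
            alerts.append((user, "unusual_location"))
        # Rule 3: many distinct systems touched inside a short sliding window.
        for i, (ts, *_rest) in enumerate(rows):
            window = [r[2] for r in rows[i:] if r[0] - ts <= SYSTEM_WINDOW]
            if len(set(window)) >= SYSTEM_THRESHOLD:
                alerts.append((user, "system_sweep"))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for user, rule in detect(EVENTS, "2024-03-05"):
        print(f"ALERT user={user} rule={rule}")
```

Note that bob's slightly larger download on the last day raises nothing, because it is within his own baseline; the point of per-user baselining is exactly that the same byte count is normal for one person and anomalous for another.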
Another range of products for preventing insider attacks is the data loss protection and prevention (DLP) category. Files transferred to and from USB devices, shares, the internet and cloud services can be scanned for keywords, classification markers and contents. Based on configured policies, such a system could detect and, if placed inline, potentially even block data being exfiltrated from a protected system or network.
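The following added example (not from the article or from any DLP vendor) shows the shape of such a policy engine: a content scan that looks for classification markers, Luhn-valid card numbers and bulk e-mail address lists, and a per-channel policy that maps each finding to allow, alert or block. The sample files, the marker words, the channel names and the policy table are all constructed assumptions; the Luhn check is included because plain digit-run matching is the usual source of DLP false positives.

```python
import re
from typing import Dict

# Assumed policy for the example: action per finding type and transfer channel.
POLICY = {
    "classification_marker": {"usb": "block", "cloud": "block", "email": "alert"},
    "card_numbers":          {"usb": "block", "cloud": "block", "email": "block"},
    "bulk_email_addresses":  {"usb": "alert", "cloud": "block", "email": "allow"},
}
ACTION_SEVERITY = {"allow": 0, "alert": 1, "block": 2}

MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BULK_EMAIL_THRESHOLD = 5   # assumed: five or more addresses in one file counts as a contact list

# Constructed sample files (not real data). 4111 1111 1111 1111 is a well-known test number.
SAMPLES = {
    "customer_export.csv": "CONFIDENTIAL\nname,email\n"
                           + "\n".join(f"user{i},user{i}@example.com" for i in range(6)),
    "expense_note.txt": "Paid with card 4111 1111 1111 1111 for the conference.",
    "lunch_menu.txt": "Order number 12345678901234 is not a card; contact chef@example.com",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> Dict[str, int]:
    """Count of each finding type in one file's contents."""
    findings: Dict[str, int] = {}
    markers = MARKER_RE.findall(text)
    if markers:
        findings["classification_marker"] = len(markers)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    if cards:
        findings["card_numbers"] = len(cards)
    emails = EMAIL_RE.findall(text)
    if len(emails) >= BULK_EMAIL_THRESHOLD:
        findings["bulk_email_addresses"] = len(emails)
    return findings


def decide(findings: Dict[str, int], channel: str) -> str:
    """Most severe action that any finding triggers for this channel."""
    action = "allow"
    for kind in findings:
        candidate = POLICY[kind].get(channel, "alert")   # unknown channel: at least alert
        if ACTION_SEVERITY[candidate] > ACTION_SEVERITY[action]:
            action = candidate
    return action


def review(files: Dict[str, str], channel: str) -> Dict[str, str]:
    """Policy decision per file name for a transfer over `channel`."""
    return {name: decide(scan(text), channel) for name, text in files.items()}


if __name__ == "__main__":
    for channel in ("usb", "cloud", "email"):
        print(channel, review(SAMPLES, channel))
```

An inline deployment returns "block" before the transfer completes; a monitoring-only deployment logs the same decision and raises "alert" findings to the security team, which is the difference the text draws between detecting and blocking exfiltration.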
Preventing an insider data breach
As the saying goes, prevention is better than a cure. Prevention is not always easy because of the unpredictability of human behavior.
Regular reviews of accounts, permissions and API keys; training to prevent human error; and tested methods such as separation of duties and least privilege should already be best practice in any secure environment. They are especially critical when dealing with insider threats.
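The account review named here, and the lifecycle problem raised earlier (leavers whose accounts were never disabled, forgotten backdoor accounts, roles that outgrew the job), can be reduced to a reconciliation between the HR roster and the cloud identity provider's account list. The following is an added example, not from the article; the roster, account listing, role allowlist and 90-day dormancy threshold are constructed assumptions, and a real job would pull the same two lists from the HR system and the cloud IAM API.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample data (not from the article): HR roster and cloud IAM account listing.
HR_ROSTER = {
    "alice": {"department": "sales", "status": "active"},
    "bob":   {"department": "engineering", "status": "active"},
    "carol": {"department": "sales", "status": "left", "last_day": "2024-01-31"},
}
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": ["crm-reader"], "last_login": "2024-03-04"},
    {"user": "bob", "enabled": True, "roles": ["deploy", "crm-admin"], "last_login": "2024-03-05"},
    # Leaver whose account was never disabled and who logged in after her last day.
    {"user": "carol", "enabled": True, "roles": ["crm-reader"], "last_login": "2024-02-20"},
    # Privileged account with no owner in HR: the "since-forgotten backdoor account" case.
    {"user": "svc-backup2", "enabled": True, "roles": ["admin"], "last_login": "2023-06-01"},
    # Account for someone HR has never heard of.
    {"user": "dave", "enabled": True, "roles": ["crm-reader"], "last_login": "2023-11-01"},
]
# Roles each department is expected to hold (assumed for the example).
ROLE_ALLOWLIST = {"sales": {"crm-reader"}, "engineering": {"deploy"}}
DORMANT_DAYS = 90


def review_accounts(roster: Dict[str, dict], accounts: List[dict],
                    today: date) -> List[Tuple[str, str]]:
    """Reconcile IAM accounts against the HR roster; returns sorted (user, finding) pairs."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        last_login = date.fromisoformat(acct["last_login"])

        if person is None:
            findings.append((user, "no_owner_in_hr"))
        elif person["status"] == "left":
            if acct["enabled"]:
                findings.append((user, "leaver_still_enabled"))
            if last_login > date.fromisoformat(person["last_day"]):
                findings.append((user, "login_after_last_day"))
        else:
            # Least-privilege check: roles beyond what the person's department needs.
            extra = set(acct["roles"]) - ROLE_ALLOWLIST.get(person["department"], set())
            if extra:
                findings.append((user, "excess_roles:" + ",".join(sorted(extra))))

        # Dormancy applies to every enabled account, owned or not.
        if acct["enabled"] and (today - last_login).days > DORMANT_DAYS:
            findings.append((user, "dormant"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(HR_ROSTER, IAM_ACCOUNTS, date(2024, 3, 6)):
        print(f"{user:12s} {finding}")
```

The "login_after_last_day" finding is the one worth escalating rather than just cleaning up: it is evidence that the gap in offboarding was actually used, which turns a hygiene item into a potential incident.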
Considering the statistics, insider threats need to be controlled with priority. The risk of not addressing this issue is simply too great.
Technology only has a limited reach at the moment. Detection systems exist, and some can even prevent a breach, but the main issue is that people with the right access can be very creative.
The user behavioral analytics field is making progress, though. Time will tell if new machine learning algorithms can outsmart the creativity and persistence of determined people.