Technology advances have made it easier to detect subtle, anomalous end-user behavior, such as installation of unusual apps on endpoint devices, or suspicious deviations from baseline activity. This roundtable discussion examines methods to build monitoring, control and context into enterprise insider threat protection efforts – both when dealing with privileged users and regular employees.
Moderator: John Dix, Network World, Editor-in-Chief
· Eric Ogren, Analyst, Ogren Group
· Feris Rifai, CEO, Bay Dynamics
· Ken Ammon, Chief Strategy Officer, Xceedium
Let’s start by defining the insider threat problem. How big is it?
AMMON: For a long time now there has been this grass hut/steel door approach to security, with no real policy enforcement internally, and you’ve seen spear phishing and credential theft approaches yield access to the internal infrastructure with little ability to prevent escalation of privileges. And with third-party access and cloud computing, it’s really expanding the risk plane of the insider threat, and as a result we’ve seen an explosion of interest in the core problem.
OGREN: When I think of insiders I think of privileged users and intruders masquerading as privileged users. And it’s not so much the frequency of these attacks but the magnitude of what they can get once they get privileged access. Big breaches come from privileged users.
RIFAI: Insider identity credentials are certainly higher risk today than ever before. Employees that have privileged access to information, or even contractors and providers with access, are now primary targets for cyber criminals. Look at Target. Most agree that that involved insider credentials that were stolen or taken advantage of.
Has the insider threat changed with time, or is it just that we’re focusing more attention on it because we have new tools to expose it?
AMMON: I think the access points – mobile tools, BYOD, interconnected businesses – significantly magnify the threat and have led to this evolution of sophisticated units that are using targeted methods to take advantage of legacy security weaknesses.
OGREN: In the old days everything had to be in the building, and the perimeter kind of worked. Nowadays, not so much – with mobility and hosted apps and outsourced admin and data centers that may not even be on your own premise. So it’s easier to have communications channels that bypass traditional security systems.
Have organizations shifted their resources enough to address these threats?
RIFAI: Surveys show people understand they have problems, but are preoccupied with defending the perimeter when they should be equally concerned about defending their interiors. Keep in mind that once an external attack breaches a network perimeter, it becomes an insider, so you really have to look at internal security as seriously as you do external security. And by definition an insider is a person, so you must pay attention to not only who is using your sensitive data today, but how they are using it.
That requires analytics. We need to be able to bring together data in a way that answers complex questions about the behavior of insiders, and look at meaningful deviations from the norm and then call that out and isolate it. And maybe sometimes out of thousands or millions of sessions, be able to look at it and say, 'This one is a threat'. So you need that analytics layer to give you visibility into what would otherwise be a ton of false positives, because most large organizations are contending with millions of incidents.
Do compliance requirements adequately address the threat?
OGREN: Compliance has been security’s best friend for years, making it easy to say you just have to do this. But the down side of compliance is that it absolutely stifles innovation, because now it’s harder to justify incremental security in this new world of mobility and virtualized data centers. I’d love to see compliance get a little more intelligent about involving new technologies and about new approaches to the problem. Because obviously it’s not working today. People are getting breached all over the place and it’s causing great damage to our economy.
Breached even when they are compliant, right?
OGREN: Absolutely. These companies are doing the best they can and they’ve got good people, they know the security issues and they’re absolutely helpless, aren’t they? So at some point we need to carve out space to find new things that move the state-of-the-art ahead. I think compliance has actually slowed down a bit that way.
AMMON: Never confuse compliance and security. They should be and to some degree are connected. But one doesn’t necessarily equal the other, for sure.
Going back to the false positive question … given that insiders are people, then false positives become really dangerous because you’re fingering an employee. Has the industry done enough to limit false positives when it comes to insider threats?
RIFAI: Many companies are drowning in false positives. So it goes back to a need for analytics-based remediation to help you understand patterns, properly categorize incidents, diagnose the causes of these incidents, determine the right action, and in the process prevent a lot of these false positives from occurring.
AMMON: I believe you have to separate authentication from authorization. This idea that you authenticate yourself via legacy mechanisms like VPN and then you’re allowed to move about can no longer be tolerated. You should authenticate yourself and only then be provided the specific access you need. It makes it much easier to monitor. You get rid of a lot of the noise, particularly with privileged users.
And once you’re containing and controlling and monitoring that access, you have to move to a level of in-line enforcement rather than post analysis. So you want to be able to enforce your policy in a more proactive way, and I think you want to provide tools that are more efficient. I know we have moved away from using the log data as the primary format to a full recording of the session. So if it looks like someone has attempted a violation you can replay exactly what they were doing on the screen and that greatly reduces the task of trying to stitch together the pieces.
Are some organizations out in front on this, doing it properly using all the latest tools?
AMMON: I was on a panel about a month ago, and one CSO gave a very thorough presentation about this issue and everything they were doing, and on the other side of the spectrum, the other CSO didn’t have a clue there was even a focus in this area and technology available. So I think you’ve got real peaks and valleys.
RIFAI: I couldn’t agree more with that. Some clients have their perimeter under control, their network under control, but they still have this deficiency understanding what’s happening to their sensitive information, while others are aware and making the appropriate investments and even driving a lot of the requirements. That’s not the majority right now, but it is certainly moving in that direction.
AMMON: When we get a new customer, we typically see they have been attempting to cobble together a solution made up of existing security investments. And inevitably they learn that building and maintaining that is a very expensive endeavor. And it never really satisfies the auditor because it is so distributed and never really worked in the first place. There are many security investments doing exactly what they were supposed to, but don’t necessarily expand to some of these other use cases. So there is growing recognition the existing approach is probably never going to quite get you there and you need something new.
OGREN: I’ve seen some companies doing this, John. Like in industries such as finance, where they need to be able to monitor user behavior and report on that. A lot of that is driven by a sea change in the technology – someone comes in with a tablet or a phone and bypasses the firewall and everything else – and the old perimeter model is simply long gone.
Speaking of new technologies, how does adoption of cloud complicate this picture?
AMMON: I think there is a less than optimal understanding of how your risk plane increases with virtualization and cloud. Many buyers aren’t aware of a number of the issues. For example, if you’re using a virtualization platform, you now have access to every single host through the virtualization platform as well as through the front door of the application or the platform itself.
You have to protect these new access points, and you have to be able to create rules and contain and control that access. They’re available via web consoles for self-service administration inside the cloud environment, and you also have management APIs where you have automated actions that have privilege. So now your privileged actors aren’t just individuals, they’re programs – and with elastic computing, if that credential is compromised or it’s not particularly well controlled, you can incur hard dollar losses. If somebody scales up 10,000 instances in Amazon by mistake, you’re getting a bill. That’s really elevating attention to this problem and requires that not only do you deal with it from a user perspective, but you also deal with a growing issue of application programming interfaces.
RIFAI: You can imagine a malicious insider potentially exploiting cloud-related vulnerabilities and stealing information from a cloud system, or someone who can use cloud systems to carry out an attack on an employer’s local resources, etc. But it all adds up to additional access points that you didn’t have before and greater opportunity for exploitation.
So are all the necessary tools to fight insider threats available now or are we still missing some pieces?
RIFAI: It’s a people-centric problem and people are multidimensional, so you have to come at it with that mindset; you’ve got to have a multidisciplinary approach. And there are cutting edge solutions on the market today that can tell you what is normal versus unusual on a user-by-user case and do that at a really large scale. And certainly we have made progress, but it’s not necessarily something that has been highly adopted by all companies out there. There are some at the forefront using these technologies, but not everybody in the market is aware.
AMMON: I divide the challenge into two different buckets. One is the insider threat as it relates to your standard user, and the other is the insider threat as it relates to privileged users. What we’ve found is the problem gets very big when you talk about trying to define what role a standard user has and how to limit their access within the enterprise. It is much easier to target and define the roles for privileged users because the audience is smaller.
But attacks require two steps: gaining access, which usually involves standard users, and then elevating rights. And it’s that elevating rights step that’s causing the vast majority of problems you’re reading about right now. If there was no ability to elevate those rights then you couldn’t access a service account to distribute malware. You couldn’t hijack a system to start snooping a network interface. You couldn’t destroy data. So there are broad access capabilities for privileged users. It’s a definable and solvable issue today with today’s technology.
I think the next frontier really is, “How do you deal with the standard user?” The difficulty there is identifying the rules and the rights around each user and then deploying an enterprise system, taking into consideration legacy and evolving cloud and virtualization platforms, and enforcing that.
OGREN: So much security investment has been focused on preventing and blocking and trying to understand malware, but it’s kind of a Zeno’s Paradox, just taking us part way each time and we never ever get to the end. Now we’re in the process of shifting to a security model that is more about user authorization and data access and data traffic. So more of, what are people doing and what are they doing with the stuff they access and where are the assets of the company going? So it’s a healthy change and we’re starting to get more balance back into the security model. And yes, there are technologies out there that can help companies.
OK, any closing thoughts?
OGREN: We’re still kind of hung up on being able to have open discussions on security, best practices and products. We have this irrational fear that, if we disclose what our security architecture or practices and procedures look like, attackers will just come flying through our organization. In fact they do that anyway. As a community we should do better with security. The culture of silence presents a lost opportunity - an open dialog and conversations with peers can effectively advance our best practices. Because we don’t talk about security as an integral part of the business, we lose that opportunity to enlighten ourselves and say, 'Hey, if we change a few things here then that can reflect on the business and everybody comes out ahead.'