It's Time to Turn Security Inside Out
By Gilad Raz, CIO, Varonis
When 100,000 U.S. taxpayers were the victims of identity theft at the IRS earlier this year, it seemed like just the latest in a long line of cases that constantly remind us: everyone’s at risk. But there was something unique about this particular episode—it prompted business leaders to rethink their security priorities.
IRS Commissioner John Koskinen actually told The Wall Street Journal that what happened to them specifically was “not a hack or a data breach.” Why? Because the IRS security systems weren’t actually compromised. “These are imposters pretending to be someone,” he said.
This draws a startling parallel to Edward Snowden, the famous NSA contractor who leaked classified information in 2013. While Snowden had the authority and clearance to access all of the classified documents that he ended up exploiting (which was far more access than he needed to do his job), no one inside the NSA was tracking Snowden’s digital footsteps. No one was looking at what he was opening and exploring. How could the country’s leading surveillance organization not be tracking the activity of its own people surrounding these sensitive files?
Perhaps most surprising is the fact that this same pattern is not uncommon, and – despite all the hype around Snowden – it remains a massive issue in every industry.
Gartner refers to unstructured data (our emails, word documents, spreadsheets, presentations, etc.), as “dark data” because, let’s face it, when it comes to what’s going on with these files, most organizations are clueless. And so much of data contains sensitive information, like social security numbers, credit cards numbers, personal health information, financial records, or confidential forecasts and roadmaps. Unstructured data is the data we have the most of, and know the least about.
It would seem that protecting these assets where they live would be given. But unfortunately, our culture of convenience and rapid innovation has led us all down a path that has spurred the exponential creation, duplication and sharing of business data while leaving it virtually unmonitored and poorly secured. According to IDC, the world’s data is expected to grow by 50x over the next decade, and 90 percent of that new data will be unstructured business data. And, according to Forrester Research, many of the highest-profile breaches have involved compromised identities of individuals authorized to access some part of an organization’s computing environment.
One of our light-bulb moments happened when we were approached by a large military organization where a trusted insider stole and sold hundreds of thousands of files without anyone noticing. The organization had invested tens of millions of dollars in every security technology you can think of and had dozens of people managing access to data, but it wasn’t enough.
This employee had access to the same sensitive files as their supervisor, 90 percent of which were not relevant to their job. Even after the organization realized there was a breach, they couldn’t respond effectively because they didn’t know the scope of the damage. They couldn’t even figure out what files were taken after the fact.
If we had effective walls up to protect these files from getting stolen or leaving our networks, much of this wouldn’t matter. But let’s be honest: there is no security perimeter anymore. Cyber criminals are getting good, excellent even, at their jobs.
If a hacker or rogue employee wants something, they can get it. And exploit it. All they need is access to a few (maybe even one) employee accounts, and it’s entirely possible that no one will notice they are accessing, modifying or copying information once they are inside. And the wrong person merely seeing certain information they shouldn’t, can be a compromise. Nothing needs to be exfiltrated but one’s memory.
We need to turn security inside out. For years, the C-suite has been asking the security team to focus on sealing the borders and identifying the criminals. But why invest disproportionately in the perimeter when there’s no certainty that the threats are outside and the assets are inside at this point?
The reality of insider threats (malicious, unintended or caused by co-opted identities) is a major factor driving new approaches to user behavior analytics (UBA). Organizations can now use constantly collected metadata to monitor risky user behavior, unusual patterns of data access and other signs of risk from their employee populations as well as vendors, customers and other third parties with access to their networks. Alerts can be customized and automated. Turning security inside out means recognizing that users are often the weak link in the chain.
Juniper Research recently predicted that breaches will cost the US $2.1 trillion by 2019. When will this be a big enough business problem to convince enterprises to flip their perspective?