Is it Worth Combating Insider Threats?
Insider threats are particularly pernicious because the attacker has legitimate access to the data and valid credentials. This makes insider threats extremely difficult to defend against.
Last year, Anton Chuvakin wrote “Insider Threat: Does It Matter Now? And How Much?” for his Gartner blog. In it, he quoted the Verizon Data Breach Investigations Report showing that “insiders were involved in 8% of data breaches.” Given that the perceived risk of malicious insiders is so low, he asked, does it make sense for organizations to deploy resources against insider threats?
In my opinion, the answer is a resounding “yes.”
The 8% number does indeed seem low, particularly when compared with other recent surveys, which attribute much higher figures to the insider threat:
- CSO Online (2013) – 36%
- Ponemon Institute/Symantec (2012) – 39%
- Celent (2008) – 60%
- Online Trust Alliance (2015) – 29%
- Forrester (2012) – 39%
- Central European University's Center for Media, Data and Society (2014) – 57%
One reason for the discrepancy may lie in how each study defines an “insider breach.” Forrester, for example, differentiates malicious insiders (12%) from inadvertent data leaks (27%). Verizon takes a literal approach and considers only malicious acts.
This is understandable. Most people think of the insider threat as malicious employees, and perhaps expand it to include inadvertent data leaks. Digging deeper into Verizon’s numbers, however, reveals a third scenario that is identical to the insider threat from a defender’s point of view: an attacker who steals legitimate credentials.
Verizon’s data show that across all breach categories, “Use of stolen credentials” is the number one attack vector (“Threat Action”, in Verizon’s terms). It is used 50% more frequently than phishing attacks, four times as frequently as SQL Injection, and over five times as frequently as Privilege Abuse.
Clearly, this is an issue that deserves our attention.
It also argues in favor of a defense against insider threats. From a defensive standpoint, it doesn’t matter whether the data loss is perpetrated by an external adversary with stolen credentials or by an employee ignoring corporate policy. In either case, we need to protect the data directly: continuously track how it is used and block misuse as it happens. We can do so by separating device privileges from data privileges, so that the data stays protected even when an adversary gains access to a device.
Consider the following: an organization believes its financial documents are sensitive and should not be copied to removable storage, attached to emails, or uploaded to cloud storage. The defense for this scenario should alert on and block that activity, whether the “attacker” is malicious or a legitimate user acting carelessly.
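The following is an added illustration of the data-centric rule described above; it is not code from the original post or from any product. It assumes a constructed classification scheme (`financial`, `public`), constructed channel names (`removable_storage`, `email_attachment`, `cloud_upload`) and constructed sample events. The decision depends only on the document’s classification and the channel, so the same attempt is blocked whether it comes from a careless employee on a trusted laptop or from an attacker using that employee’s stolen credentials on an unknown host. A device-centric check is included for contrast: it waves the trusted laptop through.

```python
"""Data-centric policy check (added example, not the post's own code).

A data-handling event is decided by the document's classification and the
channel used, never by who holds the session or which device issued it.
Labels, channels and sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed policy: for each classification, the channels the data may
# not leave through. These names are this example's assumptions.
BLOCKED_CHANNELS: Dict[str, Set[str]] = {
    "financial": {"removable_storage", "email_attachment", "cloud_upload"},
    "public": set(),
}

# Constructed allow-list for the contrasting device-centric model.
TRUSTED_DEVICES: Set[str] = {"LAPTOP-01"}


@dataclass
class DataEvent:
    user: str
    device: str
    document: str
    classification: str
    channel: str
    session_origin: str  # "employee" or "stolen_credentials"; audit trail only


@dataclass
class Decision:
    action: str  # "ALLOW" or "BLOCK"
    alert: bool
    reason: str


def evaluate(event: DataEvent,
             policy: Dict[str, Set[str]] = BLOCKED_CHANNELS) -> Decision:
    """Data-centric decision: only (classification, channel) matter.

    User, device and session origin are carried into the audit record for
    investigators but never change the outcome.
    """
    blocked = policy.get(event.classification, set())
    if event.channel in blocked:
        return Decision("BLOCK", True,
                        f"{event.classification} data may not leave via "
                        f"{event.channel}")
    return Decision("ALLOW", False, "channel permitted for this classification")


def device_centric(event: DataEvent,
                   trusted: Set[str] = TRUSTED_DEVICES) -> Decision:
    """Contrast model: trust the device, ignore the data.

    Shown only to make the weakness visible; a careless employee on a
    trusted laptop is allowed to copy financial data anywhere.
    """
    if event.device in trusted:
        return Decision("ALLOW", False, "trusted device")
    return Decision("BLOCK", True, "untrusted device")


def process(events: List[DataEvent]) -> List[dict]:
    """Evaluate a batch with the data-centric rule; return audit records."""
    records = []
    for ev in events:
        d = evaluate(ev)
        records.append({
            "user": ev.user, "device": ev.device, "document": ev.document,
            "channel": ev.channel, "origin": ev.session_origin,
            "action": d.action, "alert": d.alert, "reason": d.reason,
        })
    return records


# Constructed sample: the same spreadsheet leaving via a blocked channel,
# once from the employee's own laptop and once from an attacker reusing
# the employee's credentials on an unknown host, plus a benign public file.
SAMPLE_EVENTS: List[DataEvent] = [
    DataEvent("alice", "LAPTOP-01", "q3_forecast.xlsx", "financial",
              "removable_storage", "employee"),
    DataEvent("alice", "UNKNOWN-HOST", "q3_forecast.xlsx", "financial",
              "cloud_upload", "stolen_credentials"),
    DataEvent("alice", "LAPTOP-01", "press_release.docx", "public",
              "email_attachment", "employee"),
]

if __name__ == "__main__":
    for rec in process(SAMPLE_EVENTS):
        print(rec)
    print("device-centric view of the first event:",
          device_centric(SAMPLE_EVENTS[0]).action)
```

The point of the contrast is in the first event: `evaluate` blocks it because financial data is leaving via removable storage, while `device_centric` allows it because the laptop is trusted. Feeding the records into a SIEM gives the analyst the user, device and session origin for triage without letting those fields decide whether the data was protected.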
Anton’s question was undoubtedly rhetorical; a single solution that can block 8% (or 12%, or 39%) of all attacks has value. The question I suspect he is really posing is what level of urgency an organization should apply to the issue. Seen from a defender’s view, however, combating the #1 attack vector should be your #1 priority. “Insider threat protection,” when it takes a data-centric approach, addresses far more threats than malicious insiders alone. The solution is to distinguish legitimate from illegitimate use of the data by any user.