
The Threat is Already Within

Database Activity Monitoring / Database Firewall | 2016 November 30

In recent years, we have witnessed a growing number of enterprises and government agencies suffer data breaches. Over the same period, information security budgets have grown significantly. While organizations are adding security layers, which is important, most of that spending goes toward preventing direct attacks from outside; detecting threats that originate from within is neglected.

We find this troubling, since our research indicates many significant data breaches are ultimately an “inside job.” Insiders – be they employees, contractors, business associates or partners – pose the biggest risk to enterprise data since they are by definition granted trusted access to sensitive data. In conjunction with several Imperva customers we analyzed live production data that logged how users interacted with and accessed data stored in enterprise databases and file shares.

We detected insider data threat events within every single design partner we worked with, confirming suspicions that ongoing insider abuse of data goes undetected.

Based upon this analysis, we classify the "threats from within" into three categories: malice, negligence, and compromise.

• Malicious insiders, trusted insiders who intentionally steal data for their own purposes, are the obvious nightmare scenario. Edward Snowden and Chelsea Manning (born Bradley Manning) are the highest-profile recent examples.

• Careless and negligent insiders are the second insider threat. These are people within or directly associated with the organization who have no malicious intent, yet expose sensitive enterprise data through careless behavior, usually by cutting corners or simplifying their daily chores.

• Compromised insiders allow "external" threats (e.g., cybercriminals or nation-states) to act with the same freedom as the trusted insider. Once an insider is successfully compromised, usually via credential theft or malware, it is the insider's own account that is directly accessing sensitive data, so the access looks legitimate to perimeter controls. The Sony breach is a classic example of a breach resulting from insider compromise.

The investigation and analysis we conducted with our design partners detected instances of all three insider threat categories. Our approach focused on early detection of the breach of the data itself, rather than preventing initial external attacks. We believe this approach proved effective for two reasons. First, it identifies both malicious and negligent breaches, which by definition will not have any associated external attack. Second, focusing on the data itself – which is the ultimate end goal of any breach – eliminates the need for attack prevention to be 100% effective (which it never is). 
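To make the "watch the data, not the attack" approach concrete, here is an added example written for this page; it is not code from the original post or from any Imperva product. It builds a per-user baseline from a window of database access records and then flags three deviations that map onto the post's categories: a known user pulling far more rows than they ever have from a table (bulk export by a malicious or compromised insider), a known user touching a table they have never used (negligence or misuse of their credentials), and an account with no history at all. The event fields, user names, tables, thresholds and all sample records are constructed for illustration.

```python
# Added example (not from the original post or Imperva's products): a minimal
# baseline-deviation detector run over database access records. All field
# names, users, tables, thresholds and sample events below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: str       # timestamp as written by the audit source
    user: str     # database principal that issued the query
    table: str    # object accessed
    rows: int     # rows returned/affected, as recorded by the monitor


# Constructed "learning window": ordinary activity used to build the baseline.
BASELINE_EVENTS: List[AccessEvent] = [
    AccessEvent("2016-11-01T09:05", "alice", "customers", 20),
    AccessEvent("2016-11-01T09:30", "alice", "orders", 15),
    AccessEvent("2016-11-02T10:10", "alice", "customers", 18),
    AccessEvent("2016-11-02T14:00", "bob", "hr_salaries", 5),
    AccessEvent("2016-11-03T02:00", "svc_reporting", "orders", 5000),
]

# Constructed "evaluation window": the events the detector is asked to judge.
EVALUATION_EVENTS: List[AccessEvent] = [
    AccessEvent("2016-11-30T09:02", "alice", "customers", 25),         # normal
    AccessEvent("2016-11-30T09:40", "alice", "customers", 50000),      # bulk pull
    AccessEvent("2016-11-30T10:15", "bob", "customers", 10),           # never touched before
    AccessEvent("2016-11-30T11:00", "svc_reporting", "orders", 6000),  # normal for this job
    AccessEvent("2016-11-30T23:30", "carol", "hr_salaries", 5),        # no history at all
]


def build_baseline(events: List[AccessEvent]):
    """Per-user set of tables touched, plus the largest row count seen per (user, table)."""
    tables: Dict[str, Set[str]] = defaultdict(set)
    max_rows: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        tables[e.user].add(e.table)
        key = (e.user, e.table)
        max_rows[key] = max(max_rows[key], e.rows)
    return dict(tables), dict(max_rows)


def detect(events: List[AccessEvent], tables, max_rows, spike_factor: int = 10):
    """Return one alert dict per event that deviates from the baseline.

    Checks are ordered from most to least surprising: an account with no
    baseline, then a known account on an unfamiliar table, then a known
    (user, table) pair whose row volume exceeds spike_factor times its
    historical maximum.
    """
    alerts = []
    for e in events:
        if e.user not in tables:
            reason = "unknown_user"
        elif e.table not in tables[e.user]:
            reason = "new_table"
        elif e.rows > spike_factor * max_rows[(e.user, e.table)]:
            reason = "volume_spike"
        else:
            continue
        alerts.append({"ts": e.ts, "user": e.user, "table": e.table,
                       "rows": e.rows, "reason": reason})
    return alerts


if __name__ == "__main__":
    known_tables, known_max = build_baseline(BASELINE_EVENTS)
    for alert in detect(EVALUATION_EVENTS, known_tables, known_max):
        print(alert)
```

Two caveats a practitioner would want. First, the baseline window must be known-clean: the post's own finding is that insider abuse is ongoing and undetected, so a baseline learned from a period that already contains the abuse simply whitelists it. Second, the three checks here are deliberately crude; a production monitor would also baseline time of day, client host, and query shape, and would rate-limit alerts so that a service account's nightly batch job does not drown the analyst.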
