Technology advances have made it easier to detect subtle, anomalous end-user behavior, such as installation of unusual apps on endpoint devices, or suspicious deviations from baseline activity. This roundtable discussion examines methods to build monitoring, control and context into enterprise insider threat protection efforts both when dealing with privileged users and regular employees.
Moderator: John Dix, Network World, Editor-in-ChiefParticipants:· Eric Ogren, Analyst, Ogren Group· Feris Rifai, CEO, Bay Dynamics· Ken Ammon, Chief Strategy Officer, Xceedium
Let's start by defining the insider threat problem. How big is it?
AMMON: For a long time now there has been this grass hut/steel door approach to security, with no real policy enforcement internally, and you've seen spear phishing and credential theft approaches yield access to the internal infrastructure with little ability to prevent escalation of privileges. And with third-party access and cloud computing, it's really expanding the risk plane of the insider threat, and as a result we've seen an explosion of interest in the core problem.
OGREN: When I think of insiders I think of privileged users and intruders masquerading as privileged users. And it's not so much the frequency of these attacks but the magnitude of what they can get once they get privileged access. Big breaches come from privileged users.
RIFAI: Insider identity credentials are certainly higher risk today than ever before. Employees that have privileged access to information, or even contractors and providers with access, are now primary targets for cyber criminals. Look at Target. Most agree that that involved insider credentials that were stolen or taken advantage of.
+ ALSO ON NETWORK WORLD Biggest insider threat? Sys admin gone rogue +Has the insider threat changed with time, or is it just that we're focusing more attention on because we have new tools to expose it?
AMMON: I think the access points mobile tools, BYOD, interconnected businesses -- significantly magnify the threat and have led to this evolution of sophisticated units that are using targeted methods to take advantage of legacy security weaknesses.
OGREN: In the old days everything had to be in the building, and the perimeter kind of worked. Nowadays, not so much -- with mobility and hosted apps and outsourced admin and data centers that may not even be on your own premise. So it's easier to have communications channels that bypass traditional security systems.
Have organizations shifted their resources enough to address these threats?
RIFAI: Surveys show people understand they have problems, but are preoccupied with defending the perimeter when they should be equally concerned about defending their interiors. Keep in mind that once an external attack breaches a network perimeter, it becomes an insider, so you really have to look at internal security as seriously as you do external security. And by definition an insider is a person, so you must pay attention to not only who is using your sensitive data today, but how they are using it.
That requires analytics. We need to be able to bring together data in a way that answers complex questions about the behavior of insiders, and look at meaningful deviations from the norm and then call that out and isolate it. And maybe sometimes out of thousands or millions of sessions, be able to look at it and say, 'This one is a threat'. So you need that analytics layer to give you visibility into what would otherwise be a ton of false positives, because most large organizations are contending with millions of incidents.
Do compliance requirements adequately address the threat?
OGREN: Compliance has been security's best friend for years, making it easy to say you just have to do this. But the down side of compliance is that it absolutely stifles innovation, because now it's harder to justify incremental security in this new world of mobility and virtualized data centers. I'd love to see compliance get a little more intelligent about involving new technologies and about new approaches to the problem. Because obviously it's not working today. People are getting breached all over the place and it's causing great damage to our economy.
Breached even when they are compliant, right?
OGREN: Absolutely. These companies are doing the best they can and they've got good people, they know the security issues and they're absolutely helpless, aren't they? So at some point we need to carve out space to find new things that move the state-of-the-art ahead. I think compliance has actually slowed down a bit that way.
AMMON: Never confuse compliance and security. They should be and to some degree are connected. But one doesn't necessarily equal the other, for sure.
Going back to the false positive question ... given that insiders are people, then false positives become really dangerous because you're fingering an employee. Has the industry done enough to limit false positives when it comes to insider threats?
RIFAI: Many companies are drowning in false positives. So it goes back to a need for analytics-based remediation to help you understand patterns, properly categorize incidents, diagnose the causes of these incidents, determine the right action, and in the process prevent a lot of these false positives from occurring.
AMMON: I believe you have to separate authentication from authorization. This idea that you authenticate yourself via legacy mechanisms like VPN and then you're allowed to move about can no longer be tolerated. You should authenticate yourself and only then be provided the specific access you need. It makes it much easier to monitor. You get rid of a lot of the noise, particularly with privileged users.
And once you're containing and controlling and monitoring that access, you have to move to a level of in-line enforcement rather than post analysis. So you want to be able to enforce your policy in a more proactive way, and I think you want to provide tools that are more efficient. I know we have moved away from using the log data as the primary format to a full recording of the session. So if it looks like someone has attempted a violation you can replay exactly what they were doing on the screen and that greatly reduces the task of trying to stitch together the pieces.
Are some organizations out in front on this, doing it properly using all the latest tools?
AMMON: I was on a panel about a month ago, and one CSO gave a very thorough presentation about this issue and everything they were doing, and on the other side of the spectrum, the other CSO didn't have a clue there was even a focus in this area and technology available. So I think you've got real peaks and valleys.
RIFAI: I couldn't agree more with that. Some clients have their perimeter under control, their network under control, but they still have this deficiency understanding what's happening to their sensitive information, while others are aware and making the appropriate investments and even driving a lot of the requirements. That's not the majority right now, but it is certainly moving in that direction.
AMMON: When we get a new customer, we typically see they have been attempting to cobble together a solution made up of existing security investments. And inevitably they learn that building and maintaining that is a very expensive endeavor. And it never really satisfies the auditor because it is so distributed and never really worked in the first place. There are many security investments doing exactly what they were supposed to, but don't necessarily expand to some of these other use cases. So there is growing recognition the existing approach is probably never going to quite get you there and you need something new.
OGREN: I've seen some companies doing this, John. Like in industries such as finance, where they need to be able to monitor user behavior and report on that. A lot of that is driven by a sea change in the technology -- someone comes in with a tablet or a phone and bypasses the firewall and everything else and the old perimeter model is simply long gone.
Speaking of new technologies, how does adoption of cloud complicate this picture?
AMMON: I think there is a less than optimal understanding of how your risk plane increases with virtualization and cloud. Many buyers aren't aware of a number of the issues. For example, if you're using a virtualization platform, you now have access to every single host through the virtualization platform as well as through the front door of the application or the platform itself.
You have to protect these new access points, and you have to be able to create rules and contain and control that access. They're available via web consoles for self-service administration inside the cloud environment, and you also have management APIs where you have automated actions that have privilege. So now your privileged actors aren't just individuals, they're programs and with elastic computing, if that credential is compromised or it's not particularly well controlled, you can incur hard dollar losses. If somebody scales up 10,000 instances in Amazon by mistake, you're getting a bill. That's really elevating attention to this problem and requires that not only do you deal with it from a user perspective, but you also deal with a growing issue of application programming interfaces.
RIFAI: You can imagine a malicious insider potentially exploiting cloud-related vulnerabilities and stealing information from a cloud system, or someone who can use cloud systems to carry out an attack on an employer's local resources, etc. But it all adds up to additional access points that you didn't have before and greater opportunity for exploitation.
So are all the necessary tools to fight insider threats available now or are we still missing some pieces?
RIFAI: It's a people-centric problem and people are multidimensional, so you have to come at it with that mindset; you've got to have a multidisciplinary approach. And there are cutting edge solutions on the market today that can tell you what is normal versus unusual on a user-by-user case and do that at a really large scale. And certainly we have made progress, but it's not necessarily something that has been highly adopted by all companies out there. There are some at the forefront using these technologies, but not everybody in the market is aware.
AMMON: I divide the challenge into two different buckets. One is the insider threat as it relates to your standard user, and the other is the insider threat as it relates to privileged users. What we've found is the problem gets very big when you talk about trying to define what role a standard user has and how to limit their access within the enterprise. It is much easier to target and define the roles for privileged users because the audience is smaller.
But attacks require two steps: gaining access, which usually involves standard users, and then elevating rights. And it's that elevating rights step that's causing the vast majority of problems you're reading about right now. If there was no ability to elevate those rights then you couldn't access a service account to distribute malware. You couldn't hijack a system to start snooping a network interface.
You couldn't destroy data. So there are broad access capabilities for privileged users. It's a definable and solvable issue today with today's technology.
I think the next frontier really is, "How do you deal with the standard user?" The difficulty there is identifying the rules and the rights around each user and then deploying an enterprise system, taking into consideration legacy and evolving cloud and virtualization platforms, and enforcing that.
OGREN: So much security investment has been focused on preventing and blocking and trying to understand malware, but it's kind of a Zeno's Paradox, just taking us part way each time and we never ever get to the end. Now we're in the process of shifting to a security model that is more about user authorization and data access and data traffic. So more of, what are people doing and what are they doing with the stuff they access and where are the assets of the company going? So it's a healthy change and we're starting to get more balance back into the security model. And yes, there are technologies out there that can help companies.
OK, any closing thoughts?
OGREN: We're still kind of hung up on being able to have open discussions on security, best practices and products. We have this irrational fear that, if we disclose what our security architecture or practices and procedures look like, attackers will just come flying through our organization. In fact they do that anyway. As a community we should do better with security. The culture of silence presents a lost opportunity - an open dialog and conversations with peers can effectively advance our best practices. Because we don't talk about security as an integral part of the business, we lose that opportunity to enlighten ourselves and say, 'Hey, if we change a few things here then that can reflect on the business and everybody comes out ahead.'
AMMON: In almost all cases the identity and access groups are two separate organizations. As we move towards identity as the new perimeter because of things like mobility and cloud, we, as a vendor, are challenged with bringing those two groups together. Because all of a sudden identity gets connected back to that processing of security data and active policy enforcement, and I think some of the delay in the marketplace has been trying to bring those worlds together. It's early stages of that, but it is starting to change.
That said, we're in a bit of a rut. We've been working harder and harder on treating symptoms, maybe because there was a sense that there wasn't a way to deal with the root cause. So I would hope maybe we're seeing a way forward, a way to deal with root causes because solutions are available to dramatically reduce your risk around those root causes. I think that will have a ripple effect throughout the rest of your security controls.
OGREN: As a security officer you're probably not going to rip out stuff that's already deployed. But as you start moving more into cloud-based services and tablet use from home, as you virtualize new applications and they move around the globe, use that as an opportunity to try out some new ways to analyze traffic, to look at privileged users and insider use and management. Just start with that. You can't do a big bang. But in some of the new projects you have going you can ask, "How are you going to manage insider users? How are you going to account for them? Is there a model that will scale?" And as the company gets good at it you can bring it to the rest of the organization as well. So start putting that stuff into your requests and start dovetailing it with some of the other technology initiatives.
+ ALSO ON NETWORK WORLD The worst data breaches of 2013 +
RIFAI: I think organizations are asking for finished intelligence at this point. They just want to know what the answer is. They have already made substantial investments and they want to be able to leverage those investments in a way that's meaningful. And I think there are technologies out there, specifically in the analytics layer, that allow you to do just that. You are just simply collecting the information today, but now you can turn it into something that answers fairly complex questions and enables you to make informed decisions.
About Bay Dynamics: Bay Dynamics delivers actionable information risk intelligence to the world's largest enterprises through user-centric monitoring and analysis, as well as context-aware information protection. Its core product, Risk Fabric, federates data from information security silos and IT repositories enterprise-wide to detect and expose deviations from normal employee behaviors and systems/data interaction, and then rates employee behavior and interactions with information and computer systems against other within their department, level and across the company.
About Xceedium: Xceedium provides privileged identity and access management solutions for hybrid-cloud enterprises. Large companies and global government agencies use Xceedium products to reduce the risks that privileged users and unprotected credentials pose to systems and data. The company's Xsuite platform enables customers to implement a zero trust security model. It vaults privileged account credentials, implements role-based access control and monitors and records privileged user sessions. With unified policy management, Xsuite enables the seamless administration of security controls across systems, whether systems reside in a traditional data center, a private cloud, on a public cloud infrastructure or a combination of environments.
Read more about wide area network in Network World's Wide Area Network section.