A recent study by Juniper Research suggests that, with such rapid digitization of consumers’ lives and enterprise records, the cost of data breaches is expected to reach $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015. Nearly 60% of anticipated data breaches worldwide in 2015 will occur in North America, but this proportion will decrease over time as other countries adopt digital technologies. New environments and trends such as cloud, mobile, social, and IoT open new vulnerabilities for the enterprise, and they require new technology, including analytics, to make them more secure.
Based on usage data from 23 million users, Skyhigh’s latest Cloud Adoption and Risk Report found that 89.6% of enterprises experience at least one insider threat each month, such as a disgruntled employee taking sales contacts when leaving to join a competitor. Organizations experience 9.3 such threats each month, on average. While many organizations worry about the security of their data in the event their cloud provider is breached in a cyber attack, insider threats are a growing concern as user activity in cloud applications can be a blind spot for IT security.
A rogue user with admin privileges can cause widespread damage within a few seconds. The story of Edward Snowden, a former CIA employee who leaked classified information from the United States National Security Agency, is widely known. However, most insider threats are less visible than an employee leaking sensitive documents to the media. They can occur when a malicious user attempts to steal corporate data when leaving the company, or accesses sensitive documents in order to commit insider trading. Well-intentioned users can also, through negligence, expose the organization to risk, for instance when they upload files to an unapproved but convenient cloud app.
Another common threat to corporate data is third-party account compromise, considering that 92% of companies have compromised cloud credentials for sale on the Darknet and the average company experiences 5.1 incidents each month in which an unauthorized third party gains access to corporate data in the cloud using a stolen or guessed password. In the case of the Sony security breach, cyber criminals stole the credentials of system administrators and orchestrated a high-profile data breach. And sadly, before Sony’s IT could pull the plug, the malware had spread across machines, buildings and continents, wiping out half of Sony’s global network.
The Sony attackers erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make matters worse, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data in seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead. Hence the opportunity to gain free access to key information repositories, or to deploy malware, is truly spine-chilling, and, not surprisingly, the 2015 DBIR reports that 55% of insider misuse is due to privilege abuse.
The effect of insider threats and the continuing legacy of targeted breaches at Home Depot, JP Morgan, Target, Vodafone, Sony, and many others mean that fixing the problem has moved beyond the sole responsibility of IT. While the ramifications at Target continue to this day, investigations at Home Depot into its more recent payment systems breach are ongoing. The impact on brand and reputation, and the associated legal ramifications, for all of these high-profile organizations are likely to be so damaging that senior management and board-level executives will be obliged to take responsibility. While in the case of Sony the company reached a settlement with employees whose personal information was stolen, the fallout from the Target breach led to the company’s CIO and CEO resigning.
A foolproof way to recognize insider threats is to study user behavior. Behavior is not something that can be easily stolen. Stealing someone’s login credentials does not reveal the nature and frequency of how the victim typically uses a cloud service. Hence, if one profiles the typical usage patterns of a user, an identity thief or masquerader has a relatively low probability of misusing the stolen account in a manner consistent with the victim’s behavior, and therefore of going unnoticed. Threats and anomalous use of cloud services can thus be detected both from the perspective of a compromised account and from that of an insider.
It may not be enough to infer a malicious act merely from the fact that a user has issued an abnormal command sequence, unless that sequence could violate a security policy. For example, modeling a user’s search behavior may be one way of capturing a user’s intent to seek information for malicious purposes, something that a masquerader, and possibly a traitor, is likely to do early in their attack behavior. Too much searching, or searching in abnormal directories or locations, seems more than odd; it may be sinister in intent. It is this driving theme that Skyhigh’s Threat Protection solution leverages when flagging anomalies or policy violations.
Skyhigh’s Threat Protection solution offers a centralized dashboard to manage all cloud-related threats. Skyhigh captures a comprehensive record of all user and administrator activity within cloud services. Activity-based data, coupled with usage patterns across cloud services, renders an accurate and continuously updated representation of user behavior. Dynamic higher-order analysis is then performed to identify the bounds of what should be regarded as acceptable usage of a cloud service.
As a result, Skyhigh’s user-specific models capture normality as a unique blend of geographic, temporal and usage patterns across different cloud services. Because Skyhigh identifies threats and anomalies as deviations from composite and normalized user behavior, the appropriate risk-mitigation actions follow directly from the deviation that was observed. For example, Skyhigh can immediately terminate account access for user accounts that exhibit insider threat behavior, or force multi-factor authentication if an account appears to be compromised. Skyhigh’s built-in threat resolution workflow enables security teams to resolve incidents within the Skyhigh console. As threats are resolved, Skyhigh automatically incorporates this information into its models of behavior to improve detection accuracy in the future.
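The profile-then-score approach described in the preceding paragraphs, reduced to code as an added example (not Skyhigh’s implementation): a per-user baseline is built from constructed cloud activity events and a new day of activity is scored on the geographic, temporal and usage dimensions the text names. The event format, sample data and the z-score threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline for user "alice": ten working days of ordinary activity
# (sample data made up for this example, not Skyhigh telemetry).
# Event tuple: (user, day, hour_utc, country, action)
BASELINE = []
for day in range(1, 11):
    for hour in (9, 11, 14, 16):
        BASELINE.append(("alice", day, hour, "US", "view"))
    for hour in ([10] if day % 2 else [10, 15]):  # 1-2 downloads per day
        BASELINE.append(("alice", day, hour, "US", "download"))


def build_profile(events):
    """Per-user baseline: hours and countries seen (temporal and geographic
    dimensions) plus mean/std of downloads per day (usage dimension)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    profiles = {}
    for user, evs in by_user.items():
        per_day = defaultdict(Counter)
        for _, day, _, _, action in evs:
            per_day[day][action] += 1
        daily_downloads = [c["download"] for c in per_day.values()]
        profiles[user] = {
            "hours": {ev[2] for ev in evs},
            "countries": {ev[3] for ev in evs},
            "download_mean": mean(daily_downloads),
            "download_std": pstdev(daily_downloads),
        }
    return profiles


def score_day(profile, events, max_z=3.0):
    """Compare one day of a user's events with their profile and return the
    reasons it deviates (empty list when the day looks normal)."""
    reasons = []
    new_countries = {ev[3] for ev in events} - profile["countries"]
    if new_countries:
        reasons.append("new_country:" + ",".join(sorted(new_countries)))
    odd_hours = {ev[2] for ev in events} - profile["hours"]
    if odd_hours:
        reasons.append("unusual_hours:" + ",".join(map(str, sorted(odd_hours))))
    downloads = sum(1 for ev in events if ev[4] == "download")
    # Floor the spread at one event so a perfectly flat baseline still scores.
    std = max(profile["download_std"], 1.0)
    z = (downloads - profile["download_mean"]) / std
    if z > max_z:
        reasons.append(f"download_spike:z={z:.1f}")
    return reasons
```

A real deployment would build the baseline from weeks of activity across many services and add dimensions such as search volume and device; the reasons returned here are what a console would surface and, per the text, what drives the response (for example, forcing multi-factor authentication on a new-country login).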