2015 was a watershed year for cybercrime, and what startled many observers was that a large number of the publicly disclosed breaches included an element of insider threat. If we take a closer look at insider threat using Vormetric’s Insider Threat Report for 2015, as shown below, 55% of survey respondents believe that the biggest internal threat to corporate data is privileged users, or users who have had open access for far too long.
FIGURE 1: Global position for Insiders who pose the largest risk to an organization. Source: Vormetric Insider Threat report 2015
Real-world privileged user threat stories
Between June 2011 and December 2014, a former Wall Street financial adviser conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded information on about 730,000 of those clients to a server at his home in New Jersey, according to court records. In January 2015, after his firm found that data on about 900 of its clients had briefly been posted online, he was fired.
Although the financial services firm maintains that none of its clients have been impacted by fraud or have lost money because of the breach, court records indicate that a computer forensics investigation into the data theft confirmed that the financial adviser’s home network and server had been hacked in October 2014. Such exposure of sensitive customer data will most definitely have long-lasting effects since as rightly stated by Chris Pierson, chief security officer at Viewpost, “Technology and controls can do little when internal moral compasses go awry.”
A cavalcade of such high-profile cyber-crimes has most definitely resulted in increased awareness, yet not all enterprises have deployed privileged access/identity management. The 2015 breach at Anthem, Inc., a healthcare powerhouse with over $2.6 billion in revenue last year, has been classified as one of the largest breaches ever of customer information. By compromising a single privileged account, hackers were able to introduce a security breach that affected 80 million customers. With privileged access, the hackers could breach personal data, complete unauthorized transactions, cause denial-of-service (DoS) attacks, alter audit trails, etc.
Privileged user threat now under the microscope
Senior management now understand the damage that a rogue user with admin rights can do, and they are also aware that if such a rogue user is not contained, damage to the business can be pervasive.
Breaches result in significant damage to the enterprise’s reputation apart from the exfiltration of data. Kaspersky Labs reports that for 57% of businesses attacked, significant additional costs had to be paid. Depending on the extent of the data breach, this could also end up being a huge step backwards in terms of maintaining a functioning business unit, since most practices and processes are compromised and would need to be re-evaluated and improved upon. 60% of businesses that suffered a data breach found their ability to function afterwards severely reduced. Thus, it’s not surprising that in 2015, downtime following a breach cost enterprises an average of $1.4m.
Rethinking privileged user threat detection
It’s time to take a stance and recalibrate the way enterprises think about their security intelligence. A first step to contain rogue users is to identify users who have excessive administration rights, often granted for past requirements that no longer apply. There are also many instances where system administrators are simply not aware of ways to provide the required rights without opening up complete administrative privileges.
The second step, as mentioned in my previous blog, is to study user behavior, or, specific to this case, a system administrator’s behavior. Behavior is not something that can be easily stolen. Stealing someone’s login credentials does not reveal the nature and frequency of how the victim typically uses a cloud service. Hence, if one profiles the typical usage patterns of a system admin, an identity thief or masquerader has a relatively low probability of misusing the stolen credentials in a manner consistent with the victim’s behavior, and so the misuse is unlikely to go unnoticed.
Stealing behavioral patterns harder than stealing credentials
Threats and anomalous use of cloud services can thus be detected both from the perspective of a compromised account and of an insider. For example, modeling an admin’s search behavior may be one way of capturing his intent to seek information for malicious purposes, something that a masquerader, and possibly a traitor, is likely to do early in their attack. Similarly, unnecessary access to certain HR systems by an organization’s IT personnel can easily raise a red flag if alerted on at the right time. It is this driving theme that Skyhigh’s Threat Protection solution leverages when flagging excessive administration.
Skyhigh’s Threat Protection solution offers a centralized dashboard to manage all cloud related threats. Skyhigh captures a comprehensive record of all user and administrator activity within cloud services. Activity-based data coupled with usage patterns across cloud services render an accurate and continuously updated representation of user or system administrator’s behavior. Dynamic higher-order analysis is then performed to identify the bounds of what should be regarded as acceptable usage of a cloud service. As a result, Skyhigh’s user specific models capture normality as a unique blend of geographic, temporal, and usage patterns across different cloud services.
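To make the behavioral profiling described above concrete, here is an added illustration (my own example, not Skyhigh’s code or algorithm) that builds a per-admin baseline of countries, active hours, services and daily search volume from constructed cloud audit events, then flags new events that deviate from it: an off-hours login from a new country, an IT admin’s first access to an HR system, and a burst of searches well above the admin’s usual daily volume.

```python
from collections import Counter, defaultdict
from datetime import datetime

BASELINE = [  # constructed audit events, not real data: (user, timestamp, country, service, action)
    ("admin1", "2015-03-02T09:15", "US", "CRM", "search"),
    ("admin1", "2015-03-02T10:40", "US", "CRM", "search"),
    ("admin1", "2015-03-03T11:05", "US", "CRM", "search"),
]
NEW = [
    ("admin1", "2015-03-10T02:10", "NL", "CRM", "search"),  # unusual hour and country
    ("admin1", "2015-03-10T10:05", "US", "HR", "read"),     # service never touched before
] + [("admin1", f"2015-03-11T10:{m:02d}", "US", "CRM", "search") for m in range(7)]

def build_profile(events):
    """Per-user baseline: countries, observed hours, services and searches per day."""
    prof = defaultdict(lambda: {"countries": set(), "hours": [], "services": set(),
                                "searches": Counter()})
    for user, ts, country, service, action in events:
        t, p = datetime.fromisoformat(ts), prof[user]
        p["countries"].add(country)
        p["hours"].append(t.hour)
        p["services"].add(service)
        if action == "search":
            p["searches"][t.date()] += 1
    return prof

def score(profile, events, search_factor=3):
    """Return [(event, reasons)] for events that deviate from the user's baseline."""
    alerts, searches_today = [], Counter()
    for ev in events:
        user, ts, country, service, action = ev
        p = profile.get(user)
        if p is None:  # never-seen account: nothing to compare against, so surface it
            alerts.append((ev, ["no baseline for user"]))
            continue
        t, reasons = datetime.fromisoformat(ts), []
        if country not in p["countries"]:
            reasons.append(f"new country {country}")
        if not min(p["hours"]) <= t.hour <= max(p["hours"]):
            reasons.append(f"outside usual hours ({t.hour:02d}h)")
        if service not in p["services"]:
            reasons.append(f"first access to {service}")
        if action == "search":  # volume check: more than search_factor x the busiest baseline day
            searches_today[(user, t.date())] += 1
            limit = search_factor * max(p["searches"].values(), default=0)
            if searches_today[(user, t.date())] > limit:
                reasons.append(f"search volume above {limit}/day")
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

Running `score(build_profile(BASELINE), NEW)` yields three alerts: the night-time Dutch login, the HR access, and the seventh search of the day, which exceeds three times the baseline maximum of two searches per day.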
As Skyhigh identifies threats and anomalies as deviations from composite, normalized user behavior, risk-mitigation actions are self-evident and become straightforward. Skyhigh’s built-in threat resolution workflow enables security teams to resolve incidents within the Skyhigh console. As threats are resolved, Skyhigh automatically incorporates this information into its models of behavior to improve detection accuracy in the future. Using these techniques, IT Security can get a leg up on protecting against what may be their biggest vulnerability: privileged user threats.