[BreachExchange] Insider Security: Mission Impossible?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 28 20:05:30 EDT 2017


http://www.datacenterjournal.com/insider-security-mission-impossible/

“Your mission, Jim, should you decide to accept it, is…. As usual, should
you or any member of your I.M. Force be captured or killed, the secretary
will disavow any knowledge of your existence. This tape will self-destruct
in five seconds. Good luck, Jim.”

It may have seemed overly dramatic at the time, but those of us responsible
for protecting corporate data against outside and inside threats can well
relate to this tense opening scene from the original Mission Impossible
television series and popular movie sequels.

Our mission is less choreographed, and unfortunately, our sensitive data
doesn’t just vanish into smoke before it falls into the wrong hands.
Instead, we’re responsible and empowered to actively secure our information
assets.

We have evolved into a fast-paced, datacentric society where storage is
relatively inexpensive and data related to virtually every action is stored
and shared. We invest valuable resources and trillions of dollars to build
infrastructures and systems optimized to house our data. We construct
dashboards and reporting systems to comprehend the factors that drive our
business successes and failures, increase revenue, and boost margins and
quality. Myriad modeling products and tools provide data analytics that
guide our critical business decisions. Comprehensive supply-chain data
delivers insight into vital customer information, advancing and solidifying
our partnerships.

The momentum and magnitude of data growth are exponential and promise
tremendous opportunity. Data intended to promote core business activities
and quality-improvement programs is now reusable and extendable into new,
innovative products and applications. Deep learning, machine learning and
natural-language processing all take advantage of these large data volumes,
structured and unstructured, to deliver value and facilitate automated
analytics and processes with consistent, reliable and high-quality results.

The benefits in the proliferation of data are obvious, but so are the
inherent risks. We are accumulating data at a rapid rate, quickly outpacing
our ability to effectively govern and protect it. Consequently, the misuse
of sensitive data continues to propagate almost unchecked, crossing all
geographic and industry boundaries.

Our commitment to safeguarding our corporate resources has led to a
billion-dollar cybersecurity industry, which until recently catered mainly
to outsider threats while often ignoring the equally significant peril of
insider threats. As the dangers of insider threats are amplified by
frequent data compromises, however, corporations are now converging their
focus on both.

What Are Insider Threats and Whose Problem Are They?

As defined by the Department of Homeland Security, “An insider threat can
be defined as the potential damage to the interests of an organization by a
person or persons regarded, inaccurately, as loyally working for or on
behalf of the organization, or who inadvertently commits security breaches.”

The primary classifications of persons who pose an insider threat are the
following:

- Insiders who may maliciously, for financial, political or other reasons,
misuse assets
- Insiders who inadvertently or negligently misuse assets
- Outsiders who mimic insider credentials to access and misuse assets

Insider threats aren’t exclusively a technology problem. They cross all
boundaries of an organization and require the engagement of all colleagues
to fully grasp their diverse nature and combat them effectively. Defending
against insider threats demands the following:

- Full senior-management engagement to escalate its priority and eliminate
roadblocks
- A skilled and focused insider-security team comprising business and
technology resources to coordinate execution
- A multifaceted plan to define the tasks necessary to identify and defend
each corporate asset

Equally critical is a protocol for ongoing compliance monitoring and
periodic review of your roadmap as the organization, information needs and
insider threats evolve.

Defending Against Insider Threats

No two firms handle their data in exactly the same way, and data policies
should be tailored to accommodate each one’s cultural and business needs.
Nevertheless, taking advantage of proven approaches and products to
integrate security into your daily practices can significantly reduce your
exposure. Examples of accepted risk mitigation strategies include the
following:

- State-of-the-art infrastructure security including intrusion detection,
data-loss prevention, advanced-threat firewall and secure-email products,
many of which employ machine-learning and temporal-reasoning algorithms to
monitor for abnormal behavior
- Group policies that revoke and block access from malicious parties
- Document-rights management to validate continued access to distributed
content, internally and externally
- Corporate best practices that reveal potentially malicious insiders
before they act, including pre-hire and periodic background checks
- Training to sensitize all colleagues to insider threats and educate them
to detect and appropriately report unusual behavior, phishing emails and
potentially infected emails

These strategies still only concentrate on part of the overall picture. We
must expand beyond restricting unauthorized access to include comprehensive
management of all data access. As noted in Forrester’s “Model for
Establishing an Insider Threat Team” (July 2016), “unintentional misuses of
data make up 56% of data breaches attributed to insiders.”

A large percentage of insider threats are attributable to inadvertent
misuse of assets, facilitated by flaws in corporate control. They can range
from a person accidentally emailing a sensitive document to the wrong party
to someone innocently viewing a data source with sensitive, personal
information. Yet both stem from the same cause: access to data, authorized
or unauthorized.

Where Does Data Management Fit In?

How can we strategically restrict misuse of data and prevent the numerous
insider data breaches? Herein lies the missing puzzle piece and,
potentially, our biggest challenge: the role of data management.

Data management, as defined by the DAMA Data Management Body of Knowledge,
“is the development, execution and supervision of plans, policies, programs
and practices that control, protect, deliver and enhance the value of data
and information assets.” Tightly coupled with data management is the
“principle of least privilege,” which prescribes that access to assets be
granted on the basis of job function and be limited to the minimum
information and timeframe necessary to perform that function.

Although it’s no magic bullet, merging data management and the principle of
least privilege gives us a powerful option for data control. The
fundamental task is being aware of the existence of your data, its sources,
security classification, function, and current and preferred format. This
information provides the foundation to create impregnable barriers by
correlating job function to data at a granular level and eliminating all
other data access.

Implementing data management and access control begins with a cohesive,
robust framework, designed by a cross-team of knowledgeable business and
technology resources and customized to consider the unique nuances of your
corporate assets. Below is the roadmap to initiate the iterative journey of
securing your content:

- Inventory your data across all databases and documents. What data do you
own? What format(s) do you use to store your data? Where do you house your
data? What data do you access from external sources?
- Explore your data and gain a complete understanding of its purpose and
potential. What’s the purpose(s) of the data, by context? What’s the
meaning(s) of the data, by context?
What business functions, systems and/or job functions create, update,
delete, view or share the data? What data is exchanged with external
parties?
- Determine the correct strategic format for your data, emphasizing the
reusability, extendibility and data granularity most conducive to the
administration of security policies (e.g., XML). Is the data in a format
conducive to reconciliation and consistency validation across disparate
sources? Is it in a viable format that portrays meaning, context and data
relationship? Evaluate detail data and summary data independently, as they
are not the same, regardless of whether they originate from a common source.
- Assess the best location for your data. Is your data stored in multiple
locations? Should it be? Is the data queried live from multiple federated
sources or is it centralized and harmonized in a data lake or data hub to
reduce your dependency on the source system?
- Classify your data by relevant risk factors including personal
information, intellectual property and client-sensitive data. Be as
explicit as possible. Data may be classified as sensitive owing to its
inherent or contextual nature. Detail information may be more sensitive
than summary, and vice versa—for example, summary department salary
information versus individual salary information.
- Map your data classifications to job functions, including time span.
Assess and document all job functions. Prepare a data map correlating job
function to data attribute, including timeframe. Remember the basic
principle: access to data is a responsibility, not a privilege. Effective
training that conveys this message will encourage colleagues and third
parties to become active, vocal partners when granted access to data they
don’t need—and, therefore, don’t want.
- Stipulate and implement security and compliance best practices to
administer access to the data. Strive for simplicity. Complex access
policies are error prone and increase your risk. To streamline access
administration and minimize errors, assign job functions to data and
individuals to job functions.
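The final steps of the roadmap (classify data, map job functions to data attributes with a timeframe, assign individuals to job functions rather than to data) can be expressed as a small default-deny access check. The following is an added illustration, not code from the article; every attribute, job function, person and date in it is constructed sample data.

```python
"""Least-privilege check: individuals -> job functions -> data attributes (with timeframe)."""
from dataclasses import dataclass
from datetime import date

# Step "classify your data": attribute -> classification (constructed inventory)
DATA_CLASSIFICATION = {
    "dept_salary_summary": "internal",
    "employee_salary": "personal",
    "client_contract": "client-sensitive",
    "product_roadmap": "intellectual-property",
}

@dataclass(frozen=True)
class Grant:
    attribute: str
    actions: frozenset      # e.g. {"view", "update"}
    valid_from: date        # the article's "timeframe" is part of the mapping
    valid_to: date

# Step "map your data classifications to job functions" (constructed data map)
JOB_FUNCTION_GRANTS = {
    "payroll-analyst": [Grant("employee_salary", frozenset({"view", "update"}),
                              date(2017, 1, 1), date(2017, 12, 31))],
    "department-manager": [Grant("dept_salary_summary", frozenset({"view"}),
                                 date(2017, 1, 1), date(2099, 12, 31))],
    "account-manager": [Grant("client_contract", frozenset({"view", "share"}),
                              date(2017, 1, 1), date(2017, 12, 31))],
}

# Individuals are assigned to job functions, never directly to data attributes
ASSIGNMENTS = {
    "alice": {"payroll-analyst"},
    "bob": {"department-manager"},
    "carol": {"account-manager", "department-manager"},
}

def check_access(person, attribute, action, on):
    """Return (allowed, reason). Anything not covered by the data map is denied."""
    if attribute not in DATA_CLASSIFICATION:
        return False, "unknown attribute: not in the data inventory"
    for func in ASSIGNMENTS.get(person, ()):
        for g in JOB_FUNCTION_GRANTS.get(func, ()):
            if g.attribute == attribute and action in g.actions:
                if g.valid_from <= on <= g.valid_to:
                    return True, f"granted via job function {func!r}"
                return False, f"grant via {func!r} is outside its timeframe"
    cls = DATA_CLASSIFICATION[attribute]
    return False, f"no job function of {person!r} covers {action!r} on {attribute!r} ({cls})"
```

Note that the department manager can view the salary summary but not individual salaries, matching the article's detail-versus-summary example, and that an expired grant is refused even though the job function still exists.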

Battling insider threats is an expanding corporate priority that must
encompass all aspects of an organization to be successful. Understanding,
classifying and administering your information resources are critical ways
to guard this valuable asset. Given the potential cost of getting it wrong,
don’t embark on this road alone. Engage experts familiar with data
management and insider security to guide you as you achieve effective data
management and strategically secure your data.

Challenging? Definitely. Mission Impossible? Definitely not.