Gaby Friedlander, Chief Technology Officer and Co-founder of ObserveIT, discussed lessons learned from 10 years in insider threat management.
Gaby Friedlander began his thought leadership presentation at the 2016 Chief Information Security Officer Leadership Forum held on June 22 in Chicago by pointing out that the user is the major link and the greatest threat in data breaches. “In research published in 2015, Verizon found that people are responsible for 90% of security breaches,” said Friedlander. “I found information that said one out of five people will sell their password for less than a thousand dollars.” For these reasons, insider threats should be regarded as more of a concern these days than hackers.
“Very few companies have insider threat programs in place,” said Friedlander. “Most investment is going to stop outside hackers. We’re not investing in the real source of the problem,” he observed.
Insider threats aren’t isolated and rare events. “The dark web is a marketplace for recruiting insiders,” said Friedlander. “People are being recruited from outside a particular company and are given assistance to get into that company so they can do dirty work on behalf of the recruiters. Prime targets are low-level people, like call-center employees, because they have access to company information. These recruiters are willing to pay three thousand dollars to an insider,” said Friedlander.
“Ten years ago, companies were securing from the outside. They trusted any connection that went from the inside to the outside. Their focus was protecting data from hackers. In 2016, it’s a whole different story,” observed Friedlander. “Employees bring in their own applications. They care about productivity more than they care about security. They’ll go around security controls if it helps them to be productive.”
Friedlander asked, “Who are these inside threats? They’re not only employees but business partners, contractors, and everyday users. For the most part, these aren’t people with bad intentions. They’re simply negligent.”
The true bad actors are those who want to harm the company. These represent about 9% of people who are a threat to security, said Friedlander. However, most security incidents are the result of activity by what are called “second streamers.” These are individuals who want additional income. Their main purpose isn’t to harm the company but to benefit themselves. These people are involved in activities such as advising a vendor on how to win a contract. The second streamers make up about 62% of inside breaches. The third segment of people involved in security incidents, said Friedlander, are career launchers: people who are moving on and want to bring information gleaned from the company to their next job.
“Security-threat solutions today aren’t good enough because they were developed with the hacker in mind, not trusted company employees. The attack chain for a hacker is very different from that of an insider threat. There are many steps hackers have to take before they even get keyboard access,” observed Friedlander. “Privileged users already have access.”
For the most part, companies simply need to change the behavior of employees involved in security breaches, advised Friedlander. “We have to educate employees about why they need to adhere to company policy. We need to educate them in real time about policy, not just once a year. If a number of people complain that a policy doesn’t work for them, consider changing the policy to enhance compliance and therefore security.”
Friedlander summed up by saying, “Deterrence and education about policy go a long way to enhancing security, especially in instances where detection may not be possible or timely. If people know they’re being watched when they get into sensitive systems, they’re less likely to engage in that behavior.”