If recent data breaches have taught us anything, it’s that no two are exactly alike. In each instance, we discover different types of data that were compromised; different attacks employed; different detection periods, response times and, of course, financial costs. The list of factors is exhaustive – and it’s exhausting for those organizations attempting to stay one step ahead of a data breach.
But when it comes to IT security, there is one factor that remains constant: the types of users responsible for the breach. Whether the incident involved stolen credit card information, healthcare records or even patented source code, the culprits can always be narrowed down to one of four basic user personas. As a result, organizations in all industries have begun to shift their IT security focus away from systems (the target of a breach) to instead concentrate on the user (the source of the breach). The last point bears repeating: Every data breach is the result of a person!
Guest article by Paul Brady, CEO of ObserveIT
As we’ll see, by understanding that all security threats result from the specific actions of specific individuals, companies can begin to demystify the question of who did what and when. With that in mind, here are the four types of users every company should be monitoring.
The Outsider Threat
Simply stated, the outsider threat is a person (or group of people) attempting to gain unauthorized access to your systems and data. Their level of access is that of a normal website visitor; nothing confidential has been shared with them intentionally. This type of user is responsible for some of the largest security breaches in history, having compromised billions of files from some of the world’s most prominent brands – including AOL, eBay and Adobe in the past year alone. They operate from all corners of the globe and employ whatever means necessary to accomplish their goals, which are usually financially motivated.
As such, the anonymous outsider is currently the most feared of all the user types. This is true from the CEO down to the rank-and-file IT security professional, the latter of whom have devoted the bulk of their efforts towards keeping outsiders, well, outside the proverbial gates. They do so through a number of commonly known tools and controls – everything from firewalls and passwords to anti-virus software and encryption keys – yet the outsiders still manage to illegally access sensitive data. How? Most often by “impersonating” one of the remaining three types of users. More on this in a moment.
The Remote Vendor Threat
Remote vendors can be classified as any contractor, offshore support team or outsourcing supplier who is granted at least some level of “privileged access” to one’s corporate network. They could be a managed service provider, a part-time accountant or a reseller partner. For the sake of this discussion, they can also be classified as working off-site. Depending on the size of your organization, you could have hundreds or thousands of remote vendors operating within your systems at any given moment, which in and of itself warrants security concern on the part of organizations.
Of course, the security threat posed by this group is not new to organizations; it’s one of the main reasons why VPNs were created. However, as we saw with the infamous Target breach of 2013 – where the credentials of remote vendors were used to illegally obtain the credit card numbers of millions of consumers – it is not yet a neutralized threat.
And with that, we come back to the outsider threat. The vast majority of remote vendors are of course trustworthy, but when their credentials are being used by outsiders, they become virtually indistinguishable. As such, they too should be monitored as part of your IT security strategy – whether they cause a breach by accident or by malice, which leads us to our next two user types.
The Malicious Insider Threat
Although comparatively infrequent, an increasing number of security incidents are now being attributed to internal employees. Like their remote vendor counterparts, almost every company employee will at some point be granted access to sensitive data – and some will invariably choose to act maliciously with their credentials. As we’ve seen, this often takes the form of leaking company emails or illegally selling company data such as healthcare records, credit card information, usernames, passwords and other sorts of files.
In non-IT industries, monitoring employee activity is the rule, not the exception. For store clerks, bankers, blackjack dealers, teachers, police and countless others, it’s all part of the job. But in the corporate world, employee monitoring is surprisingly lax. With enough sleuthing, many companies could eventually figure out which employees took what action at a specific time. But as we’ve learned, response time is arguably the most important factor when it comes to minimizing the impact of a breach. Without actively monitoring the digital activity of internal users, this type of malicious behavior could go undetected for an unnecessarily long period of time.
But should all employees be monitored because of a few bad apples? The answer, as you might have expected, is a resounding yes.
The Oblivious Insider Threat
Picture this scenario: A store clerk forgets to lock the front door when closing up shop. A criminal then enters the store after-hours, raids the cash register and makes off with thousands of dollars in stolen merchandise without picking a lock or smashing a window. In this instance, there was certainly malice involved, but it couldn’t have happened without the careless mistake on the part of the employee.
The same is true in the world of IT security, where the mistakes of honest people are exploited (back to those pesky outsiders) for illegitimate gains. As we have seen with an increasing number of data breaches, well-meaning employees are rarely responsible, but almost always play a part – whether it’s in the form of a lost or stolen company device, a weak password, or attaching highly sensitive files to a personal email.
It’s important to note that not every action of an employee need be monitored. Most companies would hardly consider their time on Facebook or YouTube worthy of review. Instead, employees should be monitored when performing certain actions (e.g. downloads, file transfers, etc.) that could jeopardize sensitive data.
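As an added illustration of the monitoring approach described above (example code, not ObserveIT’s product or the author’s own), the following Python script reviews a constructed user-activity log, ignores ordinary browsing, and flags only the sensitive actions named here, raising the review priority when the session belongs to a remote vendor persona or falls outside an assumed 08:00–18:00 weekday business window. The log format, persona labels and scoring weights are assumptions for the sake of the example.

```python
import re
from datetime import datetime

# Actions worth reviewing (downloads, file transfers); web browsing is not.
SENSITIVE_ACTIONS = {"download", "file_transfer", "usb_copy"}

# Constructed sample activity log; these are not real users or paths.
SAMPLE_LOG = """\
2014-06-02T10:05:12Z user=alice persona=employee action=web_browse target=youtube.com
2014-06-02T10:07:40Z user=alice persona=employee action=download target=/hr/benefits.pdf
2014-06-02T23:48:03Z user=acme_support persona=remote_vendor action=file_transfer target=/finance/cards.csv
2014-06-03T09:15:00Z user=bob persona=employee action=web_browse target=facebook.com
2014-06-03T09:16:21Z user=bob persona=employee action=usb_copy target=/eng/source.zip
"""

# Assumed key=value line layout for the constructed log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) persona=(?P<persona>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def off_hours(ts):
    """Assumed business window: weekdays 08:00-18:00 UTC."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)

def review_activity(log_text):
    """Return review items for sensitive actions only, scored by persona and timing."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] not in SENSITIVE_ACTIONS:
            continue  # browsing and unparsable lines are not reviewed
        score, reasons = 1, [ev["action"]]
        if ev["persona"] == "remote_vendor":
            score += 1; reasons.append("remote vendor session")
        if off_hours(ev["ts"]):
            score += 1; reasons.append("off-hours")
        alerts.append({"user": ev["user"], "target": ev["target"],
                       "score": score, "reasons": reasons})
    return alerts
```

Running `review_activity(SAMPLE_LOG)` yields three review items; the off-hours vendor file transfer scores highest while the two browsing lines are ignored.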
Each of these user personas has one thing in common: They hold the keys to the proverbial data kingdom. They may have obtained these keys legally or illegally; and they may cause a breach by accident or by design, but they have access to sensitive data – and with the exception of the outsider, they need this access. Your business processes rely on it.
In response to the growing threat of user-based attacks, the natural reaction for many businesses would be to tighten their grip on data access, but this is counterproductive. The amount of data being generated is greater than ever before, and it must be accessed by all sorts of parties if an organization wishes to remain productive and competitive. Instead, companies would be wiser to trust but verify – or in this case, trust but monitor.
For more on the topic of IT security, read the Aberdeen report Insider Threat: Three Activities to Worry About, Five Ways They’re Allowed to Happen – and What Enterprises Can Do About It
Paul Brady is CEO of ObserveIT. Mr. Brady brings more than 20 years of experience in business management and strategic development of high-growth, high-tech companies. Most recently, he served as senior vice president and general manager of Riverbed’s Performance Management Business Unit, where he grew revenue from $12M to $250M, and built an industry leading performance management business. Prior to Riverbed, which Mr. Brady joined following the acquisition of Mazu Networks where he was president and CEO, he served as president of Guardent, a network security company. Earlier in his career, he served as a senior vice president at Exodus Communications which he joined through the acquisition of Cohesive Technology Solutions where he was president. In 1992, he founded Business Technologies and served as CEO until the company merged with Cohesive, in early 1998. Mr. Brady holds a bachelor’s degree from Hofstra University and an MBA from Sloan Business School at MIT.