Insider Threats and Ransomware: What are they and how do I protect myself from them?
July 5, 2017 | Deepak Balakrishna
Enterprise IT security is a huge market. The amount of money spent by enterprises to protect themselves from digital threats is the size of some small nation economies – and the market’s not slowing down anytime soon.
Gartner estimates that worldwide information security spending was a $81.6 billion business in 2016, an increase of 7.9% over 2015.
Over the past few decades, a large proportion of that budget has been spent on perimeter defenses – like firewalls, IDS/IPS, VPNs, etc – to prevent unauthorized access and external attackers from getting into the network.
However, there is now a growing realization that the real threat to enterprises is already inside.
“Assume you are already hacked” is the new mantra.
With this insight, security budgets are changing to address these “insider threats”. According to Gartner, “the shift to detection and response approaches … will drive a majority of security market growth over the next five years”. These new approaches will be focused on addressing insider threats and ransomware.
But what exactly are “insider threats” and how does that relate to ransomware?
What are “Insider Threats”?
At a high level, insider threats refer to malicious, careless or compromised employees, contractors and consultants already within your network.
A malicious insider is one who knowingly decides to spite their employer (like the IT admin in San Francisco who locked his employer out of all accounts) or copies a lot of documents before decamping to a competitor (Uber/Waymo is a case in point).
A non-malicious or careless insider threat is one who inadvertently causes a large mishap – like accidentally revealing thousands of sensitive documents, or losing a USB key containing sensitive salary information in a Starbucks.
The most pernicious insider threat comes from a compromised insider: a user whose credentials are stolen by an external attacker. For example, if the insider falls prey to a spear-phishing attack, malware is installed on the victim’s machine without their knowledge, takes on the guise of the insider, and corrupts or steals data and/or affects other users and machines.
This is how ransomware like WannaCry, CryptoLocker, etc. typically affects companies. Even more dangerous than ransomware is malware that hides undetected, stealing information for weeks, months or even years. Unlike ransomware, it doesn’t announce itself.
In all these cases, what an enterprise needs is the ability to know at all times:
- where their sensitive data is,
- who has access to it and who has been accessing it, and
- when it is under potential threat, by detecting and alerting on such threats.
Insider Threats Solutions Landscape
A Google search for “insider threats solutions” yields many different products purporting to help enterprises with the insider threat problem. Most of them are DLP, IAM, UEBA or SIEM solutions.
1. Data Loss Prevention (DLP)
DLP solutions are focused on classifying your data to report on what data is sensitive, protect it on the network if someone tries to exfiltrate it (by emailing it to their personal email, for example) and protecting the endpoint (for example, by locking down USB ports).
DLP solutions claim to solve insider threats by classifying sensitive data and not allowing the data to be exfiltrated either on the network or by an endpoint.
However, DLP solutions are rules-based and have no context on who in the organization is allowed to access a resource and who has been accessing it.
In addition, they cannot baseline users and resources and detect deviations from that baseline, which is what would catch malware and ransomware. If John is a model employee one day but acts maliciously the next, DLP solutions cannot detect it. These are necessary attributes of any data security solution that truly needs to protect the data.
2. Identity and Access Management (IAM)
IAM solutions control access rights for users to a set of applications.
For example, when a user joins the sales organization, he or she is given access to the set of apps (Salesforce, Concur, etc.) that a salesperson needs to do the job. This authorization is only revoked if they change roles or leave the company.
By being the central arbiter of access to enterprise applications, IAM solutions claim to solve insider threats by granting access only when and to whom it is needed.
But IAM solutions typically have a set of problems when it comes to unstructured data – the critical documents, spreadsheets, etc – lying around on file shares in your company and increasingly in the cloud as well. Access to these files and folders is controlled at the OS level with NTFS/Share permissions and with AD users and groups.
In this case, IAM solutions have no “application” to control entitlements to; they do not classify documents to determine whether they are sensitive, nor do they detect privileged users who have been compromised or turned malicious.
Once again, IAM does not truly protect enterprises from insider threats.
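The permissions gap described above, as an added example rather than Adya's own code: starting from constructed AD-style group memberships, share ACL entries and a list of paths a classifier marked sensitive (all assumed, not from any real environment), it resolves nested groups to effective users and reports sensitive files exposed to broad principals or to more people than a threshold allows.

```python
# Constructed inputs (no real environment): AD-style groups, share ACL
# entries and a classification result marking which paths are sensitive.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "Finance-Admins": {"Finance", "erin"},   # nested group plus one user
}
ACLS = {  # path -> {principal: rights}
    r"\\fs01\finance\payroll.xlsx": {"Finance": "RW", "Domain Users": "R"},
    r"\\fs01\finance\budget.xlsx": {"Finance-Admins": "RW"},
    r"\\fs01\public\menu.docx": {"Everyone": "R"},
}
SENSITIVE = {r"\\fs01\finance\payroll.xlsx", r"\\fs01\finance\budget.xlsx"}

def expand(principal, groups, seen=None):
    """Users behind a principal, resolving nested groups transitively."""
    seen = set() if seen is None else seen
    if principal in seen:          # guards against circular membership
        return set()
    seen.add(principal)
    if principal not in groups:    # not a group, so it is a user
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def effective_access(path, acls, groups):
    """{user: rights} for one path, unioning rights from every matching entry."""
    access = {}
    for principal, rights in acls.get(path, {}).items():
        for user in expand(principal, groups):
            access[user] = "".join(sorted(set(access.get(user, "") + rights)))
    return access

def overexposed(sensitive, acls, groups, max_users=3):
    """Sensitive paths granted to a broad principal or to more than max_users people."""
    findings = []
    for path in sorted(sensitive):
        broad = sorted(BROAD_PRINCIPALS & set(acls.get(path, {})))
        users = effective_access(path, acls, groups)
        if broad or len(users) > max_users:
            findings.append((path, broad, sorted(users)))
    return findings
```

On the constructed data the payroll sheet is flagged because "Domain Users" can read it, while the budget sheet, reachable only through the nested admin group, stays within the threshold.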
3. User and Entity Behavior Analytics (UEBA)
UEBA solutions aggregate user information from multiple sources, create baselines of normal activity and look for anomalies from that baseline.
This helps them detect malicious activity that goes against the norm – like a user accessing an unusually large amount of data or stale data, or ransomware activity.
In the case of unstructured data, native auditing needs to be switched on at the file servers for most UEBA solutions to obtain the data access events, which adds an undue burden on the file servers. UEBA solutions also play no role in data classification, nor do they set and monitor access privileges.
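The baseline-and-deviation check that the DLP section says is missing and that UEBA tools perform, as an added example rather than code from Adya or any UEBA product: it parses constructed file-server audit lines (assumed format, no real data), builds each user's per-day activity baseline, and flags both a volume spike against that baseline and a burst of files rewritten to a single new extension, the pattern file-encrypting ransomware leaves in access logs.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log (no real server): "<date> <user> <action> <path>".
# Days 01-05 are routine activity; on day 06 the "bob" account rewrites many
# files to one new extension, the footprint file-encrypting ransomware leaves.
SAMPLE_LOG = "\n".join(
    [f"2017-06-0{d} alice READ \\\\fs01\\finance\\report{d}.xlsx" for d in range(1, 6)]
    + [f"2017-06-0{d} bob READ \\\\fs01\\hr\\salary{d}.docx" for d in range(1, 6)]
    + [f"2017-06-0{d} bob WRITE \\\\fs01\\hr\\notes{d}.docx" for d in range(1, 6)]
    + [f"2017-06-06 bob RENAME \\\\fs01\\hr\\file{i}.docx.locked" for i in range(40)]
)

def parse_log(text):
    """Split each line into (date, user, action, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            events.append(tuple(parts))
    return events

def daily_counts(events):  # -> {user: {date: count}}
    counts = defaultdict(lambda: defaultdict(int))
    for date, user, _action, _path in events:
        counts[user][date] += 1
    return counts

def volume_anomalies(events, z=3.0, floor=5):
    """Flag (user, date, count) when a day exceeds the user's own baseline (mean of
    earlier days) by z standard deviations, or by `floor` events if variance is 0."""
    flagged = []
    for user, per_day in daily_counts(events).items():
        history = []                      # counts from earlier days only
        for date in sorted(per_day):
            count = per_day[date]
            if len(history) >= 2 and count > mean(history) + max(z * pstdev(history), floor):
                flagged.append((user, date, count))
            history.append(count)
    return flagged

def extension_bursts(events, threshold=20):
    """Flag (user, date, extension, count) when one account writes or renames
    at least `threshold` files to the same extension in one day."""
    seen = defaultdict(int)
    for date, user, action, path in events:
        if action in ("WRITE", "RENAME"):
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            seen[(user, date, ext)] += 1
    return sorted((u, d, e, n) for (u, d, e), n in seen.items() if n >= threshold)
```

Both detectors fire on bob's sixth day and stay silent on the routine days, which is the distinction a rules-only DLP policy cannot draw.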
So which solution do you need?
Believe it or not, a little bit of each!
You need a solution to classify your data to understand what is sensitive, set the right access controls around it so that only people who absolutely need access have it, and alert in case of threats to it.
As seen above, this means tying together multiple products in some way to achieve your end goal.
In fact, I met with a CISO of a relatively large financial firm with over 5000 employees and he was doing exactly that. He had a DLP solution to classify his data, an IAM solution to set the right controls, a UEBA solution for detecting threats and a SIEM solution to collate the outputs of the other tools to analyze them. And he had a team of people to care for and feed this customized solution.
So large enterprises with the time, the money, the budget and the expertise to do so can roll their own like the CISO mentioned above.
But what about others? What about the SMEs who need similar solutions but don’t have the time, the money, the budget nor the security expertise to do this? Can’t security solutions be simpler? We believe they can be.
Data Security and Adya
At Adya, we believe that security of your unstructured data starts with focusing on the data itself (but of course …). The relevant set of use cases from DLP, IAM and UEBA solutions is needed, while still addressing the need to protect data from insider threats and from ransomware.
Adya is a mid-market focused SaaS data security platform that helps enterprises:
- Detect where sensitive data is – whether on-premises (for example, Windows File Servers) or in the cloud (for example, Google Drive)
- Reduce overexposure by setting the right access controls so the right people have access to the right data
- Detect and alert in case of malicious behavior or ransomware
We aim to make it very simple and affordable for companies to get the data visibility and protection that they need. For more information, go to https://www.adya.io/
Insider threats and ransomware are in the news constantly. Companies are asking themselves if they have the adequate protections in place for these new age threats. Existing solutions are point products, expensive, complex and cater to large enterprises. We believe security products should be simpler and more affordable. To see how, sign up for a free trial at https://www.adya.io/