By Tony Pepper, CEO & co-founder, Egress
Earlier this summer, I read a fascinating story about McAfee launching a lawsuit against three former employees. The lawsuit alleged that these employees conspired to steal trade secrets on behalf of their new employer, accusing them of moving to a competitor and exfiltrating business-sensitive documents to their personal email accounts.
The scenario in the McAfee suit is a classic case of insider risk in action: privileged users accessing sensitive internal data and intentionally leaking it to personal email addresses or file-sharing sites. These edge cases are quite difficult for traditional data loss prevention (DLP) controls to mitigate, as they operate on pre-defined static rules. One major issue is that traditional DLP doesn’t take a proactive stance with the user because its simplistic alerts and reminders tend to be written off as “nagging.” This is why new proactive and intelligent machine learning-based approaches are attracting strong interest from leading firms as they modernize their email security strategies. By detecting gray areas of human risk, engaging users, and providing corrective guidance, these approaches can significantly mitigate insider problems.
The McAfee incident underscores a widespread issue continuing to face businesses in all industries. Insider threats are a major concern for IT leaders, so why hasn’t the problem been dealt with? Why do scenarios like McAfee’s remain all too common? Unfortunately, the reason the issue has been unaddressed for so long is that most solutions are not effective at analyzing email and file content, validating recipient identity, or, at a more fundamental level, understanding the difference between good behavior and bad.
Each and every leakage vector outlined in the McAfee case is detectable and preventable by systems that can learn what the normal pattern of behavior is and contrast it to potentially risky or even malicious behavior. When intelligent, pattern-based approaches are used in conjunction with powerful, user-facing DLP, it’s a potent combination. The result is a new preventative and active approach to real-time insider detection and mitigation.
And while the McAfee case is a great example of what can happen when insiders decide to intentionally leak information for personal gain, the reality is that most insider threats are not malicious at all, but accidental. Earlier this year, Verizon’s annual Data Breach Investigations Report revealed that more than 50 percent of data breaches are caused by phishing attacks or the use of stolen credentials. While privilege abuse and data mishandling of the type that affected McAfee remain prominent within the ‘misuse’ category of attacks, accidental breaches caused by employees failing to identify and avoid phishing scams and similar social engineering attacks are much more common. It’s worth remembering that the person responsible for a breach isn’t always an obvious, mustache-twirling villain. Sometimes it’s just a well-meaning employee unsure which warning signs to look out for.
Fortunately, the same pattern-based approaches that have proven effective at identifying malicious behavior are also highly capable of detecting careless behavior. In this way, the system doesn’t even need to distinguish “good” behavior from “bad” behavior: it only needs to identify behavior outside the norm. Look at it this way: how many times have you accidentally sent an email to the wrong person? Now extrapolate that number out to an entire organization. Misdirected emails happen, but the trick is to identify those emails—especially those containing sensitive information—before they can be sent.
When this strategy is taken to the next level and feedback is provided directly to end-users as well as InfoSec ops, it’s a powerful educational, awareness, and risk prevention approach. An employee who is about to do something risky can be warned automatically, avoiding the embarrassment and cost of an investigation—not to mention the fact that the business itself will avoid a costly breach.
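To make the behavior-baseline idea from the last few paragraphs concrete, here is an added example (not Egress's product code and not from the article) of a pre-send check: it learns each sender's normal recipient domains from a constructed mail history, then scores an outbound message on how far it departs from that baseline and whether it carries sensitive content, so the user can be prompted before the message leaves. The history, the list of personal/file-sharing domains, the sensitivity keywords and the threshold of 2 are all assumptions chosen for illustration.

```python
"""Pre-send check for misdirected or exfiltrating email (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of past outbound mail: (sender, recipient, subject).
HISTORY = [
    ("alice@corp.example", "bob@corp.example", "Q3 planning"),
    ("alice@corp.example", "carol@corp.example", "Standup notes"),
    ("alice@corp.example", "legal@partner.example", "MSA redlines"),
    ("alice@corp.example", "bob@corp.example", "Budget draft"),
    ("alice@corp.example", "legal@partner.example", "Signed MSA"),
]
# Assumed consumer / file-sharing domains that deserve extra scrutiny.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "dropbox.com"}
# Assumed keyword markers for sensitive content (a real system would use
# classifiers and data labels, not a regex).
SENSITIVE = re.compile(r"\b(confidential|trade secret|customer list|salary)\b", re.I)
WARN_THRESHOLD = 2  # score at which the sender is prompted before sending

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Per sender, count how often each recipient domain has been mailed."""
    base = defaultdict(Counter)
    for sender, rcpt, _subject in history:
        base[sender][domain(rcpt)] += 1
    return base

def assess(baseline, sender, recipients, subject, body, has_attachment):
    """Return (risk_score, reasons) for one outbound message."""
    seen = baseline.get(sender, Counter())  # Counter returns 0 for unknown domains
    score, reasons = 0, []
    for rcpt in recipients:
        d = domain(rcpt)
        if seen[d] == 0:  # departure from this sender's normal pattern
            score += 1
            reasons.append(f"never emailed {d} before")
        if d in PERSONAL_DOMAINS:
            score += 1
            reasons.append(f"{d} is a personal or file-sharing domain")
    if SENSITIVE.search(subject) or SENSITIVE.search(body):
        score += 1
        reasons.append("message contains sensitive content")
    if has_attachment and any(seen[domain(r)] == 0 for r in recipients):
        score += 1
        reasons.append("attachment going to a new recipient domain")
    return score, reasons

def should_warn(baseline, sender, recipients, subject, body, has_attachment):
    """True when the user should be shown the reasons and asked to confirm."""
    score, _ = assess(baseline, sender, recipients, subject, body, has_attachment)
    return score >= WARN_THRESHOLD
```

A routine internal message scores 0 and passes silently; a sensitive attachment to a never-seen personal address, or a typo'd look-alike domain carrying confidential content, crosses the threshold and triggers the prompt.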
Traditional DLP methods have focused on post-incident monitoring and remediation; however, legal recourse (as in the McAfee case) is a substantially costlier approach to insider breaches. It can also be unpleasant for businesses to deal with post-breach fallout, fines, and negative media coverage. Adopting a prevention-focused approach to insider threats can help not only stop many breaches from occurring in the first place, but bring a greater understanding of the dangers of both malicious and accidental threats to the workforce.
Co-founder of Egress, Tony currently serves as CEO, overseeing all aspects of business growth and innovation. Prior to Egress, Tony held executive management positions at Reflex Magnetics, Pointsec Mobile Technologies, and Check Point Software Technologies.
A frequent technology and industry speaker, Tony holds a Bachelor of Politics degree, a Software Engineering Master’s and is a certified BCS Fellow. Tony sits on industry committees including Intellect’s Government Management and Defence & Security Groups.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.