While everybody is reading the DBIR 2014, I wanted to re-read it with a particular lens – that of the insider threat. Specifically, I read it while pondering this question: do we [the security community, industry, etc.] pay too little or too much attention to insider threats [and since nothing is ever “just right” in infosec, “just right” was not considered an option]? And how much attention should we pay?
Just like everybody else, I’ve written and presented on the topic of insiders in the past. Despite 20, 30, or even 50 (if not 5000?) years of discussions, insider threat mysteries keep fascinating people…
In essence, I see a few extreme views on this subject now in 2014:
- There are people who still blindly repeat the unsourced myth that 80% of attacks [variant: of loss amount] originate from insiders – but does that mean those same people spend 80% of their security budgets on primarily insider-focused [or at least: proven to work well against insiders] controls?
- There are folks who are so focused on malware and …ahem… what they call “APT” that they forgot malicious insiders ever existed, “Snowden or no-den.”
- Finally, there is a compromise view that goes like this: since attackers can “get inside” without breaking a sweat and then take over local user accounts, the distinction between inside and outside threats is no longer useful. They are all inside – and they all have access (like that HVAC contractor).
But back to facts! The 2014 DBIR states that in 2011-2013 insiders were involved in 8% of data breaches [that’d be 8%, not 80%]. The scope here is data breaches, not all incidents – the insider percentage is higher across all incident types (18%, in fact – still not 80%). The DBIR team has access to many sources of incident/breach data, some of which seem to skew in favor of insiders (like the USSS) and some in the opposite direction.
This presumably means that insider threat is not a big deal, and low spending / attention are fully justified. But is that really true? After all, the DBIR does not compute monetary loss amounts… At the same time, some people have hypothesized that the Snowden / #NSAgate affair of 2013 would cause a dramatic increase in attention on insiders. At this point it is safe to say that this has not happened.
So, let’s have a useful discussion here:
- How much does insider threat matter today compared to all the other issues we face [yes, I know it depends on the industry and the company]?
- Do we pay as much attention to it as it deserves? More? Less?
- How much attention should we pay?
P.S. Please don’t give me the answer “it depends on your risks” – thanks, I know it does. I still think this discussion is useful overall.
P.P.S. This is a blog post, after all, so hopefully my readers will forgive me some gross oversimplifications here.