
Insider Threat: Does It Matter Now? And How Much?

By Anton Chuvakin | May 06, 2014 | 13 Comments


While everybody is reading the DBIR 2014, I wanted to re-read it with a particular lens – that on the insider threat. Specifically, I read it while pondering this question: do we [security community, industry, etc] pay too little or too much attention to insider threats [and since nothing is ever “just right” in infosec, this was not considered an option]? And how much attention should we pay?

Just like everybody else, I’ve written and presented on the topic of insiders in the past. Despite 20, 30, or even 50 (if not 5000?) years of discussions, insider threat mysteries keep fascinating people…

In essence, I see a few extreme views on this subject now in 2014:

  • There are people who still blindly repeat that unsourced myth that 80% of attacks [variant: of loss amount] originate from insider threat – but does it mean that those same people spent 80% of their security budgets on primarily insider-focused [or at least: proven to work well vs insiders] controls?
  • There are folks who are so focused on malware and …ahem… what they call “APT” that they forgot malicious insiders ever existed, “Snowden or no-den.”
  • Finally, there is a compromise view that goes like this: since attackers can “get inside” without breaking a sweat and then take over local user accounts, the distinction between inside and outside threats is no longer useful. They are all inside – and they all have access (like that HVAC contractor).

But back to facts! The 2014 DBIR states that in 2011-2013 insiders were involved in 8% of data breaches [that’d be 8%, not 80%]. The scope here is data breaches, not all incidents – the insider percentage is higher across all incident types (18%, in fact – still not 80%). The DBIR team has access to many sources of incident/breach data, some of which seem to skew in favor of insiders (like USSS) and some in the opposite direction…


This presumably means that insider threat is not a big deal, and low spending / attention are fully justified. But is that really true? After all, DBIR does not compute the monetary loss amounts… At the same time, some people have hypothesized that the Snowden / #NSAgate affair of 2013 will cause a dramatic increase of attention on insiders. At this point it is safe to say that this has not happened.

So, let’s have a useful discussion here:

  • How much does the insider threat matter today compared to all the other issues we face [yes, I know it depends on the industry and the company]?
  • Do we pay as much attention to it as it deserves? More? Less?
  • How much attention should we pay?

P.S. Please don’t give me the answer “it depends on your risks” – thanks, I know it does. I still think this discussion is useful overall.

P.P.S. This is a blog post, after all, so hopefully my readers will forgive me some gross oversimplifications here 🙂

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Jeff Nathan says:

    So long as people can connect their corporate laptops to other networks and bring outside threats inside, “insider threats” ought to be taken much more seriously.

  • @jeff Exactly – that is true too. Benign but negligent insiders bring nasty outsiders in!

  • Yes insiders matter! Metrics can be very misleading. Although a huge fan of DBIR, we must also consider insider activities are some of the most difficult to identify and quantify loss. A single trusted insider can gut an organization of sensitive data, empty coffers, destroy trust of partners and customers, and undermine the foundations of continued operations. We have seen such activities across businesses and governments. The key missing metric is the ‘loss’. If/when we can get our minds around that aspect, then we can have a better discussion.

  • @Matt Thanks for the comment. Of course, massive underreporting of insider incidents is expected. And of course they *should* matter due to their sheer ability to incur massive loss.

    However, do many orgs apart from the most enlightened ones (such as your employer…) actually pay enough attention to it?

  • Grant Babb says:

    It has been a little while since I was on the “inside” of some of these statistics, but both Insider threat and APT attacks share the commonality that the indicators are often hiding in traffic that has been deemed through risk assessment to be low-risk. I think that statistics aside, some of the risk management that has underpinned IT decision making needs a fresh look. In all my experience with Insider Threat, I haven’t heard anyone that has experienced a loss call it an acceptable one.

    Great post, though! I promise I was writing up my research on this before I read it!

  • Thanks for your nice blog posts Anton.

    Without having extensive insight into statistics, I don’t think that Insider threats should be a major concern. They certainly have potential for the greatest damage as Matthew pointed out, but I suspect that most companies should focus on the usual, more common threats.

    Having said that, I do think that there is a blurry line like you hinted at. With mediums like LinkedIn proliferating, performing targeted attacks at individuals is becoming quite easy (anybody with access to Twitter, LinkedIn & Facebook can learn just about anything about most individuals and get them to open an email or interact), and at that point any employee can become a liability.

    Physical security is often overlooked as well, and the story of the janitor in Vienna installing a wireless AP is something that can probably still happen in most corporate networks.

    So at the end of the day, you’ll probably need to look at security from a variety of angles, with a variety of tools & policies, to make sure you detect anomalies like APTs, curious or “compromised” employees etc.

  • @Grant

    >both Insider threat and APT attacks share the commonality that the
    >indicators are often hiding in traffic that has been deemed through
    >risk assessment to be low-risk.

    Thanks for this excellent point. Also, malicious insider and outsider-exploited benign insiders would in fact look even more similar in this regard.

    >acceptable loss

    Hmmm…. indeed, just because they don’t report it publicly or to LEO does not mean they accept it. Still…. $$$ spend on primarily outside focused controls seem to be >>> of that for insider focused ones.

  • Anton,
    Interesting discussion around the Insider Threat.  DBIR 2014 was a big topic at InfoSec Europe in London earlier this month (May).  Yes, statistics can be misused, but just one single insider can do grievous harm.  Macro statistics don’t help much if you are a victimized company. 

    Snowden went public almost immediately.  Many insiders operate undetected over the long term.  At DuPont, two 30+ year employees conspired over many years to steal technology to manufacture titanium dioxide; they were convicted in March of trade secret theft.

    We make risk-based decisions every day — deciding, say, to jaywalk, invade Crimea or emulate Breaking Bad.  Organizations need security measures commensurate with their own risk tolerance.  Insider threat detection should form part of a multi-factor approach to security and should ideally involve parts of the organization, like HR, that are outside the traditional corporate security practice.

    Inflexible policies and rules will not work.  Key to stopping the insider threat is understanding visible precursor behaviors, both on and off the network, before insiders can act and sink a company’s reputation or worse. 

  • Greg, thanks for the comment.

    >Key to stopping the insider threat is understanding visible precursor

    This sounds interesting – care to provide more details on how/where to look for such things?

  • In the age of total dependency on information and media, a small number of people, even one person, can really make the difference. 16 terrorists changed the history of the world and started the “Islamic revolution” by the 9/11 attack. The number of people who died was not the issue – the media impact was.

    NSA will never look the same after Snowden. 2 HSBC workers who exposed customers’ data changed offshore banking. Again – media impact.

    Insider threat is a strategic issue which cannot be measured by statistics. Information, Cyber, Internet of things, financial transaction, media can serve as a multiple of power to the few or even one insider that can change a lot.

  • >Insider threat is a strategic issue which can not be measured by

    I think this is an excellent point – malware happens 1000x/day, while Snowden happens 1/century.

  • BTW, Shabtai, I’d love to be briefed on your SDS technology; please use to schedule

  • I filled up the forms and will be more than happy to brief you at your convenience