Recently, a smattering of news headlines seems to highlight a disturbing trend of employees spying on customer data, with more coming to light each week. From Twitter employees spying for the Saudi Arabian government to Snapchat employees abusing their access, the story basics are all the same: an employee at an organization used legitimate access in a completely inappropriate fashion. In our industry, we call this “insider threat”, and it’s a risk that every organization needs to acknowledge and deal with, rather than punting. As the old GI Joe cartoon used to say, “knowing is half the battle.”
Why Insider Threat Detection Is Important
Most organizations take a “bare minimum” or prudent approach to monitoring critical information access. After all, no organization wants to pay the high penalties that regulations dealing with personally identifiable information (PII) have, and no organization wants its intellectual property or strategies exposed.
Research continues to show, time and again, that insider threats – whether malicious or not – are a factor in a large share of data incidents. Research published by McKinsey back in 2018 found that 50% of cyber breaches incorporated some element of insider threat. Was the root cause usually malicious? No: malicious intent accounted for only 38% of root causes, while 44% of insider threats were linked to negligence or to insiders being co-opted. Most insider data breach incidents happened because people were careless or nosy.
Whether the data lives in documents on a shared drive, in an encrypted application database, or in a SaaS application, legitimate needs to access it exist and always will. A doctor needs to look at health records. An architect needs to work on the design proposal for a bid. Snapchat employees need to gather user data to respond to a legitimate law enforcement request. Accessing data is a business and job-function need.
Granting that access, however, means addressing the very real risk that people will abuse it. A doctor can look at the records of someone who isn’t his patient, such as a neighbor. An architect might take designs or bid information from a proposal he’s working on and sell it to a competing firm. As we’ve seen, a Snapchat employee can take the tools designed to gather customer data for law enforcement and use them for personal reasons.
If you’re only focusing on the outside villains, you’re missing a large piece of the risk pie.
Preventing Data Breaches Caused By Insider Threat
Although it may feel like you need a crystal ball to prevent these kinds of incidents, that’s not the case. With the right policies, procedures, and solutions, you can minimize the risks and manage the situation to keep your data safe.
Know Where Your Data Is
Even though this seems obvious, interconnected cloud ecosystems that connect with multiple applications, each of which has multiple modules, make it more difficult to know where you store information at all times. The ephemeral, dynamic nature of the cloud adds to the difficulty. Applications share information with one another rapidly and continuously. Inventorying what you have in place— whether it’s those shared files, data in applications, cloud databases, or any data stores— is the first and most critical step.
Analyze Your Risk
Of course, not all information is equally critical. If the ER doctor exposes the hospital’s marketing information, the hospital faces no real financial loss. If the ER doctor shares a celebrity’s home address or medical condition, the hospital faces fines and a potential lawsuit. To analyze risk, you want to review what data is personally identifiable information, intellectual property, or covered by a compliance requirement.
Clearly Communicate Your Policies
Data access policies should be specific, clear, and communicated regularly as part of an Information Security program. You need to define not only when and how employees should access information but also the consequences when they violate the policy. Of course, this also means you need to enforce these policies.
Automate Birthright Access
Limiting your policies to people already in your systems is only the first step. No matter what your business is, you’re going to bring on new employees or vendors. Each new user needs to have the same access entitlements as other similar users in your organization. As much as possible, you should automate birthright access and make sure that you base the entitlements upon roles and individual context.
Implement a Request/Approval Process
Once you have your policies implemented for current and new employees, you’re still not out of the woods. Employee access isn’t static, even for people who stay in the same job. Employees need a way to request access to perform new job duties. Automate this process: give employees the ability to find and request access, and ideally alert them proactively when the access they are requesting is risky or might lead to a compliance violation. An approver needs to see the risk of each access request in order to avoid granting excess access, or to put mitigating controls in place when the request is approved.
Govern Your Data Access
Once the “what” is determined and the “who” is defined, you need to enforce your data access policies. Analyze who has access to which data and whether they still need that access, then remove the access that is unnecessary.
Many companies establish policies then stumble when trying to enforce them. Using an identity and access governance solution that manages access entitlements gives you visibility into your access entitlements. An emergency room doctor only needs to access a patient record when taking care of the patient. Setting access controls that limit the ER doctor’s access and enforcing those controls is one way to prevent the data breach.
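As an added illustration of the birthright, request/approval and access-review steps above (example code written for this article, not Saviynt’s platform or any product’s API), here is a small Python model in which new joiners receive entitlements from their role and context, each request is scored against a segregation-of-duties rule and peer usage, and an access review surfaces entitlements that few peers hold. The roles, entitlements, users and SoD rule are constructed; the 50% peer threshold and the “contractors get no write access” rule are assumptions chosen for the example.

```python
"""Added example: role-based birthright access, risk-scored access requests
and peer-based access review. Not Saviynt's code; every role, user,
entitlement and rule here is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role model: role -> entitlements granted automatically at hire.
BIRTHRIGHT = {
    "er_physician": {"ehr:read_assigned_patients", "ehr:write_notes", "email"},
    "billing_clerk": {"billing:create_invoice", "email"},
    "billing_manager": {"billing:approve_invoice", "email"},
}

# Constructed segregation-of-duties rule: one identity may not hold both.
SOD_RULES = [frozenset({"billing:create_invoice", "billing:approve_invoice"})]

# Constructed directory of current users: identity -> (role, entitlements held).
DIRECTORY = {
    "dr.adams": ("er_physician",
                 {"ehr:read_assigned_patients", "ehr:write_notes", "email"}),
    "dr.baker": ("er_physician",
                 {"ehr:read_assigned_patients", "ehr:write_notes", "email",
                  "scheduling:view"}),
    "dr.chen": ("er_physician",
                {"ehr:read_assigned_patients", "ehr:write_notes", "email",
                 "scheduling:view", "ehr:research_export"}),
    "clerk.diaz": ("billing_clerk", {"billing:create_invoice", "email"}),
}


def birthright_for(role, context):
    """Entitlements a new joiner gets from role plus individual context.
    Assumed context rule: contractors never receive write entitlements."""
    ents = set(BIRTHRIGHT.get(role, set()))
    if context.get("employment") == "contractor":
        ents = {e for e in ents if ":write" not in e}
    return ents


def peer_usage(role, entitlement):
    """Share of users in the same role who already hold the entitlement."""
    peers = [held for r, held in DIRECTORY.values() if r == role]
    if not peers:
        return 0.0
    return sum(entitlement in held for held in peers) / len(peers)


@dataclass
class Decision:
    risk: str                    # "low" or "high"
    action: str                  # "auto_provision" or "route_to_approver"
    reasons: list = field(default_factory=list)


def evaluate_request(user, entitlement, peer_threshold=0.5):
    """Score a request: an SoD conflict or low peer usage makes it high risk,
    which routes it to an approver instead of auto-provisioning it."""
    role, held = DIRECTORY[user]
    reasons = []
    resulting = held | {entitlement}
    for rule in SOD_RULES:
        if rule <= resulting:            # request would complete a toxic pair
            reasons.append(f"SoD violation: {sorted(rule)}")
    share = peer_usage(role, entitlement)
    if share < peer_threshold:
        reasons.append(f"only {share:.0%} of {role} peers hold {entitlement}")
    if reasons:
        return Decision("high", "route_to_approver", reasons)
    return Decision("low", "auto_provision")


def review_candidates(user, peer_threshold=0.5):
    """Access review: entitlements held beyond birthright that few peers hold,
    i.e. the first things a reviewer should consider removing."""
    role, held = DIRECTORY[user]
    return sorted(e for e in held - BIRTHRIGHT[role]
                  if peer_usage(role, e) < peer_threshold)


if __name__ == "__main__":
    print(birthright_for("er_physician", {"employment": "contractor"}))
    print(evaluate_request("clerk.diaz", "billing:approve_invoice"))
    print(evaluate_request("dr.adams", "scheduling:view"))
    for user in DIRECTORY:
        print(user, review_candidates(user))
```

The clerk’s request for invoice approval is routed to an approver for two reasons (it completes the SoD pair and no peer holds it), while a physician asking for the scheduling view that most peers already have is provisioned automatically; the review pass singles out the one physician holding a research-export entitlement nobody else in the role has. In a real deployment the directory and peer statistics come from the IGA platform rather than a dictionary, but the decision logic is the same.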
Continuously Monitor Controls
Even when you are carefully controlling access, you can’t guarantee that people are doing what they should. A continuous control monitoring tool can help, but on its own it creates too much noise to pick out high-risk activity. You need monitoring that shows not just activity but ties each activity to a user identity, so you can judge whether it represents risk. When the ER doctor requests access to marketing data, that is not high risk. If she requests access to patient records beyond the ones she is treating, that is. Make sure your solution applies risk scoring to data access governance so that you can spend time and attention on the highest-risk requests.
…And That’s Still Not Enough
We started by looking at the recent surge in privilege misuse. Even with all of these controls, several of those data incidents were an abuse of legitimate access. In the Snapchat example, all of the users needed access to do their jobs, but then they used the legitimate access to snoop into private information. What can’t we see from all of the data access practices listed so far? Why someone would want to snoop.
Data access governance only takes you so far. You can’t see that the ER doctor is overwhelmed by debt and on the verge of bankruptcy; you can only see that she accessed information or that her access was risky. To keep an insider threat from becoming a data incident, you want to add user and entity behavior analytics (UEBA). UEBA uses machine learning and behavioral analytics to correlate user activities across different factors. You build baselines of “normal” activity, which let you surface “high-risk” deviations and detect advanced insider threats. However, UEBA alone can generate a lot of “noise” and become hard to sift through to find legitimate concerns. Pairing UEBA with your Identity Governance and Administration (IGA) solution, which supplies the identity and entitlement context, helps uncover previously undetected user threats before they turn into a data incident.
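To show the monitoring half of the argument from the two sections above (tying activity to one identity, treating a marketing read and an off-list patient read differently, and baselining “normal” volume so that a spike stands out), here is an added Python example written for this article. It is not Saviynt’s code and not a UEBA product; every account, patient assignment, log event and threshold is constructed or assumed. The account-to-identity map stands in for what the IGA layer supplies, and the treating-relationship and volume checks are the minimal behavioral analytics a practitioner would run over such a log.

```python
"""Added example: correlate access events to one identity, check patient-
record reads against treating relationships, and baseline per-identity
volume to surface outliers. Not Saviynt's or any vendor's code; all
accounts, assignments, events and thresholds are constructed or assumed."""
import statistics
from collections import defaultdict

# Constructed: application accounts that IGA correlates to a single identity.
ACCOUNT_TO_IDENTITY = {
    "epic\\hlee": "h.lee", "hlee@hospital.example": "h.lee",
    "epic\\rpatel": "r.patel", "rpatel@hospital.example": "r.patel",
}

# Constructed: patients each clinician is currently treating (the "need").
ASSIGNED_PATIENTS = {
    "h.lee": {"P100", "P101", "P102"},
    "r.patel": {"P200", "P201"},
}


def _reads(day, account, ids, rtype="patient_record"):
    """Build constructed log events: (day, account, resource_type, resource_id)."""
    return [(day, account, rtype, rid) for rid in ids]


# Constructed access log. h.lee behaves normally for four days, then on day 5
# reads nine records of patients she is not treating; r.patel reads a
# marketing document on day 3, which is not PHI. An unknown service account
# also appears on day 5.
EVENTS = (
    _reads(1, "epic\\hlee", ["P100", "P101"])
    + _reads(2, "hlee@hospital.example", ["P100", "P102"])
    + _reads(3, "epic\\hlee", ["P101", "P102", "P100"])
    + _reads(4, "epic\\hlee", ["P100", "P101"])
    + _reads(5, "epic\\hlee", ["P100"] + [f"P30{i}" for i in range(9)])
    + _reads(1, "epic\\rpatel", ["P200"])
    + _reads(2, "epic\\rpatel", ["P200", "P201"])
    + _reads(3, "rpatel@hospital.example", ["Q3-campaign"], rtype="marketing_doc")
    + _reads(4, "epic\\rpatel", ["P201"])
    + _reads(5, "epic\\rpatel", ["P200", "P201"])
    + _reads(5, "epic\\svc_backup", ["P100"])
)


def correlate(events):
    """Replace raw accounts with identities; accounts IGA cannot map are
    returned separately, because unowned access is itself a finding."""
    correlated, unknown = [], set()
    for day, account, rtype, rid in events:
        identity = ACCOUNT_TO_IDENTITY.get(account)
        if identity is None:
            unknown.add(account)
            continue
        correlated.append((day, identity, rtype, rid))
    return correlated, sorted(unknown)


def relationship_violations(correlated):
    """Patient-record reads with no treating relationship. Non-PHI resources
    such as marketing documents are skipped: low risk, as in the text."""
    return [(day, identity, rid)
            for day, identity, rtype, rid in correlated
            if rtype == "patient_record"
            and rid not in ASSIGNED_PATIENTS.get(identity, set())]


def volume_outliers(correlated, target_day, factor=3.0, min_margin=2):
    """Flag identities whose patient-record reads on target_day exceed
    mean + factor*stdev of their earlier days. min_margin stops a flat
    baseline (stdev 0) from flagging any one-record increase."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, identity, rtype, _ in correlated:
        if rtype == "patient_record":
            per_day[identity][day] += 1
    flagged = {}
    for identity, days in per_day.items():
        baseline = [n for d, n in days.items() if d < target_day]
        if len(baseline) < 2:
            continue                      # not enough history to baseline
        mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
        threshold = mean + max(factor * stdev, min_margin)
        today = days.get(target_day, 0)
        if today > threshold:
            flagged[identity] = {"today": today, "threshold": round(threshold, 2)}
    return flagged


if __name__ == "__main__":
    correlated, unknown = correlate(EVENTS)
    print("uncorrelated accounts:", unknown)
    print("relationship violations:", relationship_violations(correlated))
    print("volume outliers on day 5:", volume_outliers(correlated, target_day=5))
```

Run as written, the correlation step reports the unmapped backup service account, the relationship check returns only h.lee’s nine day-5 reads of patients she is not treating (r.patel’s marketing read produces nothing), and the volume check flags h.lee alone: ten reads against a baseline of roughly two per day. The two checks are deliberately separate, because the first needs entitlement context from governance and the second needs history from monitoring; that split is the point the section makes about combining IGA with UEBA.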
Why Saviynt? Assured Access Governance
Saviynt offers the first cloud-native IGA solution that natively connects with UEBA platforms to help you keep insider threats just that – a threat, not an incident.
Our fine-grained entitlements give you greater control over who accesses what resources. Our platform’s ability to drill down into access goes beyond high-level roles and gets into the complex nuances of your critical applications, such as transaction codes (T-codes) in SAP or templates and sub-templates in Epic.
Our intelligent analytics help predict and surface risky access requests with peer- and usage-based data. This capability allows you to create and, more importantly, enforce your data access policies. When a user requests access, our platform analyzes the request and applies a risk evaluation based on your policies. “Low risk” requests are provisioned automatically, while “high-risk” requests can be routed through a workflow that you design. By only routing high-risk requests, Saviynt’s platform reduces noise, automatically prioritizing your reviews.
Saviynt provides visibility into and across applications to prevent privacy and compliance violations, such as segregation of duties (SOD). As your organization uses more interconnected applications, you lose visibility into who accesses what information. Saviynt brings together all accounts and correlates them to create a single user identity. From here, our algorithms and intelligent analytics alert you to suspicious access in peer groups and provide access based on fine-grained entitlement policies and context to create a holistic governance program across your ecosystem.
Saviynt’s platform uses the same intelligent analytics that streamline your request/review/approval process to engage in risk simulations. If you’re changing what access a role has, you can run an impact simulation against your ecosystem to see if that change will cause SOD violations for users in that role.
If you decide to approve a risky request, such as for firefighter (emergency, break-glass) access, you can make the grant time-bound so that the risky access is removed automatically. This lets you grant the necessary access for the defined period without worrying about forgetting to remove it later.
The same analytics that streamline your request/review/approval process also make it easier to provide appropriate birthright entitlements. With Saviynt’s risk analysis, fine-grained entitlements, and intelligent analytics, you can control and monitor user access from day one without worrying about potential compliance or privacy violations.
UEBA Integration for Identity Analytics
Our ability to integrate with UEBA platforms gives you the extra intelligence you need to protect against insider threats and data incidents. Controlling access limits users to certain information within your systems, networks, and applications, but it doesn’t control what they do with that access. Combining access policies with UEBA gives you greater visibility into outlier user behaviors that may indicate data misuse.
Saviynt can help prevent insider threats from becoming data incidents. For more information contact us today or schedule a demo. Also, if you’re coming to Saviynt’s Converge ‘19, be sure to attend my panel on Insider Threat. I’d love to see you there.