Salted Hash is in Louisville, Kentucky for DerbyCon 5.0. All weekend long, in-between talks and training, this blog will be updated with various items of note from the show or thoughts from those attending.
Today's starter topic is insider threats.
This topic isn't new, but it hasn't really gone away either. A friend shared some data from a company called Bay Dynamics. They do predictive analytics, so insider threats is a subject they're rather interested in following.
One stat from the company says that in 90 percent of the cases (that they have knowledge of) where employees leak sensitive data outside of an organization, the leaks are the result of legitimate users doing honest work.
Think about that for a second.
The insider threat is just someone looking to get work done; so they send a document to their personal email account, or upload it to Box, and go on about their day. But that's a problem, because most organizations frown upon that, and thus it's a policy violation.
The topic of insider threat is often pitched as an end of the world situation, when in reality it's nothing like that at all. The problem is users who might not even know they're breaking the rules or exposing the company to risk in the first place. Those aren't threats. Those are humans.
Again, Bay Dynamics has stats on this. The company says, going back to the previously mentioned cases, that the remaining 10 percent of employees are users who are taking shortcuts.
They know they're not supposed to do it, but sending documents to Gmail or Box is just easier, so they do it anyway. Maybe, in one percent of cases, the documents were leaked by someone who was malicious.
To be fair, I don't know how many cases Bay Dynamics is talking about; it could be a single case representing 100 users, but the point remains the same:
It isn't that we have malicious staffers; we have staffers – some clueless – who use technology as a means to an end, and they either don't know about or don't care about policies when there is a deadline to meet or a sale to close.
Ryan Stolte, Founder and CTO at Bay Dynamics, said that by identifying the staffers who are inadvertently leaking data, the organization has a chance to coach them and offer some awareness training. This could help slow, if not stop, most of the accidental leaks.
After that, the organization can focus on repeat offenders and anyone else who is working outside of normal parameters.
Again, most staff are just trying to complete an honest day's work. To them, technology is just a tool. They don't know about policies, or perhaps the policy is too restrictive.
There will be times when the data leaving the company is the result of a malicious actor, but just because someone is showing risky behavior doesn't instantly mean they're a nation-state actor looking to share files with the PLA.
That's the problem with just watching users: you forget about the little things, such as compromised accounts and malware.
There will be thousands of people at DerbyCon this weekend, and all of them have a clueless user story to share. If I'm wrong, I'm sure to hear about it, but I don't think we have an insider threat problem in InfoSec.
I used to, but my opinion has shifted some over the last few months.
Instead, I think we have a communication and policy problem in InfoSec. We have users who are just as familiar with technology as IT is, and they know how to use it to their advantage. If there is an app or a service that they can use to make their life easier at work, they're going to use it.
Instead of saying no, blocking all the things, and treating everyone as a criminal because they uploaded something, educate them and make them part of the security solution. It isn't an easy task, and it's something that has to be continuous, but it's worth it in my opinion.