Rethinking the Insider Threat While Mining for Data Security Gold
By: Jeremy Wittkop
Many people believe that the vast majority of cyber threats involve the intentional theft of credit card numbers or Personally Identifiable Information (PII). That is not true.
Many people also believe that the most prevalent incidents involve malicious software and ransomware. That is also not true.
The news cycle drives these perceptions. Stories about malicious software, and ransomware in particular, are a media favorite. A ransomware attack is sensational. It features a villainous criminal demanding payment and a helpless victim pleading for his mercy. Even better for news outlets, this dramatic story requires little investigation or technical understanding to report. But despite the media hype, this form of cybercrime represents less than 1% of actual attacks.
The truth is that the vast majority of stolen information is taken by someone who already has credentials. Sometimes people unknowingly share sensitive information through phishing or social engineering directed by an outside agent. But at other times, people act maliciously or in their own financial interests. Case in point is the story of American Semiconductor. An employee stole sensitive intellectual property and put it on a removable USB device in exchange for $2 million.
As one of the largest Managed Data Protection practices in the world, InteliSecure uniquely understands how people interact with sensitive information. We monitor the behavior of over 2 million users in over 140 countries around the world every day. As a result, we see both intentional and accidental data exposure, and we have amassed countless stories of how people really steal it. These days much of it winds up on the Dark Web. Details of these stories cannot be told due to client confidentiality, but we have built a library of anonymous examples to share, all of which came from our innovative Golden Nugget Program.
Origins of Golden Nuggets
Several years (and countless gray hairs) ago, I led InteliSecure’s Managed Security Services practice. A proponent of variable compensation, my CEO at the time decided that we needed to make changes in Operations. He thought our people needed additional motivation. While incentive compensation is relatively straightforward for sales and marketing, structuring it correctly for our Security Operations Center teams was a bit of a challenge. I told him I’d work on it.
My first step was to research what my peers were doing. After all, many good ideas were probably already in use. I discovered that the majority of Managed Security Service providers used a variable compensation structure to incentivize behaviors that led to profitability. For instance, many firms referenced common call center metrics such as the volume of tickets or how fast, on average, agents closed them.
I knew these measures did not positively impact the client experience, and in many cases they had an adverse effect. I’m sure you’ve called customer service at a cable company at least once in your life. The representative probably asked your name, located your account, and immediately started pushing the ticket to a close, regardless of whether your problem was solved. Measuring employees based on productivity drives this type of behavior.
I wanted to do things differently. Rather than reduce costs, my goal was to reward the behaviors that helped us better acquire, satisfy, and keep clients. We had to focus on client value.
One day after skiing amazing powder at Breckenridge with an InteliSecure executive, a salesperson, and my friends on the Managed Security Services team, we had an idea. We were having a good time relaxing and watching a show called “Gold Rush” on the Discovery Channel. Gold Rush is about gold mining, a very slow, mundane and laborious process. But thanks to the magic of television, the Discovery Channel made it fascinating.
One of my colleagues remarked, “What we do is like gold mining. We create security policies to find rare security events, which is similar to a gold miner picking which plot of dirt to prospect. Obviously if there’s no gold in the dirt in the first place, you won’t be successful finding it in the end.”
He continued, “Our triage process is a lot like running dirt through a sluice box. If it’s done well, the miner maximizes his yield, but if it’s done poorly, the gold washes into the stream below. When our engineering team sets up the systems, we’re like the miners building the sluice box. If we don’t do a good job, the process fails. Our entire team must work together to find Golden Nuggets.”
At that very moment, our Golden Nugget program was born. It was simple. If our team found a valuable security incident for our clients, we would reward everyone who contributed to that discovery. We also didn’t want to decide the Nugget’s value in a vacuum. We asked our clients to participate in the process and rule whether the finding was significant. We continue to showcase Golden Nuggets today during business reviews with our clients.
Not All Nuggets are Created Equal
When we first started the Golden Nugget program, we simply compensated people for any material security event they found. But for really big finds, we gave them extra special recognition. You can read more about one amazing story in my book, Building a Comprehensive IT Security Program (https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines-ebook/dp/B01JRFGQY2), but in summary, we caught a user stealing a substantial amount of intellectual property at one of our manufacturing accounts. This proprietary information cost $30 million to create, and it pertained to a product line expected to deliver $3 billion in revenue over the next 5 years. The perpetrator intended to leave the country and illegally mass produce a counterfeit version of the goods. When the individual went to trial, investigators discovered he had successfully made away with similar information from our client’s two top competitors. He is currently serving 10 years in federal prison.
When our SOC team agent surfaced this gem, we realized that not all Nuggets are created equal. We needed to recognize the best of all Nuggets we found. Doing so motivated our Managed Services team to compete even more to find them. Thanks to the increased volume of great finds, we celebrate the very best of them during our quarterly awards.
There’s Gold in Your Hills
Since the Golden Nugget program’s inception in 2013, we’ve seen more than our share of valuable Nuggets. In the beginning, broken business processes accounted for most of them. Later, however, we saw a disturbing rise in the volume of incidents when users inappropriately shared intellectual property. Although much of it was accidental, a surprising percentage was intentional.
Why the change? My colleagues fault three factors. First, many of our clients have matured past their initial compliance requirements and have started to build policies protecting intellectual property. Second, spurred on by competition for Golden Nuggets, our analysts have become much better at finding the proverbial “needle in the haystack.” Third, the lines of acceptable behavior pertaining to sharing sensitive information have blurred significantly as the traditional security perimeter has eroded. Since it’s easier to share in today’s cloud-connected world, people now think it’s OK to share whatever they want.
I think these are valid explanations, but in my view they don’t tell the whole story. Here’s what I call the inconvenient truth:
More people than ever are stealing Intellectual Property and other sensitive data because the market for trafficking stolen information has matured. Theft has become for many a low-risk, high-reward occupation.
Most industry analysts agree that the success rate for data theft is around 95%. Surprisingly, only one criminal in twenty gets caught because most organizations do such a poor job of protecting their data. And of those detected, very few offenders will ever be prosecuted. They’re simply terminated and then go on to repeat the same behaviors elsewhere.
Protecting data is hard, and most organizations aren’t doing it well. Unfortunately companies place too much emphasis on perimeter security and not enough on protecting their most sensitive information.
The world has changed. To be successful, companies today must do more than retrofit their perimeter technologies—they must implement comprehensive approaches to protect all types of data, no matter where the intrusion occurs. Right now, it’s much easier for an insider to pilfer behind the walls than it is for an outsider to penetrate a firm’s thick perimeter defenses. Until this changes, criminals will continue to exploit this common vulnerability without fear of getting caught.
That is, unless they happen to work for an InteliSecure client.
Forget what you may have heard about data protection. Despite beliefs that DLP will only catch well-meaning insiders and broken business processes, we can tell you from our many years of experience that there’s significant risk in not doing DLP well. People who say data protection programs don’t work are among the 95% who are doing it wrong. Criminals are stealing your data, and technologies do exist to catch them. It’s time to make a change.
We can help. Our Golden Nugget program is just one example of the lengths we go to safeguard our clients’ most sensitive information. Put our expert teams in our Security Operations Center to work for you. We can find the nuggets that boost the value of your security program and deliver the level of protection you deserve.
The Dark Web is an emerging threat for everyone in IT security, but most people don’t know what it is. InteliSecure is planning a webinar with Emily Wilson from Terbium Labs, an expert who does a phenomenal job of explaining how it works. We will update this post with a webinar link when it’s scheduled, but you can always check the InteliSecure BrightTALK channel for more information (https://www.brighttalk.com/channel/17408/intelisecure).