
Defeating the Insider Threat and Shoring up the Data Security Lifecycle
With Insights from LemonFish
Lead Authors and Contributors:
Evelyn deSouza
Hillary Baron
MaryBeth Borgwing

Contributors:
John Yeoh
Ekta Mishra

About Cloud Security Alliance


The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best
practices for providing security assurance within Cloud Computing, and to provide education on the uses
of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by
a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For
further information, visit us at http://www.cloudsecurityalliance.org and follow us on Twitter @cloudsa.

About LemonFish
LemonFish provides proactive defense against data leakage, insider threats, and exposure of confidential
intellectual property. Its cybersecurity and data behavior analytics software scours the open, deep, and
dark web in real time to uncover sensitive data that has been leaked and allows for quick reduction of
risk, preservation of brand reputation, and protection of critical assets.

2016 Cloud Security Alliance - All Rights Reserved. 2


Table of Contents

Introduction
Survey Questions
Methodology and Demographics
Special Insight from LemonFish
Conclusion



Introduction

Everything we know about defeating the insider threat does not solve the issue itself. In fact, evidence
from the Deep and Open Web points to the issue worsening rather than getting better. Today's
employees work with a number of applications, and with a series of clicks information can be leaked
both maliciously and accidentally. The Cloud Security Alliance has been keen to uncover the extent of
the insider threat problem, in keeping with its overall mission of providing security assurance within
Cloud Computing and providing education to help secure cloud computing.

As a follow-up to the Top Threats in Cloud Computing, from May to July 2016 we surveyed
approximately 100 professionals on the extent of the following:
Employees leaking critical information and tradecraft on illicit sites
Data types and formats being exfiltrated along with exfiltration mechanisms
Why so many data threats go undetected
What happens to the data after it has been exfiltrated
Tools to disrupt and prevent the data exfiltration cycle
Possibilities to expunge traces of data once exfiltrated

Difficult questions were asked, challenging the audience and leaving many hard pressed to answer. The
goal was to gauge the extent of security professionals' knowledge and examine where the gaps lie. There
is often a great deal of talk about threats to the cloud and the challenges organizations face in adopting
it. And, in the wake of emerging data privacy regulation, there is considerable discussion about ensuring
levels of compliance. However, the results of this survey show a gap in dealing with both present and
future requirements for data erasure in the cloud. Additionally, despite the fact that accidental insider
threats and misuse of data are common, there is a distinct lack of procedure for dealing with such
instances across cloud computing.

To provide insights on what happens to data after it has been exfiltrated, we partnered with LemonFish
to obtain their unique insights.



QUESTION 1
What agreements did you sign when joining your organization?

Non-disclosure: 85.1%
Authorization to conduct a background check (criminal, financial, employment): 62.8%
Proprietary Information Agreement: 46.8%
Computer Monitoring Agreement: 41.5%
Non-compete: 27.7%
Outside Employment Agreement: 19.1%
Post Employment Monitoring: 7.4%
Other (please specify): 4.3%

Over 80% of respondents recall signing non-disclosure agreements, while 20 to 60% of respondents also
recall signing other types of agreements related to how they handle company data. This could indicate
that signed agreements, unless used in tandem with other strategies, are not an effective deterrent
against internal confidential data leakage.



QUESTION 2
Which of the following policies are you aware of that your company has in place?

Information Security policy: 88.0%
Code of Conduct: 84.8%
Data Security policy: 80.4%
Acceptable Use policy: 78.3%
Travel policy: 78.3%
Social Media policy: 68.5%
Removal of Company Information (client list, forms, emails, records, etc.): 60.9%
Bring Your Own Device (BYOD) policy: 59.8%
Work Hours/Punctuality: 52.2%
Workplace Violence policy: 52.2%
Outside Employment policy: 40.2%
None/Don't Know/Other: 0.0%

Respondents largely recall the types of policies their company has in place. In particular, Information
Security, Code of Conduct and Data Security policies rank highest.



QUESTION 3
Do you know how much of your data is being lost due to data exfiltration?

Not at all: 58%
To a great extent: 31%
A little: 11%

Over half of respondents (58%) do not know at all how much of their data is being lost to exfiltration,
while close to a third (31%) say they know to a great extent and only 11% say they know a little.

QUESTION 4
What data exfiltration mechanisms do you believe to be the most common?

Mean rating (0-5 scale):
Email: 3.68
Thumb drive or removable media: 3.60
Unsecured file shares and sites: 3.43
Social media uploads: 2.47

There is a strong perception that email and thumb drives are the prevalent means of data exfiltration,
while social media ranks low. However, LemonFish's research paints a different picture and points to a
perception issue: corporate data is commonly available on the open or deep web through both inadvertent
exposure and malicious activity, and corporate data is also sold on dark web sites. The primary
motivation for stealing credit card data is profit from selling the data on dark web sites.



QUESTION 5
What format do you believe is most common when exfiltrating data?

Mean rating (0-5 scale):
Pasting into email and emailing out to self: 3.86
Excel: 3.38
Other: 3.34
PPT: 2.91

In keeping with the responses to Question 4, email is the most widely acknowledged format for data
exfiltration. Many of today's data loss prevention solutions focus on email as the data loss vector;
however, in a hyper-connected era with blurred boundaries between personal and work, other formats
need closer examination. Most companies closely watch email and some of the better-known file sharing
sites, but the proliferation of cloud storage and file sharing sites provides the opportunity to move data
out of the company in bulk.



QUESTION 6
What type of data do you believe is most commonly exfiltrated?

Mean rating (0-5 scale):
Marketing data: 3.08
Engineering code or pending patents: 3.00
Sales records: 2.99
Payment or financial transactions: 2.95
Healthcare: 2.33

Interestingly, the type of data believed to be most exfiltrated was marketing, followed by engineering
code, sales records, and payment and financial transactions, with healthcare lowest. This contrasts
starkly with other survey responses and industry data from sources such as the Ponemon Institute. Again,
there appears to be a gap between perception and reality.



QUESTION 7
How often are these verticals compromised?

Mean rating (0-5 scale):
Technology: 2.81
Government: 2.73
Financial: 2.68
Healthcare: 2.51

The vertical perceived as most compromised was technology, and there are growing indications that this
is indeed the case. It was followed by Government, Financial and Healthcare. Healthcare ranking as the
vertical perceived to be least compromised was surprising, as other research points to a growing black
market in aggregated healthcare records.

QUESTION 8
Do you know what happens to your data that has been exfiltrated?

Yes: 29%
No: 71%

Over 70% of respondents did not know what happens to data after it has been exfiltrated. In many data
breaches we still cannot be certain what has happened to the stolen data. In some cases groups have
claimed to have it for sale. LemonFish notes that unless a group attempts to use the data (e.g., WikiLeaks)
or sell it (e.g., carders), it is hard to know. This presents an opportunity for technology to evolve
around the traceability of data.



QUESTION 9
What happens to your data after exfiltration?

Sold: 14%
Sold, and I have an idea for how much: 33%
Open/Deep Web: 53%

When presented with options for what exfiltrated data is used for, not surprisingly 73 respondents
skipped the question. Of the 23 who answered it, there was strong awareness of data being sold or
traded, and one third of those who answered even had an idea of how much it was sold for.

QUESTION 10
Is there a way to expunge information after it has been leaked or placed on an illicit site?

Yes: 19%
No: 37%
Unsure: 44%

Of the 78 respondents who answered this question, close to half were unsure whether it is possible to
expunge data after it has been placed on an illicit site. This demonstrates the need for much greater
research, as well as the need for new data erasure techniques given the ease with which digital data can
be copied.



QUESTION 11
How many days does it take to recover or expunge the exfiltrated information?

Answered question: 11
Skipped question: 83

As an extension of Question 10, there is a distinct lack of knowledge and awareness here of data erasure
possibilities: 83 respondents skipped the question on how long it would take to expunge exfiltrated
information.

QUESTION 12
In general, do the insiders within your organization who exfiltrate data have malicious intent?

Yes: 19%
No: 37%
Unsure: 44%

The data from this question highlights that the bulk of insider threats could be accidental rather than
maliciously motivated. We are starting to see signs of recognition of that in the industry.

QUESTION 13
Do you believe that insiders within your organization who exfiltrate data take steps to cover their tracks?

Answered question: 22
Skipped question: 72

The high number of respondents who skipped this question is alarming. It indicates that very little
forensics takes place on exfiltrated data. Companies such as LemonFish Technologies have found that
employees often take steps to cover their tracks when there is an investigation into information they
have exfiltrated.



QUESTION 14
Why do you believe so many insider data exfiltration efforts go undetected? (Select all that apply)

Lack of training and awareness: 79.5%
Lack of toolsets: 75.6%
Lack of staff: 53.8%
Other (please specify): 15.4%

The need for new toolsets to deal with the problem of data exfiltration was quite evident from
respondents' answers to this question.



QUESTION 15
What preventative measures work best to disrupt the insider threat cycle before mission-critical or
sensitive data is compromised or leaked?

Mean rating (0-5 scale):
Access Controls: 4.08
Data Loss Prevention (DLP): 3.92
Security Anomaly Detection (Logging, SIEM): 3.61
Behavioral monitoring with Big Data Analytics: 3.47
Threat vector analysis: 3.17

It is clear that respondents believe a mix of techniques, both old and new, will have the highest success
rate in combating the emerging problem of data exfiltration in the cloud.

QUESTION 16
Given the big spending on data protection by IT, how do you know if your toolsets are working?

Answered question: 34
Skipped question: 60

Sixty respondents skipped the question asking how they know their toolsets are working. This is
frightening given the huge investments made in toolsets as a panacea for this problem, even when we
know that policies and processes are a big part of the picture as well.



Methodology and Demographics

The survey questions were developed by collaborators from the Cloud Security Alliance (CSA). Survey
questions were edited and vetted by industry experts before the survey was distributed. Data analysis
was conducted by CSA. The final report was authored by analysts associated with CSA and contains
special insights from analysts at LemonFish. Approximately 100 IT and IT security professionals
responded to the survey, spanning multiple countries and industry verticals and representing multiple
job levels and company sizes.

Which best describes the size of your company?

Categories: 1 - 1,000; 1,000 - 5,000; 5,000 - 10,000; 10,000 - 30,000; 30,000 - 50,000; 50,000+ employees.
[Pie chart: shares of 32%, 24%, 17%, 14%, 9% and 4%; which share belongs to which category is not
recoverable from the extracted chart.]



What is your organization's industry?

Technology: 33%
Financial Services: 18%
Government: 13%
Business Services: 8%
Manufacturing: 6%
Telecommunication: 6%
Other: 5%
Education: 4%
Healthcare: 4%
Entertainment: 1%
Transportation: 1%

What best describes your level of responsibility?

[Pie chart: C-level / Executive, Manager, Staff; shares of 41%, 41% and 18%; the assignment of shares
to levels is not recoverable from the extracted chart.]



What region of the world do you reside in?

[Pie chart: Americas, APAC (Asia, Pacific Islands), EMEA (Europe, Middle East, Africa); shares of 47%,
32% and 21%; the assignment of shares to regions is not recoverable from the extracted chart.]
The majority of respondents are from the USA, India and Canada.



Special Insight from LemonFish

A CISO's nightmare:
Your engineering manager comes to you with a source code listing one of his engineers found on Git.
It's identical to your company's proprietary SCADA code that your clients rely on to ensure infrastructure
availability, but missing the copyright statements your company policy requires. Later in the day, a
technical sales lead shows you a company presentation marked Proprietary & Confidential that he found
posted on a popular file-sharing site. Finally, the HR manager is very concerned because employees have
increasingly been reporting suspicious emails at their company address containing details that should
be private. More often than not, such findings point to the mesh of anonymized networks and protocols
known as the Dark Web.

What is the Dark Web actually?

As with any controversial, frequently changing and non-standardized community, it is impossible to pin a
persistently accurate definition on an entity like the Dark Web. Some sufficient conditions seem to be:
A network in which providers and consumers can be more certain of anonymity than on the open
Internet
Resources which are not indexed by the major search engines
Lack of influence over the network by governments, standards bodies or corporate entities

This distinguishes Dark Web actors and resources from the Deep Web, which uses traditional open
Internet technologies to host content and provide resources to users, but puts that content behind
paywalls or some level of authentication, and out of reach of search engines.
These characteristics of the Dark Web make it an ideal place to initiate a data breach's public lifecycle.
There are two broad, non-mutually-exclusive motivations behind most breaches: monetary gain and
notoriety. Both require not getting caught, which the Dark Web enables by its very nature.

Despite these bad actors, there are many uses of the Dark Web that have no nefarious component
to them it is an important community resource for marginalized populations such as dissidents of
repressive governments. It is also a valuable platform for whistle-blowers to bring illegal activities to light
with less fear of reprisals.

Data on the Dark Web

So how do data thieves use these Dark technologies, and how can this knowledge be employed to reduce
the time to discovery of breaches? From detecting and observing examples of data breaches across
diverse industries, LemonFish has come to some conclusions:
The transactions that constitute the primary breach of data, when it first exits the owner's control
and is copied to another location, are not typically on the Dark Web. The techniques used to steal the
data can be entirely non-network related, such as walking out the door with a USB stick, or can use
simple file sharing techniques such as Dropbox or a private FTP server.
The first indicator of breached data's existence is often braggadocio on Dark Web forums
frequented by hackers, data thieves, and assorted scum and villainy. At this time, the data is not
actually accessible on the Dark, Deep, or Open Internet, but the knowledge that it may have been
leaked has begun to appear.
Soon thereafter, multiple anonymous actors will begin advertising the data's availability for sale in
marketplaces such as AlphaBay or Agora. These marketplaces appear and disappear fairly rapidly
due to increased law enforcement activity. A high percentage of offers of the data are found to be
fraudulent, as scammers' favorite targets are often other scammers.
Eventually, the data will be transported using a file sharing mechanism hiding behind
authentication or obfuscation. This is the first point at which comparisons of a breach victim's data
to data in the wild can be made.
As the data stales, and after it has been transferred to other actors, it becomes less advantageous for
the initial thief to hold onto it behind Dark Web protocols. Often, the data will begin to become
available on open Internet file sharing sites such as Pastebin or Scribd. At this point, many
organizations will learn of its presence, but the larger part of the damage has already been done.
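The comparison step in this lifecycle, matching data found in the wild against the victim's own holdings, has to tolerate the kind of tampering in the CISO's nightmare above: the SCADA listing was identical except for the stripped copyright banner, so a whole-file hash would never match. The following is an added example, not LemonFish or CSA code, of document fingerprinting by winnowing (Schleimer, Wilkerson and Aiken, 2003). The internal corpus, the leaked listing, and the k and w tuning values are constructed for illustration; the matching shares only hashed fingerprints, so the corpus itself never has to be handed to whoever is scanning paste sites.

```python
"""Winnowing document fingerprints for matching leaked text to an internal corpus.

Added example, not LemonFish or CSA code. Every k-gram of normalised tokens is
hashed, and within each window of w consecutive k-gram hashes the minimum is
kept (Schleimer, Wilkerson & Aiken, SIGMOD 2003). Any shared run of at least
w+k-1 tokens is guaranteed to share a fingerprint, so a copy with the copyright
banner removed, comments changed or indentation reflowed still scores high,
while a full-file hash would miss it entirely.
"""
import hashlib
import re

K = 5  # tokens per k-gram (assumed tuning value)
W = 4  # window width in k-grams (assumed tuning value)


def tokenize(text):
    # Lower-case words and identifiers only: whitespace, punctuation and
    # comment markers are discarded so reformatting does not change the result.
    return re.findall(r"[a-z0-9_]+", text.lower())


def kgram_hashes(tokens, k=K):
    # 64-bit truncation of SHA-256 keeps the fingerprint sets small; a
    # collision can only inflate a score slightly, never hide a match.
    hashes = []
    for i in range(len(tokens) - k + 1):
        gram = " ".join(tokens[i:i + k]).encode()
        hashes.append(int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"))
    return hashes


def winnow(hashes, w=W):
    # Keep one representative (the minimum) per window of w hashes.
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(text):
    return winnow(kgram_hashes(tokenize(text)))


def containment(sample_fp, doc_fp):
    """Share of the sample's fingerprints that also occur in the document."""
    if not sample_fp:
        return 0.0
    return len(sample_fp & doc_fp) / len(sample_fp)


def match_leak(found_text, corpus, threshold=0.5):
    """Corpus documents covering at least `threshold` of the found text,
    as (name, score) pairs, best first."""
    sample = fingerprint(found_text)
    hits = [(name, round(containment(sample, fingerprint(doc)), 2))
            for name, doc in corpus.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


# Constructed stand-in for the company's proprietary SCADA code plus an
# unrelated internal document.
INTERNAL_CORPUS = {
    "scada_controller.py": """\
# Copyright (c) 2016 Example Corp. All rights reserved. Proprietary and confidential.
def poll_rtu(station, register):
    frame = build_modbus_request(station, register, count=2)
    reply = send_with_retry(frame, retries=3, timeout=0.5)
    if reply.exception_code:
        raise RtuError(station, reply.exception_code)
    return decode_float32(reply.payload)

def check_thresholds(readings, limits):
    alarms = []
    for tag, value in readings.items():
        low, high = limits[tag]
        if value < low or value > high:
            alarms.append((tag, value))
    return alarms
""",
    "q3_marketing_plan.txt": """\
Q3 campaign: launch the regional webinar series, refresh partner collateral,
and target a twelve percent lift in qualified pipeline from paid search.
""",
}

# Constructed listing "found on Git": same body, banner stripped, new comment,
# indentation changed.
LEAKED_SAMPLE = """\
# grabbed from intranet
def poll_rtu(station, register):
  frame = build_modbus_request(station, register, count=2)
  reply = send_with_retry(frame, retries=3, timeout=0.5)
  if reply.exception_code:
    raise RtuError(station, reply.exception_code)
  return decode_float32(reply.payload)

def check_thresholds(readings, limits):
  alarms = []
  for tag, value in readings.items():
    low, high = limits[tag]
    if value < low or value > high:
      alarms.append((tag, value))
  return alarms
"""

if __name__ == "__main__":
    print(match_leak(LEAKED_SAMPLE, INTERNAL_CORPUS))
```

Containment rather than symmetric Jaccard similarity is the right score here: a leak is usually a fragment of a larger internal document, and the question is how much of the fragment the internal document explains, not how much of the internal document appears in the fragment.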



Conclusion

This survey challenged information security professionals in ways that other surveys have not. In asking
questions that might have left our respondents hard pressed to answer, we discovered where the gaps
really lie. The cyber security incident market in general is nascent, and toolsets that address the
emergence of new data security challenges are just beginning to appear.

We encourage today's businesses to utilize a proactive data security solution that encrypts mission-
critical and sensitive data when it is created, so that when it falls into the wrong hands it is not so
readily exposed. This also speaks to identity needing to be one of the key focal points for emerging data
security solutions. Secondly, leverage behavioral analytics and big data threat intelligence: this helps
identify malicious activity, such as violations of enterprise security policy. At the very least, this helps
keep the honest employee honest. Thirdly, monitor the open, deep, and dark web for your sensitive data,
so that you can be informed as soon as possible and take appropriate mitigation steps.
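As an added illustration of the behavioral analytics recommended here, and of the bulk-upload channel to cloud storage that Question 5 notes email-centric DLP misses, the following Python (not CSA or LemonFish code) baselines each user's daily upload volume to file-sharing domains from web-proxy logs and flags a day that departs sharply from that user's own history. The log format, the sample lines, the domain watch-list and the thresholds are all constructed assumptions for the example.

```python
"""Per-user baseline of bulk uploads to file-sharing / cloud-storage sites.

Added example, not CSA or LemonFish code. Web-proxy lines are summed into
bytes-per-user-per-day sent to a watch-list of file-sharing domains; each day
is then compared with that user's own earlier days, so a marketing user who
pushes large decks to Dropbox every day is not an alert, while a user whose
uploads jump by orders of magnitude is.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed watch-list; in practice this comes from the proxy or CASB category feed.
FILE_SHARING_DOMAINS = {"dropbox.com", "drive.google.com", "wetransfer.com", "mega.nz"}

# Constructed proxy log, one request per line: date user method host bytes_sent
SAMPLE_LOG = """\
2016-06-01 alice POST www.dropbox.com 1200000
2016-06-01 bob POST www.dropbox.com 15000
2016-06-01 bob GET www.example.com 5000
2016-06-02 alice POST www.dropbox.com 900000
2016-06-03 alice POST drive.google.com 1500000
2016-06-03 bob POST www.dropbox.com 20000
2016-06-04 alice POST www.dropbox.com 1100000
2016-06-04 bob POST wetransfer.com 30000
2016-06-05 alice POST www.dropbox.com 1300000
2016-06-05 bob POST mega.nz 950000000
"""


def watched(host):
    """True for a watch-listed domain or one of its subdomains (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def parse(lines):
    """Yield (date, user, host, bytes_sent) for well-formed upload (POST) lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "POST":
            continue
        date, user, _method, host, sent = parts
        yield date, user, host, int(sent)


def daily_upload_bytes(lines):
    """user -> date -> bytes sent to watch-listed hosts that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, host, sent in parse(lines):
        if watched(host):
            totals[user][date] += sent
    return totals


def flag_anomalies(totals, min_days=3, z_threshold=3.0, abs_floor=100_000_000):
    """Return (user, date, bytes, z) for days far above the user's own history.

    A day needs at least min_days of prior history. The spread is floored at
    10% of the mean so a perfectly flat history cannot turn a trivial change
    into a huge z, and abs_floor stops a small first-ever upload from alerting.
    """
    alerts = []
    for user, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_days:
                continue
            mu = mean(history)
            spread = max(pstdev(history), 0.1 * mu, 1.0)
            z = (per_day[day] - mu) / spread
            if z > z_threshold and per_day[day] > abs_floor:
                alerts.append((user, day, per_day[day], round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(daily_upload_bytes(SAMPLE_LOG)):
        print("bulk upload anomaly:", alert)
```

On the constructed log only bob's 950 MB day is flagged; alice's steady megabyte-scale uploads never leave her own baseline. The same per-user comparison is what keeps the honest employee honest without drowning the SOC in alerts from users whose job is to move large files.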

