The Insider Threat Benchmark Report

Strategies for Data Protection

January 2006
Compliments of

Apani Networks is the leading enterprise network security software provider focused on
securing inside the network perimeter. EpiForce, the company’s flagship product, provides
a transparent security layer for networked applications by encrypting data in motion,
enforcing machine-level access control and centrally managing security policy
relationships. Apani enables IT managers to quickly, automatically, and cost effectively lock
down their networks, while providing the security and audit trail necessary to demonstrate
security compliance with the wide range of regulations that affect enterprises today.

All print and electronic rights are the property of AberdeenGroup © 2006.

Executive Summary

Organizations have traditionally implemented security technology and processes
with the primary goal of addressing vulnerability to an external attack. The
information security market has grown and matured due, in large part, to the
emphasis private and public sector organizations place on protecting themselves
from viruses, worms, Trojan horses, and other external exploits. However, organizations
are beginning to recognize that they are also at risk of having company employees,
consultants, partners, or suppliers seek illicit economic gain or commit vengeful acts. This,
coupled with an increase in regulatory requirements such as Sarbanes-Oxley, the Gramm
Leach Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA),
California Senate Bill (SB) 1386, and other mandates, increases the need and visibility for
physical controls and software access controls to secure confidential client and company
information.

To understand this issue better, AberdeenGroup surveyed 88 companies to determine the
degree to which best-in-class organizations are using security solutions to address the
risk of the insider threat. The results revealed most organizations prioritize issues of
integration, cost, audit and assurance mandates over the number of vulnerabilities a particular
security solution can detect. We also found that some organizations use the term “data
leakage,” or “data loss prevention,” to describe the actual insider risks they face.

Key Business Value Findings


Our research uncovered that the majority of respondents have yet to implement
technology to address insider threats: only 41% have done so. When organizations did use
technical solutions specifically to address insider threats, the primary challenges
respondents cited were limited IT resources and software complexity. This finding parallels the
priorities of integration and cost, and points to these facts: Security is no longer a
particular area within an organization and spans across multiple departments. Hence the ability
to address insider threats requires an intersection between IT and operations.

Best in Class companies are more likely to use strong passwords, access control lists, and
single sign-on. Additionally, these leading organizations are more likely to create a
business case prior to deployment and roll out a solution incrementally, slowly expanding it
to user populations. These findings reflect the fact that most organizations need to
determine the ROI before allocating budget to address insider threats.

Implications & Analysis


With a market in the early stages of adoption, the question is how to measure it as well as
the performance of early-adopter companies. We gated the performance of best-in-class,
industry norm, and laggard firms against their ability to decrease security events,
vulnerabilities, and code defects. The best in class reported a 13% average decrease in security
events, vulnerabilities, and code defects. In comparison, the industry norm and laggard
companies use insufficient technologies and processes. Industry norm organizations saw
an average 12% increase in security events, vulnerabilities and code defects; laggards
experienced a 35% increase.


We also focused on the key performance metrics organizations use. All of the best in
class use risk mitigation to measure the performance of solutions in addressing insider
threats, and 50% measure improvements to overall business operations. Our survey data
also shows that all of the best in class value a product’s flexibility to integrate with a
partner’s products or existing infrastructure the most. After that, 75% of best in class cite
the cost of the solution or service as their key criterion. Hence, there is a strong
correlation between the ability to demonstrate value through metrics or a business case and the
preference to leverage existing infrastructure and select easy-to-integrate products.

The current and planned use of access control lists, data classification, and federated
identity are signs that companies are using technologies associated with identity
management. Leaders are responding to this opportunity by sourcing solutions from large IT
vendors and best-of-breed independent software vendors. Not surprisingly, most
respondents cite that an integrated solution is only somewhat important. Such factors lead
Aberdeen to conclude that the market to address insider threats is most definitely in a state
of early adoption.

AberdeenGroup believes organizations will continue to expand their use of select
technologies and processes to address the risk of insider threats. This will be a catalyst for the
growth of expertise in operations and audit to address the inadvertent and intentional
leakage of company information. From a technical perspective, this will also bridge
network engineering with application development as organizations focus on the
“de-perimeterization” of security to address insider threats.

Recommendations for Action


Although best-in-class companies are likely to select solutions that integrate easily with a
partner’s products or existing infrastructure, we believe a first step for success is to
understand the interactions between operations, audit, networking, and application
development. The next step is to establish a plan to respond to insider threat security incidents.
Organizations can learn from the actions of best-in-class enterprises, and companies
should also evaluate their processes to ensure the following:
• Use of access control lists to monitor the applications and resources employees
  utilize;
• Movement from ad hoc audits to automated audits of who is accessing confidential
  information on a quarterly and, if possible, monthly basis;
• Understanding the differences and distinctions between the tools and processes to
  protect data in motion and data at rest. Remember that “one size does not fit all”
  and IT vendors may not support the same protocols and standards. This needs to
  be factored into the evaluation of solutions to address insider threats;
• Balancing of quantitative and qualitative measurements;
• Balancing the cost of implementing technology with reduction in risks; and
• Development of a contingency plan in the event of an insider attack.


Table of Contents

Compliments of
Executive Summary
    Key Business Value Findings
    Implications & Analysis
    Recommendations for Action
Chapter One: Issue at Hand
    A Market Emerges: Addressing the Insider Threat
    Using Technology to Reduce Business Risk
    Defining Processes and Performance Metrics
Chapter Two: Key Business Value Findings
    Priorities
    Actions
        Extending Secure Authentication and Access
        Use of Analytic Tools for Identification, Remediation, and Analysis
        Use of Data Classification to Assign Levels of Sensitivity
        Focus on De-Perimeterization
    Challenges
    Enablers
Chapter Three: Implications & Analysis
    Capabilities and Processes
    Technology Use
Chapter Four: Recommendations for Action
        One Size Does Not Fit All
        Link Operations and Audit
        Protect against Threats from Business Partners
        Use Data Classification
        Plan in the Event of an Insider Attack
    Conclusion
Sponsor Directory
Author Profile
Appendix A: Research Methodology


Appendix B: Related Aberdeen Research & Tools
About AberdeenGroup


Figures

Figure 1: Best-in-Class Defined
Figure 2: IT and Business Initiatives Used to Measure Performance of Addressing the Insider Threat
Figure 3: Criteria for Selecting a Solution to Address Insider Threats

Tables

Table 1: Technology Solutions in Current Use and Planned for Use
Table 2: Top Five Insider Threat Challenges and Responses (All Respondents)
Table 3: Top Five Insider Threat Challenges and Responses (Best in Class)
Table 4: Relationship between PACE and Competitive Framework


Chapter One:
Issue at Hand
Key Takeaways

• Global business issues trigger greater emphasis on internal security.


• The traditional “moat and castle” approach to IT security is not sufficient.
• There are few good controls to measure a so-called “negative deliverable.”

A Market Emerges: Addressing the Insider Threat

The most powerful drivers for organizations to address the risk of insider threats
stem from two distinctly different areas: the need to provide better solutions in a
business environment of growing risk and regulatory mandates, and the globalization
of business. The focus on insider threats has been primarily fueled by news
reports of company information being leaked inadvertently or intentionally, and costs in
time and money, as well as company brand.

In addition, global business issues are triggering greater emphasis on internal security.
Companies must comply with regulatory mandates to ensure security of intellectual
property and privacy of personal information. These laws are generally ratified on a
country-by-country basis. Globalization requires that enterprises understand the laws of the
countries in which they operate.

The fundamental challenge for organizations operating in a global marketplace and having
to comply with multiple regulations is that the traditional “moat and castle” approach
to IT security no longer offers sufficient protection for confidential company and customer
information. This is driving the “de-perimeterization” of information security because of
the increased threat on the internal network.

AberdeenGroup surveyed 88 companies to understand how best-in-class organizations use
technology to mitigate the risk of insider threats. The data reveals that 25% of companies
surveyed are operating at best-in-class levels and reported a 13% decrease in security
events, vulnerabilities, and in identified and remediated code defects.

Competitive Framework Key

The Aberdeen Competitive Framework defines enterprises as falling into one of the three
following levels of practices and performance:
• Laggards (30%): practices that are significantly behind the average of the industry
• Industry norm (50%): practices that represent the average or norm
• Best in class (20%): practices that are the best currently being employed and
  significantly superior to the industry norm

Moreover, 100% of best-in-class companies cite data protection as the number one factor
driving them to implement technology to combat an insider security breach or attack
(Figure 1). Best-in-class companies were also more likely to establish employee policies
for authentication and access (75%), and create a business case to support deployment
(75%).


Figure 1: Best-in-Class Defined

Best-in-Class Characteristics
• BIC focus on decreasing security events, vulnerabilities, and code defects
• Create a business case to support deployment
• Value product flexibility to integrate
• Use fully automated processes with executive view of dashboards, time analysis and
  team-wide remediation

Group | Create business case | Value flexibility for integration | Use fully automated process
Best in class | 75% | 100% | 25%
Industry norm | 45% | 82% | 9%
Laggards | 20% | 60% | 20%

Source: AberdeenGroup, December 2005

In researching this subject, we took on the challenge of understanding the link between
the increases in insider security exploits, inadvertent or intentional, and the current and
planned use of technology and processes to mitigate risk. Within the past 12 months, the
number of independent software vendors that market technologies to address insider
threats has increased while large IT vendors are extending the capabilities of their
existing products and articulating similar value propositions.

This creates both opportunity and confusion for enterprise customers. Because the ability
to adequately address insider threats requires a mix of technologies and processes, not all
protocols and standards are supported by the same vendor and products vary in what can
be detected and how they can detect threats. The use of technologies that automate user
access is the first step toward reducing business risk.

Using Technology to Reduce Business Risk

How do best-in-class organizations use technology to improve security and reduce the
risk of insider threats? Across multiple industry segments, survey respondents cite key
technologies, including passwords, single-sign-on, biometric tools, identity repositories,
perimeter scanning, and network packet filtering to automate security and control user
access to applications and resources, and to secure confidential information from
unauthorized users. Table 1 highlights the top solutions in use and planned within 12 to 24
months.

Also, 50% of the best in class report using strong passwords, network packet filtering,
and access control lists. These technologies provide a layered approach and enhance the
security of confidential company information and enable regulatory compliance. As the
market matures over the next 36 months, we believe a more integrated approach will
emerge and coalesce into business services.

Although technology can reduce business risk, organizations should not neglect physical
security. For example, Marriott International, the large hotelier, recently reported that it
cannot locate backup tapes containing personal data of more than 200,000 customers and
employees. This shows that while companies beef up data in motion, they may neglect
data at rest. Surveillance, background checks, and other measures can be used to protect
data at rest.

Table 1: Technology Solutions in Current Use and Planned for Use

Technology | Current Use | Plan to use in 12 months
Strong passwords | 67% | 26%
Access control lists | 66% | 24%
Network packet filtering | 53% | 28%
ID cards | 49% | 13%
Perimeter scanning | 45% | 23%
Automatic monitoring of employee access | 42% | 30%
Data classification | 42% | 44%
Single sign-on | 38% | 33%
Tokens | 29% | 19%
Challenge response questions | 28% | 28%
Authentication call back to a mobile device | 24% | 21%

Source: AberdeenGroup, December 2005

Defining Processes and Performance Metrics


Our research uncovered that the use of technology to address insider threats is in the
early adopter phase at organizations of all sizes, from those with less than $50 million
in annual revenues to those with annual revenues in excess of $1 billion.

Although the majority of survey respondents cite data protection as a strategic objective,
few are using audits consistently to measure security performance. Hence, other, more
easily measurable metrics (increases or decreases in security events, vulnerabilities, and
code defects) were used to distinguish best-in-class performance.

We also focused on other measurable metrics, such as the reduction of IT labor costs,
increase in accounts automatically serviced, and improvements to regulatory compliance.
What we did not measure is the increase or decrease in insider threats because adoption
of technology and processes is still at an early stage and there are far too many variables.
For example, the change in insider attacks could be attributed to the inadequate testing of
new software, poor system configuration, or even a decrease in the number of employees
leaving their passwords on sticky notes near their computers, allowing others to gain
unauthorized access. Overall, there are few good controls to benchmark such so-called
“negative deliverables.”

Although surveyed companies provided responses to the question of how they measure
their performance in addressing the insider threat (Figure 2), we believe the survey
respondents are misinterpreting the term “performance metric” (something that can be
easily measured) and are instead focusing on goals. As organizations investigate
approaches to preventing insider threats, we anticipate they will leverage audits more and
develop true performance metrics linked with ROI.

Figure 2: IT and Business Initiatives Used to Measure Performance of Addressing the Insider Threat

Series: Best-in-class, Industry norm, Laggards

Risk mitigation: 100%, 36%, 60%
Improvements to overall business operations: 50%, 27%, 60%
Improvements to security for online access to information: 50%, 20%
Ability to prevent external attacks: 25%, 20%
Balanced operational agility and risk: 25%, 18%
Reduced business and or personal risk: 25%, 73%, 40%

Source: AberdeenGroup, December 2005


Chapter Two:
Key Business Value Findings
Key Takeaways

• Today’s technologies and processes to address insider threats are overwhelmingly
  tactical, not strategic.
• More often, the ability to protect against insider threats entails the cobbling together of
  multiple technologies in the absence of integrated solutions.
• U.S. and European privacy directives are already having an impact on marketing and IT.

The absence of a single, distinct point of user access to information has forced
organizations to implement mechanisms to provide centralized management in a
distributed environment. Technology can enable manageability, accountability,
and security. Many customers delegate the evaluation and selection of technology to
cross-functional teams in various departments with the involvement of C-level executives
to review progress and provide recommendations for action. However, the ability to
address insider threats requires striking a balance between operations and IT and
understanding the difference between using technology as a tactical tool and a strategic agenda.

Today’s technologies and processes to address insider threats are overwhelmingly
tactical. This is because IT vendors do not market “insider threat software” but rather a
collection of software such as content correlation, anomaly detection, data classification, and
access control. Yet, 51% of companies in Aberdeen’s survey said an integrated solution
to address insider threats is extremely important, while 49% called it only somewhat
important. The priority that at least half of the respondents place on integrated solutions
tells us they’re aware of the problem and understand the challenge of cobbling together a
mix of software solutions.
Priorities
Some industries more than others are under an obligation to protect customer privacy and
information. Also, legislation on national and state levels is changing the priority
companies place on protecting confidential information. This information may include credit
card or Social Security numbers, birthdates, home addresses, or healthcare information.
The Health Insurance Portability and Accountability Act (HIPAA) mandates security
practices to protect confidential information and the integrity and availability of
information. HIPAA also defines appropriate and inappropriate disclosure of individually
identifiable information.

Similarly, the focus of U.S. and European privacy regulations, such as the Electronic
Communications Privacy Act of 1986 (ECPA) and the European Union Data Protection
Directive, is already affecting marketing and IT. Also, legislation by individual states
such as California Senate Bill (SB) 1386 requires organizations that have customers in
California to disclose security breaches related to specific types of data, such as Social
Security numbers, drivers’ license numbers, and account, credit or debit card numbers.

The State of New York has followed California and enacted the Information Security
Breach and Notification Act. This law requires any state agency or business that owns or
licenses a computerized database that includes vulnerable personal information to
disclose any security breach of such a system to any state resident whose unencrypted
personal information may have been acquired by an unauthorized person. New York joins
20 other states that have passed data breach notification laws.

Organizations need to understand the implications of legislative directives, how to use
technology to achieve compliance with regulations, and the risk of non-compliance with
privacy directives. The primary driver for compliance is, clearly, liquidity. According
to companies and auditors Aberdeen interviewed, there is a need to automate authorized
access to relevant controls and information. Companies that do not automate access
control lists, provisioning, and data classification can face potential liability from failing to
enable and document compliance with regulatory mandates. Overall, 78% of respondents
cite data protection as their key driver for addressing insider threats.

Actions
Organizations are only beginning to improve their ability to address insider threats. Despite
the fact that psychological factors and the illicit financial gain from fraud that drive
disgruntled employees to disable or delete applications or corporate information are
underreported, current trends lead us to believe insider threats are likely to increase.

Extending Secure Authentication and Access


A majority of respondents (67%) use strong passwords, and an additional 26% say
they plan to support this capability within 12 months. Also, 38% of respondents say their
companies use single sign-on, with another 43% planning to utilize this capability in the
future. Another sign that the use of technology is maturing: About two-thirds (66%)
utilize access control lists and another 24% plan to within the next 13 months.

Use of Analytic Tools for Identification, Remediation, and Analysis


CIOs, CTOs, directors, and IT managers are beginning to use digital dashboards to
analyze and model security events. Currently, 22% of respondents use dashboards and
another 37% plan to within 12 months. This nearly matches the 53% who use network
packet filtering. Network security solutions can identify anomalies such as unauthorized
access to information, but the use of dashboards enhances the intelligence an
organization can use to model and assess vulnerabilities at various levels of the firm. These tools
also empower organizations to establish better policies for authentication and access.

Use of Data Classification to Assign Levels of Sensitivity


Today, only 42% of respondents say they use data classification, which allows
organizations to segment data when it’s created, changed, stored, or transmitted by levels of
sensitivity. Another 44% claim they plan to use data classification within 12 months.

Focus on De-Perimeterization
The same 53% that use network packet filtering believe security at the perimeter alone is
insufficient in securing the internal network. Security appliances are increasingly being
used for network operations because of the ease of acquisition and deployment. This
level of protection also enables an organization to use a VPN to interact with external
partners and suppliers without the tradeoff of lowering security standards. The survey
data supports the fact that there is a shift in augmenting network security with additional
solutions to optimize information access and governance.


Challenges
Survey respondents confirmed they’re beginning to use and continuing to evaluate
technology solutions to address security insider threats. The challenge for organizations is
that more often the ability to protect against insider threats entails the cobbling together
of multiple technologies in the absence of integrated solutions. Also, companies are at
risk of having disgruntled employees with authorized levels of trust modify files and
render systems unusable. There is also the issue of inadvertent insider leaks of confidential
company information. For example, in 2001, an employee of Eli Lilly sent an e-mail to
all Prozac users who subscribed to the pharmaceutical company’s prescription service
with their names in the message. Hence, the potential for inadvertent mistakes,
misconfiguration, poorly written applications, and inadequate application testing all point to the
importance of establishing procedures and training to address the people issues.

Enablers

A number of technology tools and processes can be implemented to improve the security
of confidential information and ensure compliance with privacy laws and other
regulatory mandates. Overall, when selecting a solution to address insider threats, survey
respondents cited product flexibility to integrate with partners or existing infrastructure.
Clearly, customers want solutions that they don’t have to glue together themselves and
that work well with their existing IT investments (Figure 3). Chapter Three looks more
closely at the current approaches, actions, and technology enablers that distinguish
best-in-class companies from the industry norm and laggards in addressing the insider threat.

Figure 3: Criteria for Selecting a Solution to Address Insider Threats

[Bar chart comparing Best-in-class, Industry norm, and Laggards on six criteria: Vendor
viability; Performance; Features and functionality; Vendor support and services; Cost of
solution or service; Product flexibility to integrate]

Source: AberdeenGroup, December 2005


Chapter Three:
Implications & Analysis
Key Takeaways

• The utilization of technology to address insider threats can help boost profits by
  reducing expenses and contributing to the liquidity of an organization.
• Companies succeed by focusing on short project cycles with quick returns,
  incrementally rolling out the solution, and slowly expanding it to user populations.
• Best-in-class companies achieved an average 13% reduction in identified and
  remediated security events, vulnerabilities, and code defects.
• Best-in-class companies are primarily challenged by overlaps with existing technology.

Awareness of the risk of insider threats is increasing organizations’ priorities to
implement technology and processes to comply with government mandates and
public policy directives to protect confidential information and customer data. As
discussed earlier, to better understand organizational priorities, actions,
challenges, and enablers, AberdeenGroup segments respondents as best in class, industry
norms, and laggards according to key performance metrics, processes, or the use of
technology enablers. However, with the majority of the respondents in the early adoption
stages of applying technology and process to address the risk of insider threats, it would
be premature to focus exclusively on a competitive framework. AberdeenGroup believes
that illustrating the primary challenges and responses to these challenges provides useful
insights and guidance to others considering the use of solutions for secure access controls
and privacy and regulatory compliance.

Table 2: Top Five Insider Threat Challenges and Responses (All Respondents)

Challenges | % Selected | Responses to Challenges | % Selected
1. Limited IT resources to deploy and manage solution | 44% | 1. Define requirements prior to implementation | 57%
2. Complexity of software solution | 40% | 2. Define data and process ownership | 49%
3. Overlap with pre-existing technology | 38% | 3. Institute top/down approach from CIO/CTO to other departments | 45%
3. Employees will not comply with processes | 38% | 4. Focus on short project cycles with quick returns | 36%
5. Overlap with existing processes | 32% | 4. Provide training in new procedures and processes | 36%

Source: AberdeenGroup, December 2005


An examination of the top five challenges and responses in initiating or implementing a solution to address insider threats reveals the differences between best-in-class organizations and all respondents (Tables 2 and 3). The difference in the ranking of the challenges faced by the best-in-class and all survey respondents is telling. The number one challenge cited by the best-in-class is an overlap with existing technology; for all respondents, it’s limited IT resources. Best-in-class organizations do a better job of balancing process with the acquisition of technology, then measuring the use of technology against performance metrics. We found that best-in-class organizations that have already implemented a defense-in-depth security framework, with network security and application security intertwined, seek ways to leverage existing infrastructure. For organizations in which IT personnel is considered a finite resource, by contrast, all new endeavors are subject to this constraint.

Table 3: Top Five Insider Threat Challenges and Responses (Best in Class)
| Challenges | % Selected | Responses to Challenges | % Selected |
|---|---|---|---|
| 1. Overlap with pre-existing technology | 75% | 1. Focused on short project cycles with quick returns | 50% |
| 2. Employees will not comply with processes | 50% | 1. Incremental roll-out and slowly expanded to user populations | 50% |
| 2. No budget to allocate resources to implement | 50% | 1. Instituted top/down approach from CIO/CTO to other departments | 50% |
| 2. Limited IT resources to deploy and manage solution | 50% | 4. Demonstrated features and functionality to department heads to get buy-in | 25% |
| 5. Limited understanding in how to use dashboards and other tools to analyze risk | 25% | 4. Provided training in new processes and procedures | 25% |
Source: AberdeenGroup, December 2005

Capabilities and Processes


Both best-in-class and all respondents, to different degrees, are challenged by employees who will not comply with processes. For example, organizations face the challenge of employees not complying with data classification processes or upgrading or patching systems according to company best practices and procedures. In information security, people are always at least half the problem. For example, if an organization allows contractors, partners, and suppliers to access its network but does not institute processes for accessing information, then the security of confidential data can be at risk.
Under closer examination, the issue of process and the response to this challenge by best-in-class, industry norm, and laggard companies is revealing. On the whole, companies that indicate process as a challenge overcome it by focusing on short project cycles with quick returns, and incrementally rolling out the solution and slowly expanding it to user populations. In general, laggards and industry norm organizations have fewer automated and integrated solutions and leaner staffing resources. These users generally either have fewer resources to analyze and mandate process improvements, or do not utilize them effectively. Often, the use of automated security processes is the key to overcoming the limitations of IT personnel.
According to the survey results, 25% of best-in-class companies have fully automated processes with executive views of dashboards as well as time analysis and team-wide remediation of security events. In comparison, only 9% of industry norm companies claim the use of such practices, while 60% of laggards wrestle with partially automated processes.
Understanding the problem and defining ownership of roles and technology can be useful to companies challenged by software complexity. Best-in-class organizations tend to succeed in addressing software complexity when they focus on short project cycles with quick returns and incremental rollouts. Although industry norm companies emphasize hierarchy as much as best-in-class organizations do, they falter by not demonstrating features and functionality to secure executive buy-in.

Technology Use
The use of technology, when it’s aligned with business requirements, can improve information security performance. This fact will continue to foster demand for automated IT controls that can govern access to company information. Increasingly, customers will seek technical solutions to augment application and network security. Perimeter scanning is a case in point: At one time, organizations thought that if they built a strong perimeter defense, it would preclude external attackers from gaining unauthorized access. However, what organizations realized is that perimeter scanning without other layers of defense at the internal network level can give an attacker, once authenticated from inside or outside the company, unmonitored access to network resources. Among respondents whose companies have utilized technologies to address insider threats, the average improvements in percentage points are as follows:
• 3.5% reduction in number of complaints to IT and the IT help desk;
• 13% reduction in identified and remediated security events, vulnerabilities and code defects; and
• 17.5% decrease in IT labor costs.
Therefore, using technology to address insider threats can help boost profits by reducing expenses and contributing to the liquidity of an organization. We anticipate that this fact, combined with the priorities of organizations to meet compliance regulations and enable global business operations, will aid organizations in creating ROI analyses to support the adoption of technologies that can address insider threats.


Chapter Four:
Recommendations for Action
Key Takeaways

• Tailor actions based on industry segment and the requirement to adhere to privacy directives and other regulations.
• Address insider threats by linking IT and audit.
• Don’t forget that the people problem can be the weakest link to information security success.

Profitability, reductions in IT labor costs, and better security await all firms that commit resources toward addressing insider threats. Actions an organization takes should depend on the industry in which it competes and its requirement in adhering to privacy directives and other regulations. Companies can learn valuable lessons from the priorities, actions, challenges, and enablers of best-in-class companies to address insider threats, and readers should consider them. Here are five actions organizations should consider:

One Size Does Not Fit All


Regarding the use of technology to address insider threats, we discovered that one size does not fit all. The components that would suffer the greatest impact if they were breached or made unavailable will differ by organization. Also, the ability to adequately address insider threats requires a mix of technologies and processes. Not all protocols and standards are supported by the same vendor products and hence vary in what can be detected. For example, organizations that rely primarily on perimeter scanning should shore up internal network security and use access control lists. Also, an insider attack on data at rest versus data in motion may reveal different levels of exposure and necessary remediation.

Link Operations and Audit


Who is responsible for information security? That has changed because security is no
longer a particular area within an organization; it fits within an amalgam of areas such as
networking, application, development, and audit. Hence, the ability to address insider
threats requires an intersection between IT and audit.

Protect against Threats from Business Partners
Organizations with integrated business models or that operate on a global scale should
use network packet filtering and strong authentication to prevent the security problems of
their contractors, partners, and suppliers from becoming theirs as well.

Use Data Classification


Organizations should utilize data classification to designate the sensitivity of data when it’s created, modified, stored, or transmitted. Data classification can also help companies define the applications and information that are high-value targets for an insider attack. Organizations that establish and automate policies for data classification can improve security and achieve cost reductions from increased efficiency.

Plan in the Event of an Insider Attack


The severity of an incident, whether the attack is intentional or inadvertent, and whether there is a requirement to disclose it to the public should determine the appropriate response. Organizations should use different strategies based on the nature of an insider attack. Also, consider the process changes that must be made to address threats.

Conclusion
We have found that best-in-class organizations are not addressing insider threats with a singular focus on technical concerns, but are mapping their technical requirements with business objectives. The number of vulnerabilities that can be identified is a useful measurement, but is far down the customer’s selection criteria list. Integration, cost, and the ability to ensure data protection are much higher priorities.
Successfully addressing insider threats is done by leveraging cross-functional teams that set priorities, establish actions, evaluate enabling technologies, provide responses to challenges, and measure performance. Readers should define their own prioritized PACE selections and utilize the practices and process of best-in-class companies to establish performance metrics that link to business value, expand the use of technology, and address intentional and inadvertent insider exploits.
Although best-in-class companies are defined as leaders, we believe all survey respondents still have a way to go in using technology and processes to secure access to confidential information and demonstrate compliance with regulatory mandates. Customers stand to benefit from the growing number of IT vendor solutions to address insider threats.
One more fact to consider is that while the marketplace for insider threat solutions is in an embryonic stage, the one factor that will not change is the “people problem.” End-users always have veto power over the best-orchestrated policies and procedures, and it’s imperative to strike a balance between process and technology.


Sponsor Directory

Apani Networks
1800 E. Imperial Highway
Brea, CA 92821
(866) 638-625
1-714-792-1800
http://www.apani.com


Author Profile

Stacey Quandt
Research Director
Security Solutions and Services
AberdeenGroup, Inc.

As director of AberdeenGroup's Security Solutions and Services practice, Stacey Quandt provides IT executives with crucial tactical and strategic advice to maintain and enhance enterprise security. The overall themes of her research are security’s role for effective enterprise risk mitigation and the benefits of security automation in healthcare, retail, financial services, government, and other industries. Stacey's current research underscores how best-in-class companies leverage security to protect IT resources and data, and how these organizations build trust with customers and stakeholders. Her studies give organizations vital information in understanding how the security solutions enterprises implement prevent data loss, demonstrate regulatory compliance, and highlight the importance of establishing clear policies and roles to achieve best-in-class information security practices.


Appendix A:
Research Methodology

Between October and November 2005, AberdeenGroup examined the use, procedures, experiences, and intentions of 88 enterprises in several industries, including automotive, finance, banking, accounting, healthcare, high-tech, insurance, and the public sector.
Responding chief operating officers, IT leaders, directors, and operations executives
completed an online survey that included questions designed to determine the following:
• The top challenges in addressing insider threats, and the technology and processes utilized in response to these challenges;
• The evaluation criteria organizations use to select technologies to address insider threats;
• How companies measure success in combating data loss prevention; and
• How regulatory mandates are influencing the actions of organizations to protect confidential information.
The study aimed to identify emerging best practices for addressing insider threats and provide a framework by which readers could assess their own capabilities for security risk mitigation.
Responding enterprises included the following:
• Job title/function: The research sample included respondents with the following job titles: Senior management, such as CEO, CFO, and COO (25%); CIO/IT leader (6%); director (15%); manager (26%); and internal consultant (10%).
• Industry: The research sample included respondents predominantly from high tech and finance/banking/accounting.
• Geography: Nearly half of all study respondents were from North America (43%). Remaining respondents were from Europe (27%), Asia Pacific (18%), South/Central America and Caribbean (7%), and Middle East/Africa (5%).
• Company size: About 35% of respondents were from large enterprises (annual revenues above $1 billion); 40% were from mid-size enterprises (annual revenues between $50 million and $1 billion); and 25% of respondents were from small businesses ($50 million or less).
Solution providers recognized as sponsors of this report were solicited after the fact and had no substantive influence on the direction of the Insider Threat Benchmark Report. Their sponsorship has made it possible for AberdeenGroup to make these findings available to readers at no charge.


Table 4: Relationship between PACE and Competitive Framework

PACE and Competitive Framework How They Interact


Aberdeen research indicates that companies that identify the most impactful pressures and take the most transformational and effective actions are most likely to achieve superior performance. The level of competitive performance that a company achieves is strongly determined by the PACE choices that they make and how well they execute.

Source: AberdeenGroup, December 2005


Appendix B:
Related Aberdeen Research & Tools

Related Aberdeen research that forms a companion or reference to this report includes:
• HP Acquires Trustgenix, Becomes Federated Identity Contender (December 2005)
• Oracle Fortifies Identity Management Capability with New Acquisitions (November 2005)
• IBM Mainframe Capability for Encrypted Tape Plays Well with Others (October 2005)
• Best Practices in Security: Governance (June 2005)
• Best Practices in Security: Information and Access (June 2005)
• SOX Compliance and Automation Benchmark Report (March 2005)
Information on these and any other Aberdeen publications can be found at
www.Aberdeen.com.


About AberdeenGroup

Our Mission
To be the trusted advisor and business value research destination of choice for the Global
Business Executive.

Our Approach
Aberdeen delivers unbiased, primary research that helps enterprises derive tangible business value from technology-enabled solutions. Through continuous benchmarking and analysis of value chain practices, Aberdeen offers a unique mix of research, tools, and services to help Global Business Executives accomplish the following:
• IMPROVE the financial and competitive position of their business now
• PRIORITIZE operational improvement areas to drive immediate, tangible value to their business
• LEVERAGE information technology for tangible business value.
Aberdeen also offers selected solution providers fact-based tools and services to empower and equip them to accomplish the following:
• CREATE DEMAND, by reaching the right level of executives in companies where their solutions can deliver differentiated results
• ACCELERATE SALES, by accessing executive decision-makers who need a solution and arming the sales team with fact-based differentiation around business impact
• EXPAND CUSTOMERS, by fortifying their value proposition with independent fact-based research and demonstrating installed base proof points

Our History of Integrity


Aberdeen was founded in 1988 to conduct fact-based, unbiased research that delivers
tangible value to executives trying to advance their businesses with technology-enabled
solutions.
Aberdeen's integrity has always been and always will be beyond reproach. We provide
independent research and analysis of the dynamics underlying specific technology-
enabled business strategies, market trends, and technology solutions. While some reports
or portions of reports may be underwritten by corporate sponsors, these sponsors do not
influence Aberdeen's research findings.


AberdeenGroup, Inc.
260 Franklin Street
Boston, Massachusetts
02110-3112
USA

Telephone: 617 723 7890
Fax: 617 723 7897
www.aberdeen.com

Founded in 1988, AberdeenGroup is the technology-driven research destination of choice for the global business executive. AberdeenGroup has over 100,000 research members in over 36 countries around the world that both participate in and direct the most comprehensive technology-driven value chain research in the market. Through its continued fact-based research, benchmarking, and actionable analysis, AberdeenGroup offers global business and technology executives a unique mix of actionable research, KPIs, tools, and services.

© 2006 AberdeenGroup, Inc.
All rights reserved
January 2006
The information contained in this publication has been obtained from sources Aberdeen believes to be reliable, but
is not guaranteed by Aberdeen. Aberdeen publications reflect the analyst’s judgment at the time and are subject to
change without notice.
The trademarks and registered trademarks of the corporations mentioned in this publication are the property of their
respective holders.
THIS DOCUMENT IS FOR ELECTRONIC DELIVERY ONLY
The following acts are strictly prohibited:
• Reproduction for Sale
• Posting on a Web Site
• Transmittal via the Internet
Copyright © 2005 Aberdeen Group, Inc. Boston, Massachusetts

Terms and Conditions


Upon receipt of this electronic report, it is understood that the user will and must fully comply with the
terms of purchase as stipulated in the Purchase Agreement signed by the user or by an authorized
representative of the user’s organization.

This publication is protected by United States copyright laws and international treaties. Unless otherwise
noted in the Purchase Agreement, the entire contents of this publication are copyrighted by Aberdeen
Group, Inc., and may not be reproduced, stored in another retrieval system, posted on a Web site, or
transmitted in any form or by any means without prior written consent of the publisher. Unauthorized
reproduction or distribution of this publication, or any portion of it, may result in severe civil and criminal
penalties, and will be prosecuted to the maximum extent necessary to protect the rights of the publisher.

The trademarks and registered trademarks of the corporations mentioned in this publication are the
property of their respective holders.

All information contained in this report is current as of publication date. Information contained in this
publication has been obtained from sources Aberdeen believes to be reliable, but is not warranted by the
publisher. Opinions reflect judgment at the time of publication and are subject to change without notice.
