In 2015, internal actors were responsible for 43 percent of enterprise data loss—half intentional, half accidental. In 68 percent of the incidents, the data breach was serious enough to require public disclosure or have a negative financial impact on the company. What’s more, privileged-account attacks are behind every major cyber crime.
In short, today’s enterprise has its hands full when it comes to handling privileged-account attacks. I met with Rick Orloff, CSO at Code42, to gain his perspective on how the enterprise can prepare for privileged-account attacks before they happen.
Internal actors—especially those with privileged access—are a major concern for today’s enterprise. Can the enterprise prepare for privileged-account leaks and attacks?
It’s essential to put a plan in place before privileged-account incidents occur. Being prepared for any threat comes down to awareness of what is going on inside the enterprise network and providing visibility into the data and systems any employee can access, at any time. What data does the employee have access to and how much of that data is subject to regulation? Does the employee have access to HIPAA data or PII? What systems can this employee log into? Is this a developer with credentials and access to manage infrastructure? The goal is to maintain situational awareness and, if there is an incident involving user credentials, to disable all access as soon as a threat is identified and rapidly mitigate the threat.
What should the enterprise do when a threat is identified?
Every investigation is different, although the incident response methodology is the same. Once an alert is raised, it’s critical to determine what systems employees use, how much data they have access to, which data has been accessed, moved or copied, and how much of this data movement falls within the scope of the employees’ work.
It’s important to remember that a threat can come from anywhere and appearances can be misleading. Your initial investigation might indicate that an employee is behind the breach, but after talking to the employee and running forensics on his or her computer, you may discover that the employee’s credentials were compromised without his or her knowledge. The forensics will prove the employee’s innocence—or provide the proof needed to take next steps.
In your experience, what are some of the most common threat scenarios an enterprise faces today?
The most realistic enterprise data security threat is spear-phishing; it targets specific users based on their access to data and attempts to steal their credentials. Once inside the network, an intruder looks for ways to create new or hijack inactive credentials and extend hacker access to more systems. Smart hackers will create multiple sets of credentials using misspelled names or inactive accounts. Anomalies will expose the hacker, but only if your system monitors for them.
For example, an employee VPNs into the corporate infrastructure from his or her home in Minnesota—a completely normal occurrence for today’s mobile workforce—but the employee’s RFID badge was just used to access a data center in Nevada. While the VPN and the physical security systems both functioned properly on their own, the employee can’t be in both places at once. This should trigger an alert so you can investigate.
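The two anomalies described in this answer, a user placed at two sites by two separate subsystems, and extra credentials hidden behind look-alike account names, both reduce to simple checks once VPN, badge and directory data land in one place. The following is an added illustration written for this page, not Code42 code; the event layout, site names, accounts and thresholds are all constructed for the example.

```python
"""Two detections from the interview: impossible co-location across subsystems and
look-alike account names (added example, not Code42 code; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import difflib


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # subsystem that produced the event, e.g. "vpn" or "badge"
    user: str     # normalized account name shared across subsystems
    site: str     # where that subsystem asserts the user is


# Constructed sample events: the Minnesota VPN login and the Nevada badge swipe,
# plus a second user whose two sightings are hours apart and therefore plausible.
SAMPLE_EVENTS = [
    Event(datetime(2016, 3, 1, 9, 2), "vpn", "jdoe", "home-MN"),
    Event(datetime(2016, 3, 1, 9, 20), "badge", "jdoe", "datacenter-NV"),
    Event(datetime(2016, 3, 1, 9, 5), "vpn", "asmith", "home-MN"),
    Event(datetime(2016, 3, 1, 17, 40), "badge", "asmith", "office-MN"),
]


def impossible_presence(events, window=timedelta(hours=2)):
    """Return (user, earlier, later) triples where one account is placed at two
    different sites within `window`. The window is a constructed assumption; in
    practice it would come from realistic travel time between the sites."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, earlier in enumerate(evs):
            for later in evs[i + 1:]:
                if later.ts - earlier.ts > window:
                    break  # events are time-sorted, nothing later can be in range
                if earlier.site != later.site:
                    alerts.append((user, earlier, later))
    return alerts


# Constructed directory and a batch of newly created accounts to screen.
DIRECTORY = ["john.doe", "ann.smith", "svc-backup"]
NEW_ACCOUNTS = ["jonh.doe", "svc_backup", "mlee"]


def lookalike_accounts(directory, new_accounts, threshold=0.85):
    """Flag new accounts whose names closely resemble an existing one (transposed
    letters, swapped separators). Returns (new, existing, similarity) tuples.
    The 0.85 similarity threshold is an assumption, not a Code42 value."""
    hits = []
    for new in new_accounts:
        for existing in directory:
            if new == existing:
                continue
            ratio = difflib.SequenceMatcher(None, new, existing).ratio()
            if ratio >= threshold:
                hits.append((new, existing, round(ratio, 3)))
    return hits


if __name__ == "__main__":
    for user, a, b in impossible_presence(SAMPLE_EVENTS):
        print(f"ALERT {user}: {a.source}@{a.site} at {a.ts:%H:%M}, "
              f"then {b.source}@{b.site} at {b.ts:%H:%M}")
    for new, existing, ratio in lookalike_accounts(DIRECTORY, NEW_ACCOUNTS):
        print(f"REVIEW new account {new!r} resembles {existing!r} ({ratio})")
```

Both checks only work because the VPN concentrator, the badge system and the directory are normalized onto one account identifier before correlation; that normalization step is where most real deployments of this idea spend their effort.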
What security measures must the enterprise undertake to be adequately prepared for privileged-account leaks or attacks?
- Follow the principles of least privilege—if an employee doesn’t need access to a system or data set, he or she shouldn’t have it.
- Implement multiple layers of security control points to ensure people can’t access systems and data they shouldn’t.
- Separate infrastructure management from corporate access and require unique credentials for each system.
- Use multi-factor authentication to verify user identity.
- Make privileged-account access transparent through system controls and then monitor for anomalies. In the event of a number of failed-access attempts, your system should alert you. For example, when a marketing employee downloads—or attempts to download—a sensitive financial document, the system sends an alert based on an attempt to access data or systems outside an individual’s functions and duties.
- Correlate event data and look for trends in security control centers. Leverage the data housed in enterprise subsystems such as all authentication points, system access, endpoint backup software and data loss prevention tools. Correlated data from individual systems can reveal threats that would not have been identified otherwise.
- And finally, implement a real-time data recovery strategy so when a privileged employee deletes critical data before quitting, e.g., CRM data, product code, regulatory data, or financial documents, you can immediately restore them. Or when sensitive data is leaked, you can restore the file, accurately determine your exposure and decide whether or not the breach needs to be reported.
The simplest way to add real-time recovery is through an endpoint backup solution that captures every version of every file automatically and maintains productivity by enabling data recovery—anytime—by the end user.
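The monitoring items in the list above, alerting on repeated failed-access attempts and on access to data outside an individual's functions and duties, can be expressed against an access log once least privilege is written down as a role-to-data-classification map. The block below is an added example for this page, not Code42 code; the roles, classifications, user directory, log format and thresholds are constructed.

```python
"""Least-privilege monitoring over an access log: out-of-role data access and
failed-access bursts (added example, not Code42 code; all data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Least privilege as a role -> allowed data classification map (constructed).
ROLE_ALLOWED = {
    "marketing": {"public", "marketing"},
    "finance": {"public", "financial"},
    "engineering": {"public", "source-code"},
}

# Constructed directory mapping account -> role.
USER_ROLE = {"mlee": "marketing", "fchen": "finance", "dev1": "engineering"}

# Constructed log lines: timestamp|user|action|resource|classification|result.
# mlee (marketing) hammers a financial document and is denied; dev1 (engineering)
# succeeds in reading payroll data, which means a control layer is missing.
SAMPLE_LOG = """\
2016-03-01T09:00:00|fchen|download|Q1-forecast.xlsx|financial|success
2016-03-01T09:01:10|mlee|download|Q1-forecast.xlsx|financial|denied
2016-03-01T09:01:15|mlee|download|Q1-forecast.xlsx|financial|denied
2016-03-01T09:01:20|mlee|download|Q1-forecast.xlsx|financial|denied
2016-03-01T09:01:25|mlee|download|Q1-forecast.xlsx|financial|denied
2016-03-01T09:02:00|mlee|download|campaign-deck.pptx|marketing|success
2016-03-01T09:30:00|dev1|read|payroll.csv|financial|success
"""


def parse_log(text):
    """Parse the pipe-delimited log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, classification, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "classification": classification, "result": result})
    return events


def out_of_role_access(events):
    """One alert per (user, resource) for any attempt, denied or successful, to
    touch data the user's role does not allow. A successful hit is the more
    serious finding: the access control should have stopped it."""
    alerts, seen = [], set()
    for e in events:
        allowed = ROLE_ALLOWED.get(USER_ROLE.get(e["user"]), set())
        key = (e["user"], e["resource"])
        if e["classification"] not in allowed and key not in seen:
            seen.add(key)
            alerts.append(("out-of-role", e["user"], e["resource"], e["result"]))
    return alerts


def failed_access_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with `threshold` or more denied attempts inside a sliding window.
    Threshold and window are constructed assumptions."""
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            denied[e["user"]].append(e["ts"])
    alerts = []
    for user, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale attempts
            if end - start + 1 >= threshold:
                alerts.append(("failed-access-burst", user, end - start + 1))
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in out_of_role_access(events) + failed_access_bursts(events):
        print("ALERT", alert)
```

Note that the role map also serves as documentation for the least-privilege and separation items earlier in the list: when a successful access shows up that the map says should have been impossible, the alert points at a missing control rather than only at a user.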
Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.