The recent Pentagon breach — in which 21-year-old guardsman Jack Teixeira allegedly leaked sensitive intelligence on social media sites to elevate his social standing — is reigniting conversations about protecting data from malicious insiders. From the snake in the Garden of Eden (the original insider) to Snowden, Manning, Winner and now Teixeira, it only takes one bad apple to change the course of history.
Information access — and the fact that there's far too much access to sensitive data in general — is a common theme that ties insiders together. As Robert Litt, former General Counsel of the Office of the Director of National Intelligence, assesses, "In the aftermath of the leaks, there should be a sober and penetrating review of information sharing, of the number of people with security clearances, of implementation of existing policies regarding 'need to know, 'and of monitoring of classified systems."
Insider threats are the most difficult risk to defend against and can do the most damage. The Pentagon probably did everything right within its physical and digital perimeters; Teixeira worked in a SCIF, or sensitive compartmented information facility, that "guards against electronic surveillance and suppresses data leakage."
That means no USB keys were going in or out, nothing could be uploaded to the internet and no transmissions could take place. Still, none of its perimeter controls would help with this threat.
Anatomy Of An Insider Attack
So, what went wrong? The leaker was given ample access to sensitive data that he arguably didn't need. Despite the industry buzz around zero trust, this case seems to be a failure in the need-to-know model and/or a breakdown in monitoring classified systems.
In many organizations, the focus is often on safeguarding perimeters rather than protecting the target itself — the data on the inside.
Imagine this conversation between a CEO and an IT security team tasked with protecting sensitive data.
CEO: Do we patch our systems?
IT security team: Of course. Attackers would exploit vulnerabilities if we didn't.
CEO: Do we train our employees by using simulated phishing attempts?
IT security team: Yes, we train employees because people get phishing emails all the time.
CEO: Do we keep security software on everyone's endpoints?
IT security team: Yes, because after people are phished, endpoint software helps block the malware attackers try to install.
CEO: Do we block USB keys and bulk uploads?
IT security team: Yes, they make it easy for insiders to steal data.
CEO: Do we lock down and monitor our most important data?
IT security team: Nope.
Isn't it strange that organizations have so many controls where the risk isn't located? After all, banks don't focus more on what comes through their doors and windows than who and what goes in and out of the vault — then the cash would get the same security as the pens.
If Teixeira hadn't had access to so much sensitive information in the first place, the potential damage could have been nonexistent or greatly reduced and far more quickly contained. The Pentagon could have failed at the perimeter, but no one would know Teixeira's name if the data had been kept safe all along.
Striking A Balance Between Access And Security
Locking the vault in the digital world is, of course, a big challenge. More sensitive data is stored in more places every day, and collaboration requires balancing productivity and security. Data only has value if it can be shared.
If you lock down data completely or too tightly, it's a frozen asset. The intelligence community learned this after restricting information shared among various agencies before September 11. If you loosen restrictions too much, information assets can quickly become a liability, as seen in the recent Pentagon breach.
How can you balance access and security? Here are five steps you can take to see how prepared you are for a nefarious insider or an outside attacker that compromises an insider's account or computer.
- Take an inventory of the rules you have about protecting sensitive data. Have you decided when and how to delete, quarantine or lock down sensitive data?
- Check to see if you can enforce these rules manually or with automation.
- Understand how easily you can see violations of these rules.
- Look for rules that should be created, refined or enforced more effectively.
- If you're just getting started, consider taking an inventory of your data to see where users store sensitive data and with whom they share it.
If you're like most organizations, your employees access sensitive data from anywhere, from many devices, in cloud-connected applications and data stores — pretty much the opposite of a SCIF. With such a distributed, unpredictable perimeter, it makes even less sense to allocate most of our scarce security resources there — we have no idea where the attacks will originate.
We do, however, know where the attackers will go. Your business may not be holding top-secret intelligence, but chances are you have information that someone wants. And that's where it makes sense to focus scarce resources.
Securing information on a need-to-know basis and closely monitoring that data for signs of unusual activity can help reduce the damage that insiders can do and make them easier to spot. Outside attackers that take over an employee computer or account (and effectively become insiders) must work much harder to get to the data they want, giving monitoring solutions more chances to catch them.
It doesn't matter whether you're handling military or trade secrets, or if your employees work in a SCIF, in a building, or at home — prioritizing your controls around data protects it better from insiders and outside attackers. You're killing two snakes with one stone.
This article first appeared on Forbes.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction, and execution of the company.