Fighting Insider Attacks Is Tough: Survey
Only 21 percent of respondents continuously monitor user behavior to thwart insider attacks, finds a Crowd Research Partners survey.
Fighting insider threats is a tough task for enterprise security organizations because traditional security controls such as encryption and multi-factor authentication are often ineffective against privileged insiders with direct access to sensitive data and systems.
Just how tough is revealed in a recent report by Crowd Research Partners, conducted in cooperation with the Information Security Community on LinkedIn. While 62 percent of survey respondents said insider threats have become more frequent in the last 12 months, only 34 percent of the security pros expect to receive additional budget to address the problem.
In addition, 62 percent of respondents said insider attacks are more difficult to detect and prevent than external attacks.
Insiders can easily bypass security controls in environments with insufficient security protocols and controls, said Holger Schulze, founder of the Information Security Community. "In fact, many insider attacks can go unnoticed for long periods of time, even years," he said.
Lack of User Monitoring
Despite the difficulty of detecting insider attacks, many respondents seemed overconfident in their ability to detect and stop insider breaches, pointed out Rich Campagna, VP of Products with Bitglass, one of the sponsors of the survey. Just 11 percent of respondents think it will take them six months or more to detect an insider threat -- a statistic he called surprising given that, on average, it takes nearly seven months for detection.
"In the security community, many feel that, 'It won't happen to us,' or, 'We have superior prevention technologies in place.' Security professionals must learn to focus on rapid detection as a means for limiting damage when the inevitable occurs," Campagna said.
Just 21 percent of respondents said they continuously monitor user behavior. Twenty-six percent monitor access logging only, while 14 percent do so only after an incident is flagged by forensic analysis and 14 percent do so only in special circumstances, such as shadowing specific users.
Despite the popularity of cloud applications, just 25 percent of organizations monitor user behavior within the cloud. In contrast, three-quarters of organizations deploy user monitoring for their on-premises applications.
Fifty-seven percent of respondents tapped databases as the most vulnerable point, followed by file servers (mentioned by 55 percent). This is especially worrisome, given the relative inattention paid to databases. As reported earlier on eSecurity Planet, a recent Ponemon Institute survey found that organizations allocate only about half as much budget to database security as they do to network security.
"The dominant philosophy has been to create an impenetrable perimeter security defense using such things as firewalls and intrusion detection systems (IDS)," Michael Sabo, vice president of Marketing at DB Networks, told eSecurity Planet. "If you believe that nothing can get through your perimeter it probably seems like a waste of money, time, and effort to invest in database security."
A troubling 45 percent of respondents said they could not determine whether their organizations had experienced insider attacks in the last 12 months.
Most respondents identified organizational issues rather than technical issues as the biggest hurdles to effective insider threat management. Lack of training and expertise was mentioned by 63 percent of respondents, followed by lack of budget (48 percent) and not a priority (43 percent).
User training, cited by 45 percent of respondents, was the most popular tactic for fighting insider threats, followed by background checks (41 percent) and user activity monitoring (39 percent).
Campagna, from Bitglass, would like to see more emphasis on technology. "Insiders are human, and relying on training/education is relying on humans not to make mistakes," he said. "Technology is a better answer, to automate things that humans must do."
One way to boost the effectiveness of user training, Campagna suggested, is by providing ongoing user coaching at the point of the incident, mentioning as an example "warning a user in health care about potential leakage of PHI (protected health information) when they send an email versus solely in a periodic compliance training."
In addition to Bitglass, corporate sponsors of the survey were Dell Software, Fasoo, LightCyber, Heat Software, ObserveIT, Palerra, RES Software, Sergeant Laboratories, SpecterSoft, Vectra Networks and Watchful Software.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.