April 29, 2009, 11:05 AM — The Verizon Business RISK team recently released its "2009 Data Breach Investigations Report," which gives a fresh look into the question of whether insiders or outsiders are the larger threat group. The report concludes that 74% of breaches result from external sources and "the predominance of total records lost was attributed to outsiders."
With nearly three-quarters of attackers still originating from outside, it is tempting to accept the inside threat as a lesser concern. Later, however, the report states external breaches have dropped nearly 20% over five years. The growth in threats seems to come from partners rather than insiders. Or can we really tell?
This question is something everyone should ask themselves, whether they store, process or transmit personal identity information. When looking at the data and conclusions of breach reports, it is important to consider several factors before accepting conclusions or taking a security posture.
First, the incident-response-team perspective does not reflect every environment or industry. Verizon provides data on only 600 incidents over five years, whereas public resources and research groups suggest 573 incidents occurred in 2008 alone and close to 1,500 occurred over the past five years. What happens if we include all other data points, or estimate the number of unreported breaches, or isolate breaches by industry?
Second, data points themselves remain blurry. External and internal threats often are not exclusive. External agents often include an element of insider activity. There are a number of reasons for this, such as the sophistication of monitoring at the perimeter compared with that at internal segments.
Note that the Verizon report defines insider threat to include individuals who "contribute to the breach" by picking up malware while browsing. With that in mind, 11% of all attacks are attributed to internal breaches alone, with no known external component involved. However, 39% of breaches involve multiple sources. The combined total of attacks involving insiders is therefore actually 50%. Furthermore, the 11% of attacks exclusive to insiders translates into 25% of all compromised records. When you consider this, the threat represented by insiders appears to increase substantially above 50%.
Viewed that way, the Verizon report helps put current security monitoring systems in perspective. Are your controls able to identify insider attacks? Consider the UCLA or recent Kaiser Permanente breach incidents. Is it possible to correlate external exposures with internal activity and access? Are your partner access points monitored? The answer to these questions comes from a modern logging and monitoring solution.
Carl Sagan used to say "The absence of evidence is not the evidence of absence." Collecting logs, storing them and performing analysis at the system, network and application layers will provide evidence of threats. Here are just two examples of how to build the necessary evidence of absence.
The first way to build evidence is to stop using shared accounts -- there is a reason why they are always discouraged by auditors and regulators. How can you figure out who did what if everyone uses a single account? Imagine trying to catch 23 attackers from outside and inside with just one data point -- a single generic username. Now imagine trying to catch 23 attackers from 10 IP addresses, 100 Web site logins, and 200 badge reads. Once a picture of staff habits and procedures is in place, organizations should be able to collect a meaningful view of user activity. An attack will not only stand out but be pinpointed with certainty as being external, internal or a blend before it is too late and forensic investigators have to be involved.
A second example builds upon that idea. High rates of access are often considered a sign of an attack when things go awry, but a business has to be able to define what "high rates" really mean. There might be high rates during certain procedures such as end-of-month batch processing, giant print jobs or similar circumstances. Therefore a spike in activity that is unique is not always sufficient as an indicator of attack. Building a centralized log system can give essential insight that illuminates trends and narrows down attack data to avoid false positives. The more data that is analyzed efficiently, the more likely an attacker will be profiled correctly.
Creating a picture of security activity most relevant to your specific organization and industry reduces the uncertainty about where breaches originate, whether your organization is highly dependent on diverse partner connections, requires relatively open access for insiders, or has a high profile under constant attack from external agents. The key is to use a system that allows you to become familiar enough with log activity to detect threats and respond before they become an incident. That is not only a good measure for business, but it also will keep you out of the debate over the next annual report on breaches.
Ottenheimer is director of compliance solutions at ArcSight.