Stories from the DLP Front
This article originally appeared in Forbes.
Meet Kevin. He works in his company’s research lab. And he’s the most dangerous person in the world.
The funny thing is that Kevin doesn’t know it yet — nor does his company. But last weekend, Kevin did something that will imperil his work, his company and possibly the known universe: He looked at a picture of his daughter.
Bad Guys Want Your Data
Data-loss scenarios typically fall into three categories: outsider with intent, insider with intent or insider without intent.
The outsider with intent is an obvious example. Picture the evil villain: “We’re in!” says the toque-wearing, basement-dwelling hacker into the headset microphone (at least in the pop-culture version). In reality, that outsider may be a hacker located in a state-sanctioned boiler room tasked with attacking data-rich targets. Or it may be an alleged African prince. Or Edward Snowden.
Next is the intentional insider. The insider may harbor a grudge against an employer. Or the insider may seek personal gain from access to proprietary information. The insider threat could also come from a partner playing the double-cross. (Some insider activities are more entertaining than others. Hollywood has even taken note.) The insider steals data, embezzles money, or sabotages an organization from within. Think Guy Fawkes, Jiaqiang Xu or Christopher Victor Grupe.
Kevin, The Greatest Risk To Your Organization
And then there’s Kevin, the most dangerous threat of all. Kevin’s a good guy: diligent worker, loyal employee, dutiful parent. But to hackers, Kevin’s an information-rich target. His knowledge would be of inestimable value to a competitor.
Now, think like a bad guy. You want the proprietary assets Kevin holds. You could do something extreme, like take a hostage (or say you’ve taken a hostage) and demand a ransom of intellectual property. But that could get messy. You could go the carrot route and bribe Kevin. But if he’s ethical, that could get messy, too. Getting to Kevin will require something more insidious. Oh, and you'll need to be sure to cover your tracks.
Back to Kevin. His company takes strong data-loss prevention (DLP) measures. Its security solution employs exact-data-match (EDM) algorithms to recognize threats coming in and unauthorized proprietary information going out. It analyzes behavior to identify potentially suspicious activity (e.g., “Why is someone in finance accessing the dev repository?” “Why has Person X’s download/upload volume tripled?”).
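To make the exact-data-match idea concrete, here is an added illustration (not Zscaler's implementation, and not code from the article) of how a DLP engine can fingerprint known sensitive records and flag outbound text that reproduces them. The record values are constructed, and the rule that a match needs at least two fields of the same record to co-occur is an assumption chosen to keep false positives down.

```python
import hashlib
import re

# Constructed sample records a DLP engine would fingerprint; the project
# codes, part numbers and owners are hypothetical, not from the article.
SENSITIVE_RECORDS = [
    {"project": "ORION-7", "part": "PN-44871", "owner": "k.lee"},
    {"project": "VEGA-2", "part": "PN-90213", "owner": "m.chen"},
]

TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def normalize(value: str) -> str:
    """Canonical form so case and stray whitespace do not defeat the match."""
    return re.sub(r"\s+", "", value).lower()


def fingerprint(value: str) -> str:
    """Only the hash is stored in the index, never the plaintext secret."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def build_index(records):
    """Map each field fingerprint to the (record, field) pairs it came from."""
    index = {}
    for i, rec in enumerate(records):
        for field, value in rec.items():
            index.setdefault(fingerprint(value), set()).add((i, field))
    return index


def scan(text: str, index, min_fields: int = 2):
    """Return indexes of records whose fields co-occur in the outbound text.

    Requiring min_fields distinct fields from the same record means a lone
    owner name in a lunch invite does not trip the detector, while a project
    code next to its part number does.
    """
    hits = {}
    for token in TOKEN_RE.findall(text):
        for rec_idx, field in index.get(fingerprint(token), ()):
            hits.setdefault(rec_idx, set()).add(field)
    return sorted(i for i, fields in hits.items() if len(fields) >= min_fields)


if __name__ == "__main__":
    idx = build_index(SENSITIVE_RECORDS)
    print(scan("Draft: ORION-7 status, part PN-44871 ships Friday", idx))
```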
But Kevin’s experience is different. One Sunday, he took his laptop to the coffee place down the street to work on a draft proposal. He didn’t bother with the VPN since everything he needed was on his machine. He checked Gmail: A parent had shared team photos from Kevin’s daughter’s recent Little League game. He clicked the link to a well-known file-storage website, but the link was broken. He thought little of it and resumed work.
One Click And You’re Done For
You can see what’s coming. Kevin’s click had the potential to cripple the company. He logged on to the internet but never secured his connection. He had no need to access corporate resources in the data center, and the VPN would have slowed his web performance.
What Kevin didn’t realize was that he had been phished — spear-phished, to be exact. Hackers phish to gain access to logins, passwords or personal information. In a more sinister spear-phishing attack, hackers turn the social-engineering malevolence up a notch, name-dropping personally identifiable information (PII) to make the (most likely spoofed) source and the call to action (e.g., a link-click in an email) appear more credible.
Hackers targeted Kevin. The bad actors knew he had access to valuable information. They did their homework by learning his daughter’s name, her baseball team’s name and more. (A side note to this story: Consider what you post to social media — and always check your privacy settings.)
As for motive, maybe the bad guys wanted to reverse-engineer Kevin’s in-development product. Or sell whatever confidential information they could glean to the highest bidder, perhaps a competitor or a foreign state actor. Either could then exploit Kevin’s costly R&D work and beat his company to market with a lower-priced product.
This story is true (names and identifying information have been changed). After several days, Kevin noticed performance degradation. One help desk ticket later, and his company’s IT support team was inspecting the laptop. With that one click, Kevin had triggered malware that, unbeknownst to him, installed a screen-scraper bot on his work computer. The hidden bot logged keystrokes, took screenshots and sent them to an external site via SSL. The potential risk was immeasurable. But Kevin’s company got lucky: One help desk employee had once seen something similar. IT discovered the bot and called in the FBI.
What You Can Do Now
DLP tactics like enterprise data management and behavioral analytics are the first steps to combating insider, outsider and unintentional data theft. But to protect Kevin, and reduce risk, IT leads must rethink enterprise data-loss detection:
- Examine all data movement, especially when employees are offline or not connected to the corporate network.
- For employees and machines with access to your company’s crown jewels of classified information, consider extreme BIOS-level measures like disabling USB ports or blocking Bluetooth.
- Up your inspection game. Can your security solution comprehensively inspect encrypted SSL data? If not, your exact-data-match (EDM) detection will be less effective.
- No more sampling! Bad guys hide in data. The more data in motion, the harder nefarious activities are to detect. Scrutinize all data entering and leaving your organization. All of it. No exceptions.
- Reduce trust vulnerabilities. For example, increase the frequency of multifactor authentication (MFA) challenges to reduce the potential lifespan of stolen credentials.
- Educate your staff. Train all employees and partners on infosec best practices, and if you can, get those partners to guarantee the same (or even better) level of security practices as your organization.
Kevin almost unintentionally handed over company keys to the vault. Potential Kevins are everywhere. But with a comprehensive enterprise DLP strategy, full SSL decryption, training and remediation methods in place, your organization can help Kevin become a lot less dangerous.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Stan Lowe is the Global CISO for Zscaler