Insider Threat: 'You Can't Stop Stupid'
"You can't stop stupid," Cole says. "But you can control and limit stupid."
In an exclusive interview, Cole discusses:
- Today's top insider threats - and what's most misunderstood about them;
- Technology solutions that ease the risks;
- Advice on how to limit your own organization's vulnerability.
Cole is an industry-recognized security expert with over 20 years of hands-on experience. He currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Cole is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is also the CTO of the Americas for McAfee. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS faculty fellow and course author.
TOM FIELD: What is the latest on the insider threat? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the insider threat with Dr. Eric Cole, the CTO of the Americas for McAfee and also with SANS. Eric thanks so much for joining me today.
DR. ERIC COLE: My pleasure to be here.
FIELD: Now, I have mentioned only a couple of your roles. Maybe you can go on and give a bit of background on what you are working on today with McAfee, SANS and elsewhere.
COLE: I have actually been involved in cybersecurity for over 20 years and have written a book on insider threat. So one of the things that I do a lot with both McAfee and in my teaching ability with SANS is try to understand what customers' problems are and give them actual solutions that work. One of the things we find is that organizations are spending a lot of money on cybersecurity, and they are still getting broken into -- not because they are not trying, but because they are fixing the wrong problems.
So what I like to always do is trace everything back to risk, help organizations better understand what their biggest exposures are, and give them solutions that are not just good things to do, but the right things to do. One of those biggest areas today is protecting, controlling and managing the insiders.
FIELD: Well, let's talk about the insider threat. Particularly since the economic meltdown of a couple of years ago, we find that awareness to the insider threat is up, but so are the incidents. Why is that?
COLE: One of the biggest problems is even though organizations are more aware that problems are being caused by the insider, they are still not addressing them with their budget. If you look at the latest numbers, about 50 percent of the loss to an organization from attacks is from the inside, and about 50 percent is from external attacks.
However, if you look at their budget, they are still spending 80 percent of their budget on the external threat and only about 15 to 20 percent on the insider threat, so there is still not that proper balance because organizations think that if they put up preventive measures and firewalls that is going to deal with the insider, when in reality the insider is using simple tools, like web browsers, email clients and others, to be able to go in and cause harm to the organization.
So organizations are starting to recognize that it's a problem, but their budget, their solutions and where they are putting their energy are not going to stop it because they are trying to focus in on making people aware of the problem. In reality, they need to put measures in to control, protect and limit what the insiders really do within their organizations.
FIELD: So we've talked about the awareness. What do you find to be most misunderstood about the insider threat?
COLE: Probably the biggest area is most people, when they hear the word insider threat, they think of what I call the deliberate insider -- the people that are in an organization that are deliberately working for the enemy, working for a competitor trying to cause harm to that company.
While that still happens today, that is the less likely percent of loss to an organization. The biggest thing that most people misunderstand is not the deliberate insider they need to worry about; it's what I call the accident insider. The person who is not trying to cause harm, but clicks on the wrong link or opens up the wrong email that causes money, damage or intellectual property to be stolen from the organization.
So the thing most misunderstood by managers, executives and even technical folks that I talk to -- they don't realize that the insider threat is not from people who are deliberately causing it, but accidentally causing harm. In many cases, the insider isn't even realizing they are the source or the cause of the loss to the organization.
FIELD: Well, I have got to think, too, that these risks only accelerate when you are looking at people leaving workplaces with laptops, with portable media, by using social media?
COLE: Exactly, and social media is a perfect example where employees and individuals are now putting themselves at such a great risk because they are out there with Facebook and Twitter and MySpace and all these different things. They are pouring out all of their personal information and their data to what they think are their friends, but they have no idea that anybody can harvest, grab or gather that data.
Just for example, if you think of what most people use as their passwords, and what they use as those challenge phrases if they forget their passwords -- mother's maiden name, place of birth, name of a pet ... You go and look at what they are putting in social media, and through a few searches all that information is right there in their profile, in their bio and in their background.
So for somebody to find an individual at a corporation, target them, steal their credentials and even directly break in and steal information without the individual realizing it today is really quite straightforward.
FIELD: Now at Information Security Media Group, we deal primarily with financial institutions, with government agencies, with healthcare organizations. In your experience, are there types of organizations that are most vulnerable now to the insider threat, or is it really something that cuts across any kind of vertical industry barriers?
COLE: In terms of vulnerable to the insider threat, I usually say that organizations that are the most vulnerable are organizations that are connected to the internet, that have sensitive information, and that have employees working for them -- which pretty much means everyone. Now if you tie that with what is being targeted most today, a lot of the information that is being targeted are things for monetary gain; Social Security numbers for identity theft, credit card numbers for fraudulent charges, bank account information, research data and anything like that.
So when you are looking at the financial community, all that information on account records, credit card data and personal data -- that is going to be the primary target of the attackers. And what they are looking for today is: While targeting an individual can have benefit, going after the backend databases where all that resource is stored is going to give them a much better payoff. Why target 30,000 individuals when I could target one individual who works at a financial institution with access to a database that can give me 50,000, 80,000 or 100,000 records with a single attack?
FIELD: Well let's talk about solutions now. In your experience, what types of technology solutions work best to mitigate the insider threat?
COLE: One of the big phrases that I always say with the insider is: No matter how hard you try, and no matter what you do in an organization, you can't stop stupid. The insiders in a lot of cases, when you talk about the accidental insider, are people that are doing stupid things that they don't think about.
The phrase that I always like to say is: While you can't stop people from doing stupid things, you can control and limit stupid. So one of the technologies that we are seeing that has a lot of benefit is isolation, or sandboxing. That is not only done with individual users, but that is also controlling access.
So for example, anybody who logs in as a privileged user or an administrator or root on your systems, let them perform that privileged access, but why would you ever allow somebody who is logged in as an admin or root to check email or surf the web? It is just an unnecessary risk. So by going in and allowing people logged in as privileged users only to perform the functions that are needed inside their organization and not allowing them to go out to the internet or perform any task they can do as a regular user is one form of what we are calling isolation or sandboxing.
The other area is going in and when you run high risk applications -- and right now today the two most high risk applications are of course email clients and web browsing -- why not run those in separate virtual machines? You can do this completely transparent to the individual users. Now, when they bring up their computer and they double click on the email client for their web browser, it works the way it always works except little do they know that it is running in a separate isolated virtual machine, or a guest operating systems, on that primary host. Now if they get infected with malware, if they get compromised or if they get targeted, then they shut down that application, all the malware goes away, that instance of the operating system disappears, and now in essence you have got infected for five minutes instead of five days, five weeks or five months because you are controlling and limiting what they are doing.
The other technology we are seeing is application white-listing. The problem with a lot of the security technology today is that it looks for evenness. It tries to find patterns, signature or behavior of bad things that are occurring on a network. While that is okay, the different ways that people are being targeted in terms of the evilness changes so often that trying to control and manage the bad things is too difficult. What application white-listing does is say "Let's control the good. Let's go in and figure out what are the minimalistic things that users need to do to perform their job function and then control and limit and only allow that to occur on the system."
FIELD: Well, let's look ahead now, Eric. What does the next generation of solutions have to do to, as you say, control and limit the stupid?
COLE: The biggest thing is they have to be more adoptive. Going in and being very rigid where you make a binary decision all the time, this is good or this is bad, just doesn't scale because as you mentioned earlier, businesses are very, very dynamic today. What somebody had to do yesterday is different than today, the data is more portable, there is a lot more mobile devices out there.
So what we need to start moving toward is more adaptive or predictive technology that is focused on behavioral patterns. Better understanding what is the behavior of a good legitimate user and what is the behavior of somebody who is going to do harm in a specific environment, and one thing we have got a lot of positive output from is what we call reputational ranking.
The idea behind reputational ranking is you have a ranking of "Is this person acting more like a good or more like a bad individual on your network," and as they exhibit behavior of a good legitimate person, they get more access. As they exhibit behavior of the bad person or an attacker, they get less access.
The reason why this is critical is one of the biggest challenges with online banking. The attackers enter the network and look just like a legitimate user, because as we talked about with all the social media and public information and social engineering attacks and spear phishing that are occurring today, it is fairly easy for an attacker to get credentials. So they are entering the network just like a legitimate user, which means you are not going to be able to prevent or stop them from entering the network. Therefore, what you have to do is control and limit their behaviors to only those good things, so now when they log in they are given a base level of access. If they start exhibiting good behavior, then you allow them more access to their records; and if they are doing bad behavior, you limit or control it.
So now by being more predictive and doing reputational ranking, you can truly have adaptive protection to limit and control the insider threat in your organization.
FIELD: So, let's boil it now down as best we can. If you could give a single piece of advice to organizations to help them mitigate their vulnerability to the insider threat, what would you advise?
COLE: My biggest piece of advice is to understand your environment. It amazes me how much today organizations are trying to approach security with blindfolds on. They are putting all of this technology in place, but when you ask them simple questions -- what percent of traffic leaving your organization is encrypted? What is the average length of a connection? How much data leaves your organization per hour or per minute? -- they can't answer those basic questions.
If you don't have an idea of what is normal or legitimate behavior, you are going to have no chance of being able to track and find the anomalies.
It is very similar to when you go to a doctor. If you went to a doctor's office because you weren't feeling good, and they came into the office without examining you and without asking you any questions, and handed you a prescription, you would be very frustrated because you would say "Doc, how could you give me a prescription without having looked or examined or seen what is wrong with me?" They couldn't. What they need to do is take your temperature, check your blood pressure, examine you, and what the doctor is doing is looking for anomalies. They are looking for a fever that is higher than normal. They are looking for glands that are more swollen than a normal gland. Those anomalies are what are helping them troubleshoot and figure out what is wrong.
Today we need to do the same thing with our networks. Understand what is normal traffic in your environment, and look for the anomalies and the anomalies. That's how you are going to catch the insider. The important thing to remember is you can't prevent the insider 100 percent. Prevention is ideal, but detection is a must.
The way you catch and detect the insider is not by looking at the inbound traffic, but switch your thinking and focus on the outbound traffic. By understanding what the normal outbound patterns are, looking for anomalies you will be able to catch, identify and limit the damage that a potential insider will cause in your organization.
FIELD: Very good, Eric. Thank you so much for your time and your insight today.
COLE: My pleasure.
FIELD: We have been talking about the insider threat. We have been talking with Dr. Eric Cole, CTO of the Americas for McAfee and a SANS Faculty Fellow. For Information Security Media Group, I'm Tom Field. Thank you very much.