This week I'm at a conference for CIOs, and the overwhelming issue is security: email security, data leakage, and data loss or theft. That is especially true for companies in the health care industry, where it is legally and reputationally essential that data be kept under control.
IT's main defense strategies don't address biggest risks
In most discussions, the same two solutions have come up to help prevent data loss: data loss prevention (DLP) tools and user training.
Both Exchange and Office 365 have DLP built in. A wizard walks you through setting up DLP policies, which are implemented as transport rules that prevent email messages and attachments containing Social Security numbers or other sensitive personal information from leaving the organization. There are also plenty of third-party DLP tools that extend the native Microsoft capabilities.
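To make concrete what such a transport rule actually does, here is an added example (not Microsoft's DLP engine and not code from the original column) of the core check: scan an outbound message for Social Security numbers and reject it when any recipient is outside the organization. The structural checks on the number follow the Social Security Administration's published rules for issued numbers; the `Message` class, the `corp.example` domain and the sample bodies are constructed for the illustration.

```python
"""Toy DLP transport rule: reject mail that leaves the organization carrying
Social Security numbers.

Added example, not Microsoft's DLP engine.  The number-range checks are the
SSA's published rules for issued SSNs; everything else is a constructed
illustration (hypothetical Message type, hypothetical org domain)."""
import re
from dataclasses import dataclass

# Loose pattern: 3-2-4 digits with optional dash or space separators.
# On its own it also matches many nine-digit numbers that are not SSNs.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_issuable_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000, 666 and 900-999,
    group 00, serial 0000.  This removes many false positives such as
    order or ticket numbers that happen to have nine digits."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every substring of text that looks like an issuable SSN."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_issuable_ssn(*m.groups())]


@dataclass
class Message:          # hypothetical stand-in for a mail envelope
    sender: str
    recipients: list[str]
    body: str


def external_recipients(msg: Message, org_domain: str) -> list[str]:
    """Recipients whose address domain is not the organization's own."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() != org_domain.lower()]


def evaluate(msg: Message, org_domain: str, min_count: int = 1) -> tuple[str, str]:
    """Mirror of a rule of the form "if the message is sent outside the
    organization and contains at least min_count SSNs, reject it".
    Returns (verdict, reason) where verdict is 'reject' or 'allow'."""
    hits = find_ssns(msg.body)
    outside = external_recipients(msg, org_domain)
    if outside and len(hits) >= min_count:
        return ("reject", f"{len(hits)} SSN(s) addressed to {', '.join(outside)}")
    if hits:
        return ("allow", f"{len(hits)} SSN(s) found but all recipients are internal")
    return ("allow", "no SSN detected")


if __name__ == "__main__":
    demo = Message("hr@corp.example", ["someone@gmail.com"],
                   "Employee SSN 078-05-1120, please process.")
    print(evaluate(demo, "corp.example"))   # ('reject', '1 SSN(s) addressed to someone@gmail.com')
```

A production engine does more than this toy: it parses attachments, uses corroborating keywords near the match ("SSN", "social security") to raise confidence, and reports counts so policy can allow one number but block a bulk export. Note the limitation that matters for the rest of this column: a careless user trips this rule, but a deliberate insider who writes the digits with an unusual separator, or zips and encrypts the file, walks straight past it.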
Solid user training helps ensure that people don't accidentally send messages that contain sensitive information and don't get tricked by a phishing attack that opens a covert channel for data theft.
Both the technical DLP approach and the human training approach make the same assumption: The user doesn't want to harm the company. That is, any data leak is accidental on their part.
But what about the case of intentional leaks and theft, such as from a disgruntled employee or whistleblower?
Take this week's example of the Panama Papers, which detailed possible money laundering by government officials and others around the world. It is hard to believe that 11.5 million documents would leak without inside assistance from a Panamanian law firm that has operated for 40 years without incident (though the firm claims the theft came from an outside hack).
Then we have Edward Snowden, the NSA contractor who copied lots of sensitive government information and released it to the press to expose what he considered government lies.
It doesn't matter whether you consider these examples to be actions by heroes or by traitors. What occurred was the kind of intentional leak that most organizations fear so greatly.
The lesson? Too often, the defenses an IT organization puts in place focus on the perimeter, whether to stop outside attackers or to prevent accidental leaks from the inside, and not enough effort goes into stopping the intentional leak, where the damage can be far greater. As a result, intentional breaches from the inside often go undetected until it's too late.
IT should also adopt user-behavior analytics
It's the inside-job scenario that demands IT add a third approach alongside DLP and training: user-behavior analytics (UBA). UBA software helps detect insider threats and insider fraud, and it also catches the account compromise that follows a successful targeted attack such as spear phishing or whaling, because a hijacked account stops behaving like its owner.
My publishing company recently released a book by Derek A. Smith (a CISSP and cyber security expert), "Conversational User Behavior Analytics," in which Smith describes a system that learns each user's normal daily behavior and tries to detect when a serious change has occurred. For example, if a user typically downloads 10 documents a day and then suddenly starts downloading 11.5 million, that change is an obvious red flag.
By monitoring user patterns (where they log in from, what files they are poking around in, and so on) and even the language in their typed communications (what's called psycholinguistic analysis), the system establishes a baseline and gives IT a preemptive heads-up when an anomaly has been detected. It's not infallible: the baseline takes time to build, and a change of role or a project deadline will produce false positives that someone has to triage. But it certainly is worth considering.
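The two paragraphs above describe the mechanism in words; here is an added example of the simplest form of it in working code (mine, not from Smith's book or from any UBA product). It scores each user's day against that user's own history using a robust z-score (median and median absolute deviation, so one enormous day cannot distort the baseline it is judged against), flags a login country the user has never used, and refuses to score a user until a minimum number of baseline days exists. The log is a constructed daily audit export, one line per user per day, and the users, dates and thresholds are all invented for the illustration.

```python
"""Toy user-behavior baseline: flag a day whose download volume or login
country departs sharply from the user's own history.

Added example, not code from the page, from Smith's book or from any UBA
product.  SAMPLE_LOG is a constructed daily audit export."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample: one line per user per day, fields as key=value.
SAMPLE_LOG = """\
2016-03-21 alice downloads=9 country=US
2016-03-22 alice downloads=11 country=US
2016-03-23 alice downloads=10 country=US
2016-03-24 alice downloads=8 country=US
2016-03-25 alice downloads=12 country=US
2016-03-28 alice downloads=10 country=US
2016-03-29 alice downloads=9 country=US
2016-03-30 alice downloads=11 country=US
2016-03-31 alice downloads=10 country=US
2016-04-01 alice downloads=10 country=US
2016-04-04 alice downloads=400 country=BR
2016-03-21 bob downloads=30 country=US
2016-03-22 bob downloads=28 country=US
2016-03-23 bob downloads=35 country=US
2016-03-24 bob downloads=31 country=US
2016-03-25 bob downloads=29 country=US
2016-03-28 bob downloads=33 country=US
2016-03-29 bob downloads=30 country=US
2016-03-30 bob downloads=32 country=US
2016-03-31 bob downloads=30 country=US
2016-04-01 bob downloads=31 country=US
2016-04-04 bob downloads=34 country=US
2016-04-04 carol downloads=50 country=US
"""

MIN_BASELINE_DAYS = 7   # refuse to score a user with less history than this
Z_THRESHOLD = 5.0       # robust sigmas above the median that raise an alert
MAD_SCALE = 1.4826      # scales MAD to a standard deviation for normal data


@dataclass
class DayRecord:
    day: str
    user: str
    downloads: int
    country: str


def parse_log(text: str) -> list[DayRecord]:
    """Parse the constructed 'date user key=value ...' format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        records.append(DayRecord(day, user, int(fields["downloads"]), fields["country"]))
    return records


def robust_z(value: float, history: list[int]) -> float:
    """Distance of value from the history median, in units of scaled MAD.
    The scale is floored at 1.0 so a perfectly flat history (MAD 0) does
    not divide by zero or turn a change of one document into an alert."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(mad * MAD_SCALE, 1.0)
    return (value - med) / scale


def score_day(record: DayRecord, history: list[DayRecord]) -> dict:
    """Score one day against the same user's earlier days only."""
    result = {"user": record.user, "day": record.day, "reasons": []}
    if len(history) < MIN_BASELINE_DAYS:
        result["status"] = "insufficient_baseline"
        return result
    counts = [h.downloads for h in history]
    z = robust_z(record.downloads, counts)
    if z > Z_THRESHOLD:
        result["reasons"].append(
            f"{record.downloads} downloads is {z:.1f} robust sigmas above median {median(counts)}")
    seen = {h.country for h in history}
    if record.country not in seen:
        result["reasons"].append(f"first session from {record.country}; baseline {sorted(seen)}")
    result["status"] = "alert" if result["reasons"] else "normal"
    return result


def score_log(text: str) -> list[dict]:
    """Replay the log in date order, scoring each day before adding it to history."""
    history: dict[str, list[DayRecord]] = defaultdict(list)
    results = []
    for rec in sorted(parse_log(text), key=lambda r: (r.user, r.day)):
        results.append(score_day(rec, history[rec.user]))
        history[rec.user].append(rec)
    return results


def alerted_users(text: str) -> set[str]:
    return {r["user"] for r in score_log(text) if r["status"] == "alert"}


if __name__ == "__main__":
    for r in score_log(SAMPLE_LOG):
        if r["status"] == "alert":
            print(r["day"], r["user"], "; ".join(r["reasons"]))
```

Replaying the log, alice's 400-document day from a new country raises two reasons, bob's 34-document day scores as normal against his baseline of roughly 30, and carol gets no verdict at all because a single day of history is not a baseline. That last case is the practical caveat: the system has nothing to say about a user until it has watched them for a while, which is exactly the window a new hire or contractor who intends to leave with data would use.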
Forcepoint, Splunk, and Veriato are a few vendors that offer UBA software.
3 essential techniques to safeguard your data
There you have it, the three key deterrents to insider threats and data leakage:
- A DLP tool to prevent accidental data loss
- Training to prevent both accidental and outsider-manipulated data loss
- UBA to analyze your users' behavioral patterns through technical indicators and psycholinguistics to detect red-flag anomalies