Is Your Data Insider-Proof? Five Steps To Keep Your Secrets Safe

This article explains the five steps you can take to see how prepared you are for a nefarious insider or an outside attacker that compromises an insider's account or computer.
Yaki Faitelson
3 min read
Last updated August 16, 2023

The recent Pentagon breach — in which 21-year-old guardsman Jack Teixeira allegedly leaked sensitive intelligence on social media sites to elevate his social standing — is reigniting conversations about protecting data from malicious insiders. From the snake in the Garden of Eden (the original insider) to Snowden, Manning, Winner and now Teixeira, it only takes one bad apple to change the course of history.

Information access — and the fact that there's far too much access to sensitive data in general — is a common theme that ties insiders together. As Robert Litt, former General Counsel of the Office of the Director of National Intelligence, assesses, "In the aftermath of the leaks, there should be a sober and penetrating review of information sharing, of the number of people with security clearances, of implementation of existing policies regarding 'need to know, 'and of monitoring of classified systems."

Insider threats are the most difficult risk to defend against and can do the most damage. The Pentagon probably did everything right within its physical and digital perimeters; Teixeira worked in a SCIF, or sensitive compartmented information facility, that "guards against electronic surveillance and suppresses data leakage."

That means no USB keys were going in or out, nothing could be uploaded to the internet and no transmissions could take place. Still, none of its perimeter controls would help with this threat.

Anatomy Of An Insider Attack

So, what went wrong? The leaker was given ample access to sensitive data that he arguably didn't need. Despite the industry buzz around zero trust, this case seems to be a failure in the need-to-know model and/or a breakdown in monitoring classified systems.

In many organizations, the focus is often on safeguarding perimeters rather than protecting the target itself — the data on the inside.

Imagine this conversation between a CEO and an IT security team tasked with protecting sensitive data.

CEO: Do we patch our systems?

IT security team: Of course. Attackers would exploit vulnerabilities if we didn't.

CEO: Do we train our employees by using simulated phishing attempts?
IT security team: Yes, we train employees because people get phishing emails all the time.

CEO: Do we keep security software on everyone's endpoints?

IT security team: Yes, because after people are phished, endpoint software helps block the malware attackers try to install.

CEO: Do we block USB keys and bulk uploads?
IT security team: Yes, they make it easy for insiders to steal data.

CEO: Do we lock down and monitor our most important data?
IT security team: Nope.

Isn't it strange that organizations have so many controls where the risk isn't located? After all, banks don't focus more on what comes through their doors and windows than who and what goes in and out of the vault — then the cash would get the same security as the pens.

If Teixeira hadn't had access to so much sensitive information in the first place, the potential damage could have been nonexistent or greatly reduced and far more quickly contained. The Pentagon could have failed at the perimeter, but no one would know Teixeira's name if the data had been kept safe all along.

Striking A Balance Between Access And Security

Locking the vault in the digital world is, of course, a big challenge. More sensitive data is stored in more places every day, and collaboration requires balancing productivity and security. Data only has value if it can be shared.

If you lock down data completely or too tightly, it's a frozen asset. The intelligence community learned this after restricting information shared among various agencies before September 11. If you loosen restrictions too much, information assets can quickly become a liability, as seen in the recent Pentagon breach.

How can you balance access and security? Here are five steps you can take to see how prepared you are for a nefarious insider or an outside attacker that compromises an insider's account or computer.

  1. Take an inventory of the rules you have about protecting sensitive data. Have you decided when and how to delete, quarantine or lock down sensitive data?
  2. Check to see if you can enforce these rules manually or with automation.
  3. Understand how easily you can see violations of these rules.
  4. Look for rules that should be created, refined or enforced more effectively.
  5. If you're just getting started, consider taking an inventory of your data to see where users store sensitive data and with whom they share it.

If you're like most organizations, your employees access sensitive data from anywhere, from many devices, in cloud-connected applications and data stores — pretty much the opposite of a SCIF. With such a distributed, unpredictable perimeter, it makes even less sense to allocate most of our scarce security resources there — we have no idea where the attacks will originate.

We do, however, know where the attackers will go. Your business may not be holding top-secret intelligence, but chances are you have information that someone wants. And that's where it makes sense to focus scarce resources.

Securing information on a need-to-know basis and closely monitoring that data for signs of unusual activity can help reduce the damage that insiders can do and make them easier to spot. Outside attackers that take over an employee computer or account (and effectively become insiders) must work much harder to get to the data they want, giving monitoring solutions more chances to catch them.

It doesn't matter whether you're handling military or trade secrets, or if your employees work in a SCIF, in a building, or at home — prioritizing your controls around data protects it better from insiders and outside attackers. You're killing two snakes with one stone.


This article first appeared on Forbes.

 

 

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

is-your-biggest-security-threat-already-inside-your-organization?
Is Your Biggest Security Threat Already Inside Your Organization?
Is your company protected against insider threats? From malicious ex-employees to negligent staff, your biggest cybersecurity concern may already be inside.
three-ways-varonis-helps-you-fight-insider-threats
Three Ways Varonis Helps You Fight Insider Threats
Insider threats are difficult for organizations to combat. Varonis’ modern cybersecurity answer uses the data security triad of sensitivity, access, and activity to combat threats.
what-is-an-insider-threat?-definition-and-examples
What is an Insider Threat? Definition and Examples
Insider threats are internal risks to cybersecurity and data — learn more about insider threats, indicators, and how to detect them and prevent breaches.
visualize-your-risk-with-the-datalert-dashboard
Visualize your risk with the DatAlert dashboard
Last week, we introduced over 20 new threat models to help defend your data against insider threats, ransomware attacks and threats to your most sensitive data. But with all this...