Cloud Applications like Google Apps, Salesforce, Box, and Microsoft Office 365 are making productivity and collaboration easier and more effective without the need for big upfront investments in infrastructure and resources. Furthermore, these Cloud Apps are highly secure and have multiple levels of redundancy which are always on and safe.
For organizations using Cloud Apps, the only threats remaining are from insiders i.e their own users. Why? There are 2 main reasons:
- Attackers do not get in by penetrating or breaking down network firewalls but via weak trusting employees e.g. phishing.
- Some employees (users) may indulge in activities which are damaging to the organization.
Insider Threats and their Impact on Businesses
Data breaches, when reported in the media, cause irreparable damage to the business involved in terms of reputation and customer’s trust. Additionally, legal obligations may mandate public disclosure of such a leak. Furthermore, the breached data may be sensitive in nature such as: PII, login credentials, IP or Health Records. This exposure of key customer and business data puts both parties at risk.
All businesses are heavily invested in perimeter security tools for IDS, network monitoring, DLP, etc. and have dedicated personnel to monitor it; however, in many cases, they ignore the insider threat. A report by Intel Security titled, “Grand Theft Data Data Exfiltration Study: Actors, tactics, and detection”2 mentions that data exfiltration is a clear danger to many organizations. The report mentions that insiders were responsible for about 43% of data loss regardless of whether it is deliberate or accidental.
In the Verizon 2016 data breach investigation report1, there were a total of 10,489 incidents. The report mentions that “Retail Industry had 370 breaches of which 109 were from small businesses (less than 1000 employees) and 23 Medium and 238 Unknown.” According to the report, insider and privilege misuse accounted for more than 15 % of all incidents and internal threat actor accounted for 77 % within this category.
Assigning a $ cost to the data breaches by Insiders
The average cost of a lost or stolen record is hundreds to thousands of dollars given the cost of customer acquisition. These numbers are constant across all industries. So, if you had a small database of ten thousand sensitive records, it will cost you millions of dollars per breach.
Hackers and insiders cause a significant % of all breaches. It is better to pay the soft cost of protection in thousands of dollars rather than the hard cost in Millions, post breach.
Types of Insider Threats Today
The various insider threats are given below:
- Data Exfiltration Authorized employee taking valuable data out of the organization’s cloud apps with malicious intent (IP, PII thief).
- Malicious Users Disgruntled employees who delete, overwrite, expose and steal valuable data with mala fide intent. (Saboteur, Media leaker activist).
- Compromised Accounts Detect accounts broken into by hackers and stop attacks in their tracks (Negligent employee).
- Cloud Malware Discover, Monitor and Control third party apps installed by users in the Google Apps platform.
- Ransomware Recover from ransomware data damage by easily restoring data from our backups.
- Compliance Ready to use templates for PCI, HIPAA, FERPA, SOX, CIPA with hundreds of controls and workflows. Full compliance law audit reports and intelligent dashboards.
- Phishing Fraudulent emails sent by attackers posing to be from reputed trustworthy organizations with malicious intention to obtain personal identifiable information (PII), account credentials. Some insiders may be duped by this and give out the sensitive information.
Why aren’t cloud providers themselves protecting you?
|Threat||Threat Detail||Why is it a problem?||Why isn’t the Cloud App provider protecting me?|
|Sensitive Data Exfiltration||An authorized user taking sensitive and valuable data out of the organization’s cloud apps for their personal use
IP/PII/Contacts thief (recruited by competition),
Users who have resigned
|Organization key assets are being stolen or leaked and hard costs run into millions of dollars||It can’t since the person is an authorized user of that information as specified by the organization|
|Compromised Accounts||Employee account becomes compromised when outside hackers gain access to their account credentials and access their data
Compromised accounts are monitored first by hackers over a long period to understand how best to exploit the organization e.g ransomware
Examples: unknowing finance team user, negligent employees with weak credentials
|Organization key assets are at risk of being stolen. Impersonation leads to heavy damage to your partners and customers and organizations may never recover||It can’t since the user credentials are correctly entered|
|Malicious Users||Users who delete data or overwrite data with deliberate intent Users who access sensitive data beyond their role at the organization Users who exfiltrate data for personal or to damage your organization. Users who expose data to external users who could be compromised Examples : Disgruntled user saboteur, Media leaker activists||Your organization’s data and brand is at risk from the inside. Recovery is very costly||It can’t since the user is your employee, authorized by you to access data|
|Compliance Laws||Checking for sensitive data sharing in documents and emails per a particular compliance law.||Your organization’s data and brand is at risk from the inside. Organizations must adhere to their industries regulations. Mistakes are costly and damaging.||Users create and work with sensitive data daily. Compliance is a shared responsibility and it falls on your organization’s shoulders as well.|
|Cloud Malware||Third party apps installed on Google Drive by users.||Users install apps to help with their productivity and to solve problems all the time. Left unchecked, malicious apps can attack.||Users are allowed to install apps as needed to help with their work.|
Why would our employees be a risk to our organization?
Employees of organizations are hired, trained and do assigned work in a safe and productive environment. However, there are situations in most organizations at some point when certain insider threats arise due to the following types of employees:
- Malicious Users Employees who delete, overwrite, expose and steal valuable data with mala fide intent
- Negligent IT team member Does not enable and use multi-factor authentication. Had a strong password but it was broken into due to similar password used at another site which was hacked. Attacker has broken into the privileged admin accounts. This is the worst nightmare scenario for any organization and they are not even aware of it.
- Gullible Executive: Phishing Attack scenario: Working in Finance / Purchase Dept. responded to fraudulent emails sent by attackers posing as existing suppliers or as their own CEO and this executive gives away Bank Account related information because he thinks the request is genuine from a trusted source.
- Privileged User: Data Exfiltration Authorized employee with valid credentials and privileges, exports data from the cloud apps with malicious intent
- Press News leaker: Disillusioned with your organization due to any reason including recent downsizing, cost cutting measures, with management in terms of strategic direction, product positioning, market focus, customer service and layoffs, etc and is now in contact with media for telling the story and revealing confidential and intellectual property roadmap secrets.
- Careless employees Installing cloud apps from Google Apps Marketplace developed by unknown companies introduces Malware in the organization’s Google drive and causes damage till the IT team discovers and removes the malware.
Another scenario : Installs Apps that contain malware , leading to subsequent Ransomware attack and Google drive contents encrypted by the attackers demanding ransom.
How SysCloud protects your organization from insider threats
Our software scans Cloud Apps (Google Apps including Gmail, Hangouts, Drive and Salesforce, Box, etc) data and user behavior, looking for various factors including:
- Sensitive data (based on customer business specialization)
- User Behavior including
- Shared externally
- Shared externally count
- Heavy downloads
- Abnormal deletes
- Abnormal exports
- Time of day of activities
- IP address
- Simultaneous login
- Heavy ACL (access control list) change activity
- Url links inside emails or documents
- Role of user in organization
- Contextual data analysis
Using above factors:
- SysCloud uses data analytics and machine learning algorithms to detect various threats like malicious insiders, data exfiltration, compromised accounts, compliance, etc
- SysCloud policy engine automatically protects you from threats
- SysCloud alert, incident response and exception management software allows you to be on top with ease
Free Threat Report
Install the SysCloud threat detection App from the Google Apps marketplace. This will scan and give you a free threat report. This report details specific threats using our analytics engine aided by machine learning.
The report contains threat cards which provide risk insights into your organization’s cloud Apps data, users and Apps. Each card provides an insight specific to your industry, which can be further drilled down. Every card will also allow the IT team to take various actions specific to their business to mitigate the risk detailed in the card.
1 Verizons 2016 Data Breach Investigation Report 2016 , http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
2 Intel Security, Grand Theft Data Data exfiltration study: Actors, tactics, and detection, :http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf
Founded in 2010, SysCloud is a Google for Work Premier Partner. SysCloud detects and stops insider threats across cloud apps, which can damage an organization and its brand. The platform is currently used by over 1,500,000 users from 32 countries around the world. SysCloud has offices in California, New Jersey and India.
For more information please contact us at firstname.lastname@example.org or visit us at www.syscloud.com