Can you find them before it’s too late?
June 26, 2019
What’s the most valuable thing in your network?
Though your hardware may be expensive, data, — be it a source code of software you are developing, your company’s “know how,” a database of your contacts, personal information of your clients, or something entirely different — is the most valuable by far. According to Radware, the average cost of a cyber-attack is $1.1 million in years 2018 and 2019 (dwarfing the cost of hardware). Loss of such data can put some companies out of business, often from the loss of competitive advantage, but also due to fines or damage mitigation costs. When US retailer Target lost the credit card data of 70 million customers, it lost nearly a billion dollars in value, and spent $100 million to upgrade its IT infrastructure.
Data leaks are something that every company has, or will face sooner or later. In some cases, they are too minor to cause any serious damage, like mail sent to the wrong receiver or an internal discussion overheard in a public place. The biggest source of data leaks doesn’t lie in some malicious activity, but in human mistakes.
All leaks are not the same
The mis-sent email
Picture the following situation – Derek the Accountant is handling hundreds of emails and requests on a daily basis. Derek also doesn’t understand basic principles of prevention. He is not exactly cautious, and likes to use the company’s resources for personal purposes; like sending personal emails from his company email. He organized a road trip with his friends via email, but unfortunately the travel agent’s email address was nearly identical (beside the domain) to that of his direct supervisor. One day, Derek was unsure about a few invoices, so he wrote an email, took the first suggestion of recipient’s email from his mail application and attached files and sent the email off. Unlucky for Derek and the company, he sent the email to a third-party travel agent.
The angry employee
Another situation – Karen from HR likes to with various friends across several chat platforms. She often doesn’t pay attention in meetings because Facebook Messenger is more interesting; and ends up improvising, often to negative effect. The company is fed up with this and decide to terminate her contract; but since her boss likes her, Karent finds out about this eventuality in advance, with the intention of her making arrangements and find a new job. Karen is obviously displeased with this information, and decides that she will not tolerate such a slight to her honor. With access to personal information of every company employee, she decides to sell it to the highest bidder, out of spite. She downloads everything that she can and uploads it to Dropbox (the use of which is highly uncommon within the company) so she can store it before she executes her plan.
The cavalier contractor
A recent example from the United States Government puts different, but no less important point on the issue. The Customs and Border Patrol (CBP) recent identified that a large amount of data (license plate and identification documents, as well as information on government technological capabilities, passwords, equipment lists, etc.) were stolen by unknown parties. Without authorization, a government contractor had obtained the batch of personally identifying data, was then itself breached, and the data was lost (later to appear on the internet). While the reasons why the contractor had this database are not known as of this post (“normal activity,” malicious theft by the contractor, or another reason), the major issue remains the same: a significant amount of data left the CBP network to an unauthorized location, unknown to the network administrator.
An ounce of prevention…
Each of these examples can be either prevented or detected before the damage happens. Let’s cover the above-mentioned examples.
Derek shouldn’t use his company’s email for personal purposes in the first place, which can be achieved by educating the employees. Here, as simple security audit which includes social engineering techniques should be enough to help the team see that they are vulnerable.
The second two data breaches can be solved in similar ways, focused on developing an accurate and timely understanding of what is, and what is not going on in the network at any given time.
Unless you have a reliable way to tell what’s happening on your network, you will be unable to tell what Karen has done and when. Not every system logs activity in it, so it’s possible you could never find out. NTA solutions can increase network visibility to requisite levels. In both examples, data is leaving the network in a way which is suspicious. In Karen’s case, data is being uploaded to a strange location (e.g. Dropbox) which will trigger a series of alerts (not just for the location, but potentially the amount of data as well, and/or GDPR or HIPPA-related information like personal identification numbers) which can be used to identify these behaviors as taking place, and depending on the network traffic analysis solution in place, that Karen is the perpetrator. In the CBP example, it is essential to know when large amounts of data leave the network counter to normal network behavior. Even if this data transfer was somehow sanctioned internally, NTA technology shows that this has happened because of the volume of data which is leaving, and raises flags creating questions, which stop potential issues like this one. GREYCORTEX Mendel identifies these behaviors (including transfers to anomalous locations e.g.- Dropbox, and volumes of data; event to potentially trusted hosts).
Data is the most valuable thing a company has and should be treated like that. With its loss, it can be put out of the business. Employee education plays a critical role, as well as detailed, timely, easy-to-access visibility into the network, which is a major benefit of network traffic analysis tools like Mendel.