Do not rely on employees to guard against data leakage

Original author: Rob Enderle
Malware is becoming more sophisticated and aggressive, and analyst Rob Enderle argues that you cannot always rely on employees to fend it off. He offers his plan for countering the threat.


Companies get hacked, and their executives shrug and claim it has nothing to do with them. That phrase came to mind the other day over breakfast at RSA with people from Intel Security, where I overheard the story told below. I pricked up my ears at the words "spear phishing", which turned out to be the key to a real incident described by one of Intel's executives. Spear phishing (the name alludes to spearfishing, hunting with a spear) is an attack aimed at a specific employee of a company in order to steal that person's credentials or data and/or compromise the machine they work on.

Apparently, this executive received an e-mail with a PDF attachment from someone claiming to be a Chinese graduate student. The message contained personal details about a continuing-education programme the executive had previously attended, and enough specifics about the institution to make it look genuine. It asked him to review the attached thesis in PDF form. Although nothing in the message warned of danger and the PDF looked harmless, the recipient did not open it; instead he sent it to McAfee Labs for analysis.

And not for nothing. According to the lab report, the file contained several pieces of previously unseen malware. In other words, the attackers had not only chosen a specific executive as their target, they had built a custom package whose uniqueness kept malware detection systems from recognising it as dangerous. We have been warned for years that PDF files are especially dangerous, but judging by this incident, the patches released in the meantime have not eliminated the threat.

What scares me most is that this malware was written specifically to hunt an executive of a security company. Executives of security companies are attractive prey in this sense, because information stolen from them can open the door to every one of the company's customers.

When it counts, you cannot rely on employees.

In this particular case the executive did the right thing, but how many of his colleagues, at this company or others, received the same attachment? And the real question: how many of them opened an attachment addressed to them personally, and how many of those companies are now compromised as a result?

We know that our children's computers are highly vulnerable to compromise, and since our own PCs and devices often sit on the same home network, our systems can be compromised too. After that we become "carriers" if we unwittingly bring those machines into the office. Even if we are careful enough to scan them before letting them on the corporate network, scanning often cannot detect unique malware written to compromise specific employees.
And since we know our own executives are not that careful, the likelihood of being compromised is very close to certainty.

Golden hour

The people from Intel talked about the "golden hour": the window between the moment of compromise and the moment by which it must be detected and contained. Someone else at the table noted that the largest banks now have to offer instant money transfers, which means the traditional grace period that let banks verify transactions will soon disappear, and the "Nigerian princes" who are so generous with their fictitious money will soon be getting rich on yours.

If we assumed that a breach had already occurred, our approach to security would change dramatically. Today we focus on preventing threats, and that is obviously not enough. If you know that something malicious is already active inside your company, you pay more attention to aggressive threat detection (McAfee SIEM), to responding to it (Invotas), and to hardening the protection of your information (Varonis). In other words, if the burglars are already in your house, it is too late to change the locks. It is time to hide the valuables and find a way to get the intruders out.

The same applies here: if we accept that our security has already been breached, we must first try to keep our intellectual property from going where we do not want it to go, and then focus on finding and removing the unauthorised access.

SIEM (Security Information and Event Management) technology integrated into a single console (supplied by Intel/McAfee), combined with the automated response system from Invotas, gives you the weapon to "evict" the intruders, while Varonis's protection of intellectual property buys enough time to act before your valuables are stolen.

An optimal data leakage protection system has three layers of protection

Although I know that Sony deployed some of these tools after it was hacked, I have not yet found anyone running this particular combination. I believe you need all three components, SIEM, automated threat response and automated protection of unstructured data, to have the time and the ability to deal with an intrusion in progress.

I named these vendors because I know them well and occasionally work with them, and because they are a good place to start (McAfee, Invotas and Varonis). I chose McAfee because of its ties to Intel and the resulting shift towards an integration-oriented strategy, Invotas because it looks the most aggressive about responding to threats, and Varonis because it is by far the best at protecting unstructured data. That said, making the individual components work together effectively (especially the first two) will obviously matter just as much for a perfect combination.

Over the coming weeks I am going to look for someone who has already deployed this toolkit and report back on what such a combination of solutions can really do.

In the meantime, remind all your managers and IT staff not to open attachments from unknown senders, or attachments they were not expecting (the sender may be impersonating someone they know), on anything other than a dedicated isolated PC, unless they want to become notorious within the company.

And if they did open an attachment (especially a PDF) they were not expecting, it must be sent to the security team for analysis. If it was harmless, fine. If not, security specialists should immediately begin remediation, contain the incident and make sure it cannot recur.
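The lab report in the story found malware that no signature scanner had seen before, and the advice above is to send any unexpected attachment for analysis. The following is an added example, not from the article and not code from any of the vendors it names, of what that analysis looks like at its simplest: a hash lookup, which misses a sample built for one target, beside a heuristic triage that flags a PDF by the behaviour it carries (automatic actions, JavaScript, launched programs, embedded files). The sample documents, the empty "known bad" hash list and the key list are all constructed for the example; the hex-escaped names and zlib-compressed object streams it handles are standard PDF features that malicious documents routinely use to hide keywords.

```python
import hashlib
import re
import zlib

# Keys that give a PDF active behaviour. Their presence is not proof of
# malice (forms and e-book readers use some of them legitimately), but a
# document from a stranger that carries them belongs in a sandbox, not on a
# desktop. This list is an assumed starting point for the example.
RISKY_KEYS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "carries an embedded file (possible dropper)",
    b"/RichMedia": "embedded Flash or other rich media",
}

# Stand-in for a signature database. It is empty, which is exactly the
# position a scanner is in when a sample was built for one target.
KNOWN_BAD_SHA256 = set()

# Constructed sample 1: a minimal PDF that runs JavaScript on open. The action
# type is written with PDF hex escapes (#4A#61#76#61 is "Java"), a common way
# to hide keywords from naive string matching.
SAMPLE_AUTO_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /#4A#61#76#61Script /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample():
    """Constructed sample 2: the same kind of action object, but hidden inside a
    FlateDecode (zlib) stream so the keywords never appear in the raw bytes."""
    payload = zlib.compress(b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid/')) >>")
    return (b"%PDF-1.4\n5 0 obj << /Length " + str(len(payload)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + payload
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_COMPRESSED = build_compressed_sample()

# Constructed sample 3: a plain one-page document with no actions at all.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def signature_match(data, known_bad=KNOWN_BAD_SHA256):
    """What a pure hash lookup sees: a hit only for samples already catalogued."""
    return sha256_hex(data) in known_bad


def normalize_names(data):
    """Resolve #xx hex escapes in PDF names so /#4A#61#76#61Script reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Append the inflated contents of every FlateDecode stream so keys hidden in
    compressed objects are visible to the keyword scan. Streams that fail to
    inflate (other filters, corruption) are skipped rather than aborting triage."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def heuristic_flags(data):
    """Behavioural indicators, independent of whether the sample is already known."""
    text = normalize_names(inflate_streams(data))
    flags = []
    for key, reason in RISKY_KEYS.items():
        # The lookahead keeps /JS from matching inside a longer name such as /JSObject.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", text):
            flags.append((key.decode(), reason))
    return flags


def triage(data, known_bad=KNOWN_BAD_SHA256):
    """Combine both views. Verdict is 'known-bad', 'suspicious' or 'clean'."""
    hit = signature_match(data, known_bad)
    flags = heuristic_flags(data)
    verdict = "known-bad" if hit else ("suspicious" if flags else "clean")
    return {"sha256": sha256_hex(data), "signature_hit": hit, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("auto-run JS", SAMPLE_AUTO_JS),
                         ("compressed JS", SAMPLE_COMPRESSED),
                         ("benign", SAMPLE_BENIGN)]:
        r = triage(sample)
        print(f"{name:14} signature_hit={r['signature_hit']!s:5} verdict={r['verdict']}")
        for key, reason in r["flags"]:
            print(f"    {key}: {reason}")
```

Run as a script, the hash lookup reports no hit for all three samples, while the heuristic marks the first two as suspicious and the third as clean. That gap is the point of the story: a package built for one recipient will never be in the signature list, so a "suspicious" verdict, not a "known-bad" one, is what should trigger the hand-off to the lab. In production the keyword list would be tuned against the organisation's own document traffic, because forms and interactive reports do legitimately use some of these keys.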

I have a feeling this is going to be a bad decade for chief security officers (CSOs).

Rob Enderle

Rob Enderle is President and Principal Analyst at the Enderle Group. He previously served as a senior fellow at Forrester Research and the Giga Information Group. Before that he worked at IBM, holding positions in internal audit, competitive analysis, marketing, finance and security. Enderle currently writes about emerging technologies, security and Linux for various publications, and appears on national news channels including CNBC, FOX, Bloomberg and NPR.
