Meet Ai3, the DTEX Risk Assistant. Fast-track effective insider risk management with guided investigations.



Insider Risk Insights - DTEX Blog

Analyst Breach Insights, Week of December 19: Looking Back on 2019 and Forward to 2020 and Beyond

At long last, the end of a year — and a decade! — looms, and a new one is practically at our doorstep. In light of the end of 2019 and the beginning of a new chapter, this week’s Analyst Insights is all about looking at the big picture.

We talked to Dtex SVP of Customer Engineering Rajan Koo, Dtex VP of Field Engineering Steven Spadaccini, and Manager of Insider Threat and Cybersecurity Investigation Armaan Mahbod about what trends they’ve observed over the past year, and what those trends will mean for the years to come.

Their observations and predictions run the gamut from the growing issues of data sprawl, to access management, to the increasing savviness of cyberattackers. But, one thing unites all of their conclusions: the fact that they highlight a growing need for visibility, especially in a technological world that becomes increasingly difficult to secure.

Trend 1 – Raising the Stakes: More (Cloud) Data, More Problems

Many of this year’s biggest breaches involved massive databases or servers of information that were exploited or simply left exposed. This is a trend that’s likely to continue into 2020 and the coming years, simply because such a large quantity of data now exists in the cloud. Not only does this make these large pools of data a target for potential malicious actors, it also simply becomes more difficult to protect all of that data from innocent mistakes that have not-so-innocent consequences.

“Looking at the biggest breaches in the headlines this year, they all involved a large number of individuals, and the volume of data was extremely high,” Koo said. “That’s typically related to some sort of database being breached, or log files, or a deposit of large amounts of personally identifiable information exposed. There’s three common ways that databases fall into the wrong hands: it could be a vulnerability that was exploited, it could be a misconfiguration on those server environments granting someone the wrong level of access or allowing someone outside to get in, or it could be accidental data leakage by an insider. But regardless of how we get there, the headlines in 2020 will show us more of the same — and that’s because these kinds of mistakes are human and inevitable.”

The sheer quantity of data organizations must protect means that security teams need to fundamentally re-evaluate their approaches. Point solutions may be effective at solving point problems, but today’s demands necessitate that we step back and look at the broader issue.

“An organization can have the greatest number of security tools, or the most cutting-edge solutions,” Koo added. “We’ve seen that with some of the security companies that were breached this year, like Trend Micro — it’s not about the quality of the point solutions. Some sort of vulnerability is inevitable, and you need to be able to find it and mitigate it immediately. Doing that requires looking at behavioral trends, access controls, data, et cetera across the entire organization.”

Trend 2 – Blind-Spot Creep: You Don’t Know What You Don’t Know

The above problem leads right into the next issue that our experts discussed: the growing prevalence of blind-spots as data sprawls, technology advances, and organizations become more distributed. Many of the organizations we worked with this year found that data was exposed in ways they didn’t know about — a trend that was echoed in the headlines.

The crux of the matter is that breaches are happening because organizations don’t actually know where their data is located or who has access to it. Getting those answers has become increasingly difficult in recent years, but the effects are starting to be more obvious than ever.

“We frequently see data exposed simply because sensitive information exists somewhere the company didn’t expect,” Koo said. “For example, in one recent incident we investigated, a database was secured but the log files being collected from the database were themselves containing sensitive payroll information. An experienced individual was able to reconstruct that information from the logs alone. It was an incident where the system itself was secured and the tools were functioning as intended, but they just didn’t realize that sensitive information was being stored in that way.”

Spadaccini pointed out that this is a growing problem with cloud and server security as well, since the amount of data stored in the cloud, as we mentioned above, is still on the rise.

“Cloud security, with regards to third party providers, will continue to see a rise in compromise by those employees who have access to managed environments,” he said. “Many providers use shared accounts that a current or recently removed employee or contractor still may have access to it. This is a wide open door for cloudjacking. A lot of organizations just don’t know who has access to what resources when dealing with a third party.”

Trend 3 – The Risk of Improper Access Management

This point also spoke to another growing risk our team saw throughout 2019 and predict will continue into the new year: the inherent threat posed by outdated access management, whether that access is granted internally (in the form of elevated credentials, etc) or to third-parties.

Third-parties pose an especially big risk because as digital sprawl continues, organizations involve more third parties than ever in their day to day operations — freelancers and contractors, service providers, agencies, etc. And while these third parties all provide significant value to the business, every one of them — maliciously or not – can open up a potential vulnerability.

“This is always going to be a problem because IT administrators are trying not to impact critical business function while still needing to manage controls,” Mahbod said. “These teams are usually understaffed and overworked, and they’re providing the needed access to third-parties to get their job done. You never want to hinder that business progress and success. But at the same time, most IT teams are going to struggle to keep up with who has access to what due to lack of clarity on proper processes and direct communications between departments.”

Koo pointed out that even beyond the immediate issue of access management, third parties also open up a door to many possibilities of accidental misuse.

“We have many customers that use a significant number of contractors, and we’ve seen that contractors are usually going to do what they need to do to get the job done,” he said. “From an actual user perspective, these contractors have access to two or more totally separate systems, multiple security policies, multiple levels of access… there are so many opportunities for misuse, even if it’s purely accidental. This is why it’s so important to have visibility into how these users are utilizing and accessing your data.”

This also extended to granting and managing administrative access internally.

“This year, we’ve seen a lot of companies grapple with how to grant and manage admin access — how do you give it to those who need it and then take it away when they don’t? How do you audit it?” Koo said. “If you do it manually, there will always be mistakes. The key to success is creating an audit trail and using that visibility to monitor who has admin access and how they’re using it. That’s the only consistently successful approach.”

Trend 4 – Maturing Cyberattackers: As We Grow, So Do They

And lastly, the final trend our experts identified is perhaps the most concerning: that malicious actors will soon begin to use our own tools against us. Over the last several years, security companies have touted AI and machine learning as silver bullets against modern security threats. These are definitely useful tools, but like any security measure, their effectiveness will decrease as opponents learn how to circumvent them.

“I don’t think any human can look at a bunch of raw data and know what to do with it, because there’s just too much of it,” Spadaccini said. “The industry’s answer to that has been AI. But the most successful cybercriminals are going to start leveraging AI and machine learning themselves to get to valued targets. Data integrity is going to become a much more pressing issue when or if that occurs.”

We’ve already observed this happening firsthand on a smaller scale. More and more threat actors are learning how to avoid detection by point solutions — one critical reason why threat intelligence, for example, is no longer an effective catch-all against malware or outside attackers.

“We recently saw a phishing email that deployed a java backdoor, which slipped past EDR and multiple layers of AV,” Koo said. “It was able to do that because every action it took was designed to mimic extremely common user behavior. The techniques used were very ‘normal’ and thus, it didn’t trigger any alerts in those solutions.”

Koo mentions, as well, that he’s personally seen attackers get more focused and targeted in order to adapt to stronger security practices.

“Even with simple attacks like phishing emails, we’ve seen much more targeted approaches rather than scattershot attempts,” he said. “The people who are generating these attacks are using behavioral analysis. They keep track of what they send out and what generates the desired responses. They’re using very similar techniques to many advanced security platforms, and they keep getting rewarded for it.”

In Conclusion…

While all of these observations and predictions span a range of topics, there’s one obvious solution that unites them all: the need for contextual data across the whole enterprise. In order to confront any of these challenges in 2020 and beyond, organizations have a more pressing need than ever to fully understand what’s happening with their data, machines, applications, and people.

Firing into the dark won’t be an effective approach, especially as the technology landscape continues to shift. It’s only by asking the right questions, and wielding the right answers, that security teams will be able to make informed, data-driven security decisions.

If you want to learn more firsthand about how Dtex can help you achieve this visibility, read more about why organizations deploy Dtex or — better yet — join us in person on RSA week for the fifth annual Global Insider Threat Summit.

Until then… enjoy the holidays and your final weeks of 2019. We’ll see you in the new decade!