Vormetric Sees Post-PRISM Reaction to Insider Threats

Security company research says ‘enemy within’ must be constrained, as evidenced by Edward Snowden case

The Edward Snowden/NSA/PRISM affair was, among other things, a salient reminder that for all the fears over crackers, spoofers, social engineering, hacktivists and organised crime syndicates, internal workers can represent the biggest threats to data compromises and computer misuse.

As a contractor, Snowden was effectively an insider and, before the web changed matters somewhat, it was always considered canonical that people who worked for the company were those most likely to misuse systems.

I recently caught up with Alan Kessler, CEO of security company Vormetric which commissioned the timely Insider Threat Report from Enterprise Strategy Group. The research covered over 700 IT decision-makers, mostly from enterprises but about one-sixth from mid-market firms.

So, some key findings: 56% said that it's more difficult to detect or prevent insider attacks compared to just a couple of years ago, while 46% said they felt vulnerable to an insider attack. (That latter number seems way low to me but kidding yourself with false optimism seems to be a characteristic response in such surveys.)

A significant 63% said they felt vulnerable to an abuse of privileged user rights, 48% believe contractors pose a threat and, most remarkable of all, 45% said they had changed their views on insider threats since Snowden’s disclosures.

Kessler, an affable, wry American who was once president at Palm, cheerfully confesses that the security industry is “known for trying to terrify customers” but he insists that 50-60% are “trying to protect the network perimeter and the bad guys are inside”. These are the “rodents running around the house”, the disgruntled employees who had fallen out of the spotlight until the Snowden case.

Too many have tried to cover all the bases at the expense of innovation, Kessler believes, but the solution is to “protect what matters”, that is, analysing the most important threats and focusing on those rather than attempting the impossible. Also, it’s critical to grant privileged access with great care, and a simple test applies: does that user really need to see that information?

“A CIO friend said his job is allowing business users to be able to run down the hallway carrying scissors [inasmuch as sometimes being a CISO involves helping a business understand the risk and trade-offs inherent in what they want to do]. You have to reduce the attack surface. The ex-CISO of the CIA said the NSA cut corners … Snowden had trusted access granted to move from network to network. The only thing you can do is slow down [the bad guys] and watch what’s going on. Blind the privileged users from seeing the data and track what they do and constrain what they can do.”
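The three controls in that last sentence (blind privileged users to the data, track what they do, constrain what they can do) come down to separation of duties plus an audit trail. The following is an added illustration, not Vormetric's code and not anything the article describes in detail: a toy data vault in Python where system administrators can back up or restore records but only ever handle ciphertext, business users holding the data role get cleartext, and every attempt, allowed or denied, is appended to an audit log. The roles, user names, resource names and the HMAC-based keystream cipher are all constructed for this example; a real deployment would keep the key in a KMS or HSM and use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# Constructed role model: operators act on storage, business users act on data.
ROLE_PERMISSIONS: Dict[str, set] = {
    "sysadmin": {"backup", "restore"},   # moves ciphertext around, never sees cleartext
    "payroll_clerk": {"read", "write"},  # the business user who actually needs the data
    "auditor": {"read_log"},
}

# Constructed user directory.
USERS: Dict[str, str] = {"alice": "sysadmin", "bob": "payroll_clerk", "carol": "auditor"}


@dataclass
class AuditEvent:
    user: str
    action: str
    resource: str
    allowed: bool


class DataVault:
    """Stores records encrypted; decryption is gated by role, not by who runs the box."""

    def __init__(self) -> None:
        # Toy key: in practice this lives in a KMS/HSM, out of reach of sysadmins.
        self._key = os.urandom(32)
        self._blobs: Dict[str, bytes] = {}
        self.audit: List[AuditEvent] = []

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy stream cipher built from HMAC-SHA256 in counter mode (no integrity check).
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def _open(self, blob: bytes) -> bytes:
        nonce, ciphertext = blob[:16], blob[16:]
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))

    def _authorise(self, user: str, action: str, resource: str) -> None:
        # Every decision is logged before it is enforced, so denials are visible too.
        role = USERS.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(AuditEvent(user, action, resource, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {resource}")

    def write(self, user: str, resource: str, plaintext: bytes) -> None:
        self._authorise(user, "write", resource)
        self._blobs[resource] = self._seal(plaintext)

    def read(self, user: str, resource: str) -> bytes:
        self._authorise(user, "read", resource)
        return self._open(self._blobs[resource])

    def backup(self, user: str, resource: str) -> bytes:
        # The privileged operator receives the sealed blob only.
        self._authorise(user, "backup", resource)
        return self._blobs[resource]


def denied_attempts(vault: DataVault, user: str) -> List[AuditEvent]:
    """'Track what they do': surface denied actions per user for review."""
    return [e for e in vault.audit if e.user == user and not e.allowed]


def demo():
    vault = DataVault()
    vault.write("bob", "payroll/2013-q3", b"salary: 100000")       # clerk stores data
    blob = vault.backup("alice", "payroll/2013-q3")                 # admin gets ciphertext
    try:
        vault.read("alice", "payroll/2013-q3")                      # admin cannot read it
    except PermissionError:
        pass
    return vault, blob


if __name__ == "__main__":
    v, b = demo()
    for event in v.audit:
        print(event)
```

Running the module shows three audit events: the clerk's write, the administrator's backup, and the administrator's denied read. The point of routing every operation through `_authorise` is that the log is complete even for actions that never succeeded, which is what makes the "watch what's going on" half of the advice workable.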

The issue is exacerbated by the fact that miscreants are “going after the crown jewels and playing it long and slow”. It’s a situation that Kessler says is causing systemic changes to ICT security. And, although Kessler doesn’t expect a return to lockdown or security through obscurity, he believes that more conservatism might be the fallout for CISOs who have observed the Snowden case. Cloud service providers aren’t immune: larger financial services companies are moving away from services like Salesforce.com in the most extreme, regulated businesses, Kessler contends.

Unfortunately for businesses today, CISOs need to keep their wits about them at all times. Snowden reminds us all that it’s important not just to look all around, but also within.

Martin Veitch is Editorial Director at IDG Connect