Two years ago it was the US Army and Manning; now it's the NSA and Snowden. The same sad story repeats itself: trusted insiders taking highly sensitive files with a simple burn of a DVD or a copy to a USB memory stick. The privileged user has a unique role within an organization. They are granted the right to access systems on which sensitive applications and information are found, on the condition that they know and abide by all corporate governing policies. Most of the time, they do. But all too often, they do not.
These events are particularly sad to see for those of us who have been engaged in preventing this type of activity and catching the perpetrators for many years. It's true that comprehensive information protection is not easy. It takes resources and discipline, but the fact is, many of the world’s leading companies and organizations are successfully protecting their data. My company alone is protecting billions of files on over two million computers. We've caught and helped bring to justice many such malicious insiders, including two of the seven IP theft case studies profiled in the Administration Strategy on Mitigating the Theft of U.S. Trade Secrets released by the White House earlier this year: http://www.whitehouse.gov/sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf.
The media and blogosphere have latched on to the fact that Snowden was a system administrator. “He was privileged and therefore couldn’t be stopped!” Based on our experience, he could have been stopped. Compartmentalizing privileged users is a solved use case that has been successfully deployed for several years now. One global company we work with rolled out such a use case, with control policies across 5,000 servers, last year specifically for this purpose. Bottom line: their system administrators can still do their work (back up, move, patch and restore systems), but cannot read or copy the contents of sensitive files. This is possible because the technology now understands not only the content of a file, but also the context: who the user is, what role they hold, and what they are authorized to do with that content.
Companies that protect against the privileged insider do several things right. They take a strategic view, with strong, top-down, policy-driven information protection. They apply data tags to critical data, making classification an operational part of their processes rather than a one-time exercise. They look at all the ways data could be compromised -- print, CD/DVD burn, FTP, cloud, webmail, email, USB, mobile device and so on. They build compartmentalization into their technology and process to limit access to information to those who need to know in order to perform their jobs. Successful firms monitor data usage, but doing the job right means first understanding what normal data usage looks like for each user and role, so that when abnormal activity occurs, security teams are alerted -- before pages of content are compromised. Finally, monitoring and managing privileged users is most effective when SIEM technology is used in conjunction with endpoint protection. In these use cases, we see systems evolving that are capable of monitoring millions of events and moving them in real time from endpoint sensors to a SIEM for correlation with many other sensor inputs, further bolstering defenses.
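To make the combination concrete, here is an added example (not code from this post, and not any vendor's product) that models the decision logic described above: a tag-aware role policy in which an administrator may manage but never read a classified file, a hard block on copying classified content to any of the export channels listed, and a per-user volume check against a normal-usage baseline. The role names, tags, thresholds, the baseline figures and the event records are all constructed for illustration; in a real deployment the policy is enforced by an endpoint agent at the file-system and device layer, and the baseline is learned from weeks of observed usage rather than hard-coded.

```python
"""Tag-aware access policy plus baseline volume monitoring over endpoint events.
Added illustration only: roles, tags, thresholds, baselines and events are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed classification tags applied to files by the data-tagging process.
SENSITIVE_TAGS = {"secret", "confidential"}

# Assumed role policy for tagged files. An admin may "manage" (backup, move,
# restore, chmod) but holds no "read"/"copy" right, so content stays hidden.
ROLE_POLICY = {
    "admin": {"manage"},
    "analyst": {"read", "copy"},
}

# Channels the post lists as exfiltration paths; tagged content never goes there.
EXPORT_CHANNELS = {"print", "dvd", "ftp", "cloud", "webmail", "email", "usb", "mobile"}


@dataclass
class Event:
    ts: str
    user: str
    role: str
    action: str   # "read", "copy" or "manage"
    path: str
    tag: str      # classification tag carried by the file
    channel: str  # "local" or one of EXPORT_CHANNELS
    nbytes: int   # bytes of content the action would expose


def decide(ev):
    """Return (allowed, reason) for one event. Untagged files are open to all."""
    if ev.tag not in SENSITIVE_TAGS:
        return True, "untagged"
    if ev.channel in EXPORT_CHANNELS:
        return False, f"tagged content to {ev.channel} blocked"
    if ev.action in ROLE_POLICY.get(ev.role, set()):
        return True, f"role {ev.role} permits {ev.action}"
    return False, f"role {ev.role} lacks {ev.action} on tagged file"


def evaluate(events):
    """Apply the policy to every event: list of (event, allowed, reason)."""
    return [(ev, *decide(ev)) for ev in events]


def sensitive_volume(events):
    """Bytes of tagged content each user actually obtained (allowed read/copy only)."""
    vol = defaultdict(int)
    for ev, allowed, _ in evaluate(events):
        if allowed and ev.tag in SENSITIVE_TAGS and ev.action in ("read", "copy"):
            vol[ev.user] += ev.nbytes
    return dict(vol)


def volume_anomalies(events, baseline, factor=5, floor=1_000_000):
    """Users whose tagged-content volume exceeds factor x their normal daily volume.
    The floor stops a user with a near-zero baseline from alerting on one small file."""
    out = {}
    for user, nbytes in sensitive_volume(events).items():
        base = baseline.get(user, 0)
        if nbytes >= floor and nbytes > factor * base:
            out[user] = (nbytes, base)
    return out


def siem_alerts(events, baseline):
    """Alert records in the shape an endpoint sensor would forward to a SIEM."""
    alerts = []
    for ev, allowed, reason in evaluate(events):
        if not allowed:
            alerts.append({"type": "policy_denied", "ts": ev.ts, "user": ev.user,
                           "role": ev.role, "action": ev.action, "channel": ev.channel,
                           "path": ev.path, "reason": reason})
    for user, (nbytes, base) in volume_anomalies(events, baseline).items():
        alerts.append({"type": "volume_anomaly", "user": user,
                       "bytes": nbytes, "baseline_bytes": base})
    return alerts


# Assumed per-user normal daily volume of tagged content (would be learned, not fixed).
BASELINE_BYTES_PER_DAY = {"alice": 5_000_000, "bob": 0, "carol": 5_000_000}

# Constructed sample events for one day; not real logs.
EVENTS = [
    Event("09:01", "alice", "analyst", "read", "/data/q3/forecast.xlsx", "confidential", "local", 2_000_000),
    Event("09:05", "alice", "analyst", "read", "/data/q3/pipeline.pptx", "confidential", "local", 3_000_000),
    Event("09:30", "bob", "admin", "manage", "/data/q3/forecast.xlsx", "confidential", "local", 0),
    Event("10:12", "bob", "admin", "read", "/data/q3/forecast.xlsx", "confidential", "local", 2_000_000),
    Event("10:15", "bob", "admin", "read", "/etc/hosts", "public", "local", 1_000),
    Event("11:40", "carol", "analyst", "copy", "/data/q3/forecast.xlsx", "confidential", "usb", 2_000_000),
    Event("13:00", "carol", "analyst", "read", "/data/q3/customers.csv", "secret", "local", 150_000_000),
    Event("13:20", "carol", "analyst", "read", "/data/q3/pricing.csv", "secret", "local", 150_000_000),
]

if __name__ == "__main__":
    for alert in siem_alerts(EVENTS, BASELINE_BYTES_PER_DAY):
        print(alert)
```

Run as-is, the admin's backup job (bob, "manage") passes while his attempt to read the same file is denied, the USB copy is blocked outright regardless of role, and carol's 300 MB of tagged reads, each individually permitted, trips the volume check against her 5 MB baseline. That last alert is the case the policy layer alone cannot catch, which is why the post pairs endpoint controls with baseline monitoring and SIEM correlation.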
Catching an insider thief does not require boiling the ocean. Successful data protection programs are built in stages over time and focus on mitigating the largest potential sources of information loss first.
Comprehensive information protection is now more proven and more practical than ever. It mitigates the risk of both insider and cyber (outsider) attacks. Fortunately, history need not repeat itself.