Security has become front and center for many organizations amidst COVID-19, as more employees are working from remote locations. U.S. Census data shows that a whopping 75 million employees are now working from home. Working on less secure networks and without the corporate infrastructure, employees are more susceptible to ransomware, phishing, and threat actors. But another threat may just surprise you: the organization’s own employees.
According to a recent study by The Ponemon Institute, the number of insider-caused cybersecurity incidents has increased by 47 percent since 2018. That report was released pre-COVID however, and according to security leaders, COVID has only exacerbated the issue.
At EXPLORE2020, a virtual summit sponsored by Cisco Investments and Corporate Development, top Cisco security leaders and Cisco Investments startups Flashpoint and Illusive discussed why malicious insiders are feeling more emboldened than ever and how cutting-edge technology can help protect organizations from them.
Employees as hackers and why this is happening
Ofer Israeli, the founder and CEO of deception tech company Illusive Networks, shared that there are three factors contributing to the rise of insider threats.
- Emotional detachment
With employees working from home, there’s a natural psychological detachment between employee and company.
“We no longer see our coworkers on a day-to-day basis,” says Israeli, “We don't necessarily share coffee, or if we do over a virtual coffee, it's not quite the same. And that in its own right causes some distance between the employee and the company, and if somebody is on the fence, it may lead them to choose the dark route.”
- Lack of oversight
Employees may not have someone “peering over their shoulder” to make sure they’re not doing something unsavory.
- Financial strain
The rise in job insecurity due to COVID-19 creates concern for employees as well.
“People are losing their jobs. Some people are getting concerned and financial strain naturally leads to something tipping over to the wrong side of the fence,” says Israeli, “We've seen that happen in previous crises—think about the 2008 crisis, a huge spike and surge on insiders. These same people are tucked away in their basement, nobody's peering over their shoulder, and also it gets them into a state of mind that nobody sees what they're doing. So, there's a great opportunity to operate in that realm. When you combine these three things, the financial, emotional, and opportunistic standpoints, it leads to a huge surge of insiders that CISOs are rightfully concerned about these days.”
How do you stop them? First step: Practice security hygiene
With more organizations moving to a work-from-home standard, it becomes easy for guards to come down—from an internal and external perspective. So, what can we do about it?
Both Flashpoint’s Tom Hoffman and Israeli stress that practicing basic hygiene can help prevent many of these attacks. Strong authentication like Duo MFA can protect any application on any device and verifies a user’s identity in seconds, without relying on a password alone. In addition, Bret Hartman, CTO of Cisco’s Security Business Group, says VPN-based networking is also essential.
“You need really strong VPN-based networking and the ability to establish trust from those devices to the services,” says Hartman.
Step up your game with deception technology and dark web mining
Even if you are practicing great security hygiene, malicious actors may still slip through the cracks. As they get creative, we have to get creative too.
That’s where cutting-edge solutions like Illusive’s deception technology come in. They “flip the script” on attackers by mimicking the real data, credentials, and connections that bad actors are looking for. Because no legitimate workflow touches these deceptions, Illusive can raise a warning the moment one is used, at the very beginning of an intrusion. This is crucial, since the usual security patterns and behavioral models we relied on before the pandemic cannot be applied to the way we’re working today.
“Things are changing so rapidly, so we can't rely on yesterday's patterns to say what looks suspicious today,” says Israeli, “So deterministic detection of malicious stuff that's happening becomes tenfold more important. I think that's exactly where deception plays a great role because the only signal you would get upon a deception entity being utilized is by a threat actor. It does not rely on the need to have everybody interact with it. We're definitely seeing this resonating pretty strongly and helping a lot of our customers out, especially these days.”
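The property Israeli describes, that the only party who ever interacts with a deception entity is a threat actor, makes detection a simple deterministic match rather than a behavioral model. The following is an added illustration, not Illusive's code or any description of how their product works: it keeps an inventory of decoy accounts and a decoy file share (hypothetical names), scans constructed authentication and SMB log lines for any touch of them, and reports the hosts that should be isolated. Even a failed logon with a decoy account is an alert, because a real user never attempts one.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names): these accounts and share
# paths exist only as bait planted on endpoints. No legitimate workflow uses
# them, so any touch is a deterministic, high-confidence signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance_admin2"}
DECOY_SHARES = {r"\\fs-archive\payroll_2019".lower()}

# Two constructed log formats: host authentication events and SMB share opens.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
SHARE_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) smb: open user=(?P<user>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    reason: str


def detect_deception_hits(lines):
    """Return one Alert per log line that touches a decoy account or share.

    Failed logons count too: a real user never even attempts a decoy account,
    so a failure means someone is trying credentials they found lying around.
    """
    alerts = []
    for line in lines:
        m = AUTH_LINE.match(line)
        if m:
            if m["user"].lower() in DECOY_ACCOUNTS:
                alerts.append(Alert(m["ts"], m["host"], m["user"],
                                    f"decoy account logon {m['outcome']} from {m['src']}"))
            continue
        m = SHARE_LINE.match(line)
        if m and m["path"].lower() in DECOY_SHARES:
            alerts.append(Alert(m["ts"], m["host"], m["user"],
                                f"decoy share opened: {m['path']}"))
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with any deception hit, keyed to the earliest timestamp seen on each."""
    first_seen = {}
    for a in alerts:
        first_seen[a.host] = min(first_seen.get(a.host, a.ts), a.ts)
    return first_seen


# Constructed sample log: normal activity from alice and bob, then a late-night
# session on ws-0417 that tries a planted credential and opens the decoy share.
SAMPLE_LOG = [
    "2020-09-14T09:01:12Z ws-0417 auth: success user=alice src=10.20.4.17",
    r"2020-09-14T09:02:40Z ws-0417 smb: open user=alice path=\\fs-corp\projects\q3",
    "2020-09-14T09:30:00Z ws-0088 auth: success user=bob src=10.20.7.3",
    "2020-09-14T22:13:05Z ws-0417 auth: failure user=svc_backup_legacy src=10.20.4.17",
    "2020-09-14T22:13:09Z ws-0417 auth: success user=svc_backup_legacy src=10.20.4.17",
    r"2020-09-14T22:15:51Z ws-0417 smb: open user=svc_backup_legacy path=\\fs-archive\payroll_2019",
]

if __name__ == "__main__":
    hits = detect_deception_hits(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ts} {a.host} {a.user}: {a.reason}")
    print("isolate:", hosts_to_isolate(hits))
```

Running it on the sample produces three alerts, all from ws-0417, and no alerts for the ordinary activity from alice and bob. The design choice worth noting is that there is no baseline and no threshold: the decoy inventory itself is the detection rule, which is why it keeps working when everyone's working pattern has just changed.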
But what if insiders are still able to steal data and credentials? That’s where Flashpoint comes in: its intelligence platform mines data from illicit online communities, finding stolen data and passwords in places like the dark web.
“The credential system that we are sitting on has 34 billion username and password pairs within there,” says Flashpoint VP of Intelligence Tom Hoffman, “A lot of those are repeats—there's about 6 billion unique entries. But it just underscores just how quickly these passwords are obtained and how quickly they can be stolen. There are underground economies that automate a lot of how these are resold, repackaged, and put into account checkers. We can give insights into when it's been stolen before it ever gets into being used for malicious activities.”
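Hoffman's numbers (34 billion pairs, about 6 billion unique) reflect how much of a dump is repeats, and the value of the feed is knowing that a credential is exposed before it is used. The following is an added example of what a defender does with such a feed; it is not Flashpoint's code or API. It deduplicates a constructed "user:password" dump fragment, keeps only accounts in the organization's own directory, and classifies each as "current" (the leaked plaintext hashes to the stored password hash, so a forced reset is needed now) or "stale" (an old password that still warrants a reuse warning). The directory, salts, and PBKDF2 scheme are hypothetical stand-ins for a real identity store.

```python
import hashlib

PBKDF2_ROUNDS = 100_000  # kept modest for the demo; real stores use their own scheme


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's own hash scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def dedupe_pairs(dump_lines):
    """Collapse a raw 'user:password' dump into unique pairs (case-folded user).

    Returns (unique_pairs, raw_count) so the repeat ratio can be reported.
    Malformed lines without a separator are skipped.
    """
    pairs = set()
    raw = 0
    for line in dump_lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        raw += 1
        user, _, password = line.partition(":")
        pairs.add((user.strip().lower(), password))
    return pairs, raw


def find_exposed_accounts(dump_lines, directory):
    """Map each in-scope account found in the dump to 'current' or 'stale'.

    'current': the leaked plaintext hashes to the account's stored hash, so the
    live password is in criminal hands and must be reset immediately.
    'stale': the account appears with a password no longer in use; still worth
    a reuse warning to the user. Accounts not in the directory are ignored.
    The stored plaintext is never needed; only the leaked plaintext is hashed.
    """
    unique_pairs, _ = dedupe_pairs(dump_lines)
    status = {}
    for user, leaked_pw in unique_pairs:
        if user not in directory:
            continue
        salt, stored_hash = directory[user]
        if hash_password(leaked_pw, salt) == stored_hash:
            status[user] = "current"          # always wins over 'stale'
        else:
            status.setdefault(user, "stale")
    return status


def build_directory():
    """Constructed directory of (salt, hash of current password) per account.

    Fixed salts keep the example deterministic; a real store generates random ones.
    """
    current = {
        "alice@example.com": ("salt-alice", "Summer2020!"),
        "bob@example.com": ("salt-bob", "Tr0ub4dor&3"),
    }
    return {u: (s.encode(), hash_password(pw, s.encode())) for u, (s, pw) in current.items()}


DIRECTORY = build_directory()

# Constructed dump fragment with the repeats, case variants and junk real dumps carry.
SAMPLE_DUMP = """
alice@example.com:Summer2020!
alice@example.com:Summer2020!
bob@example.com:hunter2
ALICE@example.com:Summer2020!
carol@other.org:password1
bob@example.com:OldPass99
malformed line without separator
""".splitlines()

if __name__ == "__main__":
    pairs, raw = dedupe_pairs(SAMPLE_DUMP)
    print(f"{raw} raw entries, {len(pairs)} unique pairs")
    for user, state in sorted(find_exposed_accounts(SAMPLE_DUMP, DIRECTORY).items()):
        print(f"{user}: {state}")
```

On the sample, the seven lines collapse to four unique pairs; alice's current password turns out to be in the dump (reset required), bob appears only with old passwords, and carol belongs to another organization and is dropped. The hashing runs on the leaked plaintexts against the directory's stored salts, so the check never requires recovering anyone's live password.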
Many of these threats target a distributed workforce that can encompass an entire ecosystem of employees, partners, and suppliers. Underground markets look for the parts of a business that lack robust security defenses in order to find a way in. Hoffman says that underground markets run botnets to look for things like exposed Remote Desktop Protocol ports and retrieve data. Ransomware groups can then buy some of that access to deploy their ransomware.
The value of partnerships in security
Beyond basic hygiene, the Corporate Development and Investments team and its portfolio companies have seen the value of partnerships in covering the expansive nature of a distributed workforce.
“I think the lesson we've learned over and over again is that security is never one single component and never one single technology,” says Hartman, “It has to span across endpoint, network, cloud, application, pull both visibility and telemetry together and then enforce policies that work end to end.”
Partnerships like the one between Cisco, Flashpoint, and Illusive create more oversight, helping to avoid security blind spots. The portfolio companies have also been able to leverage Cisco’s new SecureX platform, an integrated security portfolio that provides a simplified platform experience.
“SecureX is our common platform that Cisco provides, and it pulls in different feeds,” says Hartman, “It has a broader dashboard that has APIs and it enables us to pull in third-party telemetry as well as our own to get visibility across products.”