McAfee Labs annual Threats Report released recently focuses on Information Theft and advises organisations to employ both internal mechanism (such as DLP) and external sources (such as cyber intelligence services) to increase the chance of identifying data leaks.
McAfee Labs release their annual Threats Report in September 2016 (http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-sep-2016.p)
The main topic, discussed in depth in the report, is Information Theft: the perpetrators and the victims, the process and prevention of data leakage. The report begins, “On average, a company detects 17 data loss incidents per day," and continues to discuss the differences between industries, entity size (number of employees) and geography. Personal information regarding customers or employees now makes up the majority of breaches, in comparison to several years ago, when credit card information was the “best seller”.
The report focuses on the following points:
- The gap between data loss and breach discovery is growing
A large gap exists between detection and remediation. Data breaches are not discovered nearly often enough by internal security teams.
- Health care providers and manufacturers are easy targets
Industries that tend to have less mature security systems, such as healthcare and manufacturing, are at significant risk, particularly as these industries possess much-coveted PID and medical information.
- The typical data loss prevention approach is increasingly ineffective against new theft targets
Time and again such mechanisms fail, allowing colossal data breaches
- Visibility is vital
Understanding and identifying that a hack has taken place is essential to speedy remediation.
The report recommends a series of data leakage prevention measures and technologies which, when implemented, are professed to reduce the massive outflow of data. In our opinion, however, while it’s certainly sensible for organisations to invest in, and enforce DLP procedures, it is no longer sufficient. DLP measures can be bypassed by sophisticated attackers or malicious insiders, and cannot accommodate more traditional methods of data theft, such as laptop or paper theft, both of which are real dangers. According to another study, 32% of insider data theft was carried by paper and 58% from stolen laptops. Thus, total prevention is not possible, no matter how secure an organisation’s DLP strategy is.
We at IntSights believe that in addition to looking inwards (i.e. integral IT systems, security logs, etc.) organisations should assume that a portion of their precious information has ALREADY leaked, and try to identify the information and remediate the situation before further damage is done. Accordingly, organisations need to constantly monitor the open web and darknet, social media sites and other platforms. Automatic mechanisms are the only way to enable this, and subsequent alerts. Visibility (monitoring and alerting) is not enough, however, the organisation must have a way to remediate these incidents.
E.g. If a sensitive piece of information, obtained illegally, or through employee negligence, is sold on a darknet forum, the organisation’s CISO must receive a real-time alert and be able to remove this information from whatever platform has published it.
Monitoring such leakages over time will enable a security team to identify patterns of use, allowing them anticipate and even identify the source of the leak. The synergy between internal systems (DLP, UBA) and external systems and inputs (cyber intelligence) provides far higher security levels, and reduces shocking statistics, such as those revealed in the McAfee Labs Threats Report.
This post was written by IntSights CPO, Alon Arvatz.