My previous blog post showed that data breaches related to insider and privilege misuse are the hardest to discover and are costly to resolve. I also explained that prevention starts by helping your organization’s leadership answer these two key questions:
- What assets am I protecting?
- From whom am I protecting these assets?
Once you have the answers, use these five steps to implement prevention.
Step 1: Make sure the organization has business policies for access control
This requires buy-in from the entire organization. Security and access control have traditionally been in the IT and security team’s domain. However, one positive outcome of the recent spate of high-profile cybercrimes is that company executives and boardrooms are acknowledging that protecting critical information and services is the entire organization’s responsibility. Leverage your leadership’s position on cybercrime prevention to get your organization to create business policies for access control.
If you don’t have the buy-in from your leadership, these studies may help you elevate the cybersecurity discussion to the highest levels in your organization.
- Bringing Cybersecurity to the Boardroom
- Governance of Cybersecurity Report
- Cybersecurity in the Boardroom
- A Real Board-Level Cybersecurity Strategy: What Has To Be There
- Cybersecurity: The Board’s Role
Work with Legal and HR teams and other leaders in your organization to make sure business policies define who should have access to what. The organization must also invest in educating users about these business policies; for example, through new hire orientation programs, email campaigns, fun events and regular training. You can’t do it alone; this is a team sport, and your organization must support your breach prevention strategy.
Step 2: Use technology to implement your business policies
Implement access control policies in multiple places. One obvious place to start is the applications themselves. As a security practitioner, you may find that implementing role-based access control in applications is not under your purview. To get it done, raise awareness with leaders of the application and operations groups.
In addition, implement access control policies in your network security equipment. The firewall is the one place that sees all network traffic and is the most logical place to implement these policies. Make sure you have a next-generation firewall (NGFW) that can get user identities from multiple sources (user-based control is one of the 10 Things Your Next Firewall Must Do).
“The estimated ROI for companies that extensively deploy advanced perimeter controls such as NGFW is 20 percent.”
As you create technical controls, make sure an ex-employee’s access to organizational assets is removed. There should be minimal lag between the time the employee leaves the organization, the time the employee’s status gets updated in the directory servers, and the time that information gets propagated to the applications and firewalls that implement access controls.
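One way to measure that lag is to reconcile a directory export against user-based firewall logs and flag any allowed access by a disabled account after its disable time. This is an added example, not code from the original post or from Palo Alto Networks; the directory export format, the log line format and all users, apps and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed directory export: user -> (status, time the status last changed).
# Assumed format for this example, not a real directory schema.
DIRECTORY = {
    "alice": ("active", "2016-06-01T09:00:00"),
    "bob": ("disabled", "2016-06-03T17:00:00"),    # left the company
    "carol": ("disabled", "2016-06-02T12:00:00"),
}

# Constructed user-based firewall log lines: "timestamp,user,app,action".
FIREWALL_LOG = """\
2016-06-03T16:30:00,bob,salesforce,allow
2016-06-03T18:45:00,bob,salesforce,allow
2016-06-04T08:10:00,bob,sharepoint,allow
2016-06-02T13:00:00,carol,jira,deny
2016-06-04T09:00:00,alice,jira,allow
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def post_termination_access(directory, log_text):
    """Return allowed accesses by disabled users that happened after the
    directory disable time, keyed by user, with the lag in hours."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = line.split(",")
        status, changed = directory.get(user, ("unknown", None))
        if status != "disabled" or action != "allow":
            continue                      # still employed, or already blocked
        when, cutoff = parse_ts(ts), parse_ts(changed)
        if when > cutoff:
            lag_h = (when - cutoff) / timedelta(hours=1)
            findings.setdefault(user, []).append((app, ts, round(lag_h, 2)))
    return findings

def worst_propagation_lag_hours(findings):
    """Largest lag observed: how long a removed employee could still get through."""
    return max((lag for hits in findings.values() for _, _, lag in hits), default=0.0)

if __name__ == "__main__":
    hits = post_termination_access(DIRECTORY, FIREWALL_LOG)
    for user, events in hits.items():
        for app, ts, lag in events:
            print(f"{user} reached {app} at {ts}, {lag} h after being disabled")
    print("worst propagation lag (h):", worst_propagation_lag_hours(hits))
```

Run against real exports, the largest lag is the number to drive down; bob's sharepoint access the next morning is the kind of gap a stale firewall user mapping leaves open.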
Step 3: Segregate resources in your private and public cloud using virtual firewalls
Infrastructure is getting virtualized and workloads are moving to the cloud, both private and public. The impact of a compromise in your virtualized environment is amplified because your workloads and the associated data are centralized, without any security barriers in between to keep them segmented. If your virtual environment is compromised, the attacker has access to your entire virtualized environment.
In addition to implementing access control policies for your critical assets, use hardware and/or virtualized firewalls to apply segmentation policies inside your data centers to separate your critical assets from the rest.
Step 4: Build processes to consistently review access reports
Your network security equipment, such as the next-generation firewall, must provide summarized, as well as detailed, reports based on user access. It is critical to look for anomalies between general group access and individual user access. For example, someone in engineering spending a lot of time on Salesforce, far more than the average engineer, is something you should pay attention to. Bring abnormal usage patterns to the attention of front-line managers, and collaborate with them to determine if an action is warranted.
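The group-versus-individual comparison above can be automated over a per-user application usage report. This is an added example, not code from the original post or from any firewall vendor; the report format, the users, groups, apps and minute counts are constructed, and the threshold (three times the mean of the user's group peers) is an assumption to tune for your environment.

```python
from collections import defaultdict
from statistics import mean

# Constructed per-user application usage summary, in the shape a user-based
# NGFW report might export: "user,group,app,minutes". Not real data.
USAGE_REPORT = """\
alice,engineering,salesforce,15
dave,engineering,salesforce,20
erin,engineering,salesforce,12
frank,engineering,salesforce,180
gina,sales,salesforce,240
hank,sales,salesforce,200
alice,engineering,jira,40
frank,engineering,jira,30
"""

def load_usage(text):
    """Parse the report into {(group, app): {user: total minutes}}."""
    usage = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, group, app, minutes = line.split(",")
        bucket = usage[(group, app)]
        bucket[user] = bucket.get(user, 0) + int(minutes)
    return usage

def find_outliers(usage, ratio=3.0, min_peers=2):
    """Flag users whose time on an app is at least `ratio` times the mean of
    their group peers. The baseline is leave-one-out, so a heavy user does not
    inflate its own baseline; (group, app) pairs with too few peers are skipped."""
    findings = []
    for (group, app), per_user in usage.items():
        for user, minutes in per_user.items():
            peers = [m for u, m in per_user.items() if u != user]
            if len(peers) < min_peers:
                continue
            baseline = mean(peers)
            if baseline > 0 and minutes >= ratio * baseline:
                findings.append((user, group, app, minutes, round(baseline, 1)))
    return sorted(findings)

if __name__ == "__main__":
    for user, group, app, minutes, baseline in find_outliers(load_usage(USAGE_REPORT)):
        print(f"{user} ({group}) spent {minutes} min on {app}; peer mean {baseline} min")
```

The sales team's heavy Salesforce use is not flagged because the comparison is within the user's own group; only the engineer far above other engineers surfaces, which is exactly the pattern to raise with the front-line manager.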
Step 5: Build processes to regularly review access levels
Policies change. Old applications get retired and new applications are onboarded. Organizations get acquired and assimilated. How do you make sure the access policies you defined several months ago are still relevant and up to date? You can do this by putting in place regular review processes, which must involve the business leadership. You can also invest in internal audits or spot testing of certain assets to make sure you remain protected.
Call to action for all security practitioners
First, educate yourself and your users on the insider threat landscape. Here are some useful resources:
- Verizon 2016 Data Breach Investigations Report
- Ponemon Institute’s 2015 Cost of Cyber Crime Study: Global
- Gartner Understanding Insider Threats, May 2016 (must be a Gartner client to access)
Second, get answers to the two key questions highlighted above, and get organizational alignment.
Third, create a 3–6 month plan to follow the five steps for preventing insider and privilege misuse.
Call to action for the Palo Alto Networks security practitioners
Read this tech tips white paper to discover a step-by-step approach for enabling User-ID™ technology.