Tesla's recent revelation that an employee turned saboteur messed with code and exfiltrated data underscores the continuing challenge and complexity of insider threats and the difficulty ferreting them out before they can do harm.
"Taking things at face value, this is basically a smorgasbord of cybercrime, and it could have affected any company anywhere," said Raytheon CTO of Cybersecurity Michael Daly. "You have an insider threat. You have altered data affecting the factory operating system. You have leaked proprietary data. You have credential theft. And you have it all, apparently, at the hands of a disgruntled employee.”
Disgruntled employees, like Tesla's Martin Tripp, who the company sued on Wednesday, will always be of concern at companies, said Saryu Nayyar, CEO of Gurucul. “Even progressive companies that can afford the best cybersecurity protection can be taken down by one malicious insider.”
But insiders often get short shrift in organizations, which are inundated with threats from multiple attack vectors.
Andy Smith, vice president of product marketing at Centrify to the 2017 Insider Threat Report by Crowd Research Partners, which found that “74 percent of companies feel that they are vulnerable to insider threats, with seven percent reporting an extreme vulnerability.”
Likewise, a recent Raytheon-commissioned survey of IT security professionals found that “insider threats ranked low on the CISOs' priority lists. Only 36 percent said they consider malicious or criminal insiders to be a high risk,” said Daly. “It's time to change that stat and make insider threat a top priority.”
That's particularly important when companies give their employees access – deliberately or inadvertently – to sensitive data. “In a recent report, we found that 41 percent of companies had at least 1,000 sensitive files open to all employees,” said Ken Spinner, vice president of global engineering at Varonis, referring to the situation as the rule rather than the exception.
“Companies are doing and creating, but they're not locking down their data. Think about it is way: If you had a meeting with top executives to discuss a brand-new game-changing product, you wouldn't hold it in the middle of lunchroom, would you?” he said. “The same thing goes for your data: You have to protect it from curious and malicious employees.”
Businesses can take [steps] to prevent unwarranted access to control systems by exercising access control,” agreed Tim Roddy, vice president of cybersecurity product strategy, Fidelis Cybersecurity. “By using change logs and setting up approvals for any code changes you can add an additional layer of security to protect critical code.” said Tim Roddy, vice president of cybersecurity product strategy, Fidelis Cybersecurity.
Noting that Gartner pegged privileged access as the top project for organizations in 2018, Joseph Carson, chief security scientist at Thycotic, said, “organizations continue to fail at the most important aspect on restricting privileged access which is proactively discovering privileged accounts in the environment.”
It appears, he said, “that Telsa has failed to do that most important step in least privilege: discovering and detecting unapproved privileged access.” Telsa likely has learned a major lesson from the incident, though Carson said he hoped the sabotage “is not related to the recent accidents with their vehicles which I am sure the regulators will be looking into if they are related.”
Centrify's Smith favors a zero trust model, which “assumes that the bad actors are already on the inside, so no one is to be trusted, even if they've proven to be trustworthy in the past,” he said. “By staying vigilant and requiring employees to verify who they are, validate their device, and then limiting their access and privilege, organizations can reduce exposure from internal and external security threats.”
The Tesla employee “was able to make 'direct code changes to the Tesla Manufacturing Operating System under false usernames, potentially damaging several aspects of the business operations simply by having too much access and privilege,” Smith said, something that a zero trust approach wouldn't have allowed. “Tesla employees would have been verified through multiple factors of authentication, granted only the minimal amount of access necessary to do their job, and their access and activity would have been captured and reviewed. That's the essence of Zero Trust Security.”
To protect against exfiltration of highly sensitive data, Roddy said, “Data Loss Prevention on endpoints and primary network services is not enough. Organizations need to analyze all ports and protocols to prevent any blind spots.”
Putting a greater emphasis on analyzing behavior can help organizations thwart insider threats, but that “challenge is compounded by the dynamics of our IT environments where everyday users change behaviors for innocuous reasons,” said Seth Goldhammer, senior director of product marketing at LogRhythm.
While tracking each network or user behavior anomaly is both impractical and costly, it can and mask those anomalies that bear scrutiny. “To remain efficient, organizations are challenged to discover anomalies that also include security relevancy,” said Goldhammer. “Once a relevant security anomaly is discovered, organizations need to follow procedural steps to vet, qualify, and eventually mitigate the discovered threat.”
Deception technology also will notify security pros “if an internal user is moving around the network and trespassing into areas that they really shouldn't know about,” said Roddy. “This is a great indicator for spotting disgruntled employees going about any unnecessary reconnaissance.”