close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Insider Threats Packing Their Bags With Corporate Data

                                      May 11 2023

                                      Introduction

                                      The insider story, whether it is a disgruntled or negligent employee, is one that is familiar to many organizations. The 2020 Securonix Insider Threat Report found that 60% of the insider threat cases they dealt with involved a “flight risk” employee, or an individual that is getting ready to leave their employment. In today’s cyber ecosystem identifying these threats has become more important than ever, since more organizations are responsible for personally identifiable information (PII) and intellectual property (IP) than ever before. Since every organization is likely responsible for sensitive data and has these “flight risk” users, a strategy for addressing insider threats is necessary.

                                      In this blog, we will summarize a study we conducted on 58,314 people that left their employment, the behaviors they exhibited before leaving, and the nature of the data they attempted to take with them. Furthermore, we will outline some techniques you can use in your own environment to find similar cases of data exfiltration via cloud apps.

                                      We found that the last 50 days of employment is when a majority of the data movement occurs.

                                      The analysis presented in this blog post is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.

                                      Scope

                                      Insider threat can mean a vast array of things, but for the sake of scoping this research, when we say insider, we mean an individual that has exfiltrated sensitive corporate data using cloud apps, where sensitive data is defined as data that could hurt an organization if it were to be leaked to the public or a competitor. 

                                      We are not focused on insiders doing any of the following:

                                      • Using a USB drive to move data
                                      • Printing out documents and walking out of the building with them
                                      • Taking pictures of a monitor with their phones

                                      Overview of our approach

                                      Our approach to addressing this threat can be broken down into three elements:

                                      1. Having the correct architecture to monitor cloud traffic
                                      2. Applying labels to the data being moved
                                      3. Analyzing the data for anomalous behavior 

                                      Architecture

                                      Architecture to monitor cloud traffic

                                      To successfully identify data movement to the cloud from the corporate environment, we monitor both inline forward proxy logs and API audit logs. The inline forward proxy logs are able to identify data movement to managed and unmanaged cloud applications. And the audit logs identify access from managed and unmanaged devices. All of this information is then anonymized and analyzed for anomalies. 

                                      Applying labels

                                      The cloud traffic needs to be labeled via two mechanisms so we can gain the most insight from the logs.

                                      Applying Instance Labels

                                      We apply instance labels by looking at the application itself, the name of the instance extracted by the proxy, and the domain of the username used to log into the application. For example, a user named John working at Acme uses Google Gmail for personal correspondence, and Acme provides him a Google Gmail account for business correspondence. We consider these two instances of the same app; John’s personal instance and the Acme organization instance.

                                      ApplicationDomainLabel
                                      Google Driveacme.comBusiness
                                      Google Drivegmail.comPersonal
                                      Google Drivefoobar.comUnknown

                                      Applying Data Labels

                                      To apply data labels, the files in the traffic are sent to the DLP module to ensure compliance with organization-configured DLP policies. When files that violate the policies set by the organization are moved, an alert is raised.

                                      When these labels are applied to the data, the result looks something like the following:

                                      UserAppApp Instance labelActivityFile NameDLP Violation
                                      [email protected]Google Drivepersonaluploadblack_project.docxSecret project code names

                                      Anomaly Detection

                                      All of the above events are then sent to an anomaly detection component that identifies unusual deviations from the individuals’ baseline behavior. This behavior is focused on data movement anomalies that violate corporate DLP policy.

                                      Anomaly detection looks for spikes in activities that are different from the user’s baseline behavior. For example, if a user usually uploads under 2 MB to their personal applications but suddenly uploads 2 TB to their personal Google Drive in one day, this would be anomalous behavior.

                                      The key to accurately detecting insider threats exfiltrating data to cloud apps is to have all three components, instance labels, data labels, and anomaly detection. Omitting one or more of these components results in a significant decrease in detection efficacy. 

                                      Data Exfiltration

                                      15% of the “flight risk” employees moved data to personal cloud applications, but only 2% of the “flight risk” employees violated corporate policies.

                                      The 2% of “flight risks” that violated corporate policies moved:

                                      • 94% of the files in the last 91 days
                                      • 84% of the files in the last 49 days
                                      • 74% of the files in the last 28 days
                                      • 49% of the files in the last 14 days

                                      So, if you were to monitor the last 14 days of employment, you may detect about half of the files being exfiltrated. In order to catch the full 2% of users, you would need proactive analysis for a longer period. 

                                      Conclusion

                                      In this blog, we reviewed the insights we gathered by looking at more than 58k users that left their employment. We saw that about 2% of individuals that leave their employment mishandle corporate data before leaving. While 2% might not seem like a lot, the data that these individuals target ends up being about 70% IP and PII. To mitigate this, we need to:

                                      • Understand that 2% of “flight risks” take sensitive data with them
                                      • And that 75% of data is uploaded in the last 50 days, before the typical 14 day notice
                                      • But by monitoring the nature, volume, and direction of data moved we are able to detect these cases

                                      If you enjoyed the insights from this blog post, keep up with the latest from Netskope Threat Labs here.  

                                      author image
                                      Dagmawi Mulugeta
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.
                                      author image
                                      Colin Estep
                                      Colin Estep has 16 years of experience in software, with 11 years focused on information security. He's a researcher at Netskope, where he focuses on security for AWS and GCP.
                                      Colin Estep has 16 years of experience in software, with 11 years focused on information security. He's a researcher at Netskope, where he focuses on security for AWS and GCP.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog