fermer
fermer
Le réseau de demain
Le réseau de demain
Planifiez votre chemin vers un réseau plus rapide, plus sûr et plus résilient, conçu pour les applications et les utilisateurs que vous prenez en charge.
          Essayez Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            Un leader sur SSE. Désormais leader en matière de SASE à fournisseur unique.
            Un leader sur SSE. Désormais leader en matière de SASE à fournisseur unique.
            Netskope fait ses débuts en tant que leader dans le Magic Quadrant™ de Gartner® pour le SASE à fournisseur unique.
              Sécuriser l’IA générative pour les nuls
              Sécuriser l’IA générative pour les nuls
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                La prévention moderne des pertes de données (DLP) pour les Nuls
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Réseau SD-WAN moderne avec SASE pour les nuls
                  Modern SD-WAN for SASE Dummies
                  Cessez de rattraper votre retard en matière d'architecture de réseau
                    Identification des risques
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        Les 6 cas d'utilisation les plus convaincants pour le remplacement complet des anciens VPN
                        Les 6 cas d'utilisation les plus convaincants pour le remplacement complet des anciens VPN
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive protège sa "propriété intellectuelle" "grâce à une protection des données intelligente et adaptable
                          Colgate-Palmolive protège sa "propriété intellectuelle" "grâce à une protection des données intelligente et adaptable
                            Netskope GovCloud
                            Netskope obtient l'autorisation FedRAMP High Authorization
                            Choisissez Netskope GovCloud pour accélérer la transformation de votre agence.
                              Let's Do Great Things Together
                              La stratégie de commercialisation de Netskope privilégie ses partenaires, ce qui leur permet de maximiser leur croissance et leur rentabilité, tout en transformant la sécurité des entreprises.
                                Solutions Netskope
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Support technique de Netskope
                                  Support technique de Netskope
                                  Nos ingénieurs d'assistance qualifiés sont répartis dans le monde entier et possèdent des expériences diverses dans les domaines de la sécurité du cloud, des réseaux, de la virtualisation, de la diffusion de contenu et du développement de logiciels, afin de garantir une assistance technique rapide et de qualité
                                    Vidéo Netskope
                                    Formation Netskope
                                    Grâce à Netskope, devenez un expert de la sécurité du cloud. Nous sommes là pour vous aider à achever votre transformation digitale en toute sécurité, pour que vous puissiez profiter pleinement de vos applications cloud, Web et privées.

                                      Insider Threats Packing Their Bags With Corporate Data

                                      May 11 2023

                                      Introduction

                                      The insider story, whether it is a disgruntled or negligent employee, is one that is familiar to many organizations. The 2020 Securonix Insider Threat Report found that 60% of the insider threat cases they dealt with involved a “flight risk” employee, or an individual that is getting ready to leave their employment. In today’s cyber ecosystem identifying these threats has become more important than ever, since more organizations are responsible for personally identifiable information (PII) and intellectual property (IP) than ever before. Since every organization is likely responsible for sensitive data and has these “flight risk” users, a strategy for addressing insider threats is necessary.

                                      In this blog, we will summarize a study we conducted on 58,314 people that left their employment, the behaviors they exhibited before leaving, and the nature of the data they attempted to take with them. Furthermore, we will outline some techniques you can use in your own environment to find similar cases of data exfiltration via cloud apps.

                                      We found that the last 50 days of employment is when a majority of the data movement occurs.

                                      The analysis presented in this blog post is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.

                                      Scope

                                      Insider threat can mean a vast array of things, but for the sake of scoping this research, when we say insider, we mean an individual that has exfiltrated sensitive corporate data using cloud apps, where sensitive data is defined as data that could hurt an organization if it were to be leaked to the public or a competitor. 

                                      We are not focused on insiders doing any of the following:

                                      • Using a USB drive to move data
                                      • Printing out documents and walking out of the building with them
                                      • Taking pictures of a monitor with their phones

                                      Overview of our approach

                                      Our approach to addressing this threat can be broken down into three elements:

                                      1. Having the correct architecture to monitor cloud traffic
                                      2. Applying labels to the data being moved
                                      3. Analyzing the data for anomalous behavior 

                                      Architecture

                                      Architecture to monitor cloud traffic

                                      To successfully identify data movement to the cloud from the corporate environment, we monitor both inline forward proxy logs and API audit logs. The inline forward proxy logs are able to identify data movement to managed and unmanaged cloud applications. And the audit logs identify access from managed and unmanaged devices. All of this information is then anonymized and analyzed for anomalies. 

                                      Applying labels

                                      The cloud traffic needs to be labeled via two mechanisms so we can gain the most insight from the logs.

                                      Applying Instance Labels

                                      We apply instance labels by looking at the application itself, the name of the instance extracted by the proxy, and the domain of the username used to log into the application. For example, a user named John working at Acme uses Google Gmail for personal correspondence, and Acme provides him a Google Gmail account for business correspondence. We consider these two instances of the same app; John’s personal instance and the Acme organization instance.

                                      ApplicationDomainLabel
                                      Google Driveacme.comBusiness
                                      Google Drivegmail.comPersonal
                                      Google Drivefoobar.comUnknown

                                      Applying Data Labels

                                      To apply data labels, the files in the traffic are sent to the DLP module to ensure compliance with organization-configured DLP policies. When files that violate the policies set by the organization are moved, an alert is raised.

                                      When these labels are applied to the data, the result looks something like the following:

                                      UserAppApp Instance labelActivityFile NameDLP Violation
                                      [email protected]Google Drivepersonaluploadblack_project.docxSecret project code names

                                      Anomaly Detection

                                      All of the above events are then sent to an anomaly detection component that identifies unusual deviations from the individuals’ baseline behavior. This behavior is focused on data movement anomalies that violate corporate DLP policy.

                                      Anomaly detection looks for spikes in activities that are different from the user’s baseline behavior. For example, if a user usually uploads under 2 MB to their personal applications but suddenly uploads 2 TB to their personal Google Drive in one day, this would be anomalous behavior.

                                      The key to accurately detecting insider threats exfiltrating data to cloud apps is to have all three components, instance labels, data labels, and anomaly detection. Omitting one or more of these components results in a significant decrease in detection efficacy. 

                                      Data Exfiltration

                                      15% of the “flight risk” employees moved data to personal cloud applications, but only 2% of the “flight risk” employees violated corporate policies.

                                      The 2% of “flight risks” that violated corporate policies moved:

                                      • 94% of the files in the last 91 days
                                      • 84% of the files in the last 49 days
                                      • 74% of the files in the last 28 days
                                      • 49% of the files in the last 14 days

                                      So, if you were to monitor the last 14 days of employment, you may detect about half of the files being exfiltrated. In order to catch the full 2% of users, you would need proactive analysis for a longer period. 

                                      Conclusion

                                      In this blog, we reviewed the insights we gathered by looking at more than 58k users that left their employment. We saw that about 2% of individuals that leave their employment mishandle corporate data before leaving. While 2% might not seem like a lot, the data that these individuals target ends up being about 70% IP and PII. To mitigate this, we need to:

                                      • Understand that 2% of “flight risks” take sensitive data with them
                                      • And that 75% of data is uploaded in the last 50 days, before the typical 14 day notice
                                      • But by monitoring the nature, volume, and direction of data moved we are able to detect these cases

                                      If you enjoyed the insights from this blog post, keep up with the latest from Netskope Threat Labs here.  

                                      author image
                                      Dagmawi Mulugeta
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.
                                      author image
                                      Colin Estep
                                      Colin Estep has 16 years of experience in software, with 11 years focused on information security. He's a researcher at Netskope, where he focuses on security for AWS and GCP.
                                      Colin Estep has 16 years of experience in software, with 11 years focused on information security. He's a researcher at Netskope, where he focuses on security for AWS and GCP.

                                      Restez informé !

                                      Abonnez-vous pour recevoir les dernières nouvelles du blog de Netskope