For those of you that haven’t had the chance to read through the recently released Verizon data breach report (DBIR) 2014, the report contains a very interesting trend showing that out of the top 153 successful breaches, 88% were due to privilege abuse. Or, in layman’s terms, users have either circumvented access control, or have been given excessive privileges to access data and as a result the data was exfiltrated. Not only that, 33% of all incidents took multiple days to discover. This essentially means that the exposed data might already be in the hands of criminals by the time the organization discovers the breach.
Last year was interesting for anyone following security and data breaches in general. Some of the incidents that happened have created shifts in the ways that organizations build their entire security strategies.
While opinions on Snowden vary, let’s put those to the side and just examine the incident itself. What we can deduce is a classic data exfiltration example, in this case with SharePoint, that occurs due to the lack of monitoring and enforcement controls over a user that is highly privileged. This was one of the most direct examples of the insider threat. An insider threat is defined by the ability of a user to cause harm to an organization either by accident or maliciously based on the fact that this user has privileged access to data. It has now become one of the biggest concerns for security pros around the world.
Workplace collaboration, securely.
In the above case, data was exfiltrated mostly via a SharePoint collaboration system that allowed access to data as a business collaboration tool.
Aberdeen Group recently reported that SharePoint adoption has reached 65% with their enterprise customers. With nearly two-thirds of these enterprises using SharePoint as a collaboration tool, this makes SharePoint a potential petri dish for insider threat incidents. Why? Because controls around SharePoint are not a common practice due to the complexity.
Security strategy, the right way
As a file and content repository, SharePoint requires monitoring and audit to allow security teams to understand what happens so they can foresee the next big data exfiltration incident. When an incident of a user downloading 1000s of files happens, a security administrator with monitoring in place should see an alert. And it needs to go a step further. Security officers should also have the ability to block these incidents before they happen. (Imperva’s SecureSphere 10.5 enables blocking on SharePoint activity.)
While collaboration is an essential tool for businesses to operate, the past year has taught us that doing collaboration securely is even more important.
Where can you learn more?
- The Verizon data breach report 2014, here
Posted by Barry Shteiman at 08:37:09 PM