How agencies can incorporate Insider Risk Management protections into their zero trust frameworks
March 18, 2021, 1:34 pm
5 min read
This content is provided by Code42.
As with so many other things in the federal space, the COVID-19 pandemic has accelerated agency adoption of zero trust approaches to security. When federal agencies moved to a primarily work from home model, it greatly expanded their risk footprint as the endpoints they had to secure were now outside the traditional network boundaries, forcing them to respond to a new paradigm. But while zero trust helps agencies secure their networks against outside adversaries, insider risk can still be a major problem, and many data loss prevention strategies leave gaps and do not effectively address insider risk.
How can federal agencies address insider risk? To begin, they need visibility into data movement across their environment, whether endpoints are on or off the network. They’ll want to see all files, exfiltration vectors and users as well as key risk indicators. Additionally, agencies need the capability to manage higher risk users, such as those with admin privileges, access to sensitive data stores, departing employees or contractors. Lastly, agencies need real time visibility into data exfiltration coupled with the capability to engage and respond when exfiltration events take place.
That’s what Code42’s Incydr Gov product brings to the table.
“Incydr covers all of the most common ways data is exfiltrated. Many times people think about data exfiltration as a really sophisticated process, but the reality is that, as human beings, we’re going to do it the simplest way possible,” said Todd Thorsen, director of information security at Code42. “’I’m going to just email a document to my personal email or upload sensitive files to a removable media device or move a file to a personal cloud file share.’ These are the quickest, simplest, most common ways that we see data exfiltration occurring. These are by no means exotic methods to exfiltrate data. At the end of the day, they all pose real risk to agencies.”
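The requirements listed above (visibility into which user moved which file over which vector, key risk indicators such as departing employees or admin privileges, and a way to surface the events worth an analyst's attention) can be reduced to a small scoring model. The following is an added illustration written for this page, not Code42's or Incydr's code: it scores constructed file-movement events on the three dimensions the article names (user, file, vector) and triages those above a threshold. The event format, the weights, the threshold and the agency domain `example.gov` are all assumptions.

```python
"""Score file-movement events by user, file and exfiltration vector.

Added example (not Code42 code). Event shape, weights and threshold are
assumptions chosen to show how the three dimensions combine.
"""
from __future__ import annotations
from dataclasses import dataclass

AGENCY_DOMAIN = "example.gov"  # assumed agency mail domain

# Vectors named in the article, with assumed weights. Sanctioned paths score 0.
VECTOR_WEIGHT = {
    "email_personal": 3,   # document mailed to a non-agency address
    "removable_media": 3,  # copy to USB or other removable device
    "personal_cloud": 3,   # upload to a non-agency cloud file share
    "email_internal": 0,   # mail inside the agency domain
    "agency_cloud": 0,     # sanctioned collaboration platform
}

# Higher-risk user attributes the article calls out (assumed weights).
USER_WEIGHT = {"admin": 2, "departing": 3, "contractor": 1, "sensitive_access": 2}

# Data classification of the file that moved (assumed weights).
FILE_WEIGHT = {"sensitive": 3, "internal": 1, "public": 0}

OFF_NETWORK_WEIGHT = 1   # endpoint was outside the agency network
REVIEW_THRESHOLD = 6     # assumed cut-off for analyst review


@dataclass(frozen=True)
class FileEvent:
    user: str
    user_flags: frozenset        # subset of USER_WEIGHT keys
    file_label: str              # key of FILE_WEIGHT
    vector: str                  # key of VECTOR_WEIGHT
    destination: str             # recipient, device id or share URL
    off_network: bool = False


def email_vector(recipient: str, agency_domain: str = AGENCY_DOMAIN) -> str:
    """Classify an e-mail destination as internal or personal by its domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "email_internal" if domain == agency_domain.lower() else "email_personal"


def score_event(ev: FileEvent) -> int:
    """Combine file, vector, user and location weights into one score."""
    score = FILE_WEIGHT[ev.file_label] + VECTOR_WEIGHT[ev.vector]
    score += sum(USER_WEIGHT[flag] for flag in ev.user_flags)
    if ev.off_network:
        score += OFF_NETWORK_WEIGHT
    return score


def risk_indicators(ev: FileEvent) -> list:
    """Human-readable reasons an analyst sees next to the score."""
    reasons = []
    if VECTOR_WEIGHT[ev.vector] > 0:
        reasons.append(f"vector={ev.vector}")
    if FILE_WEIGHT[ev.file_label] > 0:
        reasons.append(f"file={ev.file_label}")
    reasons.extend(f"user:{flag}" for flag in sorted(ev.user_flags))
    if ev.off_network:
        reasons.append("off_network")
    return reasons


def triage(events, threshold: int = REVIEW_THRESHOLD) -> list:
    """Return (score, event) pairs at or above the threshold, highest first."""
    flagged = [(score_event(e), e) for e in events]
    flagged = [pair for pair in flagged if pair[0] >= threshold]
    flagged.sort(key=lambda pair: -pair[0])
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The remote-work workaround the article describes: sensitive docs mailed home.
    FileEvent("alice", frozenset({"sensitive_access"}), "sensitive",
              email_vector("alice.home@mail.example"), "alice.home@mail.example",
              off_network=True),
    # Departing employee copying internal files to a USB stick.
    FileEvent("bob", frozenset({"departing"}), "internal",
              "removable_media", "usb:serial-0001"),
    # Ordinary collaboration inside the sanctioned platform.
    FileEvent("carol", frozenset(), "public", "agency_cloud",
              "https://drive.example.gov/team"),
    # Contractor mailing an internal document to a colleague.
    FileEvent("dave", frozenset({"contractor"}), "internal",
              email_vector("erin@example.gov"), "erin@example.gov"),
]

if __name__ == "__main__":
    for score, ev in triage(SAMPLE_EVENTS):
        print(f"{score:2d} {ev.user:<6} {ev.destination:<28} {', '.join(risk_indicators(ev))}")
```

On the constructed sample the two events that reach the threshold are the mailed sensitive documents (score 9) and the departing employee's USB copy (score 7); the sanctioned cloud upload and the internal e-mail score 0 and 2 and are never shown to an analyst. The design point is that no single policy blocks anything: the same vector (e-mail) scores differently depending on the file and the user, which is what keeps legitimate internal collaboration out of the review queue.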
One key difference in the platform is that Code42 doesn’t believe in blocking. Thorsen said it just doesn’t work and you can’t possibly write enough policies to stop data exfiltration. Antiquated tools like traditional DLP don’t work with cloud collaboration platforms, are costly, time consuming and resource intensive to deploy; and once deployed are resource intensive to manage. Think about all of the policies that have to be written, tuned and managed and then consider the permutations of policies that have to be created to deal with all of the false positive alerts that block legitimate work and collaboration. Research from Code42 conducted in the fall of 2020 showed just how common of a problem blocking legitimate work is – 51% of employees complain at least weekly to information security leaders that their legitimate work was blocked. Despite all of the time and effort and resources used to manage your DLP, sensitive data still gets out! DLP isn’t an insider risk management solution and precious insider risk management resources should spend their time managing insider risk, not their tools and policies, especially when those tools are not designed to manage insider risk. There’s too much overhead, too many policies and too many permutations that lead to too many false positives. And that can stifle productivity and anger personnel who are performing legitimate work. To effectively manage insider risk, you do not want to create an adversarial relationship with agency personnel, and taking action that blocks legitimate work encourages people to sidestep tools and policies so they can get their jobs done.
Another item that is important to remember is that 80% of insider data exfiltration is not malicious. It’s just ordinary employees trying to get their work done as efficiently as possible. Workarounds involving home computers and home printers are becoming more common in the current remote work environment, and that’s creating more risk. Other common missteps include emailing the wrong person or sharing a file too broadly or with the wrong people. Security fatigue also contributes to these problems.
For example, Thorsen said one customer described a scenario in which an individual working from home was authorized to handle sensitive documents but was unable to connect their agency endpoint to their home printer. So they came up with a workaround: they emailed the documents to their personal email account, opened them on a personal device that was connected to the home printer, printed them so they could be signed in ink, then photographed the signed documents with a personal smartphone and emailed the pictures back to their agency email address. This individual had no malicious intent; they were simply trying to do their job and worked around what they perceived as a technical blocker. The problem is that the documents were sensitive and now resided on devices outside of the agency’s control. While this was non-malicious, it still represented significant risk to the agency.
“There are inherent risks in moving to a remote work model. But there’s also risk as we evolve back to a semblance of working on agency networks and agency environments. In all likelihood, there’ll be a hybrid approach,” Thorsen said. “It may be a bit of a challenge to bring everybody back into working from the office when employees have been able to effectively work remotely. So what agencies may experience is a hybrid approach to work in the future, one where certain employees can work remotely while others may have to work from agency offices. This makes having visibility to data movement both on and off the network so important.”
Incydr Gov is also FedRAMP authorized at the Moderate level. Code42 has completed its Cybersecurity Maturity Model Certification (CMMC) self-assessment and aligns with CMMC Level 3 requirements. Lastly, Code42 Incydr meets International Traffic in Arms Regulations (ITAR) requirements, allowing agencies to keep their data in the United States, and is supported by U.S. Persons.
Many people tend to think of insider threat in terms of big problems requiring equally big solutions. But it’s the little risks that add up to billions of dollars’ worth of lost data. It’s the little problems like email and USB drives that CISOs really need to worry about.
“Blocking just doesn’t work at the end of the day. It’s unintelligent risk management,” Thorsen said. “We focus on the user, the file and the vector for removal. So it’s a holistic context that we provide, which can be really powerful.”