Episode 58: Insiders: Security Threat or Ally?
Amrit Williams, BigFix CTO, begins an interesting series of conversations with author and speaker Michael Santarcangelo. Michael questions the statistics and growing concerns over insider threats.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Michael Santarcangelo. Michael is a catalyst, an author, and a speaker. Michael is also a good friend. Michael, just great to have you back with us today. So thank you for joining me.
Michael Santarcangelo: Hey, it’s always a pleasure to be with you my friend.
Amrit Williams: So Michael, we were talking just briefly before this a little bit about the numbers around insider threats. I know some stuff came out from the Verizon Data Breach Report and there are a lot of numbers floating around. Several years ago it was positive that insider threats were the biggest threat that we faced. And then recently some of the reports have come out and said, well, no, insiders may not be as big a threat as people face.
I know you have started a series of discussions and concepts around turning insiders into allies and we definitely want to focus in on that as part of a series. But I did want to focus in on something. What's striking to me is, I think that the majority of external attacks can probably be related to negligence or improper use, misconfiguration, misadministration on the part of the IT department, and that when people talk about insider threats, it's not always clear what they are talking about.
I always viewed the insider threats specifically and distinctly as those who maliciously try to compromise, take advantage, or steal something from the organization that they work for, as opposed to those who just negligently let data leak. But I wanted to ask you, what are your thoughts on the insider threat, and I know that you had some comments about the Verizon story, and I know that you and Anton have gone back and forth on it. But why don’t you expand on that, what are your thoughts on the insider threat?
Michael Santarcangelo: Yeah. The first thing that I would point out is, what generated some of this discussion was that, when I wrote Into the Breach, in the introduction, I put a couple of myths that I wanted to dispel. What I was focused on doing wasn't so much saying, look, I have authoritative proof this is something else, but at the time when I wrote the book, the heavy reliance was, we are only under attack from outsiders.
It reminded me very much of the 90s, where the mantra was simple, Internet bad, firewall good. So if you are on the Internet, which is bad; no disrespect to Al Gore by the way, he did a great job hooking us up with the Internet, but if you are on it and you don’t have a firewall, clearly you are doing something wrong. So it felt like that kind of persisted and persisted and persisted.
So here I am watching all these breaches happening and I am saying, wow, it’s hardworking, good people, who don’t know better. Of course, we go through the book and we explain some of these types of things. So I started just reviewing the breaches that I could, anything that was made public.
There are plenty of great websites that have these. There were some research reports that were coming out, pretty much as I was wrapping up the book, and they were starting to show a trend that due to employee error, and theft, and loss, and actions; so not the deliberate, not the intentional upset person with a malicious intent, but just people’s actions, it was actually more like anywhere from two-thirds, 75% of the breaches were in fact caused by insiders.
Now, that’s kind of an interesting thing to think about, because where I have gone further is, I don’t like to declare that we have a people problem. So I looked at it and went, wait a minute. So what I did was I paused and I said, look, here is a myth. The myth is that all attacks — and by the way, I have learned about how to position this better myself, my myth was, all attacks are caused by outsiders, and I attempted to debunk it to say, think about this, 70% of our breaches are caused by insiders.
What I realized in talking with Anton Chuvakin is, he took umbrage with me using that as a statistic. I pushed back on them, and I pushed back on them pretty hard; with no disrespect to Verizon, because I think it's a great report, what I said was, please don't cite me one report back. Don't cite me one report if somebody is engaging the services of a professional firm, expecting, I am hunkering down for a fight. He comes back and he says no, actually, I don't think anybody knows, and I think citing a number is reckless. I went, oh, yeah, good point. I mean, that's not an argument you are prepared for.
So talking to you, I mean, I think, we have to step back for a second and say, well, wait a minute, what’s an attack, what is an insider, and when we are talking about something like an insider threat, what is it that we are actually talking about? When you were just going through some statistics and numbers there, it’s kind of fascinating, because I used to suggest, if we were looking at the malicious determined insider; and this is one of those made up statistics, but I would say it’s like 2%, 1%, it’s a 4:34 view of the world, but I think most people are good. I think they are well-intentioned.
But there were some reports that came out where like Robert Half and others have actually gone out and interviewed employees, and they would say, if you were terminated, will you take company data with you? So I don’t think that they went so far as to say, will you be a stealing, lying, cheating person, but I think they made it pretty clear that it’s company data, it’s not yours, are you going to take it with you?
What amazed me was the number of people who said yes. 68% said, yeah, absolutely. By the way, I am guessing that the number, probably they inverted that. It’s probably like 86% would do it, 68% are going to tell you to your face that they are going to take it. Now, is that an insider threat? Probably. So the thing that’s fascinating –
Amrit Williams: But the thing there, though, again, is that that is an intentional, malicious violation of corporate policy. So when you look at the insider threat, I think it's important to break up the unintentional or the negligent versus the intentional and the malicious, because they imply different types of controls and different types of processes that an organization might put in place to ensure that they limit the amount of churn or damage to the organization. Do you not believe that that's viable?
Michael Santarcangelo: No, I do. In fact, what I am starting to take a look at is that, I think we have to look at this differently. I had a great conversation last week with a client. During the conversation I realized — we got talking about awareness, which — it’s kind of fascinating, you flattered me last time when you made a compliment to me about how I have shifted some of your thinking on awareness, my turn to flatter you back, you have done the same for me.
When you and I first met face-to-face in Atlanta a couple of years ago and we got talking about why awareness fails, I think I probably made some sort of flippant remark that you did it the wrong way. I would still hold by that statement today, but what I realize is, the way that the rest of the world defines awareness and stuff, I don’t think is effective at all. I think people would be better not to spend any money at all, than to do what traditionally passes as awareness.
Well, bring it back to this. We got talking about carrots and sticks, and how some people are motivated because they don’t want to get hit by the stick, and some people are motivated because they want the reward. We were looking at that in the terms of awareness, and it started me down this whole cascade of, maybe it’s not so black and white, people will steal, people won’t steal. I am actually doing a lot of work right now on looking at like the fraud triangle, Cressey’s fraud triangle and things. When it comes to looking at the controls of our organization then, I am going to make two statements, and they may be contrasting. So I think it’s something that as an industry we need more dialog around.
The first of which is, I think yes, we do have to consider that there are insiders and outsiders, and then that there are people, when they are insiders, some of whom are going to be inclined to take a negative action, but there is going to have to be variance on that. Because somebody stealing data that they work with is clearly a problem, but is a lot different than somebody planting a logic bomb in a system designed to take it down the day they get fired, or a week after they get fired.
But in terms of, does that change things? I am going to counter it with, maybe it doesn’t matter. So I have got a background in economics and a background in measurement, and studying things and looking at people and figuring these things out, and I love them. But what I am starting to realize; and this is kind of like the point to the book, we have to step back and we have to manage people, we have to manage information, and we have to manage our risk. Maybe it doesn’t matter so much whether they are insiders or outsiders, maybe what matters is making sure that we have a pretty good understanding of our information.
Notice, I am not saying data, I am pretty clear in that distinction. I get why we focus on data, but to me data denotes electrons. I think if we focus on information and we start to look at the way people are using it and the way it’s being used, then we can start to actually get a much more accurate picture of our risk, and then we can manage the risk a little bit better. What do you think about that?
Amrit Williams: Well, I think that's important. So what I would like to do, Michael, is have you come back for another part here. Thank you for joining me now. When you come back, what I would like to dig into is people, information, and risk, and how we look at the economy or economic factors of information as security versus the human ecology of it. So Michael, thanks for joining me, we will be back soon.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
