Shrinking the elephant in the room

By: Dietrich Benjes, VP EMEA, Varonis

When it comes to information security, the notion of the insider threat is increasingly rearing its head. The sensational idea that immediately springs to mind is corporate espionage – competitors going incognito or rogue employees stealing information. Though this certainly does happen, the reality of most insider threats is far less thrilling, yet just as serious. It’s the great, big elephant in the room: employee misjudgement. Sure, you may run training courses, teach staff how to spot a phishing email and run awareness programmes, but mistakes are made (we’re all human after all). In fact, according to the 2014 DBIR, the majority (60%) of insider threats were not malicious but due to employee mistakes, which can leave an organisation footing bills of $800k on average.[1] A common example is the ‘copy and pasters’ of the world: the employees who, in trying to make life easier for themselves, inadvertently leave private or sensitive data dotted about the corporate network just waiting to be found.

And even if it goes a little deeper, say an employee snooping around an area of the network they shouldn’t, without any malicious intent: if they’ve seen it from a user account that has been hacked, then so has the hacker. While human nature biases us towards fearing the more dramatic risks, in truth it is the frequent, mundane threats staring us in the face every day that will take us down. So it’s time to shrink the elephant in the room. Here are five tips organisations can implement to take the emphasis off employees and put it on something easier to control: the data.


Global access is a big, blunt weapon that should not be used except for information that is 100% public. Many systems give the option to grant global access to information via a special group like the “Everyone” group or “Authenticated Users” in Windows. When organisations grant access via a global access group, they’re effectively saying, “I don’t care what happens to this data.” It’s not even unheard of to see global access applied to folders with millions of credit card numbers, Social Security numbers, and more. This is absurd. Seriously, stop using global access groups.
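One way to find these global-access grants on Windows shares is to run icacls over the share roots and scan its output for the “Everyone”, “Authenticated Users” and “BUILTIN\Users” principals. The parser below is an added example, not Varonis code; the icacls output it reads is constructed, and the list of principals it treats as “global” is an assumption you would tune for your domain.

```python
import re

# Constructed icacls output for three shares (sample data, not from the article).
SAMPLE_ICACLS = r"""X:\Share\Payroll NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                 Everyone:(OI)(CI)(R)
X:\Share\Public Everyone:(OI)(CI)(RX)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
X:\Share\Legal CORP\Legal-Staff:(OI)(CI)(M)
               BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that amount to "anyone with a domain account" (assumed list).
GLOBAL_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}      # inheritance flags, not rights
# Simple and specific icacls rights that let the holder change or remove data.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output):
    """Return {path: [(principal, flags), ...]} from icacls text output."""
    acls, path = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully"):
            continue                          # blank line or icacls summary line
        if line[0].isspace():                 # indented line: another ACE for same path
            ace = line.strip()
        else:                                 # "<path> <first ACE>" (paths without spaces)
            path, _, ace = line.partition(" ")
        m = ACE_RE.match(ace)
        if m and path is not None:
            acls.setdefault(path, []).append((m.group("who"), m.group("flags")))
    return acls

def find_global_access(output):
    """List ACEs that grant a global group access, noting whether they allow writes."""
    findings = []
    for path, aces in parse_icacls(output).items():
        for who, flags in aces:
            if who not in GLOBAL_PRINCIPALS:
                continue
            rights = {r for grp in re.findall(r"\(([^)]*)\)", flags) for r in grp.split(",")}
            findings.append({"path": path, "principal": who,
                             "rights": sorted(rights - INHERIT_FLAGS),
                             "writable": bool(rights & WRITE_RIGHTS)})
    return findings
```

Write-capable grants to a global group (the Payroll share here) are the ones to fix first; a read-only grant is still a leak of anything sensitive that lands in the folder.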


According to a recent study with the Ponemon Institute, four out of five IT pros say their organisations don’t enforce a strict need-to-know data security model. This means that, in most organisations, employees have way more access than they need and, ultimately, the surface area for employee privilege abuse is way bigger than it has any right to be.

This is because:

  • People change jobs, departments, responsibilities
  • Temporary projects often require temporary access
  • Consulting contracts start and end
  • Permissions are granted accidentally
  • People leave the company

Permissions creep plagues most companies. It’s hard to prevent and can be even harder to remediate. Excessive access applies to both people and software. If the web server has a vulnerability and it’s running under a privileged domain user that has access to the file system or, worse yet, network shares, any vulnerability in that web server software is now YOUR problem. Consider software an insider and limit its access to need-to-know.

For temporary employees, contractors, consultants, and project teams, entitlements should always be assigned an expiration date **at the time they are granted**. This is the best shot at eliminating permissions creep.

Furthermore, even with auto-expiry at your disposal, it still pays to have business users do periodic reviews. After all, they know the people who use the data. IT admins might not. Put the decisions in the hands of the people with the most context, and give them the power to make changes.


Not only should you frequently perform an entitlement review on the Domain Admin group to ensure its members are legit, but it is also extremely helpful to set up alerts for additions to that group. Additions to privileged groups should be extremely rare, so it’s nice to get an email alert or SMS message any time that happens – especially if it happens outside of a change window.

Auditing Active Directory is also vital as it is the heart and soul of access control for many companies. If someone gets access to critical information via an Active Directory group, the organisation will want to know who did it, when, and why. Then use file analysis logs to figure out exactly what the user did with their newfound access.
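The two paragraphs above amount to a simple detection rule: any member-added event for a privileged group gets reviewed, and one outside the change window (or where the actor adds their own account) is escalated. The code below is an added example, not Varonis tooling; it works on constructed events in the normalised shape a log collector would hand over, and the privileged-group list and the Tuesday/Thursday 18:00–20:00 change window are assumptions.

```python
from datetime import datetime, time

# Groups whose membership should almost never change (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Windows Security event IDs for "member added to security-enabled group":
# 4728 global, 4732 domain-local, 4756 universal.
MEMBER_ADDED_IDS = {4728, 4732, 4756}
# Assumed change window: Tuesday and Thursday, 18:00-20:00 (Monday == 0).
CHANGE_WINDOW_DAYS = {1, 3}
CHANGE_WINDOW = (time(18, 0), time(20, 0))

# Constructed events (not real log data); 2024-03-12 is a Tuesday.
SAMPLE_EVENTS = [
    {"event_id": 4728, "time": "2024-03-12T18:30:00", "group": "Domain Admins",
     "member": "CORP\\svc-backup", "actor": "CORP\\jdoe"},          # inside window
    {"event_id": 4728, "time": "2024-03-13T02:15:00", "group": "Domain Admins",
     "member": "CORP\\tsmith", "actor": "CORP\\tsmith"},            # 02:15, self-add
    {"event_id": 4728, "time": "2024-03-13T10:00:00", "group": "Marketing",
     "member": "CORP\\amy", "actor": "CORP\\hr-admin"},             # not privileged
    {"event_id": 4729, "time": "2024-03-14T19:00:00", "group": "Domain Admins",
     "member": "CORP\\old-admin", "actor": "CORP\\jdoe"},           # removal, not an add
]

def in_change_window(ts):
    """True when ts falls on a change-window day and inside the window hours."""
    return ts.weekday() in CHANGE_WINDOW_DAYS and CHANGE_WINDOW[0] <= ts.time() < CHANGE_WINDOW[1]

def privileged_group_alerts(events):
    """Return one alert per addition to a privileged group, rated by how suspicious it is."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in MEMBER_ADDED_IDS or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        reasons = []
        if not in_change_window(ts):
            reasons.append("outside change window")
        if ev["member"].lower() == ev["actor"].lower():
            reasons.append("actor added own account")
        alerts.append({"time": ev["time"], "group": ev["group"], "member": ev["member"],
                       "actor": ev["actor"], "severity": "high" if reasons else "review",
                       "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in privileged_group_alerts(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["actor"], "added", a["member"],
              "to", a["group"], a["reasons"])
```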

Another useful tool is behavioural analytics. According to Avivah Litan of Gartner, the Target breach and the Snowden disclosures could have been prevented by behavioural analytics. Who are we to argue? It’s not enough to look at one element out of context, the way traditional IPS systems do. You have to look at events in situ (e.g., Joe deleted 250 legal contracts five minutes ago and he works in the coffee shop – big red flag.)

Creating profiles of normal behaviour on a per-user basis helps build this context. If each user’s normal activity is given a baseline, then alerts can be triggered when that activity spikes or they start behaving uncharacteristically.

Note: this can only be done if you have file analysis software in place to record and analyse every event across your file sharing (and email) infrastructure. However, once file analysis is implemented, you can do all sorts of cool things like:

  • Detect when a sensitive file is created in a public folder and auto-quarantine it.
  • Set up threshold alerts that sound when, say, thousands of file copy events are firing within a minute. This will usually indicate that a user is doing a massive copy/paste from a network share to a potentially unmonitored endpoint: exfiltration.
  • Monitor for normal business users creating or running EXE files on a server.

It’s also a best practice to monitor for excessive activity outside of normal operating hours and information beyond a person’s normal departmental data stores.
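The per-user baseline, the absolute threshold on file copy events and the out-of-hours rule described above can be expressed as one pass over the event stream with a sliding one-minute window per user. This is an added example, not the file analysis product the article has in mind; the events are constructed, the baselines are assumed rather than learned from history, and the absolute threshold is scaled down from “thousands” so the sample stays small.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed per-user baselines: normal file events per minute, learned from history.
BASELINE_PER_MINUTE = {"alice": 3.0, "joe": 2.0}
ABS_THRESHOLD = 100       # article says "thousands per minute"; scaled down for the sample
BASELINE_MULTIPLIER = 10  # spike = ten times the user's own normal rate
BUSINESS_HOURS = (7, 19)  # alert on activity before 07:00 or after 19:00

def _events(user, start, n, step_s):
    """Constructed file-copy events, one every step_s seconds from start."""
    return [{"user": user, "action": "copy", "time": start + timedelta(seconds=i * step_s)}
            for i in range(n)]

# Constructed sample: alice does routine work; joe bulk-copies at night.
SAMPLE_EVENTS = (_events("alice", datetime(2024, 3, 12, 10, 0), 5, 30)
                 + _events("joe", datetime(2024, 3, 12, 23, 10), 150, 0.5))

def detect_anomalies(events, window_s=60):
    """Sliding-window per-user counts checked against three rules; one alert per user and rule."""
    recent = defaultdict(deque)
    seen, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, ts = ev["user"], ev["time"]
        win = recent[user]
        win.append(ts)
        while ts - win[0] > timedelta(seconds=window_s):   # drop events older than the window
            win.popleft()
        count = len(win)
        baseline = BASELINE_PER_MINUTE.get(user, 1.0) * window_s / 60
        checks = {
            "threshold": count >= ABS_THRESHOLD,                       # flat "thousands" rule
            "baseline": count >= BASELINE_MULTIPLIER * baseline,       # spike against own normal
            "off_hours": not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1],
        }
        for rule, hit in checks.items():
            if hit and (user, rule) not in seen:
                seen.add((user, rule))
                alerts.append({"user": user, "rule": rule, "time": ts, "events_in_window": count})
    return alerts

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS):
        print(a["time"], a["user"], a["rule"], a["events_in_window"])
```

Joe trips all three rules (the baseline rule fires well before the flat threshold, which is the point of per-user baselines), while alice's five reads in office hours produce nothing.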


A honeypot is a shared folder with data that looks lucrative and is open to everyone. It is set up purely to be monitored to see who tries to access it. The recipe is quite simple. First, set up a shared folder that is open to everyone, something like X:\Share\Payroll or X:\Share\CEO. Then sit back and see who abuses it. You might find curious employees just snooping around or catch malware in action.


It’s very important to know where your crown jewels are, and that typically requires some sort of data classification technology. But it shouldn’t end at discovery. Knowing that 700,000 files in the organisation’s environment contain unencrypted credit card numbers is nice (though it may induce a panic attack), but it’s not actionable. The classification software should also answer questions like: Who owns the files (not the creator/owner attribute – who really owns them)? Who has access to them? What are they doing with it? Have they been opened? Copied? By whom? When?

Once context is added through metadata, the classification results become much more actionable: it becomes possible to find and prioritise the riskiest data sets, keep close tabs on their permissions, review access often (as mentioned earlier), and set up alerts to detect abuse and leakage.

In addition to monitoring high-risk data, keep a very close watch on high-risk people, like IT administrators. It can be very difficult to monitor and police admin accounts because they usually need lots of access, but if domain admins are reading email in other people’s inboxes and marking them unread, that’s a red flag.

Whether organisations care to admit it or not, one of the biggest and most common threats to their businesses comes from within; and it isn’t usually best-seller material. While considerable time and money may be spent on contingency plans for the next big catastrophe or installing the latest and greatest security technology that promises to prevent another Heartbleed-esque disaster, many organisations completely overlook and underestimate the simple, albeit no less important, threats that can result from human error or privilege abuse. Following the above security guidelines will go a long way towards cutting back on the number of security incidents that are allowed to happen by focusing on the data itself rather than getting people to change their ways, thus significantly shrinking that elephant in the room.

[1] CMU Study