Preventing Malicious Insider Data Leaks – Connecting Who with What
A malicious data leak involves a company employee or contractor who deliberately moves confidential information outside the company for personal use. The central difficulty with insider leaks is that the insider is usually entitled to use the information being taken, so an access check on its own does not flag the transfer. To stop insider leaks, you have to analyze several dimensions of information about the people using your sensitive data, and correlate that with how the data is transmitted and where it is going.
Effective protection against deliberate insider leaks requires analyzing three things: the who, the what and the where. Even though a person may be cleared to access a certain kind of classified information, they should not be able to send it anywhere using any transport method. For example, people who normally correspond about internal financial information via company email should not be allowed to send the same information over personal email. The same kind of rule applies to cloud applications: a person who is cleared to upload information to GitHub may not be allowed to upload the same information to a personal Box account.
For a transmission of sensitive information to be allowed, three conditions must all hold: the user must have clearance for the content, the destination person or application must have clearance to receive it, and the transmission method must be appropriate for that content. The intersection of these three attributes describes each transaction precisely enough that a policy can decide whether it is appropriate or not.
Analyzing the identity of both the sender and the receiver is critical to this correlation. When the receiver is an application, the application is evaluated for access rights in the same way a person is. This gives the security team the power to determine who can put what information where: a non-sanctioned web application is treated the same as a non-sanctioned employee with respect to company-sensitive data. In practice the correlation is only as reliable as the identification behind it, so the destination application has to be identified from the service actually being contacted rather than from what the user or client claims.
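The three checks just described, as an added example that is not GhangorCloud's code and does not describe its product: a small Python policy evaluator in which the sender, the receiver (a person or an application) and the transport channel must each be cleared for the data class before a transaction is allowed. The principals, data classes, channels and transactions are hypothetical and constructed for illustration; a real deployment would take them from the identity provider and the content classifier rather than from literal tables.

```python
"""
Added example, not GhangorCloud's code: a minimal evaluator for the three
dimensions described above (who, what, where).  Every principal, data
class, channel and transaction here is hypothetical and constructed for
illustration.
"""
from dataclasses import dataclass

# WHO: the data classes each principal may handle.  Applications are listed
# the same way as people; an unsanctioned destination simply has no entry.
CLEARANCE = {
    "alice@corp.example": {"financial", "source-code"},
    "bob@corp.example": {"financial"},
    "github.com": {"source-code"},
    "erp.corp.example": {"financial"},
    # "bob.personal@mail.example" and "box.com" are deliberately absent
}

# WHERE (transport): the channels acceptable for each data class.
ALLOWED_CHANNELS = {
    "financial": {"corporate-email", "erp-upload"},
    "source-code": {"git-push"},
}


@dataclass(frozen=True)
class Transaction:
    sender: str       # who
    receiver: str     # where: destination person or application
    data_class: str   # what
    channel: str      # where: transport method


def clearance_only(tx: Transaction) -> bool:
    """The traditional check: is the sender cleared for the content?
    A malicious insider passes this, because they usually are cleared."""
    return tx.data_class in CLEARANCE.get(tx.sender, set())


def evaluate(tx: Transaction) -> tuple[bool, str]:
    """Three-dimensional check: sender, receiver and channel must all be
    cleared for the data class.  Returns (allowed, reason)."""
    if tx.data_class not in CLEARANCE.get(tx.sender, set()):
        return False, f"sender {tx.sender} is not cleared for {tx.data_class}"
    if tx.data_class not in CLEARANCE.get(tx.receiver, set()):
        return False, f"receiver {tx.receiver} is not cleared for {tx.data_class}"
    if tx.channel not in ALLOWED_CHANNELS.get(tx.data_class, set()):
        return False, f"channel {tx.channel} is not permitted for {tx.data_class}"
    return True, "sender, receiver and channel all cleared"


# Constructed sample transactions, modelled on the two examples in the text.
SAMPLE = [
    Transaction("bob@corp.example", "alice@corp.example", "financial", "corporate-email"),
    Transaction("bob@corp.example", "bob.personal@mail.example", "financial", "personal-email"),
    Transaction("alice@corp.example", "github.com", "source-code", "git-push"),
    Transaction("alice@corp.example", "box.com", "source-code", "https-upload"),
]


def audit(transactions=SAMPLE):
    """Evaluate each transaction both ways.  Returns a list of
    (clearance_only_result, three_d_result, reason) tuples."""
    return [(clearance_only(tx), *evaluate(tx)) for tx in transactions]


if __name__ == "__main__":
    for tx, (old, new, why) in zip(SAMPLE, audit()):
        print(f"{tx.sender} -> {tx.receiver} [{tx.data_class} via {tx.channel}]")
        print(f"  clearance-only: {'ALLOW' if old else 'BLOCK'}   "
              f"3-D: {'ALLOW' if new else 'BLOCK'} ({why})")
```

Running the block shows the point of the article: all four sample transactions pass the clearance-only check, because both senders are entitled to the data they are sending, while the three-dimensional check blocks the two that go to an uncleared personal mailbox or an unsanctioned application. The receiver check and the channel check are independent on purpose, so a cleared recipient over a forbidden transport is still blocked.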
GhangorCloud calls this type of analysis 3-D correlation. Its output is the most granular policy possible, so that malicious insiders cannot move information anywhere other than to allowed sites and persons. Using 3-D correlation, you can control who is using what sensitive information in your network. This paradigm delivers a generational improvement in your ability to detect and stop malicious data leaks.