What the Landmark White data breach can teach us about insider threats

By Terry Burgess

The Landmark White incident signals it’s time that organisations invest in insider threat programs with identity governance at the foundation to the same extent that they’ve bought into external network protection, writes SailPoint’s Terry Burgess.

Last week, property valuation firm Landmark White released more information on the data breach it experienced earlier in the year that saw the property valuations, personal details and driver’s licenses of 275,000 individuals made “readily available on the dark web.”

In a statement on an arrest made in relation to the incident, the firm said the incident had caused “significant disruption to its business” and “a great deal of stress and angst to [its] staff.”

If there is one lesson other organisations can learn from the statement, it’s this: Landmark White’s investigations found the breach was “carried out by an individual external to LMW with trusted inside access.”

It’s becoming increasingly clear that ‘insider threat’ is no longer a security buzzword. It has become an enterprise concern commanding executive-level attention.

In government, devastating data disclosures by the likes of Edward Snowden and Chelsea (then Bradley) Manning have brought attention to the reality that malicious actions by trusted employees within an organisation can undermine that organisation’s security and, in these cases, jeopardise national security.

The Landmark White incident demonstrates that insider attacks at private entities can have consequences for an organisation’s customers, employees, operations, reputation and bottom line.

Landmark White has taken positive steps to improve its cybersecurity posture and reduce business risk post-incident, including “significant investment in IT security and other system enhancements” and “engaging external network security experts.”

However, if a threat is coming from the inside, an approach rooted in traditional perimeter defences is insufficient.


Ultimately, an insider threat is best addressed by a comprehensive approach to identity management: this is the only way to understand who has access to what, whether they should have that access, and what that access is being used for.

In the case of a malicious insider, they’ve more than likely compromised an existing user account, which allows them to masquerade as a legitimate user – so detection is far trickier without the right visibility into all users and their access across an organisation.

While organisations are becoming increasingly aware of the depth of the threat posed by insiders, mitigation measures are immature.

The first step towards addressing insider threat is recognising that it cannot be fully eliminated, only mitigated. That said, a mature approach that integrates both people and technology can help.

A people-centric approach to insider threat mitigation must start with the buy-in of corporate leadership.

Insider threat programs must have the support, funding and oversight of corporate leadership to ensure a culture of security and best practices to avoid data loss.

An insider threat program may include an insider risk working group; a lifecycle framework that considers an employee’s time and service with the organisation (including hiring and onboarding, employment, and departure) and can be used to determine their access privileges; and enterprise-wide training and education programs.

However, as demonstrated by the Snowden and Manning cases, people-centric approaches, such as background checks and rigorous security training, are not themselves sufficient to prevent determined threat actors from executing an attack.

Organisations should also use technology solutions to guard against insider threats.

Strong, multi-factor authentication is an essential first step, but this is just the beginning. It must be coupled with an identity governance solution that goes far beyond authentication, addresses the full lifecycle of every user in the organisation, and puts strong controls in place to govern a user’s access to sensitive data and business applications throughout their journey as an employee.

The strongest identity governance solutions are capable of assigning risk profiles for both employees and contractors, and automatically flagging privilege escalation requests to deter inadvertent or intentional access to restricted networks without proper authorisation.

The number of incidents attributed to insiders is on the rise, and individual incidents are commanding more attention as their consequences become more damaging.

Terry Burgess is the Vice President, Asia Pacific Japan at enterprise identity governance provider SailPoint. He is charged with building and executing the next phase of SailPoint’s growth in this rapidly expanding market.