This morning, Trend Micro confirmed that a rogue employee stole data belonging to 120K customers and sold it to cyber fraudsters. Trend Micro became aware of the insider threat only after customers complained about fraudulent calls from people claiming to be Trend Micro employees.
Graham Cluley is right when he says this is every security firm's nightmare. Security firms rely on their reputation for customers to keep trusting the organisation and every product or service it sells, so a breach that reaches their own users is enormous. Yet this area of risk, "insider threat", is becoming a high priority for every organisation, or at least it should be. Insider threat covers more than the nefarious insider seen in this case: it also includes the unintentional insider and the "trusted" third party (suppliers, contractors and so on). As organisations get better at protecting the data and assets within their direct control, those seeking access to that data are turning to insiders. This case may have been a single user selling data for personal gain, or external criminals may have been involved and solicited the sale.
The report states that the user in question "improperly accessed the data". That being the case, a modern behaviour analytics solution such as GRA, had it been deployed, would very likely have flagged this activity before the user could extract and sell the data. That would have stopped not only the exfiltration but also the scam calls Trend Micro users then received. Reputation is all!
Trend Micro customers whose information was leaked in this breach are at risk of phishing and scams from criminals posing as Trend Micro staff. Customers might receive fake tech support or billing calls intended to trick them into giving up sensitive information such as passwords and credit card numbers, or even remote access to their devices. They could also receive texts from Trend Micro imposters with links that direct them to phishing sites.
Trend Micro does not make unannounced calls to its customers. All calls are scheduled in advance, so if you receive an unsolicited call from Trend Micro, hang up and report it to Trend Micro support.
The breach at Trend Micro underscores a major and unfortunate disconnect in IT security today: perimeter security, UBA, database encryption, DLP and fraud/threat detection are deployed without a complementary layer that protects the data itself. The belief that "if I build a high enough wall they can't get in and my data is safe inside" is a fallacy that has been exposed repeatedly in 2019. Instead of just building virtual Maginot lines around data, organizations need to adopt a data-centric security model that protects the data inside from both external and internal threats; in other words, protect what matters most inside as well as you protect the perimeter. Data-centric technologies such as tokenization protect data at rest, in motion and in use, across the whole enterprise. In the Trend Micro case this could have stopped the rogue employee: even with elevated credentials to the customer service database, they would have found it full of useless tokens instead of salable data, provided the ability to detokenize was held separately from ordinary database access and granted only to roles that need it.
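The following is an added example of the vault-based tokenization the paragraph above describes; it is not code from the original article or from any vendor quoted in it. The record layout, the role names (`fraud_investigator`, `support_agent`) and the vault design are assumptions made for illustration. It shows the point that matters in the insider scenario: a full dump of the application database yields only tokens, and reversing a token is a separate, role-checked operation against the vault.

```python
"""Vault-based tokenization of customer-support records.

Added example, not code from the original article or from any vendor
quoted in it.  The record layout, the role names and the vault design are
assumptions made for illustration.
"""
import secrets

# Fields that never reach the application database in clear form.
SENSITIVE_FIELDS = ("name", "email", "phone")

# Assumed policy: only these roles may ask the vault to reverse a token.
# An ordinary support agent, or a DBA with full rights on the application
# database, is deliberately not on the list.
DETOKENIZE_ROLES = {"fraud_investigator"}


class TokenVault:
    """Holds the token -> value mapping.

    In production the vault is a separately administered service with its
    own authentication and audit log; the application database only ever
    stores the tokens it hands out.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        # Same (field, value) always maps to the same token so the
        # application can still join and search on tokenized columns.
        key = (field, value)
        if key not in self._value_to_token:
            # Random token: nothing about the value is derivable from it,
            # unlike a hash, which an attacker can brute-force for phone
            # numbers or guessable e-mail addresses.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token, role):
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def tokenize_record(vault, record):
    """Return a copy of the record that is safe to store in the application database."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def detokenize_record(vault, tokenized, role):
    """Reverse tokenize_record for a caller whose role the vault accepts."""
    out = dict(tokenized)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field], role)
    return out


def plaintext_exposed(dumped_rows, original_records):
    """True if any sensitive value from the originals appears in a dump of
    the application database, i.e. in what a rogue insider with DBA rights
    would walk away with."""
    dump_text = "\n".join(str(row) for row in dumped_rows)
    return any(str(rec[f]) in dump_text
               for rec in original_records for f in SENSITIVE_FIELDS if f in rec)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed records standing in for a customer-support database.
    customers = [
        {"ticket_id": "TM-10001", "name": "Jane Doe", "email": "jane.doe@example.com", "phone": "+1-555-0100"},
        {"ticket_id": "TM-10002", "name": "Sam Roe", "email": "sam.roe@example.net", "phone": "+1-555-0199"},
    ]
    app_db = [tokenize_record(vault, c) for c in customers]
    print("Dump of the application database:")
    for row in app_db:
        print(" ", row)
    print("Plaintext exposed:", plaintext_exposed(app_db, customers))
    print("Investigator view:", detokenize_record(vault, app_db[0], "fraud_investigator"))
    try:
        detokenize_record(vault, app_db[0], "support_agent")
    except PermissionError as e:
        print("Support agent:", e)
```

The design choice worth noting is the random, vault-mapped token rather than a hash: hashed phone numbers and e-mail addresses can be brute-forced offline, whereas a random token carries no information at all. The corresponding caveat is that the protection is only as good as the vault's access policy and logging; an insider whose role is on the detokenize list, or a support workflow that detokenizes whole tables on screen, gets the data back, so the detokenize path needs the same rate limiting and monitoring as the database did.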
Taking a Zero Trust approach is a must today, and the insider threat incident at Trend Micro is proof that we cannot assume employees will always have the organization's and its customers' best interests in mind. Today we have more users and more data than ever, spanning different geographies, business units and environments, cloud and on-premises alike. It is naïve and dangerous to assume there is a trusted internal network, because doing so ignores, or in this case trusts, insider threats, which are becoming more prevalent whether intentional or unintentional. Vendors who support Zero Trust continuously assess "trust" through a risk-based analysis of all available sources of data. They are better placed to deliver integrated services and security functions because they have visibility into the interaction between users, applications and data, which lets their customers consolidate data controls.
Detecting malicious employees is easier than detecting negligent ones who do not know they are doing harm, because malicious behavior is more overt. Anomalous activity at the network level could indicate a compromised insider, an employee whose credentials have been taken over. Likewise, if an employee appears dissatisfied or holds a grudge, or starts taking on more tasks with excessive enthusiasm, this could be an indication of foul play. Even when an employee shows no outward signs of malicious intent, data security technology exists that can watch all user behavior on data. Breaches occur at the intersection of users and data, so going beyond simply watching endpoints and user behavior is critical to protecting it. Today, successfully identifying all three insider threats, compromised, negligent and malicious, requires database activity monitoring or collection together with modern machine learning that can sift through the collected data to find actionable security incidents.
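As an added example for the behaviour-analytics point raised earlier (flagging "improper access" before the data leaves) and for the database activity monitoring described just above, the code below runs two simple detections over constructed database activity log lines. It is not code from the original article or from any vendor quoted in it; the log format, user names and numbers are invented, and a robust statistical baseline (median and median absolute deviation per user) stands in for the machine learning the paragraph mentions. The idea generalises: any per-user measure taken from the activity log (rows returned, tables touched, distinct customers viewed) can be baselined and scored the same way.

```python
"""Baseline-and-deviation detection over database activity logs.

Added example, not code from the original article or from any vendor
quoted in it.  The log format, user names and numbers are constructed for
illustration; a median/MAD baseline stands in for the machine learning the
article mentions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample of database activity monitoring output: one line per
# query, with the authenticated database user and the number of customer
# rows returned.  Real products emit far richer records; this is the
# minimum the technique needs.  The last agent07 line is the planted
# anomaly: a bulk pull at 02:13 UTC.
SAMPLE_LOG = """\
2019-07-29T09:12:03Z user=agent07 table=customers rows=14
2019-07-29T14:40:51Z user=agent12 table=customers rows=9
2019-07-30T10:05:17Z user=agent07 table=customers rows=18
2019-07-30T11:31:42Z user=agent12 table=customers rows=12
2019-07-31T09:48:30Z user=agent07 table=customers rows=11
2019-07-31T15:02:09Z user=agent12 table=customers rows=7
2019-08-01T10:22:55Z user=agent07 table=customers rows=16
2019-08-01T13:17:26Z user=agent12 table=customers rows=10
2019-08-02T08:59:44Z user=agent07 table=customers rows=13
2019-08-02T16:45:12Z user=agent12 table=customers rows=11
2019-08-03T02:13:37Z user=agent07 table=customers rows=4200
2019-08-03T10:30:01Z user=agent12 table=customers rows=8
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"day": ts[:10], "hour": int(ts[11:13]),
                       "user": fields["user"], "table": fields["table"],
                       "rows": int(fields["rows"])})
    return events


def daily_totals(events):
    """rows returned per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["day"]] += e["rows"]
    return totals


def detect_volume_anomalies(events, baseline_until, threshold=5.0, floor=5):
    """Score each day after baseline_until against the user's own history.

    score = (today - median) / max(MAD, floor).  MAD makes the baseline
    resistant to one earlier outlier; floor stops a user with a nearly
    constant history from alerting on a change of a few rows.
    """
    alerts = []
    for user, per_day in daily_totals(events).items():
        hist = [n for d, n in per_day.items() if d <= baseline_until]
        if len(hist) < 3:          # not enough history to judge
            continue
        med = median(hist)
        mad = median(abs(v - med) for v in hist)
        scale = max(mad, floor)
        for day, n in sorted(per_day.items()):
            if day <= baseline_until:
                continue
            score = (n - med) / scale
            if score > threshold:
                alerts.append({"user": user, "day": day, "rows": n,
                               "baseline_median": med, "score": round(score, 1)})
    return alerts


def off_hours_queries(events, baseline_until, tolerance=1):
    """Flag queries after baseline_until issued outside the hours the user
    was seen working in the baseline window (plus/minus tolerance hours)."""
    hours_seen = defaultdict(list)
    for e in events:
        if e["day"] <= baseline_until:
            hours_seen[e["user"]].append(e["hour"])
    flagged = []
    for e in events:
        if e["day"] <= baseline_until or e["user"] not in hours_seen:
            continue
        lo = min(hours_seen[e["user"]]) - tolerance
        hi = max(hours_seen[e["user"]]) + tolerance
        if not lo <= e["hour"] <= hi:
            flagged.append({"user": e["user"], "day": e["day"],
                            "hour": e["hour"], "rows": e["rows"]})
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_volume_anomalies(evts, "2019-08-02"):
        print("VOLUME  ", a)
    for f in off_hours_queries(evts, "2019-08-02"):
        print("OFFHOURS", f)
```

Two independent signals firing on the same user and day (a volume roughly 300 times the user's median, issued at an hour that user has never worked) is what turns a statistic into an actionable incident; either alone is noisier. In practice the baseline window should be weeks rather than days, the per-user baseline should be compared against the peer group as well (a whole team pulling 4,000 rows on month-end is not an anomaly), and the alert should trigger a response before the session ends, since the value here is stopping the export rather than explaining it afterwards.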