Professor Dr. Yo ick, who is a professor teacher on a police academy, Republic of Croatia. He's a criminologist and expert in light detection methods. The reason why we considered that the insider threat topic is important for cybersecurity community, and to look into, let's say, another perspective, give you another perspective, is because we understand it as a very hybrid threat, hence you have to look at it from a holistic perspective, not just through technology and DLP and user behavioral analytics, but rather looking at it in a very holistic way.
The insider threat topic is very interesting, not only because of the big data that are being collected and are being produced as an intellectual property that lies mainly in the digital form. It has a possibility to also be leaked and breached by a malicious insider working for our company. But also the topic is very important due to the situation that we find ourselves in right now, pandemic and post-pandemic, remote working, hybrid working world, which is going to definitely impact on the rise of insider threat.
And the reason would be a loss of social cohesion that we are noticing amongst the teams. The teams are not sitting anymore with each other. The managers cannot anymore observe the behavior. People are sometimes hiding, not turning on the cameras. You cannot really understand anymore whether the person is radicalized, whether they are depressed or disgruntled. And the third point why the topic of insider threat is very important in this world is that we have a loss of loyalty or decrease of loyalty that comes also from change in generation.
We have millennials, we have generation Z coming in the workforce. They don't stay too long. So the moment when you have a loss of social cohesion, far from the eyes, far from the sight, loss of loyalty, is when your insider threat topic is going to rise. So it's very interesting for corporate security, cybersecurity, information security departments and HR departments as well. But there are not so many companies that I have met that have a very comprehensive, holistic insider threat program running right now.
And also there are not so many companies that have a sanction framework, and there are also not so many governments that have a sanction framework. Let me give you an example. Maybe one of the most known insiders lately would be Mr. Anthony Levandowski.
He was, I dunno if you know, Waymo, the Google or Alphabet daughter company, which is producing autonomous electric vehicles, Laos engineer, working for them seven years and producing a laser technology for autonomous electric vehicles. So then he quit his job in Google and founded a startup. And this startup named Otto was then, after a couple of months, bought by Uber for 680 million Euro Sooki. So obviously the Uber launched autonomous electric vehicles based on a very similar laser system. And then Google sued Uber and Uber said, oh, whoa, whoa.
We did not know that was a fraudulent behavior behind this. And Anthony Levandowski was then sued, a single suit against him from Google. He ended up in court and after two years, last year, he admitted that he has taken with himself 14,000 and encrypted files and all the intellectual property around those laser systems. So imagine the damage he has done to competitive advantage of Waymo.
However, what happened to Anthony is also very interesting in the context of a sanction framework. Not so much: he had to pay 150 something million to Google and ended up six months in jail, sending a message. It's quite lucrative. Actually, you can earn a lot of money and end up not so long in a chain. So malicious insider is a topic that is very interesting because you have four categories of insider threat that you need to be paying attention to.
You have a malicious one that would be a person who is working for your company, hence has a trust of the company, and breaches the confidentiality, integrity and availability of data, but with the motivation and with an intention to do so. And then you have non-malicious actors. These are the people who would, without intention and motivation to do the harm, anyhow breach the policies, for example, plug in a USB stick, or let a person tailgate in your offices, and hence lead to, let's say, a cyber attack or data breach.
And then you would have an accidental insider threat. That would be a person who clicked on a phishing link, did not really have any motivation to do so, did not understand that harm will be a consequence. And then you have a compromised actor. A compromised actor would be a person who has been compromised in the act of corporate espionage by a foreign government, by a competitor, or a person who has been working long for you, or a person who has been recruited just for this purpose of sabotage.
So just to finish and wrap up my part, I think it's very important to ask yourself, why does the person become a malicious insider? And so there was a very, very interesting 2018 report from Verizon saying that 40% of data breaches would be coming from malicious insiders. And actually there was a study from PWC looking at this population saying 10% of malicious insiders would be acting out of revenge. So I don't know if you picked this up, but last year there was a Tesla software engineer who has been tampering with or changing the source code. And he took some intellectual property himself.
He took some money and when he was investigated, he was caught by investigation by corporate security. And when he was asked, why did you do this?
He said, I did not get a promotion that I felt I deserve. So how can you understand those soft risk indicators that the person is changing behavior and is going to become disgruntled and potentially an insider? I give the stage to professor Dr.
Yo PEK, who would explain a little bit about this very,

Very much. After an employee commits embezzlement, theft, discloses confidential business information in a company, his colleagues and superiors often analyze his behavior and remember that he was in financial trouble, that he borrowed money from his coworkers, that he rarely used his annual leave, and when he was on annual leave, he came to the work, and so on. So what did they actually observe? They saw security risk indicators, but they didn't pay enough attention to them.
Sometimes it happens that coworkers, superiors, or even security professionals don't register those indicators at all. They need stronger evidence that someone is malicious, and evidence comes a little bit later, but usually in multi-digit amounts of damages. What is important to know about security risk indicators: indicators are not necessarily evidence that someone is malicious. They are a signal that that person needs extra attention, especially when they are frequent, when there are more types of indicators, and when they are of stronger intensity. It is important,
also, when you're considering security risk indicators, toed them in the context of the particular person, business processes that they perform and all business activities of the company. Indicators are really numerous. But today I'll try to mention only a few of the more frequent ones. We can start with the fact that malicious employees belong to the group of average and above average quality employees. Second fact is that malicious employees don't like supervision.
Well, nobody likes it, but they are especially nervous. Due to epidemiological measures, many business processes have had to adapt significantly, and it was an excellent opportunity for malicious employees to have easier access to information that they haven't had before, to have excuses for bypassing security procedures, excuses for unusual behavior or avoiding supervision. It's necessary to establish rules in the new normal as soon as possible. Employees who are in direct contact with clients and business partners are especially at risk.
It's easy to cross the fine line of an appropriate business relationship and go into an intensive semi-private relationship. Malicious employees need more privacy in the work environment than others. And finally, corporate security professionals need to be, in particular, more sensitive to some personal risks, like more pronounced material needs of employees, tendency to adventure, greed, addictions to gambling, betting, drugs, alcohol. Be aware of employees who go through stormy divorces or have pronounced family problems.
But in order not to leave everything on indicators, a few sentences about the security questionnaire, a tool that can help employers and security professionals to identify potentially risky candidates when hiring or among existing employees. Security questionnaires are especially useful when you're hiring for a position of trust, when you're promoting some employees to important management positions, when it comes to, for example, vital or sensitive business processes, or as a part of an exit interview. Its implementation in practice shows really good results.
Application of the security questionnaire is based on expert interpretation of answers to specially designed questions. And now the third part of our presentation, about indicators in the virtual work environment and ways how to detect them. The floor is yours.

Yeah. Thank you very much. And fun fact, both Lana and I were employed fully virtually, right? We didn't even meet our current bosses in person last year.
Anyhow, my role here, and actually that's because of my discussion with both of them, is to give a perspective from the technology part, from the cyber part, which is why basically we are all here. And I'm just gonna remind you, you probably felt it last year, especially security operation centers. So when the pandemic started, computers were going home, people were even carrying personal computers home. There was not enough VPN in a bunch of big companies. There was a huge lack of visibility of what people were doing at home.
As we heard in a few presentations before, there was a huge problem with awareness, because how we were training people before, that also changed. And then from the other side, let's make everything digital, let's produce new applications, let's develop new stuff. We very often forget and forgot about risks, real risks. What happened to Tesla, who was even checking those codes during the pandemic, because we had to do it very, very, very fast? And when I think about that and when I go to them and I tell them, Hey, people, we have so many problems with technology already.
What do you expect from us? Do you really think we can see those indicators while people are sitting at home and they still can't even click the unmute button, or we do not see them on cameras? Is there anything about technology that can actually help this? But after a lot of discussion, especially with them, I did realize that this is definitely a broader topic and something that has to be interdisciplinary and something that we have to discuss together at all levels.
And if you attended different sessions throughout these past few days, you saw people mainly talking about external threats, about some factors and some threats that we are aware of and we know how to fight. Yeah, it's not an easy fight, but we know what to do. And this is totally different, because if they come to me and tell me, Hey, we do have indicators, can we use technology to track them? Can we use DLP, not just to put it in the company and it's there and it doesn't do anything? And we actually can.
And there, I would say a few things that we all need to think about. First, need-to-know basis should not be a cliche. We really have to know who the people with the biggest knowledge and the biggest amount of data and information are, and of course give them access, but restrict that access to others. We need to classify that data and we need to use DLP and other tools to properly monitor such data in data flows. Bring your own device, especially from the last year, has to be something, not just to tell people, yeah, you can use or not use your personal devices.
We need to put those devices properly in our security operations centers, again, to track that confidential data or to track the behavior of people. We can do that with the technology as well. We just need to know what to do with it. Of course the awareness is still gonna be here. It's very important. It's important to test, but we need to have a systematic approach to awareness and we need to follow the trends and to see that the trends are changing. And I think eon explained it very well.
It has to be a systematic approach in a way that we actually measure what we are doing with the awareness. And last, which I think is the most important, is the big popular trio, and that's logging, monitoring, and alerting. We very often focus on logging. We collect a bunch of data from different systems; very often security operation centers do not even know which parts of the systems are more important than the others. Second is monitoring the data. And that's of course in connection with alerting; we need to do it proactively. We need to take those indicators and track them.
Let me just give you one example. I was flying a few weeks ago, three weeks ago, actually, to trich. There was a CFO of a huge pharma company sitting just next to me, preparing his board deck presentations with all the financial data, reading his emails, preparing responses, etcetera. I was there for two hours.
I could easily take all that data and could even everyone track that if we would go to security operations centers and tell them, Hey, if you have a board member or anyone at the CC minus one level, and if you have the alert that that person has sent 50 emails in one minute, that means he was probably flying, preparing his emails. And when he got to the airport or the hotel, he sent all the emails. Can I get that information as a CISO and go and talk to that person and ask him, Hey, where were you preparing those emails?
Was anyone maybe watching your screen or something like that? I did simplify it because I only have a few minutes, but that's where I think we should all work together. That's why I think it was very hard for organizers, actually, to find which track they're gonna put us in with this topic. We ended up in this one, which I think is very good, and we can do it together, but we should not definitely forget about this topic, because it is gonna be more and more of a problem. Thank you.