
Malicious Actions Rattle Shopify

Sept. 23, 2020
Right on the heels of the thwarted attempt to compromise Tesla, rogue employees compromise valuable data

Although September is Insider Threat Awareness Month, that did not deter two employees at Shopify from taking malicious action. The rogue employees stole data from approximately 100 merchants, potentially exposing the customers who shopped on e-commerce sites running the company's software. The compromised data is believed to include email addresses, names, physical addresses and order details.

It is critical for businesses to recognize that threats from legitimate users have always been more elusive and harder to detect or prevent than traditional external threats, explains Exabeam's Orion Cassetto. "The two employees from Shopify were able to steal data from over 100 merchants, potentially exposing emails, names, addresses and other details of thousands of customers. Organizations must be armed with the tools to prevent enemies from within their walls from launching attacks," says Cassetto.

Cassetto recommends a combination of training, organizational alignment, and technology as the right approach to stopping insider threats. "Behavioral analytics technology that tracks, collects and analyzes user and machine data to detect threats within an organization is essential because it determines anomalous from normal behaviors," he says. "This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. It can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, it can often spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems."
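The baseline-then-flag procedure Cassetto describes, as an added Python example (not Exabeam's product and not code from the article): a training window of support-tool access logs establishes, per user, how many merchants and how many customer records a normal day touches and which actions the user normally performs; a later day is then scored against that baseline. The log format, user names, merchant IDs and all log lines are constructed for the example.

```python
"""Baseline-and-flag detection over support-tool access logs.
Constructed example, not Shopify's tooling or any vendor's product."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed log format: <ISO timestamp> <user> <action> <merchant_id> <records_touched>
BASELINE_LOG = """\
2020-09-01T09:12:00Z alice view_order m101 1
2020-09-01T10:03:00Z alice view_order m102 1
2020-09-01T11:40:00Z alice view_order m103 2
2020-09-02T09:30:00Z alice view_order m101 1
2020-09-02T14:05:00Z alice view_order m104 3
2020-09-03T09:02:00Z alice view_order m102 2
2020-09-03T10:45:00Z alice view_order m105 1
2020-09-03T16:20:00Z alice view_order m106 1
2020-09-04T09:15:00Z alice view_order m101 1
2020-09-04T13:50:00Z alice view_order m103 1
2020-09-01T09:20:00Z bob view_order m201 1
2020-09-01T12:00:00Z bob view_order m202 1
2020-09-02T10:10:00Z bob view_order m201 2
2020-09-03T09:45:00Z bob view_order m203 1
2020-09-03T15:00:00Z bob view_order m201 1
2020-09-04T11:30:00Z bob view_order m202 1
"""
# Evaluation day (also constructed): alice fans out across a dozen merchants at 2 a.m. with a
# bulk action she never used before; bob matches his history; carol has no history at all.
EVAL_LOG = "\n".join(
    [f"2020-09-23T02:{i:02d}:00Z alice export_orders m{300 + i} 40" for i in range(12)]
    + ["2020-09-23T09:10:00Z bob view_order m201 1",
       "2020-09-23T11:00:00Z bob view_order m202 1",
       "2020-09-23T12:00:00Z carol view_order m150 1"])


@dataclass
class DayProfile:
    merchants: set = field(default_factory=set)   # distinct merchants touched that day
    records: int = 0                              # customer records touched that day
    actions: set = field(default_factory=set)     # distinct actions used that day


def daily_profiles(log: str) -> dict:
    """Collapse raw lines into one DayProfile per (user, day)."""
    profiles = defaultdict(DayProfile)
    for line in log.strip().splitlines():
        ts, user, action, merchant, records = line.split()
        p = profiles[(user, ts[:10])]
        p.merchants.add(merchant)
        p.records += int(records)
        p.actions.add(action)
    return profiles


def build_baselines(log: str) -> dict:
    """Per user: mean/std of daily merchant fan-out and record volume, plus the action vocabulary."""
    per_user = defaultdict(list)
    for (user, _day), p in daily_profiles(log).items():
        per_user[user].append(p)
    baselines = {}
    for user, days in per_user.items():
        m = [len(p.merchants) for p in days]
        r = [p.records for p in days]
        baselines[user] = {"merchants": (mean(m), pstdev(m)), "records": (mean(r), pstdev(r)),
                           "actions": set().union(*(p.actions for p in days))}
    return baselines


def above(value, stats, k):
    mu, sigma = stats
    # floor sigma at 1 so a user with a perfectly flat history still gets a usable band
    return value > mu + k * max(sigma, 1.0)


def detect(baseline_log=BASELINE_LOG, eval_log=EVAL_LOG, k=3.0) -> list:
    """Return (user, day, code, detail) alerts for every (user, day) that leaves its baseline."""
    baselines = build_baselines(baseline_log)
    alerts = []
    for (user, day), p in sorted(daily_profiles(eval_log).items()):
        b = baselines.get(user)
        if b is None:
            alerts.append((user, day, "no_baseline", "first appearance of this user"))
            continue
        if above(len(p.merchants), b["merchants"], k):
            alerts.append((user, day, "merchant_fanout",
                           f"{len(p.merchants)} merchants, baseline mean {b['merchants'][0]:.1f}"))
        if above(p.records, b["records"], k):
            alerts.append((user, day, "record_volume",
                           f"{p.records} records, baseline mean {b['records'][0]:.1f}"))
        for action in sorted(p.actions - b["actions"]):
            alerts.append((user, day, "new_action", f"{action} never seen during baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(" | ".join(map(str, alert)))
```

Scoring the baseline window against itself produces no alerts, which is the sanity check to run before trusting the thresholds; on the evaluation day alice trips all three rules while bob stays quiet. The "no baseline" alert matters in practice: a freshly created or rarely used account has no normal to compare against, so it should route to a human rather than be silently ignored.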

The incident with Shopify is an unfortunate illustration of how cyberattacks are conducted today, according to Torsten George, cybersecurity evangelist with Centrify. "Rather than a hooded figure in the darkness penetrating a network, two of Shopify's own employees went rogue. With an enemy lurking within, the question becomes what measures can organizations take to minimize their exposure to insider threats," says George. "The answer lies in limiting access and privilege. Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data. Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach."

George recommends businesses take the following steps to address insider threats:

  • Enforce segregation of duties: Separate duties, especially for sensitive or shared processes and tasks. In this context, organizations can, for example, leverage so-called ‘access zones’ to tie the rights a user has to specific resources.

  • Establish least privilege: Only give privileged users just enough access to resources, just-in-time to do the job required. Leave zero standing privileges to be exploited.

  • Implement access request and approval workflows: Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.

  • Leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors: This will help identify abnormal and high-risk activity, and can trigger real-time alerts or removal of privileges to stop threat actors, whether they are internal or external threats.
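The four controls above, combined into one added Python example (not Centrify's product and not code from the article): a privilege broker in which nobody holds standing access, every grant is requested with a justification, approved by someone other than the requester (segregation of duties), capped to a short time window, checked on every use, and revocable in bulk when a behavioral alert fires. The resource scope strings, approver names, ticket text and time-to-live values are hypothetical.

```python
"""Just-in-time privilege broker: zero standing privileges, approval workflow with segregation
of duties, hard expiry, and a revoke hook for behavioral alerts. Constructed example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import count
from typing import Optional


@dataclass
class AccessRequest:
    id: int
    requester: str
    resource: str            # hypothetical scope string, e.g. "merchant:m101/orders"
    justification: str
    ttl: timedelta
    approved_by: Optional[str] = None
    granted_at: Optional[datetime] = None
    revoked: bool = False

    def live(self, now: datetime) -> bool:
        return (self.granted_at is not None and not self.revoked
                and now < self.granted_at + self.ttl)


class PrivilegeBroker:
    """No one holds standing access: every grant is requested, approved by someone else, and expires."""

    def __init__(self, approvers: set, max_ttl: timedelta = timedelta(hours=1)):
        self.approvers = approvers
        self.max_ttl = max_ttl          # hard cap, whatever the requester asks for
        self.requests: dict = {}
        self.audit: list = []           # who asked, who approved, for what, when, and why
        self._ids = count(1)

    def request(self, user, resource, justification, ttl=timedelta(minutes=30), now=None) -> int:
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            raise ValueError("a justification is required")
        req = AccessRequest(next(self._ids), user, resource, justification, min(ttl, self.max_ttl))
        self.requests[req.id] = req
        self.audit.append(("requested", req.id, user, resource, justification, now))
        return req.id

    def approve(self, req_id, approver, now=None):
        now = now or datetime.now(timezone.utc)
        req = self.requests[req_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req.requester:                 # segregation of duties: no self-approval
            raise PermissionError("requester cannot approve their own request")
        req.approved_by, req.granted_at = approver, now
        self.audit.append(("approved", req_id, approver, req.resource, req.justification, now))

    def is_authorized(self, user, resource, now=None) -> bool:
        """The check the application runs on every access; nothing is cached or inherited."""
        now = now or datetime.now(timezone.utc)
        return any(r.requester == user and r.resource == resource and r.live(now)
                   for r in self.requests.values())

    def revoke_all(self, user, reason, now=None) -> int:
        """Hook for a UEBA alert: cut every live grant the user holds and record why."""
        now = now or datetime.now(timezone.utc)
        hit = [r for r in self.requests.values() if r.requester == user and r.live(now)]
        for r in hit:
            r.revoked = True
            self.audit.append(("revoked", r.id, user, r.resource, reason, now))
        return len(hit)


def demo() -> dict:
    """Walk one request through its life and return the observable outcomes."""
    t0 = datetime(2020, 9, 23, 10, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker(approvers={"lead", "alice"})   # alice is an approver, but not of her own requests
    scope = "merchant:m101/orders"
    rid = broker.request("alice", scope, "hypothetical ticket 4821: refund dispute", now=t0)
    try:
        broker.approve(rid, "alice", now=t0)
        self_approved = True
    except PermissionError:
        self_approved = False
    denied_before = not broker.is_authorized("alice", scope, now=t0)
    broker.approve(rid, "lead", now=t0)
    return {
        "self_approval_blocked": not self_approved,
        "denied_before_approval": denied_before,
        "allowed_in_window": broker.is_authorized("alice", scope, now=t0 + timedelta(minutes=29)),
        "denied_after_expiry": not broker.is_authorized("alice", scope, now=t0 + timedelta(minutes=31)),
        "no_scope_creep": not broker.is_authorized("alice", "merchant:m102/orders", now=t0),
        "revoked_on_alert": broker.revoke_all("alice", "ueba: merchant fan-out", now=t0 + timedelta(minutes=5)) == 1
                            and not broker.is_authorized("alice", scope, now=t0 + timedelta(minutes=6)),
        "audit_trail": [e[0] for e in broker.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the weight here. The authorization check is evaluated against the grant on every call, so expiry and revocation take effect immediately rather than at the next login, and the broker refuses a longer window than `max_ttl` no matter what was requested. The audit list records the approver and justification alongside the grant, which is the context an investigator needs when a behavioral alert later asks why this user could reach that merchant's orders at all.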

Bryan Skene, CTO at Tempered, adds, "While workforces remain in remote conditions for the foreseeable future, many organizations have rightfully chosen to adopt a zero-trust policy to counter insider threats like the ones seen at Shopify."

According to Skene, "Zero trust protects against these situations because everything (user, server, or networked thing) is required to establish trust first in order to communicate, even within the network perimeter. We recommend utilizing a software-defined perimeter (SDP) that extends invisibility to cloud, multi-cloud, virtual, physical, and edge environments. This provides global connectivity and mobility for entire workforces using one comprehensible policy, wherever they are, for whatever they need to reach securely. Best of all, this can be deployed without ripping and replacing (or even modifying in most cases) existing infrastructure," he says. "State-of-the art solutions are available today that utilize this type of SDP to isolate the network into trusted microsegments and can be deployed as overlays on top of any IP network. This creates a modern, zero-trust approach to network security that minimizes the common flaws we see in legacy products and prevents insider and external threats.”
