According to a report from ZDNet, security firm McAfee has sued three of its former sales employees for allegedly stealing company trade secrets and taking them to a competitor, Tanium. The allegations show that the security industry is not immune to insider threats, and that catching such incidents before the data has left the building requires tooling built for that purpose.
In the case files, McAfee claimed that the sales employees engaged in a pattern of accessing confidential information both before and after they gave notice. The employees allegedly sent this confidential information, including proprietary sales information and marketing strategies, to personal email addresses, Google Drive accounts and USB drives. Despite spending months on the investigation, McAfee was unable to identify exactly which files were taken.
Here’s our take on why insider threat incidents like this one happen and how to investigate them quickly and effectively.
What Causes Insider Threat Incidents Like McAfee’s?
The motivations of a malicious insider vary: financial gain, revenge, ideology, or loyalty to a new employer. In McAfee's alleged incident, the employees in question may have been motivated to gain a competitive edge for the firm they were joining. Cybersecurity is a highly competitive and lucrative industry, so both individuals and firms have significant incentives to exfiltrate and share sensitive data.
An insider threat can be anyone who works with sensitive data. The former McAfee employees were in sales support and would hardly have been classed as privileged users, yet they regularly handled critical deals and sensitive, private information. Organisations must recognise that their "secret sauce" includes their sales, pricing and marketing strategies, not just their manufacturing designs and software code. McAfee treated the allegedly stolen information as part of its intellectual property.
How to Effectively Detect and Investigate Insider Threats
Organisations often assume that legacy tools are enough to defend against insider threats. In McAfee's case, the company may have lacked the ability to detect malicious user activity in real time. McAfee is known for its DLP products, yet it reportedly recognised the alleged exfiltration only months after investigating the successive departure of high-profile sales employees.
Unfortunately, most existing security tools focus on external threats, malware and the network perimeter, and fail to detect the quiet insider activity that happens inside an organisation's four walls. By contrast, dedicated insider threat management solutions like Proofpoint ITM look inward: they correlate user activity (logins, application use, device connections) with data activity (file reads, copies, uploads, email attachments) so that potential incidents can be detected in real time and investigated quickly.
For example, instead of spending months on forensic analysis to establish basic facts (and still not knowing which files were actually taken), that correlated context would have given McAfee's team the whole story: who took the files, which ones, when, from where, and through which channel. A security analyst could spend a few hours rather than a few months gathering strong evidence in a solution like Proofpoint ITM, and export that evidence as an easy-to-understand visual timeline for HR, legal and other stakeholders.
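To make the "who, which files, when, from where, through which channel" idea concrete, here is an added example that is not part of the original post and is not Proofpoint's or McAfee's code. It correlates constructed file-activity events with the exfiltration channels named above (personal email, personal cloud storage, USB) and splits a user's activity at their notice date, the pattern the case files describe. The pipe-delimited log format, the sample events, the user names, the notice date and the lists of personal email domains and cloud hosts are all assumptions made for the example.

```python
"""Reconstruct an insider exfiltration timeline from user and data activity events.

Constructed example: the log lines, users, hosts, paths and notice date below are
invented for illustration. The pipe-delimited layout (ts|user|host|action|path|dest)
is an assumption standing in for whatever an ITM/EDR tool actually exports.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Egress channels outside corporate control. The specific domains are an assumption.
PERSONAL_EMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
PERSONAL_CLOUD_HOSTS = {"drive.google.com", "dropbox.com"}

# Paths the organisation considers trade secrets; sales and marketing, not just code.
SENSITIVE_PREFIXES = ("/sales/", "/marketing/")

# Constructed sample events. "alice" gives notice on 2019-01-15 and keeps exfiltrating
# afterwards; "bob" never gives notice; one email goes to a corporate mailbox and
# must not be flagged.
SAMPLE_LOG = """
# ts|user|host|action|path|dest
2019-01-10T09:12:00|alice|LAPTOP-01|read|/sales/pipeline-q1.xlsx|
2019-01-11T17:45:00|alice|LAPTOP-01|email|/sales/pipeline-q1.xlsx|alice.smith@gmail.com
2019-01-14T08:30:00|alice|LAPTOP-01|copy|/sales/pricing-2019.pdf|usb:SANDISK-4A1F
2019-01-16T12:00:00|alice|LAPTOP-01|upload|/marketing/competitive-playbook.pptx|drive.google.com
2019-01-16T12:05:00|alice|LAPTOP-01|email|/sales/pipeline-q1.xlsx|manager@corp.example
2019-01-12T10:00:00|bob|LAPTOP-07|read|/sales/pipeline-q1.xlsx|
2019-01-12T10:30:00|bob|LAPTOP-07|upload|/sales/pipeline-q1.xlsx|dropbox.com
2019-01-12T11:00:00|bob|LAPTOP-07|upload|/engineering/roadmap.docx|drive.google.com
"""

NOTICE_DATES: Dict[str, date] = {"alice": date(2019, 1, 15)}  # constructed


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str  # "read", "copy", "email" or "upload"
    path: str    # file touched
    dest: str    # USB volume, recipient address or upload host; "" for plain reads


@dataclass
class UserSummary:
    files: Set[str] = field(default_factory=set)
    channels: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    before_notice: int = 0
    after_notice: int = 0


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, action, path, dest = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, host, action, path, dest))
    return sorted(events, key=lambda e: e.ts)


def egress_channel(ev: Event) -> str:
    """Classify an event as an uncontrolled egress channel, or "" if it is not one."""
    if ev.action == "copy" and ev.dest.startswith("usb:"):
        return "usb"
    if ev.action == "email" and ev.dest.rsplit("@", 1)[-1].lower() in PERSONAL_EMAIL_DOMAINS:
        return "personal_email"
    if ev.action == "upload" and ev.dest.lower() in PERSONAL_CLOUD_HOSTS:
        return "personal_cloud"
    return ""


def exfiltration_report(events: List[Event],
                        notice_dates: Dict[str, date]) -> Dict[str, UserSummary]:
    """Per user: sensitive files that left via an uncontrolled channel, the channels and
    hosts used, and how many of those events fell before vs. on/after the notice date.
    Users with no notice date on file are still employed, so everything counts as before."""
    report: Dict[str, UserSummary] = {}
    for ev in events:
        if not ev.path.startswith(SENSITIVE_PREFIXES):
            continue
        channel = egress_channel(ev)
        if not channel:
            continue
        summary = report.setdefault(ev.user, UserSummary())
        summary.files.add(ev.path)
        summary.channels.add(channel)
        summary.hosts.add(ev.host)
        notice: Optional[date] = notice_dates.get(ev.user)
        if notice is not None and ev.ts.date() >= notice:
            summary.after_notice += 1
        else:
            summary.before_notice += 1
    return report


def build_report() -> Dict[str, UserSummary]:
    """Run the correlation over the constructed sample log."""
    return exfiltration_report(parse_log(SAMPLE_LOG), NOTICE_DATES)


if __name__ == "__main__":
    for user, s in build_report().items():
        print(f"{user}: {len(s.files)} file(s) via {sorted(s.channels)} from {sorted(s.hosts)}; "
              f"{s.before_notice} event(s) before notice, {s.after_notice} after")
```

The point of the split at the notice date is that it turns a pile of file events into the fact an investigator actually needs to show HR and legal: this person kept moving sales material to personal storage after resigning. In a real deployment the same logic would run continuously over the tool's own event feed rather than over a pasted log, and the corporate-recipient case (the email to manager@corp.example, which the classifier ignores) is exactly the kind of noise a pure DLP rule on "attachment contains pricing" would alert on instead.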
Insider threat incidents don't have to take your organisation by surprise. What has your team done to detect the warning signs and investigate insider threats?