Tag Archives: Fidelis Security

Protecting your blackberry

Dealing with DLP and privacy

Dealing with DLP and privacy

It’s a long hot summer here in the Middle East and with 2/3 of  the office out on vacation, you have some time to reflect on data security. Or on the humidity.  Or on a cold beer.

Maybe you are working on building a business case for DLP technology like Websense or Symantec or Verdasys, or Mcafee or Fidelis in your organization.  Or maybe you  already purchased DLP technology and you’re embroiled in turf wars that have put your DLP implementation at a standstill as one of your colleagues is claiming that there are employee privacy issues with DLP and you’re trying to figure out how to get the project back on track after people get back from their work and play vacations in Estonia and brushing up on their hacking skills.

Unlike firewall/IPS, DLP is content-centric. It is technology that drives straight to the core of business asset protection and business process.  This frequently generates opposition from people who own business assets and manage business process. They may have legitimate concerns regarding the cost-effectiveness of DLP as a data security countermeasure.

But – people who oppose DLP on grounds of potential employee privacy violations might be selling sturm and drang to further a political agenda.   If you’re not sure about this – ask them what they’ve done recently to prevent cyber-stalking and sexual harassment in the workplace. 

For sure, there are countries such as France and Germany where any network or endpoint monitoring that touches employees is verboten or interdit as the case may be; but if you are in Israel, the US or the UK, you will want to read on.

What is DLP and what are the privacy concerns?

DLP (data loss prevention) is a solution for monitoring/preventing sensitive outbound content not activity at an endpoint. This is the primary mission. DLP is often a misnomer, as DLP is more often than not, DLD – data loss detection but whatever…Network DLP solutions intercept content from the network and endpoint DLP agents intercept content by hooking into Windows operating system events.  Most of the DLP vendors offer an integrated network DLP and endpoint DLP solution in order to control removable devices in addition to content leaving network egress points. A central command console analyzes the intercepted content and generates security events, visualizes them and stores forensics as part of generating actionable intelligence. Data that is not part of the DLP forensics package is discarded.

In other words, DLP is not about reading your employees email on their PC.  It’s about keeping the good stuff inside the company.    If you want to mount surveillance on your users, you have plenty of other (far cheaper) options like browser history capturer or key loggers. Your mileage will vary and this blog does not provide legal guidance but technically – it’s not a problem.

DLP rules and policies are content-centric not user-centric.

A DLP implementation will involve writing custom content signatures (for example to detect top-secret projects by keyword, IP or source code) or selecting canned content signatures from a library (for example credit cards). 

The signatures are then combined into a policy which maps to the company’s data governance policy – for example “Protect top-secret documents from leaking to the competition”. 

One often combines server endpoints and Web services to make a more specific policy like “Alert if top-secret documents from Sharepoint servers are not sent via encrypted channels to authorized server destinations“. 

In 13 DLP installations in 3 countries, I never saw a policy that targeted a specific user endpoint. The reason for this is that it is far easier using DLP content detection to pickup endpoint violations then to white list and black list endpoints which in a large organization with lots of wireless and mobile devices is an exercise in futility.  

We often hear privacy concerns from people who come from the traditional firewall/IPS world but the firewall/IPS paradigm breaks when you have a lot of rules and endpoint IP addresses and that is why none of the firewall vendors like Checkpoint ever succeeded in selling the internal firewall concept. 

Since DLP is part of the company data governance enforcement, it is commonly used as a tool to reinforce policy such as not posting company assets to Facebook. 

It is important to emphasize again, that DLP is an alert generation and management technology not a general purpose network traffic recording tool – which you can do for free using a Netoptics tap and  Wireshark.

 Any content interception technology can be abused when in the wrong hands or in the right hands and wrong mission.  Witness NSA. 

Making your data governance policy work for your employees

Many companies, (Israeli companies in particular) don’t have a data governance policy but if they do, it should cover the entire space of protecting employees in the workplace from cyber-threats.

An example of using DLP to protect employees are the threat scenarios of cyber-stalking, sexual harassment or drug trafficking in the workplace where DLP can be used to quickly (as in real-time) create very specific content rules and then refined to include specific endpoints to catch forensics and offenders in real-time. Just like inCSI New York New York.

In summary:

There are 3 key use cases for DLP in the context of privacy:

  1. Privacy compliance (for example PCI, HIPAA, US State and EU privacy laws) can be a trigger for installing DLP. This requires appropriate content rules that key to identifying PHI or PII.
  2. Enforcement of your corporate  data governance and compliance policies where privacy is an ancillary concern.   This requires appropriate content rules for IP, suppliers and sensitive projects. So long as you do not target endpoints in your DLP rules, you will be generating security events and collecting forensics that do not infringe on employee privacy.   In some countries like France and Germany this may still be an issue.  Ask your lawyer.
  3. Employee workplace protection – DLP can be an outstanding tool for mitigating and investigating cyber threats in the workplace and at the very least a great tool for security awareness and education. Ask your lawyer.

If you liked this or better yet hated it,  contact  me.  I am a professional security analyst specializing in HIPAA compliance and medical device security and I’m based in Israel and always looking for interesting and challenging projects.

Idea for the post prompted by Ariel Evans.

Tell your friends and colleagues about us. Thanks!
Share this

Wikileaks and data theft

A colleague of mine, Bill Munroe, is VP Marketing at Verdasys, the first of the agent DLP vendors and the most established of  the independent pure play DLP technology companies. (No. I do not have a business relationship with Verdasys).  Bill has written a paper entitled “Protecting against Wikileaks events and the trusted insider threat” . The paper brings a number of important insights regarding the massive data breach of State Department cables and why Wikileaks is different.

Wikileaks gives a leaker immediate visibility to her/his message. Once Wikileaks publishes the data, it’s  highly visible due to the tremendous conventional media interest in Wikileaks.  I doubt that PFC Manning, if he had a blog somewhere in the long tail of the Internet, would have made such an immediate impact.

Unlike Wikileaks, data theft of intellectual property or credit card data is motivated by the economic gain. In the case of Wikileaks, the motivation is social or political.  With cheap removable storage devices, smart phones, tables, dropbox and wireless network connectivity “employees with personal agendas will be more likely to jeopardize their careers in order to make a passionate statement“.

Network  DLP is a poor security countermeasure against the Wikileaks class of data breach. Network DLP can network-intercept but not analyze obfuscated data (encryption, embedded screenshots, steganography) and is blind to removable media and smart phones. The best technical countermeasure against a leak must be at the point of data use. First described in a 1983 DOD study called “The Trusted Computer System Evaluation Criteria” (TCSEC)  a user end point needs to be “instrumented” in order to identify and intercept content and mitigate threats before they can occur. This requires identification of the trusted user, appropriate content interception and analysis and the ability to tie the results into actionable forensics. Detecting data loss at the end point, is notably Verdasys’s key strength.

However – there are a few  points in the article that need to be addressed:

Insider theft of sensitive data is not new. WikiLeaks is just the latest outlet for the disaffected individual to be amplified in our interconnected world… WikiLeaks is merely the latest enabler of the populist-driven “Robin Hood” syndrome.

I don’t subscribe to the notion that data theft has always been an issue.   20 years ago, we had industrial espionage of trade secrets or national espionage of defense secrets – not the widespread data leaks we see today.  Conditions in 2011 are different then they were in the 80s when my father worked at TRW Defense and Space Systems in Redondo Beach.  Data breaches are driven by motive, means and opportunity – motive: under 30 something people have a sense of entitlement – they have a Blackberry, a nice car, a nice girlfriend, good standard of living, a 250K college education and a sense that they can do whatever they want without paying the price..  means – mobile and removable devices, Web services… opportunity – a leaker is in positions of access. Given the right stimulus (hating Obama,  despising Hilary, liking a bribe from Der Spiegel) they will get to the data, leave their ethics at the door and do the deed. Calling the phenomena “Robin Hood” is too gracious.

Trade secret and IP theft is projected to double again by 2017 with 2008 losses reaching one trillion dollars!

The $1 Trillion number for the financial losses due to IP theft  was mentioned in a McAfee press release (they took  the item off their web site…) and later quoted by President Obama’s in his talk on “aggressively protecting intellectual property”.

Since the 1 trillion number is  the cornerstone of both vendor and political argumentation for protecting IP, the number bears closer scrutiny. We will see that the $1 trillion number is no more than a love for round numbers, not unlike Gordon Browns love for round numbers “Bring 1,000 troops home for Christmas”.

Referring to Bessen and Maurer “Patent  Failure” and other research articles, the empirical data shows a different picture. Global patents held by US firms as of 1999 was $122BN in 1992 dollars.  Even if that number tripled in 20 years that means that the total IP value is 360BN so it’s impossible that 1 Trillion was “lost”.  I will discuss what loss of IP actually means in a moment.

Examining firm level data, we see that worldwide value of patent stocks is only about 1% of market value.   Note that the majority of this value is owned by a small number of large pharmaceutical companies.   Then, we have to net out litigation and IP legal costs from the net patent rents (the above-normal returns) that a company earns from it’s IP.

And to provide a sanity check on how disproportionate the 1 Trillion dollar IP loss number really is, consider that at  GSK (and their numbers are consistent with the other big innovative pharmas) – cost of sales is 26% of expenses, marketing – 31% and R&D 15%.  Now we know 2 things: (a) that the big pharmas account for most of the IP and (b) most of their money is in sales and marketing. If 10 big pharmas with a total of 100BN operating profit had lost a Trillion dollars, they would all be bankrupt by now,  but they are all alive and kicking and selling us everything from Viagra to Remicade.

What does the loss of intellectual property actually mean?  After all, it’s not like losing cash.

In a threat analysis I did for a NASDAQ traded firm with significant IP – I determined together with the CFO and the board that their exposure to IP leakage was about 1% of their market cap – they understood that you cannot “lose” IP – but when it’s leaked it goes to a competitor who may gain a time to market advantage – and that advantage is only temporary.   At another public firm where I did a threat analysis using the same methodology, the CEO and board determined that the exposure to IP theft was negligible since the competitors needed 12-18 months to implement stolen IP and since the firm was operating on a 12 month product release cycle, they were ahead of the competition who were using stolen IP.  In other words – it’s better to innovate than to steal and try to re-implement.  This is particularly true in the software industry where the cost of implementation is far higher than the time and cost to develop the algorithm.

Reading Bill’s article, one would naturally ask, given the magnitude of the problem and the effectiveness of Verdasys technology, why doesn’t every company in the world deploy end point DLP like they deploy a firewall.  I think that the answer lies in the actual magnitude of the financial impact of data leakage.   The State department cables Wikileaks disclosure may or may not have been orchestrated by the Obama administration itself – but arguably, no economic damage and no tangible damage was incurred to the US political image or image of it’s allies.  If  real damage had been done to the US, then Hilary would be keeping Jonathan Pollard company.

I think that Verdasys and other DLP vendors miss one of the key strengths of data loss detection/prevention technology: real time feedback to an organizations users, and the deterrent value.   As Andy Grove once wrote – “a little fear in the workplace is not necessarily a bad thing“.

With increasing consumerization of IT, entitled employees will have even more means at their disposal and even more blurring of business boundaries by sexy personal devices.

What is a company to do?  That leaves us with good management and a corporate culture with employee values of competitiveness that drives value that drives rewards both intangible and tangible for the employee.  If it’s just about the money – then an iPhone is worth a lot more than a $500 bonus but engendering a sense of being involved and influencing the business at all levels – even if it’s just a kind word once a day – will be worth 100 fold that number and go a long way towards mitigating the vulnerability of employee entitlement.

I’d like to conclude with a call to the marketeers at McAfee, Symantec, IBM, Oracle, Websense, Fidelis, Checkpoint and Verdasys. Let’s shift the DLP marketing focus from large federal customers and banks and explain to small to medium sized enterprises how DLP technologies can protect the value of their implementation techniques and intellectual property.

For a 10 man vaccine startup the secret is in the recipe, not in the patents.  For a SME with IP – it’s not the IP licensing value, it’s difference between life and death.  And death trumps money any day of the week.

You can download the paper “Protecting Against WikiLeaks Events and the Insider Threat” on the Verdasys Web site.

Tell your friends and colleagues about us. Thanks!
Share this

Securing Web services in the cloud

Almost every SaaS (software as a service) is based on REST or XML Web services.  In this post, I’d like to provide a brief introduction to some typical threats and security countermeasures to protect Web services;

Malicious Attack on the message

The beauty of  HTTP Web Services is that traffic flows through port 80 and port 443 and it uses a human-readable format (XML or JSON). This is also the key vulnerability.  A typical IT / system administration approach that relies on protecting Web service providers with a firewall/IPS setup is not very effective.  We will explain why.

Firewalls do a good job of port monitoring and recognizing brute force malicious attack but are not good at being able to view the content of messages in order to detect and prevent more sophisticated security compromises. While most firewalls can recognize SOAP as well-formed HTTP traffic they cannot inspect the actual content of the SOAP message or JSON data. Web Services interfaces are much more complex than Web site interfaces which exchange HTML pages and forms. Web service interfaces are like software API’s and expose database functionality. In addition, an attacker has more information available to them. The message is often self-describing and clearly shows the data elements.

A Web service provider is a juicy, self-describing target.

Replay Attack
Similar to Denial of Service, replay attacks involve copying valid messages and repeatedly sending them to a service. Similar techniques for detecting and handling Denial of Service can be applied towards replay attacks. In some ways, replay attacks are easier to detect with Web Services because payload information is more readily available. With the right tools, patterns can be detected more easily even if the same or similar payload is being sent across multiple mediums like HTTP, HTTPS, SMTP, etc.

Buffer Overflow
An attacker can send a parameter that is longer than the program can handle, causing the service to crash or for the system to execute undesired code supplied by the attacker. A typical method of attack is to send an overly long request, for instance, a password with many more characters than expected. Similar to buffer overflow attacks; hackers often send malformed content to produce a similar effect. Sending in strings such as quotes, open parentheses and wildcards can often confuse a Web Service interface.

Dictionary Attack
Dictionary attacks are common where a hacker may either manually or programmatically guess passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.

Intrusion Detection of attacks by malicious outsiders
Proactively securing all of the possible misuses of Web Services is almost impossible. Security policies and strict access control management should help reduce the occurrence of intrusion. An IPS will detect anomalous attack behavior and if monitored may help the security team mitigate the threat.

Extrusion detection of attacks by trusted insiders
Attackers are usually thought to be outside of the organization. However, most security breaches occur from within the organization. With Web Services, more functionality is available to a more people. Access to confidential information or embezzlement of funds is just some of the possible internal security breaches that can be performed by employees or former employees. Because employees are the most familiar with internal systems, detection can be made extremely difficult. Unintentional compromises are also possible. If an interface is unsecured, an employee may accidentally access information that they are not intended to view. Since Firewalls are insufficient for data breach, we would require use of a DLP –  Data loss  prevention system such as Fidelis XPS or WebSense DLP.

Threat containment
Once a security breach is detected, being able to shut down systems and reject traffic from specific sources are important for handling a compromise.  A DLP system provides real-time detection, forensics recording and  the ability to drop traffic from specific IP source addresses in order to properly mitigate the threat.

Tell your friends and colleagues about us. Thanks!
Share this

Government Agencies Need to Comply with White House Directive to Keep WikiLeaks Documents Off of Their Networks

Yes – there is apparently a White House directive to keep Wikileaks documents off Federal networks – according to a directive from the White House Office of Management & Budget on the treatment of classified documents.

WASHINGTON, Nov 29 (Reuters) – The United States said on Monday that it deeply regretted the release of any classified information and would tighten security to prevent leaks such as WikiLeaks’ disclosure of a trove of State Department cables.

More than 250,000 cables were obtained by the whistle-blower website and given to the New York Times and other media groups, which published stories on Sunday exposing the inner workings of U.S. diplomacy, including candid and embarrassing assessments of world leaders.

The U.S. Justice Department said it was conducting a criminal investigation of the leak of classified documents and the White House, State Department and Pentagon all said they were taking steps to prevent such disclosures in future.

While Secretary of State Hillary Clinton said she would not comment directly on the cables or their substance, she said the United States would take aggressive steps to hold responsible those who “stole” them.

In the directive, federal agencies were informed that employees and federal contractors must avoid viewing and/or downloading classified documents that have been leaked via WikiLeaks disclosures. As the information on WikiLeaks is still classified, even if it’s in the public domain, a federal government employee electronically viewing the information from or downloading the information to devices connected to unclassified networks “risks that material still classified will be placed on non-classified systems”

NOTICE TO EMPLOYEES AND CONTRACTORS CONCERNING SAFEGUARDING OF CLASSIFIED INFORMATION AND USE OF GOVERNMENT INFORMATION TECHNOLOGY SYSTEMS”, Office of Management and Budget, December 3, 2010.

Data security vendor Fidelis Security Systems has announced that they will provide policies in their Network DLP product. Fidelis XPS to help ensure that employees cannot view or download classified documents.

Fidelis XPS is extremely powerful network DLP technology for high speed (in excess of 2.5GB) content interception and analysis in real time of data entering or leaving a network.   With all due respect to the power of Fidelis network DLP, the White House Directive is nonsense.  It’s more security theater, not security countermeasures, designed to show that the administration is “doing something”.

The directive is nonsense for a number of reasons:

a) Requiring employees and federal contractors to avoid viewing and/or downloading classified documents that have been leaked via WikiLeaks disclosures is like saying – “well, you will have to disconnect yourself from the Internet, from Facebook, From Gmail and your smart phone”.   It’s not a practical strategy, since it’s impossible to enforce.

b) The network vector is almost certainly not how the information was leaked.  First of all, this means that network DLP solutions are not an appropriate countermeasure against Wikileaks. Releasing custom network DLP policies for Wikileaks is a crude sort of  link-baiting; misdirected, since Federal decision makers don’t evaluate data security technology  using social media like Facebook.

The Wikileaks documents are provided by trusted insiders that have motive (dislike Obama or Clinton), means (physical, electronic or social access) and opportunity (no one is watching).   There is little utility (besides appearing to be doing something) to install network DLP technology to prevent employees from viewing or downloading.

c) And finally it’s nonsense because the OMB directive talks about viewing and downloading documents and not about leaking.

If the White House is serious about preventing more leaks they should start by firing Secretary Clinton.

Then again – perhaps the wikileaks documents were all leaked under tacit direction from the White House.  Since President Obama has a pattern of sticking it to US friends (Israel, Czech Republic, Poland) whatever embarrassment it might cause friendly allies is more than worth the price of issuing a worthless OMB directive.

Tell your friends and colleagues about us. Thanks!
Share this

WikiLeaks Breach – trusted insiders not hackers

With a delay of almost 10 years – SCIAM has published an article on the insider threat – WikiLeaks Breach Highlights Insider Security

As one of the pioneers in the DLP space (data loss prevention) and an active data security consultant in the field since 2003 – I am not surprised when civilians like the authors of the article and the current US administration claim discovery of America, once they discover that the emperor is naked.  Of course there is an insider threat and of course it is immune to anti-virus and firewalls and of course the US Federal government is way behind the curve on data security – installing host based security which was state of the art 7 years ago.

My Dad, who worked in the US and Israeli Defense industry for over 50 years is a PhD in systems science. He asked me how it happened that Wikileaks was able to hack into the US State Department cables.  I explained that this was not an external attack but a trusted insider leaking information because of a bribe or anger at Obama or Clinton or a combination of the 4 factors. My Dad just couldn’t get it.   I said look – you know that there is a sense of entitlement with people who are 20-30 something, that permits them to cross almost any line.  My Dad couldn’t get that either and I doubt that the US Federal bureaucrats are in a better place of understanding the problem.

Data leakage by trusted insiders is a complex phenomenon and without doubt, soft data security countermeasures like accepted usage policies have their place alongside hard core content interception technologies like Data loss prevention.  As Andy Grove once said – “a little fear in the workplace is not a bad thing”. The  set of data security countermeasures adopted and implemented must be a good fit to the organization culture, operation and network topology.

BUT, most of all – and this is of supreme importance – it is crucial for the head of the management pyramid to be personally committed by example and leadership to data protection.

The second key success factor is measuring the damage in financial terms. It can be argued that the Wikileaks disclosures via a trusted insider did little substantive damage to the US government and it’s allies and opponents alike. If anything – there is ample evidence that the disclosure has helped to clear the air of some of the urban legends surrounding US foreign policy – like the Israelis and the Palestinians being key to Middle East peace when in fact it is clear beyond doubt that the Iranians and Saudi financing are the key threats that need to be mitigated, not a handful of Israelis building homes in Judea and Samaria.

As an afternote to my comments on the SCIAM article, consider that after the discovery of America, almost 300 years went by before Jefferson and the founding fathers wrote the Declaration of Independence.   I would therefore expect that in the compressed 10:1 time of Internet years, it will be 30 years before organizations like the US government get their hands around the trusted insider threat.

Tell your friends and colleagues about us. Thanks!
Share this

What is security?

So what is security anyhow?

Security is not about awareness.

A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.

I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money.  I prefer a  CEO that says “here are my 4 rules” and tells his staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk.  Making common sense security part of the performance review is more effective than posters and HR training.

Security from this perspective, is indeed an exercise in leadership. Unfortunately, in  many organizations, the management board sees themselves as exempt from the information security rules that they demand from their middle managers and employees. It might be a general manager bringing his new  notebook into the office, jacking into the corporate LAN and then attaching a wireless USB dongle effectively bridging the corporate network to the Internet with a capital I, not understanding and not really caring about the vulnerability he just created.

Security is not an enterprise GRC system

If you take a look at the big enterprise GRC systems from companies like Oracle – you see an emphasis placed on MANAGING THE GRC PROCESSES – document management and signature loops for ISO certification, SOX audits etc. I suppose this makes the auditors and CRO and Oracle salesperson happy but it has nothing to do with making secure software. In my world – most hackers attack  software, not audit compliance processes and GRC documentation. In other words – managing  GRC processes is a non-value add for security.

Security doesn’t improves your bottom line
Have you ever asked yourself why security is so hard to sell?

There are two reasons.

1) Security is  complex stuff and it’s hard to sell stuff people dont understand.

2). Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behavior  (formalized in prospect theory – developed by Daniel Kahneman and Amos Tversky in 1979), that people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.

In other words – a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand. Managers are not stupid – they know what needs to be done to make more money or survive in a downturn. If it’s making payroll or getting a machine that makes widgets faster for less money – you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

Since almost no companies actually maintain security metrics and cost of their assets and security portfolio in order to track Value at Risk versus security portfolio over time – a  hypothesis of return on security investment cannot be proven. Indeed – the converse is true – judging by the behavior of most companies – they do not believe that security saves them money

So what is security?

It’s like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature,  not a vehicle function that improves miles per gallon. It’s clear that a driver who has a lighter foot on the brakes will get better mileage, and continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you better return on security investment.

Challenge your assumptions about what makes for effective security in your organization.  Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?

Tell your friends and colleagues about us. Thanks!
Share this

Why the Europeans are not buying DLP

It’s one of those things that European-based information security consultants must  ask themselves at times – why isn’t my phone ringing off the hook for DLP solutions if the European Data protection directives are so clear on the requirement to protect privacy?

The central guideline is the EU Data Protection Directive – and reading the law, we begin to get an answer to our dilemma.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Is your DLP project a failure?

Are we in the same valley of death that held  content management applications in the 90s?  Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

Tell me what you think in this Linked In poll – DLP success or failure

Tell your friends and colleagues about us. Thanks!
Share this

Learning about change and changing your security

Reading through the trade press, DLP vendor marketing collateral and various forums on information security,  the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable – since it depends on your organization, the size of the business and type of operation.   However –

This is certainly true at a national security level where trusted insiders that committed espionage have caused considerable damage.  MITRE Corporation – Detecting Insider Threat Behavior

There are three core and interrelated problem in modern data security:

  1. Systems are focussed on rule-breaking (IDS, DLP, firewalls, procedures) – yet malicious insider can engage in data theft and espionage without breaking one of the IDS/IPS/DLP rules.
  2. The rules are static (standards such as ISO 27001 or PCI DSS 1.x) or slow-moving at best (yearly IT Governance audit)
  3. Ignore collusion between insiders and malicious outsiders whether for espionage purposes (a handler who manipulates an employee) or for criminal purposes (stealing customer data for resale).

You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) that may exploit employees in order to obtain confidential data is just another vulnerability in a whole line of business vulnerabilities.  Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures.   The organization needs to think literally  outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls.  In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow.  It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with  enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.

Tell your friends and colleagues about us. Thanks!
Share this