Monday, May 24, 2010

A Wicked Web We Weave

How do you get in the middle of plans or actions of a knowledgeable employee who intends to inflict damage to your company? 
It’s very difficult to control the flow of information within today’s workplace. In any normal “business” day there could be foreign national interaction, USB key exchanges, work from home, contractors, all greatly increasing the opportunity for espionage and data theft. There is plenty of room for mischief, and the amount of harm done by a well-informed saboteur is non-trivial: it is an order of magnitude more damaging than a stranger.

Definition of an insider by CERT: a current or former employee, contractor, or business partner who
• Has or had authorized access to an organization’s network, system, or data and
• Intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

The trouble with an "insider" is that they have legitimate access. They are working within regulation, aware of policy and unlikely to break rules, so access control won't work, nor will "intrusion detection": there is no intrusion.
Most of the time an employee will be reported for unusual behavior by a co-worker or an audit. There are also personnel screening processes that have to be in place before hiring. Training and awareness help employees notice unusual activity.

That's old-school stuff, and it works and is crucial. In addition there are technical approaches that have gained a rightful place in the "must-have" list. Most companies should turn on network and application activity logging, file integrity checks and data loss monitoring. Stitching together the alerts generated by "big brother" helps spot things that are "out of the norm". For example, if a file changes, or an email is sent with a sensitive attachment, a user or behavior can be marked as "bad" and declared suitable for further surveillance.

Unfortunately there is still plenty of noise obstructing an accurate and clear reading of what is good, bad or ugly behavior. We hop on and off social networks, plug and unplug cables, head to work late, forget to submit expense reports, make travel arrangements out of policy, skip virus updates and get overly zealous downloading information. The list goes on. Human behavior can seem impossible to predict.

Statistics brings the magic of mathematics to make sense of data and tell us "what's up". It is a science that fills in blanks in our memory, keeps us honest about the present and paints a rough approximation of our future. There is good research literature on the topic of user behavior analysis. We are working to take tried and true algorithms such as root cause analysis, propensity analysis, link analysis and econometric forecasts, and then rigorously apply them to hard-to-solve cyber security problems.
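To make the two ideas above concrete (stitching file, email, USB and login alerts together per user, then letting a statistic rather than a gut feeling decide what is "out of the norm"), here is an added illustration written for this page; it is not code from the original post or from any product. The log format, the alert weights, the keyword test for a "sensitive" attachment, the off-hours window and the z-score threshold are all assumptions chosen for the example, and the log lines are constructed. The block scores each user-day by summing weighted alerts, then flags a day only when it is a leave-one-out z-score outlier against that same user's other days, so a user whose routine is noisy is judged against their own noise, and a user with a perfectly flat history does not get flagged for a single small blip (a sigma floor absorbs it).

```python
"""Correlate per-user activity alerts and flag statistically unusual days.

Added example for this post (not the author's code). Log format, weights,
keyword heuristics and thresholds are assumptions; the log is constructed.
"""
from statistics import mean, pstdev

# Weight per alert type (assumption: picked to illustrate relative severity).
WEIGHTS = {
    "file_change": 1.0,
    "sensitive_attachment": 3.0,
    "usb_insert": 2.0,
    "offhours_login": 1.5,
}

# Attachment names containing these markers count as sensitive (assumption).
SENSITIVE_MARKERS = ("confidential", "salary", "customer_list", "source")

# Constructed log: "<date> <user> <event> <detail>", one event per line.
SAMPLE_LOG = """\
2010-05-17 alice file_change /shared/q2_plan.docx
2010-05-17 alice email_attachment agenda.pdf
2010-05-18 alice file_change /shared/q2_plan.docx
2010-05-19 alice file_change /shared/notes.txt
2010-05-19 alice email_attachment minutes.pdf
2010-05-20 alice file_change /shared/q2_plan.docx
2010-05-21 alice usb_insert vendor-disk
2010-05-21 alice email_attachment customer_list_full.xlsx
2010-05-21 alice email_attachment source_tree.zip
2010-05-21 alice login 23:40
2010-05-17 bob file_change /shared/readme.txt
2010-05-18 bob file_change /shared/readme.txt
2010-05-19 bob usb_insert backup-key
2010-05-20 bob file_change /shared/readme.txt
2010-05-21 bob file_change /shared/readme.txt
"""


def classify(event, detail):
    """Map a raw log event to an alert type, or None if it is routine."""
    if event in ("file_change", "usb_insert"):
        return event
    if event == "email_attachment":
        # Only attachments whose name looks sensitive become an alert.
        name = detail.lower()
        return "sensitive_attachment" if any(m in name for m in SENSITIVE_MARKERS) else None
    if event == "login":
        # Off-hours window is 22:00 to 06:00 (assumption).
        hour = int(detail.split(":")[0])
        return "offhours_login" if hour >= 22 or hour < 6 else None
    return None


def daily_scores(log_text):
    """Return {user: {date: score}}, summing weighted alerts per user-day.

    Days with only routine events still appear (score 0.0) so that the
    baseline reflects quiet days too.
    """
    scores = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, user, event, detail = line.split(maxsplit=3)
        day_scores = scores.setdefault(user, {})
        day_scores.setdefault(date, 0.0)
        alert = classify(event, detail)
        if alert:
            day_scores[date] += WEIGHTS[alert]
    return scores


def flag_outliers(scores, z_threshold=2.0, min_days=4, sigma_floor=1.0):
    """Return [(user, date, score, z)] for user-days that are outliers.

    Each day is compared against the user's *other* days (leave-one-out), so
    the suspicious day does not inflate its own baseline. Users with fewer
    than min_days of history are skipped: a z-score over two points is
    meaningless. sigma_floor stops a perfectly flat history from turning a
    one-point blip into an infinite z-score.
    """
    flagged = []
    for user, days in scores.items():
        if len(days) < min_days:
            continue
        for date, score in days.items():
            baseline = [s for d, s in days.items() if d != date]
            mu = mean(baseline)
            sigma = max(pstdev(baseline), sigma_floor)
            z = (score - mu) / sigma
            if z >= z_threshold:
                flagged.append((user, date, score, round(z, 2)))
    return flagged


if __name__ == "__main__":
    for user, date, score, z in flag_outliers(daily_scores(SAMPLE_LOG)):
        print(f"{user} {date}: score={score} z={z} -> review")
```

In the constructed log, bob's one USB insertion on a quiet day scores 2.0 against a flat baseline of 1.0 and stays below the threshold, which is the noise-tolerance the post is asking for; alice's 2010-05-21 (USB, two sensitive attachments, a late-night login) scores 9.5 and is the only day flagged. Tuning the weights and threshold against your own historical logs is the real work; this block only shows the shape of it.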

If you are interested in assessing threats across transactions, individuals and groups that are unobservable to the naked human eye, please contact me. While tackling the problem of employee betrayal can be hard, we can turn to “big data” and analytics to help trip up the enemy within. 
