Source: Brian Contos, ArcSight
With the FSA warning of mafia gangs infiltrating British banks, Brian Contos, CISSP, chief security officer at ArcSight, looks at the remedies available for repelling the insidious insider threat.
Historically, IT security and information risk management have been largely focused on building a solid defence against external attacks, with executives concentrating on threats ‘beyond the firewall’ and protecting the company and its data from attacks by ‘unknowns’ outside the company.
However, we are now seeing a sharp rise in attacks from inside the organisation, and the Financial Services Authority (FSA) issued a warning recently that ‘mafia’ gangs are infiltrating British banks to steal confidential information and sidestep anti-fraud systems. The image of an employee accessing the corporate network and stealing confidential data using a plug-in type storage device is no longer simply a threat scenario – today it has become a well-documented reality.
Managing the risk associated with insider threats poses some very specific practical and philosophical challenges, precisely because the enemy is murky and the politics can often get nasty. Indeed, the realisation that the biggest threat to the company may actually come from your trusted employees and partner organisations can be a hard one for many employers to accept. In many cases employees working alongside a threatening insider are reluctant to blow the whistle when they uncover evidence of wrong-doing. Overcoming this requires rigorous training and the enforcement of strict policies and procedures.
The growing insider threat is already a significant issue in the US, where illegitimate Websites now auction stolen personal details to the highest bidder. In some cases this may be a social security number or address, in others it may be an entire “wallet” consisting of financial, health, identification and other bits of personal information. This year in the US, eight Bank of America employees were caught stealing over 700,000 customer records with the express purpose of profiting from the action.
Insider and external attacks carry the same risks: loss of confidential data and intellectual property; loss of personal integrity, including exposed personal or private information; damaged or destroyed critical information assets; severed communication; and costly downtime. Yet because the focus has been on protecting against perimeter threats, infiltration of the organisation from within has now become the attacker’s route of choice. For example, a case hit the headlines earlier this year when two people were jailed for stealing nearly £200,000 from actor and comedian Ricky Gervais, with the help of an insider. The insider was never caught.
Currently, around 75% of insider threat detection is manual. When dealing with employee access to hugely complex and wide-ranging global IT networks there can only be one consequence: the vast majority of attacks and thefts go undetected. For example, if a door entry keycard is used at a company site in Rio while the same user identity is used to access the IT system in New York, one of the events is likely to be suspicious. However, there is very little chance that this will be identified in a manual environment, where the most common analysis method is diving into disparate device logs looking for the needle in the stack of needles. Similarly, if an employee uses his own, or a colleague’s, password to download sensitive records onto his portable USB key-fob, without a strip search at the door this will again pass unnoticed.
Research out this week, commissioned by TSSI Systems, found that 35% of people surveyed would be quite happy to use someone else’s ID or pass card to access the office if they did not have theirs.
The most effective way to detect threats of this nature, and to reduce the potential risk to the institution, is to automate the process – just as it has been at the perimeter level.
These new automated Enterprise Security Management systems work in tandem with existing best practice processes to create a single, comprehensive view of the organisation’s IT risk, employing advanced correlation and pattern discovery techniques to match apparently unconnected events to identify a threat.
While managing the entire security portfolio, including event logging, monitoring, and alerting analysts to potential attacks is central to protecting against insider threats, it is this real-time correlation that holds the key to reducing and managing risk. Individual events may pose no obvious threat, yet by correlating them against one another, potentially innocuous network occurrences become highly malicious attacks, and vice-versa.
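The Rio/New York scenario above, worked through as an added example (not ArcSight’s code): two device logs in different formats are normalised to a common schema and then correlated so that a badge entry at one site and an IT logon by the same identity at another site within an hour produce an alert, even though neither event is suspicious on its own. The log formats, hostnames and users are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

class Event(NamedTuple):
    source: str   # "badge" (door entry) or "logon" (IT system)
    user: str
    site: str     # normalised site code such as "RIO" or "NYC"
    ts: datetime

# Constructed sample log lines, not real device output: a door-entry system and a
# file-server logon audit, each in its own format, as a manual review would see them.
BADGE_LOG = """\
2006-03-01 09:02:11 DOOR=RIO-LOBBY-1 CARD=jdoe RESULT=GRANTED
2006-03-01 08:55:03 DOOR=NYC-MAIN-2 CARD=asmith RESULT=GRANTED
2006-03-01 09:20:45 DOOR=RIO-LOBBY-1 CARD=bkhan RESULT=DENIED"""
LOGON_LOG = """\
2006-03-01T09:13:40 host=nyc-fs02 user=jdoe event=LOGON
2006-03-01T09:01:12 host=nyc-fs02 user=asmith event=LOGON
2006-03-01T17:40:00 host=rio-fs01 user=jdoe event=LOGON"""

# Site is derived from the device-name prefix; denied swipes are dropped because
# the card holder never entered the building.
BADGE_RE = re.compile(r"^(\S+ \S+) DOOR=([A-Z]+)-\S+ CARD=(\S+) RESULT=GRANTED$")
LOGON_RE = re.compile(r"^(\S+) host=([a-z]+)-\S+ user=(\S+) event=LOGON$")

def normalise(log: str, pattern, source: str, fmt: str) -> List[Event]:
    """Turn one device's log into Event records with a common schema."""
    events = []
    for line in log.splitlines():
        m = pattern.match(line)
        if m:
            events.append(Event(source, m.group(3), m.group(2).upper(),
                                datetime.strptime(m.group(1), fmt)))
    return events

def location_mismatches(badges: List[Event], logons: List[Event],
                        window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Pair a badge entry with a logon by the same identity at a different site
    within `window`. Each event is innocuous alone; the correlated pair is not."""
    return [(b.user, b.site, l.site) for b in badges for l in logons
            if b.user == l.user and b.site != l.site and abs(l.ts - b.ts) <= window]

def find_alerts() -> List[Tuple[str, str, str]]:
    badges = normalise(BADGE_LOG, BADGE_RE, "badge", "%Y-%m-%d %H:%M:%S")
    logons = normalise(LOGON_LOG, LOGON_RE, "logon", "%Y-%m-%dT%H:%M:%S")
    return location_mismatches(badges, logons)
```

Only jdoe’s Rio badge paired with the New York logon eleven minutes later is flagged; asmith badged and logged on at the same site, and jdoe’s evening Rio logon is both co-located and outside the window.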
Of course, overall threat awareness is much greater now than just 18 months ago, and many organisations have much more mature policies in place. Yet while the drive towards reducing corporate risk through IT security is vital, it is part of a larger jigsaw that includes compliance regulations, company policy and organisational procedure by major financial services organisations.
Security is indeed a business imperative and should be approached with the same passion as other critical business initiatives. The adoption of Enterprise Security Management tools and the corresponding security policies and procedures most certainly give institutions the upper hand.
Unfortunately, however, there is no silver bullet to put an end to the insider threat. Human nature being what it is, there will always be dissatisfied or mercenary employees looking to take advantage of security gaps, and criminals looking to exploit the human element. The key is to plug as many of these gaps as possible – often before they appear – and this is where ESM software, together with best practice policies, procedures, documentation and training, has a clear role to play.