By Dan Solomon, Director of Cyber Risk and Resilience Services, Optimal Risk Management, and Arye Glickman, CEO, Longsight
The mobility of the workforce has brought new demands for anytime, anywhere access to confidential information and enterprise systems. New technologies have led to a flurry of new devices and applications, enabling new capabilities and greater productivity for the enterprise, both in its own operations and in the management of its supply chain. As the pace of change in enterprises has accelerated, the challenge of guarding against the dangers to enterprise assets has grown even more rapidly, as the environment to be defended has become exponentially more complex.
According to the SafeNet 2014 Survey, 74% of IT decision-makers still believe that the security perimeter will protect them from all security threats. At the same time, the 2014 Mandiant study, Cybersecurity’s Maginot Line: A Real-World Assessment of the Defence-in-Depth Model, found that 97 percent of businesses have already been breached, whether they know it or not. The consensus in dozens of other studies is that the majority of recent attacks can be characterised as “internal”. These findings are quite ironic and speak directly to a level of delusion that is plaguing the IT security profession, and to the failings of long-established doctrine for defending a network. The irony is that despite these facts, organisations still invest significantly in perimeter enforcement, with little attention to the fact that today’s perimeter borders are almost impossible to define: the number of inbound and outbound engagement points of the enterprise is changing on an hourly basis.
Companies are striving to define and apply security measures that will best protect data, based on their specific business priorities. In doing so, IT staff need to anticipate the evolving nature of the threats and security needs, and are faced with a complex choice of solutions. Despite the investment of recent years, most organisations are still vulnerable because of the choices they have made. Although the investments clearly contribute to a higher level of protection and compliance, few firms can consider themselves to be secure. In most cases, they are augmenting capabilities to an established approach, or making adjustments to the focus or emphasis, in order to avoid common mistakes and known weaknesses, without adopting a more relevant or effective approach. Much of this is centered on defending ‘the network’. The high-profile victims of recent information breaches all invested in education and technology, yet they were all proven to be vulnerable.
In today’s business environment, with the well-established digitisation of the organisation, people and information are everywhere. As applications and storage move to the cloud and adoption of the Bring Your Own Device (BYOD) trend grows, the organisation’s confidential data is no longer used only within the organisation. This data must be kept secure anywhere, anytime, whether it is at rest, in motion or “in use”, and this requires a more data-centric security concept.
THE INSIDER VULNERABILITY
Securing “the environment” has proven unachievable and will remain as elusive as “world peace”. With a network-centric approach, organisations find themselves failing to adapt to new attacks that change on a daily basis, not least because engineered zero-day attacks are near-impossible to detect, and the threat from within the “perimeter”, from employees and third parties, has proven more potent than any other in negating the efficacy of network security measures. More often than not, managers are struggling to cope with detection, and organisations are found vulnerable to attacks that exploit legitimate credentials and access for unauthorised or malicious purposes, because most perimeter security measures are focused on external activity at points of entry to the network rather than on the actions and behaviour of internal parties. Attackers are acutely aware of this fact and invest considerable effort in obtaining the legitimate credentials that allow access to increasingly confidential and valuable data, while minimising the risk to themselves of being detected and identified. Irrespective of whether this is achieved with the knowing support of an employee or through the unwitting activity of an insider, most companies have a poor appreciation of the magnitude of the risk and of how to mitigate the threat.
The vulnerability is not new, and the established dialogue around the threat is uninspiring. Years of painful experience have proved that a never-ending monologue about awareness and education, policy, enforcement, and due diligence in recruitment has had little demonstrable effect. Few employees are “bad” when they are recruited, and it has taken time for companies to reluctantly recognise that it is management behaviour and the organisational environment that make employees “disgruntled”. Moreover, a growing body of anecdotal evidence of successful phishing attacks and naïve employee behaviour has shown that the problem of “insider threat” needs to be taken more seriously.
While it had been recognised that monitoring user behaviour was important, it was always perceived as a poorly defined task that managers did not want and were not trained to undertake effectively. While identifying the triggers and symptoms of a disgruntled employee should be important to a manager who is sensitive to his or her staff, there was no “method” for understanding user behaviour that could translate into effective security measures. The situation has changed over recent years as technology has enabled the development of new applications capable of identifying “normal” patterns of user access and behaviour towards company data, in a similar way that credit card companies identify anomalies in patterns of spending that may indicate fraud or abuse of the card by someone other than the legitimate owner or user.
For a company, this offers the opportunity of adopting a more user-centric approach to security and risk management, which enables monitoring and detection of abnormal behaviour and inappropriate access to data. More specifically, it adds a more effective dimension to the management of user privileges, and can even provide a predictive capability for internal threat detection by identifying anomalies that may be precursors to a breach event.
The adoption of greater mobility and collaboration tools has increased productivity, but it also brings new security challenges. How do you protect a piece of data once it leaves the person who created it? Can you guarantee it will not be copied, forwarded to the wrong person or edited without permission? Can you keep confidential files protected even in the case of a data breach? Security managers learn to juggle these issues, but in the age of data-centric security the focus is more granular and therefore more comprehensive, switching from a top-down approach to a bottom-up one.
Data is increasingly valuable in the wrong hands, and because it is the ultimate target of hackers, data protection has to be of paramount importance to any organisation, given the high risks associated with the failure to protect data as an asset. Think, in simple terms, of how the recipe of a successful food or drink product would have been guarded in the pre-digital era of the 1970s. It would most probably have been handwritten, a single copy, kept in a safe with only one or two people having access to it. This data-centric security concept was built to ensure that the information in that copy was always secure. Even in today’s business environment, where digital copies of documents are shared and accessed by different people, using multiple devices, in unknown locations, achieving the same outcome is much harder, but the parameters are still the same: What is the sensitive data? Where is it located? Who can access the data? How is the data protected? The key is in conducting effective security data analytics and implementing the process correctly:
Data discovery is not a new term; it has long been used in the content management context, but has rarely been applied to data protection. The problem is that security enforcement is historically an IT responsibility, while content is created by business units and has not often been managed and protected according to IT guidelines. To support a data-centric approach, there are tools that can provide the required ability to bring situational awareness into a business context. The common approach is tactical, the discovery of specific terms according to regulatory requirements, but to be fully effective, data discovery and metadata aggregation need to be comprehensive as a first step in solving the data puzzle. A good solution will group the data using the latest data mining techniques.
Define Data Classes According to the Business Relevance
The next task is to know which of the data needs to be protected. The effective long-term protection of data, and the efficiency of later steps in the process, require great specificity in the class definitions, within the context of the data’s use. This must drive security professionals to work closely with the different business units and data owners to define the exact classes, based on the results of the data discovery exercise.
Data classification is the core facet of establishing a data-centric approach. It can be straightforward if the definitions of the classifications are aligned to the business context, but it might be impossible if the data discovery is incomplete; and to be effective, it must be automated and managed.
An integrated data-centric approach can generate relevant outputs for the other key constituents of the conjoint solution: primarily through the identification of “blind spots” of unprotected data, but it should also provide intelligence for data protection systems, provide “logic” for enforcement tools such as DLP and, of course, drive data encryption. Finally, it needs to enhance the ability to monitor and predict malicious attempts to access the data, by unauthorised users as well as privileged insiders, or the victims of APTs whose credentials have been compromised.
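The three steps just described (discover the data, classify it against business-defined classes, then use the result to find unprotected “blind spots” and feed enforcement logic) can be tied together in a small pipeline. The following is an added example written for this article, not tooling from the authors or their companies: the document corpus, the protected locations, the class definitions and the detector patterns are all constructed for illustration. The payment-card detector pairs a regular expression with a Luhn check so that a random run of digits is not reported as card data.

```python
import re

# Constructed sample corpus (paths and contents invented for this example).
# In practice these would be files crawled from SharePoint, Documentum,
# file shares or application exports.
DOCUMENTS = {
    "sharepoint/finance/q3_forecast.docx":
        "Q3 sales forecast: revenue target 4.2M, pipeline review attached.",
    "sharepoint/hr/new_starters.csv":
        "name,email\nA. Smith,a.smith@example.com\nB. Jones,b.jones@example.com",
    "fileshare/marketing/brochure.txt":
        "Our product brochure for the autumn campaign.",
    "fileshare/sales/orders_export.csv":
        "order,card\n1001,4111 1111 1111 1111\n1002,5500 0000 0000 0004\n"
        "1003,1234 5678 9012 3456",
    "documentum/legal/nda_template.txt":
        "CONFIDENTIAL non-disclosure agreement template for supplier onboarding.",
}

# Locations where DLP / encryption enforcement is already in place (assumed).
PROTECTED_PREFIXES = ("sharepoint/finance/", "documentum/legal/")

# Sensitivity levels, lowest to highest.
LEVELS = ["Internal", "Confidential", "Restricted"]


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_card_numbers(text):
    """Candidate PANs that also pass the Luhn check (cuts regex false positives)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Detectors: each returns the list of matches found in a document.
DETECTORS = {
    "card_number": find_card_numbers,
    "email": EMAIL_RE.findall,
    "forecast_keyword": lambda t: re.findall(r"\bforecast\b", t, re.I),
    "confidential_marking": lambda t: re.findall(r"\bconfidential\b", t, re.I),
}

# Class definitions agreed with data owners (assumed for the example):
# a class is triggered by any of its detectors and carries a sensitivity level.
DATA_CLASSES = {
    "Payment card data": (["card_number"], "Restricted"),
    "Personal data": (["email"], "Confidential"),
    "Sales forecast": (["forecast_keyword"], "Confidential"),
    "Marked confidential": (["confidential_marking"], "Confidential"),
}


def discover(documents):
    """Step 1: run every detector over every document; aggregate hit counts as metadata."""
    meta = {}
    for path, text in documents.items():
        hits = {}
        for name, detector in DETECTORS.items():
            found = detector(text)
            if found:
                hits[name] = len(found)
        meta[path] = hits
    return meta


def classify(meta):
    """Step 2: map detector hits to business classes; a document takes its highest level."""
    result = {}
    for path, hits in meta.items():
        classes = [c for c, (dets, _) in DATA_CLASSES.items() if any(d in hits for d in dets)]
        level = max((DATA_CLASSES[c][1] for c in classes), key=LEVELS.index, default="Internal")
        result[path] = (level, classes)
    return result


def blind_spots(classified):
    """Step 3: sensitive data sitting outside the locations that enforcement covers."""
    return sorted(path for path, (level, _) in classified.items()
                  if level != "Internal" and not path.startswith(PROTECTED_PREFIXES))


if __name__ == "__main__":
    classified = classify(discover(DOCUMENTS))
    for path, (level, classes) in classified.items():
        print(f"{level:12} {path}  {classes}")
    print("blind spots:", blind_spots(classified))
```

The output of `blind_spots` is exactly the list a DLP or encryption rollout should be prioritised against; the per-document class list is the “logic” an enforcement tool can consume. Tuning is in the class table, not the code, which is what lets data owners rather than IT decide what counts as sensitive.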
UBA – USER BEHAVIOUR ANALYTICS
When an employee uses legitimate credentials to access corporate systems, from a company office, during business hours, we can be quite sure that there is minimal risk to our data. But when the same credentials are used after midnight to connect to a database server and run queries that this user has never performed before, is our data still secure? It is possible that certain maintenance operations require the execution of new queries. Alternatively, the user’s credentials could have been compromised and are being used to commit a breach. With conventional security controls, there is no clear-cut answer.
Employees and contractors have a significant advantage over the organisation’s primary security perimeter (e.g. firewalls, access controls, physical access controls), which was built for the untrusted external attacker and not for the trusted insider. Furthermore, people working for or within the organisation are aware of the mechanisms in place and can use this knowledge to circumvent defences. To counter this advantage and realistically address insider threats, organisations need better capabilities in such areas as context-based monitoring, advanced behaviour anomaly detection, and link-analysis driven investigation.
The primary defence against the theft of data is application access controls and, in some cases, DLP (Data Loss Prevention) monitoring tools. Even fully deployed, these controls tend to be defenceless against motivated insiders or outsiders, and they generate a continuous stream of false positives. To combat these threats effectively, organisations need better context about a user’s behaviour and that of their peers, to pinpoint the real attacks and to focus monitoring efforts on understanding what is high risk before it is too late.
Sensitive data, including trade secrets, intellectual property, personally identifiable information, sales forecasts, proposals, credit card records and other confidential information, resides in several formats and data stores across the enterprise. It is not uncommon for this data to be in collaborative business applications like SAP, or spread across repositories such as SharePoint or Documentum in unstructured formats. A user-centric approach addresses this challenge through real-time monitoring and analysis of sensitive data access and usage at the source, in the applications and data repositories.
User Behaviour Analytics (UBA) utilises identity and access analytics to automatically identify and continuously monitor for high-risk access and activity associated with this data, based on abnormal behaviour or access compared to the user’s past behaviour or their peer group’s behaviour. This “data risk intelligence” allows an organisation to dramatically improve its primary data protection control, access, by removing unauthorised or unnecessary access while giving it real-time, continuous monitoring control over sensitive data.
UBA can automatically detect high-risk data access and usage for real-time investigation and access removal, thereby reducing the exposure of sensitive data at its source. Meanwhile, if DLP monitoring at the endpoint, egress, or host is being used, UBA will automatically identify the true high-risk DLP events through advanced identity, behaviour, and peer group analysis. The combination of these advanced monitoring and detection techniques provides the real user identity and behaviour context to rapidly detect the most complex data theft and snooping attacks.
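The after-midnight scenario above, and the idea of scoring an action against both the user’s own history and that of their peer group, can be made concrete with a small baseline-and-score model. What follows is an added example written for this article, not a product or algorithm from the authors: the access history, the peer groups, the sensitivity labels and the score weights are all constructed. The point it makes is the one in the text: a query the user has never run is suspicious, but much less so when a colleague in the same group runs it routinely (plausible maintenance), and much more so when nobody in the group ever has.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access history: (user, peer_group, iso_timestamp, resource, action).
# Real deployments would draw these rows from application, database and
# repository audit logs; these are invented for the example.
HISTORY = [
    ("alice", "finance", "2015-09-01T09:12:00", "erp_db", "SELECT invoices"),
    ("alice", "finance", "2015-09-01T14:40:00", "erp_db", "SELECT invoices"),
    ("alice", "finance", "2015-09-02T10:05:00", "sharepoint/forecasts", "read"),
    ("alice", "finance", "2015-09-03T16:30:00", "erp_db", "SELECT invoices"),
    ("bob",   "finance", "2015-09-01T08:55:00", "erp_db", "SELECT invoices"),
    ("bob",   "finance", "2015-09-02T11:20:00", "erp_db", "SELECT ledger"),
    ("bob",   "finance", "2015-09-02T17:10:00", "sharepoint/forecasts", "read"),
    ("dave",  "dba",     "2015-09-02T01:15:00", "erp_db", "DUMP schema"),
    ("dave",  "dba",     "2015-09-03T02:00:00", "erp_db", "DUMP schema"),
]

# Resources the data-classification step marked as sensitive (assumed).
SENSITIVE = {"erp_db", "sharepoint/forecasts"}

# Score at or above which an event is raised for investigation (tunable).
ALERT_THRESHOLD = 5


def _profile():
    return {"hours": set(), "actions": set()}


def build_baselines(history):
    """Build 'normal' profiles per user and per peer group: the hours at which
    they are active and the (resource, action) pairs they have performed."""
    users = defaultdict(_profile)
    groups = defaultdict(_profile)
    for user, group, ts, resource, action in history:
        hour = datetime.fromisoformat(ts).hour
        for profile in (users[user], groups[group]):
            profile["hours"].add(hour)
            profile["actions"].add((resource, action))
    return users, groups


def score_event(event, users, groups):
    """Return (score, reasons). A deviation from the user's own baseline adds
    risk; one that is also unseen across the peer group adds more, because
    legitimate maintenance is usually something a colleague has done before."""
    user, group, ts, resource, action = event
    hour = datetime.fromisoformat(ts).hour
    u, g = users[user], groups[group]    # unknown user or group -> empty profile
    score, reasons = 0, []
    if hour not in u["hours"]:
        score += 2
        reasons.append(f"hour {hour:02d} unusual for {user}")
        if hour not in g["hours"]:
            score += 1
            reasons.append(f"hour {hour:02d} unusual for group {group}")
    if (resource, action) not in u["actions"]:
        score += 2
        reasons.append(f"'{action}' on {resource} never done by {user}")
        if (resource, action) not in g["actions"]:
            score += 2
            reasons.append(f"'{action}' on {resource} never done by group {group}")
    if resource in SENSITIVE:
        score += 1
        reasons.append(f"{resource} is classified sensitive")
    return score, reasons


def triage(events, history=HISTORY):
    """Score each new event against the baselines; return those worth an alert
    as (user, score, reasons) so an analyst sees why it was raised."""
    users, groups = build_baselines(history)
    alerts = []
    for event in events:
        score, reasons = score_event(event, users, groups)
        if score >= ALERT_THRESHOLD:
            alerts.append((event[0], score, reasons))
    return alerts


if __name__ == "__main__":
    new_events = [
        # the article's scenario: same credentials, after midnight, a query never run before
        ("alice", "finance", "2015-09-04T00:30:00", "erp_db", "DUMP schema"),
        # a new query for alice, but one her peer bob runs routinely
        ("alice", "finance", "2015-09-04T10:30:00", "erp_db", "SELECT ledger"),
        # night-time schema dump is normal for the DBA group
        ("dave",  "dba",     "2015-09-04T01:30:00", "erp_db", "DUMP schema"),
    ]
    for user, score, reasons in triage(new_events):
        print(f"ALERT {user} score={score}: " + "; ".join(reasons))
```

Only the first event crosses the threshold; the DBA’s night-time dump scores low because it matches his own baseline, which is the difference between a UBA alert and the raw “after-hours database access” rule a conventional control would fire on all three. The weights are deliberately simple; a production system would learn them from volume and recency rather than hard-code them.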
A new type of conjoint concept that combines UBA and data centricity, to correlate which data is being accessed, by which users, with time and location factored in, can mitigate risk from inside the organisation and from outside. By providing oversight of high-risk data and high-risk users, it can provide significantly improved security against a wide range of high- and low-probability scenarios, or the basis for a proactive defence against theft, fraud and industrial espionage. By classifying data and managing privileges automatically, it can simplify and enhance the monitoring of data and users, and generate near-real-time alerts when suspicious activity is taking place.
ABOUT THE AUTHORS
Dan Solomon heads the Cyber Risk and Resilience Services division at Optimal Risk and is a leading proponent of a converged approach to security risk. He is an industrial espionage specialist and a practitioner of FAIR, and is a prominent advocate of red teaming and cyber war games. Previously he was Consulting Lead for Cisco’s Cyber Security Centre of Excellence and VP at Security Art, an Israeli cyber security boutique.
Arye Glickman is CEO of Longsight, part of the SECOZ group of companies. Arye is known for his astute understanding of the business-technology interface over many years, and his ability to configure emerging technology to solve user problems. He has a successful and diverse professional background spanning technical, operational management, service delivery, project management, and general management disciplines over 25 years including roles at Oracle, Symantec and CA.
This article first appeared in Cyber Security Review, Autumn 2015 edition published by Delta Business Media.