How to stop the security breach tsunami

Are you really doing all you can to catch data thieves and prevent security breaches?

It seems like almost every week there is a new security breach in either the government or in private business. The latest had nothing to do with China; instead, it appeared to be more of a revenge attack by one baseball team on another.

Often, the focus becomes firing whoever runs the security effort. However, there is a technology that's been on the market for some time called UBA, or User Based Analysis or User Based Analytics (depending on which vendor you are talking about), that could help prevent such major breaches. But it isn't widely deployed because companies, IT organizations and security teams apparently haven't wrapped their heads around the idea that perimeter security is a fantasy: it simply isn't working and likely never has.

I recently attended an event where I was surprised to learn that of a number of companies that had deployed a UBA solution, 75 percent indicated they had caught a breach in progress with it. Makes you wonder how many breaches aren't being caught in firms that haven't deployed this technology.

It strikes me that when we see major events like this everyone acts as if they are isolated events. Unlike stealing something material, when data is stolen it is generally copied, so folks don't notice anything missing. So you have to think: if one person could steal the data, then others could as well, and the only thing you can be certain of is that at least one event occurred. The reality is that there could be hundreds of similar events where the thief didn't screw up or have the need to share what he or she took publicly.

Let's talk about the real cause of the security breach tsunami, which is that we haven't really understood that our companies aren't even close to being secure.

You've already been breached

I can certainly understand that firms, after spending massive amounts of money on perimeter security, think they are secure even in the face of substantial evidence that they can't be, thanks to rogue employees, access points, vendors, subcontractors, temporary workers, viruses, compromised BYOD systems and a whole host of other exposures.

People and events constantly create potential freeways for information to flow out of the company on a daily basis, often unapproved. And we aren't even close to the end of the potential areas for breach, just wait until the Internet of Things (IoT) becomes more common and we become surrounded by little devices broadcasting what they know right through our walls and potentially becoming bridges for folks wanting to virtually break into our companies.

But saying this and fully understanding what it means can be two different concepts. Once you understand that someone is mining your company in some creative fashion at any given moment, you stop thinking about being secure and start thinking about catching the SOB.

User Based Analysis or UBA

In most cases, the attacks are coming through legitimate credentials. Either an employee acting inappropriately, or someone using an employee's credentials, is executing the theft.

UBA works under the theory that an attacker typically hits when the employee isn't around or, if the employee is the thief, they are behaving unusually. They could be there after hours when they typically don't work late, they could be downloading and printing stuff that no one downloads and prints (like IDs and passwords) or they could be taking a sudden interest in things they never seemed to care about before.

UBA builds a profile of each employee and, if it sees an employee acting strangely, it sends out an alert. It doesn't know the whys of the strange behavior (it could be legitimate), but it recognizes it as suspicious. The IT organization and/or security team gets an immediate alert so they can either confront the employee or use a tool like SIEM (Security Information and Event Management) to determine what is going on and whether there is a crime in progress. It could be as simple as checking the security cameras to make sure it is actually the employee and not a maintenance worker or someone else using the employee's ID to get access. However, typically, access should be cut off until the identity of the employee is confirmed, to ensure that if there is a leak it is minimized.
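To make the profile-and-alert idea concrete, here is an added example (not from the article or any UBA vendor's product) that builds a per-user baseline of working hours and resources touched from a constructed access log, then flags new events that fall outside it: after-hours activity, a resource the user has never touched, or a user with no baseline at all. The log format and the one-hour slack are assumptions for the illustration; a real deployment would feed the flagged events to the security team or SIEM for triage rather than treating them as proof of wrongdoing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the article); assumed format:
# "<ISO timestamp> <user> <action> <resource>"
BASELINE_LOG = [
    "2015-06-01T09:12:00 alice download /finance/q2-forecast.xlsx",
    "2015-06-01T14:40:00 alice view /finance/budget.xlsx",
    "2015-06-01T08:50:00 bob view /eng/design-notes.doc",
    "2015-06-02T13:15:00 bob download /eng/design-notes.doc",
]
NEW_EVENTS = [
    "2015-06-15T23:40:00 alice download /it/admin-accounts.txt",  # late night, never touched before
    "2015-06-15T13:05:00 bob download /eng/design-notes.doc",     # within bob's normal pattern
    "2015-06-15T10:00:00 carol print /finance/budget.xlsx",       # no baseline exists for carol
]

def parse(line):
    ts, user, action, resource = line.split()
    return datetime.fromisoformat(ts), user, action, resource

def build_profiles(lines):
    """Per-user baseline: hours of day seen active and resources touched."""
    profiles = defaultdict(lambda: {"hours": set(), "resources": set()})
    for line in lines:
        ts, user, _action, resource = parse(line)
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["resources"].add(resource)
    return dict(profiles)

def score_event(profiles, line, hour_slack=1):
    """Reasons an event deviates from its user's baseline; [] means it looks normal."""
    ts, user, _action, resource = parse(line)
    profile = profiles.get(user)
    if profile is None:
        return ["unknown-user"]
    reasons = []
    # Hour distance wraps around midnight, so 23:00 is one hour from 00:00.
    if all(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) > hour_slack for h in profile["hours"]):
        reasons.append("after-hours")
    if resource not in profile["resources"]:
        reasons.append("new-resource")
    return reasons

def detect(profiles, lines):
    """Map each deviating event to its reasons; the security team, not the tool, judges intent."""
    scored = {line: score_event(profiles, line) for line in lines}
    return {line: reasons for line, reasons in scored.items() if reasons}
```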

Two types of companies ...

Years ago, security firm Kaspersky indicated there were two types of companies, those that have been attacked and those that don't know they have been attacked. I'm struck by the high number of reported attacks in firms using a UBA product and that these firms are no different than the ones not deploying this tool. The difference is the second group falls into the second half of Kaspersky's definition. If you want to be in the dark, don't look at tools like UBA. However, if you want to actually catch the folks who are stealing from the firm that puts food in your kid's mouth maybe it is time to take action.

Stories by Rob Enderle