What can we learn from JPMorgan's insider breaches?

Another former JPMorgan Chase & Co. (JPMC) employee was recently arrested by the FBI on charges of stealing customer data and trying to sell it to an undercover informant for tens of thousands of dollars.

Similar incidents have occurred multiple times at JPMC over the past few years. Upon closer inspection a common thread emerges from each of these incidents -- JPMC's inability to account for insider threats.  That being said, there are some valuable lessons we can take away from these incidents.

Look for Clues

JPMC wants to trust their employees and they want them to perform their jobs with the utmost integrity.  JPMC CEO Jamie Dimon states in JPMC's Code of Conduct, "...it's not just about following the rules -- it's about applying the highest ethical standards to everything we do."

Is trust and the expectation of ethical behavior by employees enough to protect against the potential misdeeds from those inside your organization?  Apparently not.

Regardless of industry, every organization must grant some employees access to its most sensitive data -- such as intellectual property or information that customer's expect will remain confidential. These include systems administrators with privileged access rights, or account representatives with access to customer data.

The question becomes, how could JPMC, or any organization, know that employees planned to steal and sell confidential data to outsiders?

Monitor Identities

It's well documented that JPMC spends over $250M a year on the cybersecurity personnel, tools and services to protect their digital assets. So while JPMC's IT perimeter may be hardened (but not impenetrable, see 2014 mega breach), insiders must have access to privileged information to do their jobs.

Hardening an organization's external perimeter poses is a very different set of challenges than hardening the internal network. Primarily because internal networks can be configured in countless ways, with endless combinations of who has access to what systems, applications and data.

Given these challenges, the most reliable way to keep track of what insiders are doing and their movements inside the network, is to manage identities and maintain visibility into their activities.

Follow the Threat Crumbs

Containing the damage, once insiders have stolen confidential company or customer information, is extremely difficult, if not impossible. Insider threats, whether in the form of malicious employees abusing their access credentials, or simple negligence, must be detected and rooted out as quickly as possible.

Monitoring activity inside the network using identities provides organizations the opportunity to discover anomalous behavior early in the kill chain.

To be successful, this approach requires a robust and well managed identity and access management (IAM) system (disclosure: I work for a User and Entity Behavior Analytics vendor). Next, actions and behaviors of each identity must be monitored using the following contextual filters:

Who - what is user or entity's role or the role they are emulating?

What - are they looking to access?

Where - what location are they accessing systems/data from, and what is the location are they accessing?

When - what time of day, what date, what week, month, etc.?

How -- what means or technology are they using to access the network -- company-issued or personal device, public kiosk, etc.?

Using this contextual knowledge, controlling access to information can be managed via rules-based risk scoring. This intelligence can also be used for predictive risk analysis of insiders' behavior to detect trends and activity that require further investigation.

The JPMC breaches serve as a valuable reminder that identity-based data sources and metrics must be integrated into the threat management cycle of monitoring, detecting, analyzing and responding.

Without visibility into user/entity behaviors, the detection, intervention and remediation of insider threats becomes a game of chance.

Join the CSO newsletter!

Error: Please check your email address.

Tags JPMorgan Chaseidentity managementcyber attacksespionagesecurityAccess control and authenticationfbi

More about FBI

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Leslie K. Lambert

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place