How to stop the security breach tsunami
- 20 June, 2015 01:43
It seems like almost every week there is a new security breach in either the government or in private business. The latest had nothing to do with China, instead it appeared to be more of a revenge attack by one baseball team on another.
Often, the focus becomes firing whoever runs the security effort. However, there is a technology that's been on the market for some time called UBA, or User Based Analysis or User Based Analytics (depending on which vendor you are talking about) that could help prevent such major breaches. But it isn't widely deployed because companies, IT organizations and security teams have apparently wrapped their heads around the idea that perimeter security is a fantasy, it simply isn't working and likely hasn't ever.
I recently attended an event where I was surprised to learn that of a number of companies that had deployed a UBA solution, 75 percent indicated they had caught a breach in progress with it. Makes you wonder how many breaches aren't being caught in firms that haven't deployed this technology.
It strikes me that when we see major events like this everyone acts as if they are isolated events. Unlike stealing something material, when data is stolen it is generally copied so folks don't notice anything missing. So you have to think, if one person could steal the data, then others could as well and the only thing you can be certain of is that you know at least one event occurred. The reality is that there could be hundreds of similar events where the thief didn't screw up or have the need to share what he or she took publically.
Let's talk about how the real cause for the security breach Tsunami, which is that we haven't really understood that our companies aren't even close to being secure.
You've already been breached
I can certainly understand that firms, after spending massive amounts of money on perimeter security, think they are secure even in the face of substantial evidence that they can't be thanks to rogue employees, access points, vendors, subcontractors, temporary workers, viruses, compromised BYOD systems and a whole host of other technology.
People and events constantly create potential freeways for information to flow out of the company on a daily basis, often unapproved. And we aren't even close to the end of the potential areas for breach, just wait until the Internet of Things (IoT) becomes more common and we become surrounded by little devices broadcasting what they know right through our walls and potentially becoming bridges for folks wanting to virtually break into our companies.
But saying this and fully understanding what it means can be two different concepts. Once you understand that someone in mining your company in some creative fashion at any given moment you stop thinking about being secure and start thinking about catching the SOB.
User Based Analysis or UBA
In most cases, the attacks are coming through legitimate credentials. Ether an employee acting inappropriately, or someone using an employee's credentials is executing the theft.
UBA works under the theory that an attacker typically hits when the employee isn't around or, if the employee is the thief, they are behaving unusually. They could be there after hours when they typically don't work late, they could be downloading and printing stuff that no one downloads and prints (like IDs and passwords) or they could be taking a sudden interest in things they never seemed to care about before.
UBA builds a profile of each employee and if it sees an employee acting strangely it sends out an alert. It doesn't know the why's of the strange behavior (it could be legitimate), but it recognizes it as suspicious. The IT organization and/or security team gets an immediate alert so they can either confront the employee or use a tool like SIEM (Security Information and Event Management) to determine what is going on and determine if there is a crime in progress. It could be as simple as checking the security cameras to make sure it is actually the employee and not a maintenance worker or someone else using the employee's ID getting access. However, typically, access should be cut off until the identity of the employee is confirmed to assure that if there is a leak it is minimized.
Two types of companies ...
Years ago, security firm Kaspersky indicated there were two types of companies, those that have been attacked and those that don't know they have been attacked. I'm struck by the high number of reported attacks in firms using a UBA product and that these firms are no different than the ones not deploying this tool. The difference is the second group falls into the second half of Kaspersky's definition. If you want to be in the dark, don't look at tools like UBA. However, if you want to actually catch the folks who are stealing from the firm that puts food in your kid's mouth maybe it is time to take action.